KR102564416B1 - System for controlling network access and method of the same - Google Patents

Abstract

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a target application and an access control application; The memory, when executed by the processor, makes the node request network access to an external server through the access control application, the network access request includes identification information of the target application and identification information of the destination network, If access is possible, storing instructions configured to receive a data flow from the external server and transmit a data packet of the target application through a communication device based on the data flow, the data flow is stored in the communication device and the It may be created in the external server when authentication between nodes is completed and connection between the node and the external server is completed.

Description

System for controlling network access and method therefor

Embodiments disclosed in this document relate to a system and method for controlling network access.

Multiple devices may communicate data over a network. For example, the terminal may transmit or receive data with a server through the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

Conventional technologies for performing connectivity control identify and control communication objects through connections between communication objects such as channels (tunneling, secure sessions such as TLS, QUIC, etc.) or logical connections (TCP or UDP session control), and access By providing a technology that disables communication between communication objects when there is no existing object, the problem of whether unauthorized objects are allowed to communicate or not that occurs in an always-connected network environment has been solved.

In the case of an unidentified communication target or an unauthorized or unaccepted target, problems related to access to the authorization action may not be granted, resulting in failure to access the network or improper network access.

Network boundary elements or related systems for relaying network access between communication objects must be controlled by a controller, and mutual access information (e.g., authentication information for tunneling, certificates for creating secure sessions, and logical connection authentication) must be controlled by the controller. authentication information) must be provided to control the communication after the communication target receives it.

In the existing network environment, since VPN (Virtual Private Network), NAC (Network Access Control), SWG (Secure Web Gateway), FW (Firewall), and security technologies operating in the operating system of nodes are common, it is possible to use a controller to improve connectivity. In the case of processing control, difficulties may occur in technology diffusion and application because a network boundary processing connectivity control must be additionally installed or a structure for installing and supplementing the corresponding function in the network boundary or system must be provided.

In addition, existing legacy network boundaries can block unauthorized or disallowed nodes from accessing services based on identification information of various nodes such as user authentication, IP address, MAC address, tunneling, and secure session (TLS, HTTPS, etc.). Due to limitations in identification information inherent in OSI 7 layer and IP communication inherent in network boundary technology, the target application that is the actual communication target of the node and the service the target application wants to access cannot be controlled from the logical connection point of view, so malware or ransomware A problem in which software or unauthorized applications can access the service server may occur.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a target application and an access control application; The memory, when executed by the processor, makes the node request network access to an external server through the access control application, the network access request includes identification information of the target application and identification information of the destination network, If access is possible, store instructions configured to receive a data flow from the external server and transmit a data packet of the target application through a communication device based on the data flow, and the data flow causes the node to perform the communication When authentication is performed and completed with a device, and controller connection between the node and the external server is completed, it may be generated and received in the external server.

A node according to another embodiment disclosed in this document detects a network connection event of the target application through the access control application, and if there is a data flow corresponding to the target application and received from an external server, the data of the target application A packet is transmitted to the communication device, a network access blocking request is made to an external server, the network access request includes identification information of the target application and identification information of the destination network, and if the connection is to be blocked, from the external server receiving a connection blocking result, and storing instructions configured to update the connection blocking result in the data flow, wherein the connection blocking result indicates that the external server determines that an authentication state between the communication device and the node is not completed. , or if access is impossible, it may be created in the external server.

A server according to an embodiment disclosed in this document includes a memory for storing a communication circuit and a database; and a processor in operative connection with the memory and the communication circuitry, the processor configured to receive a network connection request from a connection control application of the node, the network connection request comprising identification information and a destination of a target application of the node. Communication that includes identification information of the network, determines whether or not the target application can access the destination network based on the database, and if the connection is possible, the communication through which the target application must pass to access the destination network Check the authentication status between the device and the node, and if authentication is completed or authentication is not required, create a data flow so that the target application can access the destination network and transmit it to the access control application, and if authentication is not completed It may be configured to request confirmation of authentication completion from the communication device or to transmit a network access failure result to the node.

A communication device according to an embodiment disclosed in this document includes a communication circuit, a memory, and a processor operatively connected to the memory and the communication circuit, wherein the processor receives an authentication request from a node and sends an external server. Requesting confirmation as to whether or not the connection between the node and the external server is completed, receiving a result, performing authentication when the connection between the node and the external server is completed, and transmitting the authentication result to the node, and transmitting the authentication result to the node and It may be configured to reject authentication of the node when the connection between the external servers is not completed.

A method of operating a server according to an embodiment disclosed in this document includes receiving a network access request from an access control application of a node, the network access request including identification information of a target application of the node and identification information of a destination network. and verifying whether or not the target application can access the destination network based on the database. Operation of checking the status and authentication is completed or authentication is not required, creating a data flow so that the target application can access the destination network and transmitting it to the access control application, and if authentication is not completed, authentication to the communication device It may include an operation of requesting confirmation of completion or transmitting a network connection failure result to the node.

A method of operating a communication device according to an embodiment disclosed in this document includes receiving an authentication request from a node, requesting an external server to confirm whether or not a connection between the node and the external server has been completed, and receiving a result. and when the connection between the node and the external server is completed, authentication is performed and an authentication result is transmitted to the node, and when the connection between the node and the external server is not completed, authentication of the node is rejected. can

According to the embodiments disclosed in this document, while solving the problem of IP (Internet Protocol) address-centric or orphaned network access inherent in legacy network boundary technology, connectivity between communication objects inherent in connectivity control technology You can fine-tune the communication through this.

According to the embodiments disclosed in this document, when network access control of a node is performed based on a data flow in a state in which connectivity control does not exist, a network access control application is not installed or an unauthenticated target is connected to the network It can solve the problem of not being able to control access to .

According to the embodiments disclosed in this document, it solves the problem of performing network access control of nodes based on data flow by utilizing the minimum access control means of legacy network boundary technology, and at the same time, legacy network boundary technology Problems of legacy networks can be solved by providing a structure that controls fine communication targets that could not be controlled (e.g., applications that are actual communication targets and various data packets, destination network information, and logical elements that allow nodes to control communication in advance). there is.

In addition, according to the embodiments disclosed in this document, a node is in a state where it is basically impossible to access the network by legacy network boundary technology, and after performing authentication with the legacy network boundary technology and performing connection with the controller, the legacy network boundary technology It is possible to control network access of nodes to perform communication through.

In addition, according to the embodiments disclosed in this document, network access of a node can be more safely controlled by transmitting/receiving information about whether a node has been authenticated, whether a node has been terminated, and whether a node has been connected between a controller and a legacy network.

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 shows an environment including a plurality of networks.
2A and 2B illustrate an architecture within a network environment according to various embodiments.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
4 shows a functional block diagram of a node in accordance with various embodiments.
5 describes an operation of controlling network access according to various embodiments.
6 shows a signal flow diagram for controller connection according to various embodiments.
7 illustrates a signal flow diagram for user authentication according to various embodiments.
8 shows a signal flow diagram for network access according to various embodiments.
9 illustrates a signal flow diagram for node connection status request according to various embodiments.
10 illustrates a signal flow diagram for node connection state update according to various embodiments.
11 illustrates a signal flow diagram for node connection state and policy update according to various embodiments.
12 shows a signal flow diagram for control flow update according to various embodiments.
13 illustrates a signal flow diagram for network connection release according to various embodiments.
14 illustrates a signal flow diagram for termination of application execution according to various embodiments.
15 is an operational flowchart illustrating a method of operating an access control application installed in a node according to various embodiments.
16 is an operational flowchart illustrating a method of operating a server according to various embodiments.
17 is an operational flowchart illustrating a method of operating a communication device according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, but to cover various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, the actions performed by a module, program, or other component are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the actions are executed in a different order, or omitted. or one or more other actions may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 shows an environment including a plurality of networks.

Referring to FIG. 1 , the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101 . In FIG. 1 and embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices. For example, the source node 101 may include a server or communication device capable of transmitting data packets through an application. The source node 101 may also be referred to as 'electronic device' or 'terminal'. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101 . For another example, the destination node 102 can be substantially the same as the destination network.

The source node 101 may attempt access to the second network 20 and transmit data to the destination node 102 included in the second network 20 . The source node 101 may transmit data to the destination node 102 via the communication device 103 . According to the embodiment, the communication device 103 may be a component included in the source node 101 .

If access to the first network 10 of the starting node 101 is approved, since the starting node 101 can communicate with all servers included in the first network 10, the starting node 101 is malicious. ) can be exposed from program attacks. For example, the origin node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browser 110a and business application 110b. ) may receive data of an untrusted or unsecured application such as the business application 110d.

The starting node 101 infected by the malicious program may attempt access to the second network 20 and/or data transmission. When the second network 20 is formed based on IP, such as VPN, it may be difficult to individually monitor a plurality of devices included in the second network 20, and application in the OSI layer Security at the layer or transport layer may be vulnerable. In addition, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be delivered to another electronic device (eg, the destination node 102) within the second network 20. can

2A and 2B illustrate an architecture within a network environment according to various embodiments.

Referring to FIG. 2A , a node 201 may be various types of devices capable of performing data communication. For another example, the node 201 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices. For example, node 201 may include a server or communication device capable of transmitting data packets via an application. The node 201 may also be referred to as an 'electronic device' or a 'terminal'.

Node 201 may store target application 212 and access control application 211 . The target application 212 may transmit a data packet to the service server 205 through the communication device 203 under the control of the access control application 211 or, conversely, may receive a data packet. As some of the target applications 212 may be trusted and/or secured applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, the network access system according to embodiments may be Through the network access control of the access control application 211 , access to the service server 205 of an unauthorized program (application) may be blocked and the corresponding program may be quarantined. For example, before the target application 212 according to the embodiments communicates with the service server 205 , the access control application 211 may check from the controller 202 whether access is possible. If access is possible, the access control application 211 may control data packet transmission of the target application 212 . That is, in order for the target application 212 to access the network, it must go through the access control application 211, and the access control application 211 must be authorized from the controller 202, and the access control application 211 must pass through the target application 212. ) can be transmitted based on the data flow based on the policy of the controller 202.

The controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within a network environment by managing data transmission between the node 201 , the communication device 203 , and the service server 205 . For example, the controller 202 may allow the network access of the authorized node 201 (or the access control application 211) through policy information or blacklist information. The controller 202 may provide information enabling the creation of a channel between the node 201 and the communication device 203 . Thus, the access control application 211 of the node 201 can prevent disallowed applications from sending data packets for disallowed purposes, and only allowed data packets can be sent to the service server 205. structure can be provided. In addition, the controller 202 may be connected to other interlocked security systems 206 to provide a structure for performing an additional check on network security.

According to the embodiment, the network access of the target application 212 may be blocked from the access control application 211 , the controller 202 or the communication device 203 . According to one embodiment, the controller 202 is an access control application (eg, registration, authorization, authentication, renewal, termination) associated with network access of the node 201 or access control application 211. 211) and control data packets can be transmitted and received. A flow through which the control data packet is transmitted (eg, 220) may be referred to as a 'control flow'. According to an embodiment, the controller 202 maintains a secure network state at all times by immediately recovering a channel according to a security event received from an interworking system (eg, a node 201, a communication device 203, or a service server 205). can

The communication device 203 may be located at the boundary of the network to which the node 201 belongs. According to one embodiment, the communication device 203 may be connected to the controller 202 based on a cloud.

According to an embodiment, communication device 203 may also be referred to as a legacy network boundary or network boundary. For example, the communication device 203 performs basic communication of the authenticated node 201 based on identification information of various nodes 201, such as user authentication, IP address, MAC address, tunneling, and secure session (TLS, HTTPS, etc.). It can be implemented by including legacy network boundary technology for controlling. For another example, the communication device 203 may include a firewall configured in the form of hardware or software, a virtual private network (VPN), a network access control (NAC), a secure web gateway (SWG), and the like, an intranet, a cloud Alternatively, it may exist at the network boundary of the service server.

According to the embodiment, a flow in which data packets are transmitted between the access control application 211 and the communication device 203 may be referred to as a 'data flow'. Data flows can be created in granular units (eg applications) as well as nodes or IP units.

According to the embodiment, the target application 212 existing in the node where basic communication control is applied and minimum authentication is completed may create a logical connection (eg, TCP Session, UDP Session, etc.) to access the service server, and the node The access control application 211 present in 201 prevents disallowed applications from transmitting data packets to disallowed destinations, and has a structure for transmitting only permitted data packets through a logical connection created between servers. can provide

According to various embodiments, node 201 may include a connection control application 211 and a network driver (not shown) for managing the network connection of a target application 212 stored in node 201 . For example, when an access event for the service server 205 of the target application 212 included in the node 201 occurs, the access control application 211 may determine whether the target application 212 can be accessed. . If the target application 212 is accessible, the access control application 211 may transmit a data packet to the communication device 203 . The access control application 211 may control transmission of data packets through a kernel including an operating system and a network driver within the node 201 .

Referring to FIG. 2B , a communication device 203 may be included in a node 201 . In addition, a communication device included in the node 201 may communicate with an external communication device 203 to process data packets of the node 201 .

3 is a functional block diagram illustrating a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for communicating with an external electronic device (eg, the communication circuit 430 of FIG. 4) and a processor for controlling the overall operation of the controller (eg, FIG. Four processors 410) may be further included.

Since the administrator can connect to the controller 202 and set connection-oriented policies to control access between the access control application 211 and the service server 205, network access is more detailed and secure than session management at the service level. can control.

The access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access. For example, the controller 202, when requesting network access from the access control application 211, identifies a network based on a policy of the access policy database 311 (eg, a network to which the node 201 belongs), a node, A user (eg, a user of the node 201) and/or an application (eg, a target application 212 included in the node 201) may determine whether access to the service server 205 is possible. According to this, the controller 202 may create a whitelist of target applications 212 accessible to a specific service (eg, IP and port) based on the access policy database 311 .

The network boundary policy database 312 may include network boundary information for accessing a service server according to an access policy. For example, the network boundary may support a form of software that exists between two communication targets in the form of hardware or is installed on the service server or node 201 or uses both forms, and the network boundary policy database 312 the type of network perimeter (e.g. firewall, virtual private network (VPN), network access control (NAC), secure web gateway (SWG)) and information identifying through that perimeter (e.g. user authentication, IP address, MAC address) , tunneling, secure sessions (TLS, HTTPS)).

According to an embodiment, the controller 202 matches node information identified by the controller 202 based on node information identified at the network boundary based on the network boundary policy database 312 to determine whether the network boundary is authenticated or allowed. Network access control can be performed accordingly. To this end, the controller 202 uses a method for mutually exchanging authentication information with the network boundary (e.g., the network boundary pushes the identified target and related information to the controller, or the controller 202 pushes the identified target and related information to the network boundary). mutual information can be exchanged by pushing related information, etc.). According to an embodiment, the network boundary may be substantially the same as the communication device 203 .

The blacklist policy database 313 is a target (e.g., node ID) identified through security event risk, occurrence cycle, and/or behavior analysis among security events periodically collected by the node 201 or the communication device 203. (identifier), at least one of an IP address, a media access control (MAC) address, or a user ID) may indicate a blacklist registration policy for blocking access. In addition, the blacklist policy database 313 may be used as information for determining a risk level of an application according to an application inspection result and whether to temporarily or permanently quarantine the application according to the risk level.

The blacklist database 314 may include a list of objects blocked by the blacklist policy database 313 . For example, the controller 202 may isolate the node 201 by rejecting the network access request when identification information of the node 201 requesting network access is included in the blacklist database 314 .

The control flow table 315 is an example of a session table for managing a flow (eg, control flow) of control data packets generated between the node 201 and the controller 202 . When accessing the controller 202 is successful, control flow information may be generated by the controller 202 . The control flow information may include at least one of control flow identification information, an IP address identified during access to and authentication of a controller, a node ID, and a user ID. For example, when access to the service server 205 is requested from the node 201, the controller 202 may search for control flow information through control flow identification information received from the node 201, and the searched control flow Whether the node 201 can access the service server 205 by mapping at least one of the IP address, node ID, or user ID included in the information to the access policy database 311, data flow for data packet transmission It can be judged (determined) whether it is created or not.

According to one embodiment, a control flow may have an expiration time. The node 201 needs to update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate disconnection is necessary according to the security event collected from the node 201 , the controller 202 may remove the control flow according to the connection termination request of the node 201 . When the control flow is removed, the connection of the node 201 may be blocked because the previously generated data flow is also removed.

The data flow table 316 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between the node 201, the communication device 203, and the service server 205. Data flows can be created in TCP sessions, applications, or more granular units. The data flow table 316 may include data flow information for managing channels and sessions of the application (eg, the target application 212) of the node 201, the communication device 203, and the service server 205. . The data flow table 316 may include an application ID, destination IP address, and/or service port for identifying whether a data packet transmitted from a source is an authorized data packet. The data flow table 316 may be managed based on control flow IDs.

In addition, the data flow table 316 may include state information including whether or not the data flow is valid and authorized destination information for determining whether data packets are forwarded based on source IP, destination IP, and port information of the data packet. can

According to an embodiment, the data flow table 316 may be equally stored in the node 201 and the communication device 203 .

The network edge authentication table 317 may be a table for managing authentication between the node 201 and the network edge. For example, the network boundary authentication table 317 includes identification information (eg, user authentication, IP address, MAC address, tunneling, secure session (TLS, HTTPS)) of nodes 201 to which access is permitted for each network boundary. can do.

4 shows a functional block diagram of a node in accordance with various embodiments.

Referring to FIG. 4 , a node may include a processor 410 , a memory 420 , and a communication circuit 430 . According to one embodiment, the node may further include a display 440 to interface with a user.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like.

The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to one embodiment, the memory 420 may store the target application 212 and the access control application 211 of FIG. 2 . The access control application 211 may perform control flow creation and update functions with the controller 202 . To this end, the access control application 211 may include one or more security modules.

According to an embodiment, the memory 420 may store some of the information included in the memory of the controller (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the data flow table 316 described in FIG. 3 .

The communication circuit 430 establishes a wired or wireless communication connection between the node and an external electronic device (eg, the controller 202, the communication device 203 or the service server 205 of FIG. 2) and communicates through the established connection. can support implementation. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

A server (eg, controller) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

A communication device (eg, the communication device 203 of FIG. 2 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the communication device may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

5 describes an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 5 , the access control application 211 detects a request for network access to the service server 205 from the target application 212 included in the node 201, and the node 201 or the access control application 211 ) can determine whether or not the controller 202 is in a connected state. When the node 201 or the access control application 211 is not connected to the controller 202, the access control application 211 may block transmission of data packets in a kernel or network driver including an operating system. there is. Through the access control application 211, the node 201 may block access of malicious applications in advance in the application layer of the OSI layer.

According to the embodiment, comprehensive network access control of the node 201 may use technology (eg, legacy network boundary technology) of the communication device 203, and control of the actual communication target is performed by the access control application 211 However, in a state in which the access control application 211 is not installed and authenticated, a structure for interoperating with each other so that the legacy network boundary does not operate may be provided.

According to the embodiment, when the access control application 211 is not connected to the controller 202 or when a data packet to be transmitted is a data packet to be transmitted based on a channel but the corresponding channel does not exist, Data packets transmitted from the control application 211 are blocked by the communication device 203 and the access control application 211 can only request a connection to the controller 202 .

According to an embodiment, if the access control application 211 is not installed on the node 201 or if a malicious application bypasses the control of the access control application 211, unauthorized data packets may be transmitted from the node 201. . In this case, since the communication device 203 existing at the boundary of the network blocks data packets for which the corresponding channel does not exist, the data packets transmitted from the node 201 (eg, data packets for TCP session creation) are sent to the service server. (205) may not be reached. In other words, node 201 can be isolated from service server 205 .

6 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to access or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, thereby 201) can try to connect to the controller. According to an embodiment, node 201 may be substantially the same as node 201 of FIG. 2 in which connection control application 211 is installed.

Referring to FIG. 6 , node 201 may detect a controller connection event. For example, when the connection control application 211 is installed and executed within the node 201, the node 201 may detect that a connection to the controller 202 is requested.

At operation 605 , node 201 may request controller connection from controller 202 . For example, the access control application 211 may transmit identification information of the access control application 211 to the controller 202 . Additionally, the access control application 211 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted. According to an embodiment, the access control application 211 includes the type of node 201, location information, environment and network including the node 201, identification information of the access control application 211, and whether the node 201 is authorized. At least one of user or device authentication information for identifying whether the node is a registered node may be transmitted to the controller 202 .

In operation 610, the controller 202 may identify whether or not the controller connection request (eg, the access control application 211 or the node 201) is accessible. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or the connection. Based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314 , it is possible to check whether the controller connection requesting object is accessible.

If the connection is possible, at operation 615 , the controller 202 may create a control flow between the node 201 (or the connection control application 211 ) and the controller 202 . In this case, the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 211 into a control flow table ( 315) can be stored. Information stored in the control flow table 315 may be used for user authentication of the node 201 , information update of the node 201 , policy check for network access of the node 201 , and/or validation.

In operation 620, the controller 202 provides whitelist information of accessible applications based on the identified information (eg, the node 201 and source network information to which the node 201 belongs) and the corresponding access policy database 311. can create According to an embodiment, the controller 202 may transmit the application white list to the access control application 211 in operation 625 .

In operation 625 , the controller 202 may transmit control flow identification information to the node 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller access is unavailable or is included in the blacklist, the controller 202 may transmit access unavailability information in operation 625 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list generated through the execution of operation 620 to the connection control application 211 .

At operation 630, the access control application 211 may perform a check on the application. For example, the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 . According to the embodiment, the access control application 211 may check whether an application included in the application white list is installed on the node 201, and whether the installed application is integrity and safety according to a validation policy (eg: It can check whether the application has been forged or tampered with, code signing inspection, fingerprint inspection).

At operation 635 , the access control application 211 may transmit the test result to the controller 202 .

In operation 640, the controller 202 may check whether the application is valid based on the received application information. For example, if it is a valid application, the controller 202 determines the node 201 identified in the access policy 311, the source IP, the user, the target application 212, and the destinations to which the identified target application 212 can connect. IP and port information can be checked, and the authentication state of a network boundary (eg, the communication device 203) that must be passed through to access the destination IP and port can be checked.

In operation 645, the authentication state of the network boundary (eg, communication device 203) through which access to the corresponding destination IP and port is to be reached with the identified target information is verified, or authentication is complete (eg, network boundary such as NAC and VPN). When authentication is completed with target information identified by technology and access is possible), when there is no need for authentication (e.g., when identified target information such as a firewall is always allowed by whitelist without separate authentication), The controller 202 may generate data flow information including authentication information including transport protocol information, source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure. there is. In this case, the controller 202 may transmit the generated data flow to the connection control application 211 of the node 201 (operation 650).

In operation 655, the access control application 211 may process the resulting value according to the received response. For example, the connection control application 211 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user. When the controller connection is completed, the request for network connection of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that node 201 is unreachable. For example, if identification information of the node 201 and/or a network to which the node 201 belongs is included in a blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may transmit a response indicating that the controller connection is impossible in operation 625 without generating a control flow in operation 615 . Also, in this case, operations 630 to 650 may not be performed. Depending on the embodiment, if a controller connection needs to be retried, the connection control application 211 may perform operation 605 again.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed. Afterwards, when a data packet transmission request is detected, the access control application 211 may process a data packet to be transmitted by the target application based on the received data flow.

According to an embodiment, when receiving network connection release information from the controller 202, the access control application 211 may terminate the application or block all network access of the application.

7 illustrates a signal flow diagram for user authentication according to various embodiments.

In order for the node 201 to be granted detailed access rights to the destination network, the access control application 211 of the node 201 may authenticate the user of the node 201 from the controller 202 . According to an embodiment, node 201 may be substantially the same as node 201 of FIG. 2 in which connection control application 211 is installed.

Referring to FIG. 7 , node 201 may receive an input for user authentication. An input for user authentication may be, for example, a user input for inputting a user ID and password. For another example, the input for user authentication may be a user input (eg, biometric information) for stronger authentication. In this case, the access control application 211 of the node 201 may request user authentication from the controller 202 in operation 705 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication together with control flow identification information.

At operation 710 , controller 202 may authenticate the user based on the information received from node 201 . For example, the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (e.g., the access policy database of FIG. 3). 311 or the blacklist database 314), it is possible to determine whether the user can access according to the access policy and whether the user is included in the blacklist.

If the user is authenticated, in operation 715, the controller 202 may add user identification information (eg, user ID) to identification information of the control flow. The added user identification information can be used for the authenticated user's controller access or network access.

In operation 720, the controller 202 generates whitelist information of accessible applications in the access policy database 311 that corresponds to the identified information (eg, node 201 and source network information to which the node 201 belongs). can do. In one embodiment, the controller 202 may send the application white list to the connection control application 211 at operation 725 .

In operation 725, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In one embodiment, the controller 202 may transmit the application white list generated through the execution of operation 720 to the connection control application 211 .

At operation 730, the access control application 211 may perform a check on the application. For example, the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 . According to the embodiment, the access control application 211 may check whether an application included in the application white list is installed on the node 201, and whether the installed application is integrity and safety according to a validation policy (eg: It can check whether the application has been forged or tampered with, code signing inspection, fingerprint inspection).

At operation 735 , the access control application 211 may transmit the test results to the controller 202 .

In operation 740, the controller 202 may check whether the application is valid based on the received application information. For example, if it is a valid application, the controller 202 determines the node 201 identified in the access policy 311, the source IP, the user, the target application 212, and the destinations to which the identified target application 212 can connect. IP and port information can be checked, and the authentication state of a network boundary (eg, the communication device 203) that must be passed through to access the destination IP and port can be checked.

In operation 745, the authentication state of the network boundary (eg, the communication device 203) through which access to the destination IP and port is to be accessed with the identified target information is complete or authentication is complete (eg, network boundary such as NAC and VPN). When authentication is completed with target information identified by technology and access is possible), when there is no need for authentication (e.g., when identified target information such as a firewall is always allowed by whitelist without separate authentication), The controller 202 may generate data flow information including authentication information including transport protocol information, source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure. there is. In this case, the controller 202 may transmit the generated data flow to the connection control application 211 of the node 201 (operation 750).

In operation 755, the access control application 211 may process the resulting value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen indicating completion of user authentication to the user. When user authentication is complete, the request for network access of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that user authentication of node 201 is not possible. For example, if identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database, the controller 202 may determine that the node 201 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect user identification information in operation 715 and may transmit a response indicating that access to the controller is impossible in operation 725 . Also, in this case, operations 730 to 750 may not be performed.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.

According to an embodiment, when receiving network connection release information from the controller 202, the access control application 211 may terminate the application or block all network access of the application.

8 illustrates a signal flow diagram for network access according to various embodiments.

After node 201 is authorized by controller 202, node 201 controls the network access of other applications stored in node 201 through node 201's access control application 211 to provide trusted data. delivery can be guaranteed. According to an embodiment, node 201 may be substantially the same as node 201 of FIG. 2 in which connection control application 211 is installed.

Referring to FIG. 8 , in operation 805 , the access control application 211 may detect a network connection event of another application stored in the node 201 (eg, the target application 212 of FIG. 2 ).

In operation 810, the access control application 211 may check the existence of a data flow corresponding to identification information of the application requesting network access, destination network identification information, and port information. Depending on the embodiment, if a data flow exists but is not valid, the access control application 211 may drop the data packet. According to another embodiment, if a data flow exists, the access control application 211 may transmit a data packet based on the data flow. According to the embodiment, the access control application 211 of the node 201 may perform a network access request in operation 815 without performing operation 810 .

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time expires and renewal is required, in operation 815, the access control application 211 may request the controller 202 to access the network. For example, the network access request may include control flow identification information, destination network identification information, and port information.

In operation 820, the controller 202 determines the access requested identification information (eg, destination network identification information) in the access policy corresponding to the identified information (eg, node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible can be checked. According to the embodiment, the controller 202 can check whether the target application can access the communication device 203 or the service server 205 . Depending on the embodiment, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 when the network connection is unavailable (operation 835).

If access is possible, in operation 825, the controller 202 determines the node 201 identified in the access policy 311, the source IP, the user, the target application 212, and the destination to which the identified target application 212 can access. IP and port information can be checked, and the authentication state of a network boundary (eg, the communication device 203) that must be passed through to access the destination IP and port can be checked.

In operation 830, the authentication state of the network boundary (eg, communication device 203) through which access to the corresponding destination IP and port is to be reached with the identified target information is verified, or authentication is completed (eg, network boundary such as NAC and VPN). When authentication is completed with target information identified by technology and access is possible), when there is no need for authentication (e.g., when identified target information such as a firewall is always allowed by whitelist without separate authentication), The controller 202 may generate data flow information including authentication information including transport protocol information, source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure. there is. In this case, the controller 202 may transmit the generated data flow to the connection control application 211 of the node 201 (operation 835).

According to an embodiment, if a valid data flow exists, the controller 202 may transmit a network connection result to the node 201 by performing operation 835 without generating a data flow.

At operation 840 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, when the connection control application 211 receives a network connection failure result from the controller 202, it may drop a data packet to be transmitted by the target application. For another example, when a data flow is received from the controller 202, the access control application 211 may transmit a data packet based on the received data flow. In this case, the access control application 211 may update the existing data flow with the received data flow.

According to an embodiment, in FIG. 8 , when a network access event of the target application occurs, the access control application 211 performs a network access request to the controller 202 and processes the data packet of the target application based on the received result. Operation is shown, but is not limited thereto. That is, when a network connection event of the target application occurs, the access control application 211 can check whether a data flow corresponding to the target application exists, and after transmitting the data packet based on the data flow, the controller 202 ) to block network access, the controller 202 checks the authentication status between the communication device 203 and the node 201, and based on the checked result, the connection control application 211 connects to the network of the target application. A structure for controlling access can be provided.

9 illustrates a signal flow diagram for node connection status request according to various embodiments.

The communication device 203 (network boundary (e.g. VPN, NAC, SWG)) performing authentication on the node 201 prior to allowing comprehensive network access to the node 201 of the identified node 201. The access control application 211 is installed, executed, and authenticated on the node 201 identified based on information (eg, user information, source IP address, MAC address, node identification information, certificate information, etc.) In order to check whether network access is being controlled, a connection state request operation between the communication device 203 and the controller 202 may be performed through means such as an API connected in advance.

If the operation shown in FIG. 9 is not performed, since the communication device 203 allows comprehensive network access occurring in the node 201 after self-authentication, malware, ransomware, or unusable applications are not allowed. Insecure or unsafe applications can always access unauthorized services.

Therefore, in order to check whether the network connection of the node 201 is controlled before allowing a comprehensive network connection, the communication device 203 provides identification information and information of the node 201 and identification of the communication device 203. Information may be transmitted to the controller 202 .

Referring to FIG. 9 , in operation 905 , the communication device 203 may request a node connection status to the controller 202 . For example, the communication device 203 may transmit identification information of the communication device 203 and identification information of the node 201 that has performed the authentication request to the controller 202 and request a node connection state.

According to the embodiment, when the communication device 203 stores information indicating that the node 201 has previously been connected to the controller 202, the node 201 does not perform the operations shown in FIG. authentication can be performed.

According to an embodiment, the communication device 203 may perform the operations shown in FIG. 9 to check whether the node 201 is connected to the controller 202 when the node 201 performs an authentication request. can

In operation 910, the controller 202 may check whether the communication device 203 is a valid communication device 203 based on the received identification information of the communication device 203. According to the embodiment, if the communication device 203 is invalid, the controller 202 may return access impossible state information to the communication device 203 (operation 920).

If it is a valid communication device 203, in operation 915, the controller 202 controls the node 201 based on the identification information of the node 201 or the connection control application 211 executed on the node 201. You can check whether a flow exists. According to the embodiment, when the control flow corresponding to the node 201 does not exist, the controller 202 determines that the node 201 is not connected and transmits connection failure state information to the communication device 203. may (act 920).

When a control flow corresponding to the node 201 exists, in operation 920, the controller 202 may return access availability status information to the communication device 203.

In operation 925 , the communication device 203 may process the result value of the node connection status request received from the controller 202 . For example, upon receiving an accessible state, the communication device 203 may perform authentication with the node 201 to allow comprehensive network access. For another example, when receiving an unavailable state, the communication device 203 may reject authentication of the node 201 and induce the node 201 to install, execute, or authenticate the access control application 211. there is.

10 illustrates a signal flow diagram for node connection state update according to various embodiments.

The controller 202, which controls the network access of the node 201, is connected to the node 201 of the communication device 203 (network boundary (e.g., VPN, NAC, SWG)) that performs authentication for the node 201. Based on the identification information (eg user information, source IP address, MAC address, node identification information, certificate information, etc.) of the node 201 to allow or block comprehensive network access to the node 201 access control application When the connection state of the node 201 is changed, such as when 211 is terminated or logged out, the control flow is released, or when the access control application 211 is executed to complete access and authentication and a control flow is created A node connection state update operation between the communication device 203 and the controller 202 may be performed through means such as an API connected in advance.

Referring to FIG. 10 , in operation 1005 , the controller 202 may request the communication device 203 to update the connection state of the node 201 . For example, when the state of the node 201 is changed, the controller 202 sends a request to update the connection state of the node 201 while transmitting identification information and state information of the node 201 whose state has changed to the communication device 203. can be done

According to the embodiment, the controller 202 does not perform the operations shown in FIG. 10 when authentication between the communication device 203 and the node 201 is completed and the connection between the controller 202 and the node 201 is completed. may not be

In operation 1010, the communication device 203 may update the connection state of the node 201. For example, the communication device 203 checks the received identification information and state information of the node 201, and when the node 201 is in a state where it cannot perform network access control (eg, the node 201 When the access control application 211 is terminated or logged out, or when the control flow is released), the connection of the node 201 may be blocked. For another example, when the controller 202 is in a state where the connection of the node 201 is being controlled, the communication device 203 performs authentication when there is an authentication request from the node 201 to allow comprehensive network access. can do. For another example, when the controller 202 is controlling the access of the node 201 and authentication with the node 201 is completed, the communication device 203 informs the controller 202 that the authentication of the node 201 is complete. By returning the information, a response may be sent so that the controller 202 can update authentication information and authentication status information between the communication device 203 and the node 201 (operation 1015).

In operation 1020, the controller 202 may process the result value received from the communication device 203. For example, when the controller 202 receives authentication completion state information of the node 201 from the communication device 203, the communication device 202 based on the identification information of the communication device 203 and the identification information of the node 201. Authentication information and status information between 203 and node 201 may be updated.

11 illustrates a signal flow diagram for node connection state and policy update according to various embodiments.

The communication device 203 (network boundary (e.g., VPN, NAC, SWG)) performing authentication on the node 201 allows comprehensive network access to the node 201, and then identification information of the node 201. If the node 201 requests network access through the access control application 211 based on (e.g., user information, source IP address, MAC address, node identification information, certificate information, etc.), network access may be allowed. In order to update the authentication status between the communication device 203 and the node 201, the connection status and policy update operation between the communication device 203 and the controller 202 may be performed through means such as an API connected in advance. .

In addition, when the node 201 connected to the communication device 203 performing authentication on the node 201 terminates the connection, the communication device 203 identifies the node 201 based on the identification information of the node 201. Performs a procedure for updating the authentication status between the communication device 203 and the node 201 so that it can no longer access the network through the access control application 211.

Referring to FIG. 11 , in operation 1105 , the communication device 203 may request the controller 202 to update the access state and policy of the node 201 . For example, the communication device 203 may transmit the identification information of the node 201 and the identification information of the communication device 203 to the controller 202 and request a connection status and policy update of the node 201. .

In operation 1110, the controller 202 may determine whether the communication device 203 is a valid communication device 203 based on the received identification information of the communication device 203. According to the embodiment, if the communication device 203 is not valid, the controller 202 may return update failure information to the communication device 203 (operation 1120).

If it is a valid communication device 203, in operation 1115, the controller 202 may update identification information and authentication status information of the node 201 to the identified communication device 203. According to an embodiment, upon receiving from the communication device 203 an authentication status for the node 201 to no longer be able to access the network via the access control application 211, the controller 202 is responsible for the node 201's In the data flow corresponding to the identification information, the access permitted list to the communication device 203 may be deleted and updated.

In operation 1120 , the controller 202 may transmit a connection status and policy update response to the communication device 203 .

In operation 1125 , the communication device 203 may process the connection state of the node 201 and the response to the policy update received from the controller 202 .

12 shows a signal flow diagram for control flow update according to various embodiments.

Referring to FIG. 12 , in operation 1205, the access control application 211 may detect a control flow update event.

In operation 1210, the access control application 211 may request a control flow update from the controller 202 based on the control flow identification information.

In operation 1215, the controller 202 may check whether a control flow exists in a control flow table (eg, the control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (eg, when the connection is disconnected by another security system, when the connection is disconnected by its own risk detection, etc.), the controller 202 determines that the connection of the node 201 is valid. Therefore, a connection failure result may be transmitted to the connection control application 211 (operation 1220).

When a control flow exists, the controller 202 may check a data flow corresponding to the control flow. In this case, the controller 202 may update the update time included in the control flow and search data flow information corresponding to the control flow.

According to an embodiment, the controller 202 may return corresponding data flow information when re-authentication needs to be performed among data flows or there is a data flow to which access is no longer possible (operation 1220).

At operation 1225 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, the access control application 211 may block all network accesses of applications when the control flow update result is impossible. For another example, the access control application 211 may update the data flow when the control flow update result is normal and updated data flow information exists.

13 illustrates a signal flow diagram for disconnection according to various embodiments.

Referring to FIG. 13 , in operation 1305, the node 201 terminates the node 201, terminates the access control application 211, terminates the target application, no longer uses the network connection, and information identified from the interworking system. At least one of connection termination requests may be detected based on . In this case, at operation 1310, node 201 or access control application 211 may request controller 202 to remove the control flow.

In operation 1315, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1320, the controller 202 may remove all data flows dependent on the removed control flow. Thus, node 201 can no longer connect to the destination network based on the removed data flow.

14 illustrates a signal flow diagram for termination of application execution according to various embodiments.

Referring to FIG. 14 , in operation 1405, the access control application 211 of the node 201 may check in real time whether or not the running application is terminated, and may detect an application execution termination event.

Depending on the embodiment, the access control application 211 may check whether a data flow corresponding to terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.

At operation 1410 , the connection control application 211 may issue a data flow removal request to the controller 202 . For example, the access control application 211 may transmit identification information of a terminated application or identification information of a data flow corresponding to the terminated application to the controller 202 and may perform a data flow removal request.

In operation 1415, the controller 202 may delete the data flow requested to be removed.

15 is an operational flowchart illustrating a method of operating an access control application installed in a node according to various embodiments. According to an embodiment, the operations shown in FIG. 15 may be performed via node 201 and access control application 211 of FIGS. 2A and 2B .

Referring to FIG. 15 , in operation 1505, the access control application 211 installed in the node 201 may request a network connection to an external server. For example, the network access request may include identification information of a target application and identification information of a destination network.

At operation 1510, the connection control application 211 may receive a data flow from an external server. For example, the external server may create a data flow and transmit it to the access control application 211 when a network connection is available.

According to the embodiment, the data flow may be generated in the external server when authentication between the communication device 203 and the node 201 is completed and connection between the node 201 and the external server is completed.

At operation 1515, the access control application 211 may be configured to transmit data packets of the target application through the communication device based on the data flow.

16 is an operational flowchart illustrating a method of operating a server according to various embodiments. According to an embodiment, the operations shown in FIG. 16 may be performed through the controller 202 of FIG. 2 .

Referring to FIG. 16 , in operation 1605, a server may receive a network access request from an access control application of a node.

In operation 1610, the server may check whether the target application can access the destination network based on the database.

In operation 1615, if the connection is possible, the server may check an authentication state between the communication device and the node through which the target application must pass in order to access the destination network.

According to the embodiment, if authentication is completed or authentication is not required, the server may generate and transmit a data flow to the access control application so that the target application can access the destination network (operation 1620).

According to the embodiment, if authentication is not completed, the server may request confirmation of authentication completion from the communication device 203 or may transmit a network connection failure result to the node (operation 1620).

17 is an operational flowchart illustrating a method of operating a communication device according to various embodiments. According to an embodiment, the operations shown in FIG. 17 may be performed through the communication device 203 of FIG. 2 .

Referring to FIG. 17 , at operation 1705 , communication device 203 may receive an authentication request from node 201 .

In operation 1710, the communication device 203 may receive a result of requesting confirmation from the external server as to whether or not the connection between the node and the external server has been completed.

According to the embodiment, when the connection between the node and the external server is completed, the communication device 203 may perform authentication and transmit an authentication result to the node (operation 1715).

According to an embodiment, the communication device 203 may reject authentication of the node when the connection between the node and the external server is not completed (operation 1715).

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (17)

In node,
communication circuit; a processor in operative connection with the communication circuitry; and a memory operably coupled with the processor, wherein the memory stores a target application and a connection control application, wherein the memory, when executed by the processor, causes the node to:
Perform a network access request to an external server through the access control application, the network access request includes identification information of the target application and identification information of the destination network,
If access to the destination network is possible, receiving a data flow from the external server;
storing instructions, configured to transmit a data packet of the target application through a communication device based on the data flow;
The data flow is generated and received by the external server when the node completes authentication with the communication device and a controller connection between the node and the external server is completed,
The communication device and the external server transmits and receives whether authentication between the node and the communication device has been completed or whether a controller connection between the node and the external server has been completed. The method of claim 1, wherein the instructions are the node,
Performing a network access request to the external server or requesting access to the external server through the access control application;
configured to receive a connection result or the data flow from the external server;
If the network connection request or the connection request to the external server exists, the external server checks authentication between the communication device and the node by itself or by querying the communication device,
A node configured to generate the data flow or transmit a connectable result to the node when authentication between the communication device and the node is completed and access is possible. According to claim 1,
The communication device,
If there is an authentication request from the node, request the external server to confirm whether the node is connected to the external server;
When the node is connected to the external server, authentication of the node is completed to allow the node to access the network;
A node configured to reject authentication of the node when the node is not connected to the external server, and induce the node to install and execute the access control application. According to claim 1,
The communication device,
A node through which the target application must pass in order to access the destination network. According to claim 1,
wherein the communication device is included in the node. According to claim 1,
The communication device includes at least one of a VPN (Virtual Private Network), NAC (Network Access Control), SWG (Secure Web Gateway), and FW (Firewall), the node. In node,
communication circuit; a processor in operative connection with the communication circuitry; and a memory operably coupled with the processor, wherein the memory stores a target application and a connection control application, wherein the memory, when executed by the processor, causes the node to:
Detecting a network access event of the target application through the access control application;
If there is a data flow corresponding to the target application and received from an external server, transmitting a data packet of the target application to the communication device;
Perform a network access blocking request to an external server, the network access blocking request includes identification information of the target application and identification information of the destination network;
If the connection is to be blocked, receive an access blocking result from the external server;
Store instructions, configured to update the connection blocking result to the data flow;
The connection blocking result is generated in the external server when the authentication state between the communication device and the node is in a state in which authentication has not been completed or a state in which connection is impossible,
The communication device and the external server transmits and receives whether authentication between the node and the communication device has been completed or whether a controller connection between the node and the external server has been completed. in the server,
communication circuit; a memory for storing a database; and a processor in operative connection with the memory and the communication circuitry; Including, the processor,
Receive a network access request from an access control application of a node, the network access request including identification information of a target application of the node and identification information of a destination network;
Check whether the target application can access the destination network based on the database;
If access is possible, check the authentication status between the communication device and the node through which the target application must pass in order to access the destination network;
When authentication is completed or authentication is not required, a data flow is generated and transmitted to the access control application so that the target application can access the destination network;
If authentication is not completed, request the communication device to confirm authentication completion or transmit a network connection failure result to the node;
Wherein the communication device and the server transmit/receive whether authentication between the node and the communication device has been completed or whether a controller connection between the node and the server has been completed. The method of claim 8, wherein the processor,
Receiving a connection state confirmation request of the node from the communication device, the connection state confirmation request including identification information of the communication device and identification information of the node;
Check whether the communication device is valid based on the database and the identification information of the communication device;
If it is a valid communication device, check whether the node is in a connected state;
If the node is in a connected state, transmits access availability state information to the communication device;
and transmits only a connection result to the communication device if the node is not in a connected state or the communication device is not a valid communication device. The method of claim 8, wherein the processor,
Upon receiving a request to terminate the connection to the server from the node,
The server configured to transmit information indicating that the connection with the node is terminated to the communication device and request a node status update. The method of claim 8, wherein the processor,
Upon receiving a request for access to the server from the node,
Checking whether the node is accessible based on the database;
If access is possible, a control flow is generated to transmit information indicating that access is possible to the node;
The server configured to transmit information indicating that it is connected to the node to the communication device and request a node status update. The method of claim 8, wherein the processor,
Receiving a request to update authentication state information of the node from the communication device;
The authentication status information update request includes identification information of the communication device and identification information of the node;
Check whether the communication device is valid based on the database and the identification information of the communication device;
If it is a valid communication device, update identification information of the node and authentication status information of the node in a policy related to the communication device, and transmit an update result to the communication device;
and transmit only a connection result if the communication device is not a valid communication device. In the communication device,
communication circuit; Memory; and
a processor in operative connection with the memory and the communication circuitry; Including, the processor,
receive an authentication request from a node;
Requesting an external server to confirm whether or not the connection between the node and the external server is completed and receiving a result;
When the connection between the node and the external server is completed, authentication is performed and an authentication result is transmitted to the node;
configured to reject authentication of the node when the connection between the node and the external server is not completed;
When authentication of the node is completed or access to the node is terminated, information indicating that authentication of the node is completed or information indicating that connection of the node is terminated is transmitted to the external server and a request is made to update the connection state of the node. A communication device configured to do so. The method of claim 13, wherein the processor,
A node connection state update request is received from the external server, and the node connection state update request includes identification information of the node, information indicating that the connection between the node and the external server is terminated, or indicating that the node and the external server are connected. contains information;
When information indicating that the connection between the node and the external server is terminated is received, the network connection of the node identified based on the identification information of the node is blocked;
When information indicating that the node is connected to the external server is received, authentication of the node identified based on the identification information of the node is performed to allow the node to access the network, or the authentication status of the node is transmitted to the external server. A communication device configured to return. delete In the method of operating the server,
receiving a network connection request from an access control application of a node, the network connection request including identification information of a target application of the node and identification information of a destination network;
checking whether the target application can access the destination network based on a database; and
if access is possible, checking an authentication state between a communication device through which the target application must pass in order to access the destination network and the node;
If authentication is completed or authentication is not required, a data flow is generated and transmitted to the access control application so that the target application can access the destination network, and if authentication is not completed, requesting confirmation of authentication completion from the communication device, or , transmitting a network access failure result to the node; including,
The communication device and the server transmit and receive whether or not authentication between the node and the communication device has been completed or whether a controller connection between the node and the server has been completed. In the operating method of the communication device,
receiving an authentication request from a node;
requesting an external server to confirm whether or not the connection between the node and the external server is completed and receiving a result;
performing authentication and transmitting an authentication result to the node when the connection between the node and the external server is completed, and rejecting authentication of the node when the connection between the node and the external server is not completed; and
When authentication of the node is completed or the connection of the node is terminated, transmitting information indicating that the authentication of the node is completed or information indicating that the connection of the node is terminated to the external server and requesting an update of the connection state of the node movement; Including, how.