KR102588355B1 - System for controlling network access and method of the same - Google Patents

Abstract

A router according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a connection control application, the memory comprising: When executed by the processor, the router detects a network connection event of a node through the access control application, and the network connection event includes identification information of the node and node authentication information, the identification information of the node, Perform a network connection request to an external server based on the identification information of the destination network of the node, receive a data flow corresponding to the identification information of the node from the external server, and independently perform authentication of the node authentication information, or When the authentication result is received from the external server and authentication of the node authentication information is completed, commands configured to process a data packet to be transmitted by the node based on the data flow may be stored.

Description

System for controlling network access and method related thereto {SYSTEM FOR CONTROLLING NETWORK ACCESS AND METHOD OF THE SAME}

Embodiments disclosed in this document relate to a system and method for controlling network access.

Multiple devices can communicate data over a network. For example, a terminal can transmit or receive data to and from a server via the Internet. Networks may include public networks such as the Internet as well as private networks such as intranets.

Terminals and nodes other than those commonly used by users, such as industrial terminals and IoT (Internet of Things), are connected to a router for connection and communication with wired and wireless networks.

The router can be connected to a telecommunication company's wireless network using wireless communication technology such as LTE/5G, or access the service through an ISP (Internet Service Provider) through a wired network. The terminal that actually performs communication is wired or WIFI, It can be connected to the router through various connection methods such as LoRa (Long Range) and Serial.

Because industrial terminals and IoT terminals are low-power or low-spec terminals or use their own operating systems, problems may occur in which network access control applications cannot be installed.

To solve these problems, telecommunication companies and ISPs perform network access control between the Internet or services through gateways connected to routers, and traditional firewalls, IPS (Intrusion Prevention System), and DPI (Deep Packet Inspection) technologies are used. A method is used to manually register the service IP policy that can be accessed based on the assigned IP based on unique information to identify the router (e.g. USIM-based Subscriber ID), but in reality, the terminal that is the subject of communication There may be limitations to directly controlling network access.

In particular, the current communication technology that performs network access control through a gateway that exists between the Internet or service boundaries receives all data packets transmitted from the router and then determines whether to forward the data packets through a filtering policy, so pay as you go. When using a wireless network or cloud network that requires paying a fee for using data packets, a problem may arise where excessive fees are charged due to the transmission of large amounts of data packets from various applications included in uncontrollable terminals.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above-described problems in a network environment.

A router according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a connection control application, the memory comprising: When executed by the processor, the router detects a network connection event of a node through the access control application, and the network connection event includes identification information of the node and node authentication information, the identification information of the node, Perform a network connection request to an external server based on the identification information of the destination network of the node, receive a data flow corresponding to the identification information of the node from the external server, and independently perform authentication of the node authentication information, or When the authentication result is received from the external server and authentication of the node authentication information is completed, commands configured to process a data packet to be transmitted by the node based on the data flow may be stored.

A server according to an embodiment disclosed in this document includes a communication circuit, a memory for storing a database, and a processor operatively connected to the communication circuit and the memory, wherein the processor operates from a router connected to the node to the node. Receiving a network connection request, the network connection request includes identification information of the node, identification information of the destination network of the node, and node authentication information, and the database, identification information of the node, and destination network of the node. Based on the identification information, it is checked whether the node can connect to the destination network. If access is possible, the node authentication information is decrypted based on the database and authentication is performed. When authentication of the node authentication information is completed, , a data flow corresponding to the identification information of the node and the identification information of the destination network of the node is generated and transmitted to the router and the gateway, the data flow includes data packet filtering information and data packet QoS information, and the node It may be configured to transmit an authentication result of authentication information to the router.

A method of operating an access control application installed on a router according to an embodiment disclosed in this document includes detecting a network connection event of a node, the network connection event including identification information and node authentication information of the node, and the node Identification information, performing a network connection request to an external server based on identification information of the destination network of the node, receiving a data flow corresponding to the identification information of the node from the external server, the node authentication information A step of performing authentication itself or receiving an authentication result from the external server, and when authentication of the node authentication information is completed, processing a data packet to be transmitted by the node based on the data flow. How to.

According to the embodiments disclosed in this document, it includes a minimum authentication step to identify a node connected to the router, and performs network access control based on data flow information provided through a controller in the router relaying actual communication. Methods for performing it can be provided.

In addition, according to the embodiments disclosed in this document, it is possible to identify authorized MAC addresses based on arbitrarily changeable MAC addresses and block the access of unauthorized nodes attempting to access the network through forgery and forgery.

In addition, according to embodiments disclosed in this document, a node connected to the router may perform a network access request including authentication information based on information such as an authentication information generation algorithm and an assigned authentication information generation key, and the router By allowing network access only when authentication of the relevant authentication information is completed, communication targets can be safely identified and authenticated instead of arbitrarily changed MAC addresses.

In addition, according to embodiments disclosed in this document, when a network connection event occurs based on authentication information, the router checks whether the controller can be accessed and creates a channel based on the result or a network connection event based on the created channel. Access may be permitted.

In addition, according to the embodiments disclosed in this document, the network access of nodes connected to the router can be unified and controlled through an access control application installed on the router, so that the node's network access can be controlled more efficiently and safely.

In addition, various effects that can be directly or indirectly identified through this document may be provided.

Figure 1 shows an environment including multiple networks.
Figure 2 shows an architecture within a network environment according to various embodiments.
3 is a functional block diagram showing a database stored in a controller according to various embodiments.
Figure 4 shows a functional block diagram of a router according to various embodiments.
Figure 5 explains operations for controlling transmission and response of data packets according to various embodiments.
Figure 6 shows a signal flow diagram for connecting a router controller according to various embodiments.
Figure 7 shows a signal flow diagram for certificate authentication of a router according to various embodiments.
Figure 8 shows a signal flow diagram for changing channel state information of a router according to various embodiments.
Figure 9 shows a signal flow diagram for network connection of a router according to various embodiments.
Figure 10 shows an example data packet according to various embodiments.
FIG. 11 illustrates an operation flowchart for controlling transmission of data packets by a router according to various embodiments.
FIG. 12 illustrates an operation flowchart for controlling reception of data packets by a router according to various embodiments.
Figure 13 shows a signal flow diagram for updating a control flow of a router according to various embodiments.
Figure 14 shows a signal flow diagram for disconnection of a router according to various embodiments.
Figure 15 is an operation flowchart showing a method of operating an access control application installed on a router according to various embodiments.
Figure 16 is an operation flowchart showing a server operation method according to various embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS Various embodiments of the present invention are described below with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, but should be understood to include various modifications, equivalents, and/or alternatives to the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one or plural items, unless the relevant context clearly indicates otherwise. In this document, “A or B”, “at least one of A and B”, “at least one of A or B”, “A, B or C”, “at least one of A, B and C” and “A, Each of phrases such as “at least one of B, or C” may include any one of the items listed together in the corresponding phrase, or any possible combination thereof. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish one component from another, and to refer to that component in other respects (e.g., importance or order) is not limited. One (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.” When mentioned, it means that any of the components can be connected to the other components directly (e.g. wired), wirelessly, or through a third component.

Each component (eg, module or program) described in this document may include singular or plural entities. According to various embodiments, one or more of the corresponding components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (eg, modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each component of the plurality of components in the same or similar manner as those performed by the corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations may be executed in a different order, or omitted. Alternatively, one or more other operations may be added.

The term “module” used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrated part or a minimum unit of the parts or a part thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (e.g., a program or application) including one or more instructions stored in a storage medium (e.g., memory) that can be read by a machine. For example, the processor of the device may call at least one instruction among one or more instructions stored from a storage medium and execute it. This allows the device to be operated to perform at least one function according to the at least one instruction called. The one or more instructions may include code generated by a compiler or code that can be executed by an interpreter. A storage medium that can be read by a device may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain signals (e.g. electromagnetic waves), and this term refers to cases where data is semi-permanently stored in the storage medium. There is no distinction between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided and included in a computer program product. Computer program products are commodities and can be traded between sellers and buyers. A computer program product may be distributed in the form of a machine-readable storage medium (e.g. compact disc read only memory (CD-ROM)) or through an application store or between two user devices (e.g. smartphones). It may be distributed in person or online (e.g., downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be at least temporarily stored or temporarily created in a machine-readable storage medium, such as the memory of a manufacturer's server, an application store server, or a relay server.

Figure 1 shows an environment including multiple networks.

Referring to FIG. 1, the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101. In FIG. 1 and the embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances and is not limited to the above-mentioned devices. For example, the source node 101 may include a server or gateway that can transmit data packets through an application. The source node 101 may also be referred to as an ‘electronic device’ or a ‘terminal’. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101. As another example, the destination node 102 may be substantially the same as the destination network.

The source node 101 may attempt to access the second network 20 and transmit data to the destination node 102 included in the second network 20. The source node 101 may transmit data to the destination node 102 through a router or gateway 103.

If the connection of the source node 101 to the first network 10 is approved, the source node 101 can communicate with all servers included in the first network 10, and therefore the source node 101 is malicious. ) may be exposed to program attacks. For example, the source node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browsers 110a and business applications 110b. ) It is possible to receive data from untrusted or unsecured applications, such as the business application 110d.

The source node 101 infected by a malicious program may attempt to connect to the second network 20 and/or transmit data. If the second network 20 is formed based on IP, such as a VPN, it may be difficult for the second network 20 to individually monitor a plurality of devices included in the second network 20, and application at the OSI layer may be difficult. Security at the layer or transport layer may be vulnerable. Additionally, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be transmitted to another electronic device (e.g., the destination node 102) within the second network 20. You can.

Figure 2 shows an architecture within a network environment according to various embodiments.

Referring to FIG. 2, nodes 231 and 232 may be various types of devices capable of performing data communication. For another example, the nodes 231 and 232 may be connected to portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, and virtual reality (VR) devices. ) may include devices, or home appliances, and is not limited to the above-mentioned devices. For example, nodes 231 and 232 may include servers or gateways capable of transmitting data packets through an application. Nodes 231 and 232 may also be referred to as ‘electronic devices’ or ‘terminals.’ According to the embodiment, the nodes 231 and 232 may include a plurality of nodes (eg, the first node 231 and the second node 232).

Router 201 may be connected to nodes 231 and 232. For example, the router 201 can provide a structure in which communication is possible only when a data flow authorized by the controller 202 exists in order for the connected nodes 231 and 232 to access the services 233 and 234, If a data flow does not exist, a structure in which the nodes 231 and 232 cannot communicate may be provided. Additionally, the router 201 may include an access control application 211 and a network driver to control network access of nodes 231 and 232 connected to the router 201.

According to the embodiment, when a network connection request occurs from the nodes 231 and 232, the router 201 can check whether connection is possible with the controller 202, and only if connection is possible, data generated by the controller 202 Data packets can be transmitted to the gateway 203 located at the border of the network providing services 233 and 234 through flow information.

Additionally, devices providing services 233 and 234 may be various types of devices capable of performing data communication. As another example, devices providing services 233, 234 include portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, It may include a virtual reality (VR) device, or a home appliance device, and is not limited to the aforementioned devices. For example, a device providing services 233, 234 may include a server or gateway that can transmit data packets through an application. Devices that provide services 233 and 234 may also be referred to as 'electronic devices' or 'terminals'.

The nodes 231 and 231 are controlled by the access control application 211 included in the router 201 and can transmit data packets to devices providing services 233 and 234 or, conversely, receive data packets. Some of the applications contained in nodes 231, 231 may be trusted and/or secure applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, so in embodiments The network access system according to the present invention can block access to devices providing services 233 and 234 of unauthorized programs (applications) through network access control of the access control application 211 and isolate the programs.

Controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within a network environment by managing data transmission between the router 201 and devices providing services 233 and 234. For example, the controller 202 may allow the authorized router 201 (or the access control application 211) to access the network through policy information or blacklist information. The controller 202 may provide authentication information to perform authentication between the router 201 and the nodes 231 and 232. Accordingly, the access control application 211 of the router 201 can prevent unauthorized nodes 231 and 232 from transmitting data packets for unauthorized purposes.

According to the embodiment, the network connection of the nodes 231 and 232 may be blocked from the access control application 211, the controller 202, or the gateway 203. According to one embodiment, the controller 202 is a connection control application (e.g., registration, authorization, authentication, renewal, termination) to perform various operations (e.g., registration, approval, authentication, renewal, termination) associated with the network connection of the router 201 or the access control application 211. 211) and control data packets can be transmitted and received. The flow through which control data packets are transmitted (e.g., 220) may be referred to as a 'control flow'. According to an embodiment, the controller 202 can maintain a secure network state at all times by immediately reclaiming a channel according to a security event received from a linked system (e.g., router 201, gateway 203). Additionally, the above structure can be applied substantially in the same way to the relationship between the gateway 203 and the controller 202.

According to the embodiment, the controller 202 may communicate with the communication service 206, and when the router 201 operates while connected to a wireless communication provider or an Internet Service Provider (ISP) provider's own network, the router 201 ) can be requested to check whether router access is allowed to the communication service 206 and the result can be received to check whether it is a valid target that can be connected.

According to various embodiments, the router 201 may include a connection control application 211 and a network driver (not shown) to manage the network connection of the nodes 231 and 232. For example, when a connection event occurs from the nodes 231 and 232 to a device providing services 233 and 234, the connection control application 211 may determine whether the nodes 231 and 232 can be connected. . If the nodes 231 and 232 are connectable, the connection control application 211 can send data packets to the devices providing services 233 and 234, and receive data packets from the devices providing services 233 and 234. You can receive it. The access control application 211 can control the transmission of data packets within the router 201 through a kernel including an operating system and a network driver.

3 is a functional block diagram showing a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for performing communication with an external electronic device (e.g., the communication circuit 430 in FIG. 4) and a processor for controlling the overall operation of the controller (e.g., FIG. It may further include 4 processors 410).

The administrator can access the controller 202 and set a connection-oriented policy to control access between the access control application 211 and the gateway 203 and devices providing services 233 and 234, so that the session can be established at the service end. You can control network access more precisely and safely than managing .

The access policy database 311 may include information for identification of the router 201 (router unique identification information, USIM identification information connected to the router, MAC address, etc.) and authentication (certificate, etc.). For example, a controller (202) provides the identified network (e.g., the network to which the router 201 belongs, services 233, 234) based on the policy of the access policy database 311 when the access control application 211 requests network access. network to which the device belongs), a node and/or application (e.g., an application contained in a node connected to the router 201) connects to a destination (e.g., a device or router 201 that provides services 233, 234) It is possible to determine whether this is possible. According to the embodiment, the controller 202 sets a series of information (MAC You can check whether connection is possible and create a data flow based on the destination IP, port information, and protocol information (e.g. TCP, UDP) included in the address and IP header.

If the router 201 needs a channel to connect to the gateway 203 on the connection path according to the connection policy, the channel policy database 312 stores the type of channel (tunneling or secure session, etc.) and encryption method and level. May contain information. For example, the controller 202 may provide an optimal channel for the router 201 to communicate with the gateway 203 based on a channel policy when a node connected to the router 201 requests network access.

The blacklist policy database 313 is a target (e.g., node ID (identifier), IP address) identified through analysis of security event risk, occurrence cycle, and/or behavior among security events periodically collected from the router 201. , a media access control (MAC) address, or at least one of the router's identification information) may indicate a blacklist registration policy for blocking access.

The blacklist database 314 may include a list of targets blocked by the blacklist policy database 313. For example, the controller 202 includes the identification information (e.g., router unique identification information, USIM identification information connected to the router, MAC address, etc.) of the router 201 requesting network access in the blacklist database 314. If so, the router 201 can be isolated by rejecting the network access request.

The control flow table 315 is an example of a session table for managing the flow (eg, control flow) of control data packets generated between the router 201 and the controller 202. When successfully connecting to the controller 202, control flow information may be generated by the controller 202. The control flow information may include identification information of the control flow, and information on the router 201 identified when connecting to and authenticating the controller. For example, when access to a device providing services 233 and 234 is requested from the router 201, the controller 202 can retrieve control flow information through the control flow identification information received from the router 201. and whether the router 201 or a node connected to the router 201 can access the device providing the services 233 and 234 by mapping the identification information included in the searched control flow information to the connection policy database 311. , it is possible to determine (determine) whether to create a data flow for data packet transmission.

According to one embodiment, a control flow may have an expiration time. The router 201 must update the expiration time of the control flow, and if the expiration time is not updated within a certain period of time, the control flow (or control flow information) may be removed. Additionally, if it is determined that immediate connection blocking is necessary according to security events collected from the router 201, the controller 202 may remove the control flow according to the connection termination request from the router 201. When the control flow is removed, the previously created data flow is also removed, so the connection to the router 201 may be blocked. That is, if the control flow is removed, the logical connection of the router 201 may be disconnected, making it virtually impossible to transmit and receive data packets.

The data flow table 316 is a table for managing the flow (eg, data flow) in which detailed data packets are transmitted between the node connected to the router 201 and the gateway 203. Data flow can be managed in units of network connections of nodes connected to the router 201.

Since data flow identification information (e.g., ID) for identifying a data flow, identification information of the router 201, and identification information of a node connected to the router 201 can create one or more logical connections, a data flow table ( 316) can be managed based on the control flow ID.

According to the embodiment, the data flow table 316 includes identification information of a node connected to the router 201 to identify the data flow of the authorized target, service IP and port information to be connected, and protocol information (e.g., TCP, UDP). etc.), may include detailed management unit information such as the IP assigned to the node and the received network interface identification information.

According to an embodiment, the data flow table 316 may include filtering information. For example, filtering information includes whether data packet filtering of the data flow is necessary and how data packet filtering is processed, filtering information (e.g. personal information, harmful data packet information, etc.), and prevents unnecessary or dangerous data from the router in advance. This may be information for blocking packet transmission. According to an embodiment, filtering information included in the data flow table 316 may be determined by the controller 202 based on the filtering policy 317.

According to an embodiment, the data flow table 316 may include QoS information. For example, QoS information is used to set the amount of data packets that can be transmitted per minute when QoS (Quality of Service) for data packet transmission of a data flow is required and to adjust the amount of data packets transmitted per minute at the router accordingly. It can be a series of information. According to an embodiment, QoS information included in the data flow table 316 may be determined by the controller 202 based on the data packet QoS policy 318.

According to an embodiment, the data flow table 316 may further include authentication information to check whether an allowed node transmitted the data packet. For example, authentication information is inspected by checking authentication information by protocol (e.g., for TCP, TCP SYN packet inspection, for UDP, authentication information inspection by data packet, or authentication information inspection at regular intervals (or cycles), inspection method. etc.), information for decrypting authentication information, algorithm information for generating and verifying authentication information, and a series of information included in the algorithm (e.g. information such as Secret Key when generating HMAC OTP, etc.). You can. According to an embodiment, authentication information may be determined based on the authentication policy database 321.

According to the embodiment, the data flow table 316 may be equally stored in the router 201 or the gateway 203.

The filtering policy database 317 may include whether data packet filtering is necessary, a data packet filtering processing method, and filtering information (e.g., personal information, harmful data packet information, etc.) according to the access policy. For example, the router 201 may block transmission of unnecessary or dangerous data packets in advance based on filtering information determined by the controller 202.

If QoS (Quality of Service) for data packet transmission is required according to the connection policy, the data packet QoS policy database 318 sets the amount of data packets that can be transmitted per minute, and the router 201 transmits data packets per minute accordingly. It may contain a series of information for controlling the amount of.

The channel table 319 may include identification information of a channel created between the router 201 and the gateway 203 and the IP of the channel. For example, the controller 202 may determine whether a channel has been created between the router 201 and the gateway 203 based on the channel table 319. In addition, the channel table 319 is a table for managing channels connected between the router 201 and the gateway 203, and includes a channel ID for managing and identifying the channel when a valid channel exists, and control between the gateway and the controller. It can be composed of a control flow ID for and additional information to manage TEP (tunnel end point), TSP (tunnel start point), channel algorithm and type, encryption level, etc.

The security check policy database 320 contains security check information for validating the router 201 (e.g., the execution or installation location of the operating system and major applications, signatures, fingerprints, hashes, registry, etc., unique information of the operating system and applications, operating system and a series of information for binary analysis of major applications, such as executable files, libraries and a series of files or processes referenced by the executable, memory information, and a malware detection tool or pattern DB to check whether the application and operating system are safe. Information, the router's hardware and operating system configuration information and version information, information on physically connectable devices, etc.) and security check cycle, and whether or not the control flow is released when the security check fails.

The authentication policy database 321 determines whether to authenticate network access based on the identification information of the node when connecting to the network of a node connected to the router 201 according to the access policy 311, and a series of information related to the authentication method when performing authentication. may include information.

Figure 4 shows a functional block diagram of a router according to various embodiments.

Referring to FIG. 4 , the router 201 may include a processor 410, a memory 420, and a communication circuit 430. According to one embodiment, the router 201 may further include a display 440 to interface with the user. According to the embodiment, a node connected to the router 201 may include the same or similar configuration as the router 201.

The processor 410 may control the overall operation of the router. In various embodiments, the processor 410 may include one processor core (single core) or may include a plurality of processor cores. For example, the processor 410 may include multi-core, such as dual-core, quad-core, or hexa-core. Depending on embodiments, the processor 410 may further include a cache memory located internally or externally. Depending on embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or a portion of processor 410 is electrically or operatively coupled to other components within the router (e.g., memory 420, communication circuitry 430, or display 440). It can be (coupled with) or connected to. The processor 410 may receive commands from other components of the router, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420, the communication circuit 430, or the display 440. Processor 410 may generate new messages, data, instructions, or signals based on received messages, data, instructions, or signals. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420, communication circuit 430, or display 440.

The processor 410 can process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals to the memory 420 in order to execute or control a program.

The memory 420 may store commands for controlling the router, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

Memory 420 may include one or more of volatile memory or non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). It can be included. Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc.

The memory 420 uses non-volatile media such as a hard disk drive (HDD), solid state disk (SSD), embedded multi media card (eMMC), and universal flash storage (UFS). More may be included.

According to one embodiment, the memory 420 may store the access control application 211 of FIG. 2. The connection control application 211 may perform control flow creation and update functions with the controller 202. To this end, the access control application 211 may include one or more security modules.

According to one embodiment, the memory 420 may store some of the information included in the controller's memory (eg, memory 330 in FIG. 3). For example, memory 420 may store data flow table 316 described in FIG. 3 .

Communication circuitry 430 establishes a wired or wireless communication connection between the router and an external electronic device (e.g., controller 202 of FIG. 2, a device providing services 233, 234), and performs communication over the established connection. can support. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (e.g., a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit, a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a long-distance communication such as a cellular network, the Internet, or a computer network It can communicate with external electronic devices through a network. The various types of communication circuits 430 described above may be implemented as one chip or may be implemented as separate chips.

The display 440 can output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410. Depending on embodiments, the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving touch input, etc. When the display 440 is configured as a touch screen, a plurality of touch sensors may be placed above the display 440 or below the display 440.

A server (eg, controller) according to one embodiment may include a processor 410, memory 420, and communication circuit 430. The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

Figure 5 explains an operation for controlling transmission of data packets according to various embodiments.

Referring to FIG. 5, the access control application 211 detects a network connection request for a device providing services 233 and 234 from nodes 231 and 232 connected to the router 201, and connects the router 201 or The connection control application 211 may determine whether it is connected to the controller 202. If the router 201 or the access control application 211 is not connected to the controller 202, the access control application 211 may block the transmission of data packets in the kernel or network driver that includes the operating system. there is. Through the access control application 211, the router 201 can block access of malicious nodes in advance at the application layer of the OSI layer.

Nodes 231 and 232 connected to the router 201 must connect to the controller 202 to perform authentication, and when connecting devices providing services 233 and 234 after performing authentication, the connection network information is sent to the controller 202. ) to check whether connection is possible, and if connection is possible, data packets can be transmitted to the device providing the service (233, 234).

The gateway 203 checks the data packet received from the router 201 through the controller 202, and allows sending a response data packet to the router 201 if it is a data packet transmitted by the authorized router 201. can do. For example, the gateway 203 can check whether a channel is created with the router 201 from which the data packet was received, and forward the data packet to the destination only when the channel is created.

As a result, unauthorized nodes are basically unable to communicate with each other, and even authorized nodes cannot transmit and receive data packets unless a channel determined by the controller 202 is created, according to the embodiment disclosed in this document. The network access control system may provide a state in which nodes connected to the router 201 are isolated from each other before authenticating their connection to the controller 202.

Figure 6 shows a signal flow diagram for controller connection according to various embodiments.

In order for the router 201 to connect to or receive a network, it needs to be authorized by the controller 202, so the access control application 211 of the router 201 requests the controller 202 to create a control flow, thereby enabling the router ( 201), you can try to connect to the controller.

Referring to FIG. 6, the router 201 can detect a controller connection event. For example, when the access control application 211 is installed and executed within the router 201, the router 201 may detect that a connection to the controller 202 is requested.

In operation 605, the router 201 may request controller connection to the controller 202. For example, the access control application 211 may transmit identification information of the access control application 211 to the controller 202. Additionally, the access control application 211 may use identification information of the router 201 (e.g., at least one of router unique identification information, USIM identification information connected to the router, and MAC address) and/or random information generated by the network system itself. Additional identification information may be transmitted.

In operation 610, the controller 202 may identify whether the object requesting controller connection (e.g., the access control application 211 or the router 201) can be connected. For example, the controller 202 stores the information requested by the access control application 211 for access (e.g., at least one of router unique identification information, USIM identification information connected to the router, and MAC address) in the access policy database 311. By checking whether the router 201 is in a connectable state and whether the identification information of the router 201 (at least one of the router unique identification information, USIM identification information connected to the router, and MAC address) is included in the blacklist database 314, It can be confirmed whether the router 201 is accessible.

According to the embodiment, when the router 201 operates while connected to the unique network of a wireless communication service provider or an Internet Service Provider (ISP) service provider, the controller 202 checks whether the router 201 is a valid target that can be accessed. In order to do so, the connected communication service can be requested to check whether the router 201 is allowed to access the router 201 and the result can be received.

If a connection is available, at operation 615, the controller 202 may create a control flow between the router 201 (or the connection control application 211) and the controller 202. In this case, the controller 202 generates control flow identification information in the form of a random number and controls the identification information of the router 201 (e.g., at least one of router unique identification information, USIM identification information connected to the router, and MAC address). It can be stored in the flow table 315. The information stored in the control flow table 315 may be used to authenticate the certificate of the router 201, update information of the router 201, check a policy for network access of the router 201, and/or check validity.

In operation 620, the controller 202 collects accessible data based on the access policy database 311 corresponding to the identified information (e.g., at least one of router unique identification information, USIM identification information connected to the router, and MAC address). You can create flows. In addition, the controller 202 provides the connection completion status as a result of the connection and the control flow identification information for identifying the control flow when the router 201 requests additional certificate authentication and continuously updates the router 201 information to the access control application 211. May return (action 625).

According to an embodiment, the controller 202 collects information for validating the router 201 based on the security check policy 320 (e.g., execution or installation location of the operating system and major applications, signature, fingerprint, hash, Unique information of the operating system and applications such as the registry, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable files, memory information, and whether the application and operating system are safe. Security inspection information can be transmitted to the router 201 by checking at least one of malware detection tool or pattern DB information for inspection, hardware and operating system configuration information and version information of the router, and information on physically connectable devices.

In operation 625, the controller 202 may transmit control flow identification information to the router 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller connection is unconnectable or included in the blacklist, the controller 202 may transmit unconnection information in operation 625 without generating a control flow. In one embodiment, the controller 202 may additionally transmit the confirmed security check information to the access control application 211 by performing operation 620.

In operation 630, the access control application 211 may perform a security check. For example, when the router 201 receives security check information from the controller 202, the received security check information (e.g., operation or installation location of the operating system and major applications, signature, fingerprint, hash, registry, etc.) Unique information, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable, memory information, and malware detection to check whether the application and operating system are safe. A security check may be performed based on at least one of tool or pattern DB information, router hardware and operating system configuration information and version information, and physically connectable device information).

In operation 635, the access control application 211 may transmit the security check result to the controller 202. For example, the access control application 211 may transmit the result of performing a security check based on the security check information to the controller 202.

At operation 640, controller 202 may check the security check results. For example, the controller 202 may check whether the operating system and application information included in the router 201 are valid according to the security check policy based on the received security check result information. According to the embodiment, the inspection results of the operating system and application of the router 201 are obtained through a harmful application inspection module (static inspection or AI-based inspection) included in the controller 202 or existing in another system connected to the controller 202. You can judge whether it is normal or not.

According to the embodiment, if the check of the operating system and application of the router 201 is not normal, the controller 202 may evaluate the risk level of the security check result based on the security check policy 320 and according to the risk level. You can block the connection to the router 201 by disabling the control flow, or isolate the connection to the router 201 by adding it to the blacklist. Additionally, in this case, the controller 202 may return a connection unavailable result to the router 201.

In operation 645, the controller 202 may process the channel and data flow if the operating system and application checks of the router 201 are normal. For example, the controller 202 may use the MAC address allowed based on the access policy database 311, the source IP to which the MAC address can be accessed, the destination IP, and the service in order to allow the node connected to the router 201 to access the router 201 in advance. Includes port information, protocol information and data packet transmission and reception volume recording, data packet QoS and QoS level, whether a channel is required, and information for filtering out harmful information that needs to be removed or replaced in transmitted data packets. Data flow information can be created.

Additionally, the controller 202 may check the gateway 203 to which the router 201 can access the network in the channel policy database 312 in order to allow the router 201 to access the network. For example, if a basic accessible gateway 203 exists, the controller 202 sets the type of channel that can be connected between the router 201 and the gateway 203 (e.g., tunnel, security session) and a series of channels for creating the channel. Channel information including information (authentication information, encryption algorithm, Tunnel End Point IP, etc.) can be created.

According to the embodiment, a channel is not created between the router 201 and the gateway 203, but between the gateway 203 existing in the wireless network of a telecommunication company or ISP network that exists in the network to which the router 201 belongs. When connecting through a pre-connected channel or when connecting through another channel technology between the router 201 and the gateway 203, the controller 202 may not transmit separate channel creation information to the router.

In operation 650, the controller 202 may transmit the generated channel and data flow information to the router 201. According to the embodiment, the controller 202 may also transmit the generated channel and data flow information to the gateway 203. According to the embodiment, if a data flow is not created, the controller 202 may transmit a connection failure result to the router 201 and not transmit the data flow.

In operation 655, the access control application 211 may process a result value according to the received response. For example, when connection to the controller 202 is completed, a network connection request for a destination network of a node connected to the router 201 may be controlled by the controller 202.

According to another embodiment, controller 202 may determine that router 201 is unreachable. For example, if the router 201 and/or identification information of the network to which the router 201 belongs is included in the blacklist database, the controller 202 may determine that the router 201 is inaccessible. In this case, the controller 202 may not generate a control flow in operation 615 and may transmit a response indicating that controller connection is not possible in operation 625. Additionally, in this case, operations 630 to 650 may not be performed. Depending on the embodiment, if a retry of controller connection is required, the connection control application 211 may perform operation 605 again.

In addition, the access control application 211 can update the data flow of the router 201 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that Afterwards, when a data packet transmission request is detected, the access control application 211 may process the data packet to be transmitted based on the received data flow.

According to the embodiment, when the connection control application 211 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

According to the embodiment, when there is channel information received from the controller 202 and a channel to be created, the access control application 211 requests the gateway 203 to create a channel based on the channel information to create a channel. can be created.

Figure 7 shows a signal flow diagram for certificate authentication according to various embodiments.

The router 201 may perform user authentication through a UI (User Interface), but in the case of the router 201 operating in the form of a server, authentication may be performed based on a previously issued certificate rather than user authentication without a UI. It may be possible. In this case, the router 201 must be able to perform authentication based on a certificate in a situation where there is no UI.

In operation 705, the access control application 211 of the router 201 may perform router certificate authentication to receive detailed network access rights after creating a control flow with the controller 202. For example, the access control application 211 of the router 201 may transmit authentication information generated through a certificate set in the router 201 to the controller 202 and request certificate authentication.

At operation 710, controller 202 may verify certificate authentication. For example, the controller 202 determines whether a certificate is available for access based on information requested for authentication by the access control application 211 (e.g., authentication identification information, electronic signature information, etc.) and router information corresponding to the certificate (e.g., router-specific information). It is possible to check whether at least one of identification information, USIM identification information connected to the router, and MAC address) is accessible according to the policy. Additionally, the controller 202 can check whether the certificate identification information is included in the blacklist 314 and check whether the certificate requesting authentication is blocked. According to the embodiment, when connection is impossible or the certificate is included in the blacklist, the controller 202 may transmit connection inaccessibility information to the router 201 (operation 725).

According to the embodiment, when the router 201 operates while connected to a wireless communication service provider or an Internet Service Provider (ISP) service provider's own network, the controller 202 checks whether the router 201 is a valid connectionable target. To do this, you can request a connection to the router to be checked for connection to the connected communication service and receive the result.

In operation 715, if the certificate is accessible, the controller 202 may search for a control flow corresponding to the transmitted control flow identification information and add the certificate identification information to the searched control flow. According to the embodiment, the controller 202 may return the certificate authentication completion status and the access policy information of the authenticated certificate to the router 201 as a result of certificate authentication (operation 725).

In operation 720, the controller 202 selects an accessible data flow based on the access policy database 311 corresponding to the identified information (certificate identification information, router unique identification information, USIM identification information connected to the router, MAC address, etc.). Information can be generated.

According to an embodiment, the controller 202 collects information for validating the router 201 based on the security check policy 320 (e.g., execution or installation location of the operating system and major applications, signature, fingerprint, hash, Unique information of the operating system and applications such as the registry, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable files, memory information, and whether the application and operating system are safe. Security inspection information can be transmitted to the router 201 by checking at least one of malware detection tool or pattern DB information for inspection, hardware and operating system configuration information and version information of the router, and information on physically connectable devices.

In operation 725, the controller 202 may transmit information indicating that the certificate is authenticated to the router 201 in response to the certificate authentication request. In one embodiment, the controller 202 may transmit the security check information generated by performing operation 720 to the access control application 211.

In operation 730, the access control application 211 may perform a security check. For example, when the router 201 receives security check information from the controller 202, the received security check information (e.g., operation or installation location of the operating system and major applications, signature, fingerprint, hash, registry, etc.) Unique information, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable, memory information, and malware detection to check whether the application and operating system are safe. A security check may be performed based on at least one of tool or pattern DB information, router hardware and operating system configuration information and version information, and physically connectable device information).

In operation 735, the access control application 211 may transmit the security check result to the controller 202. For example, the access control application 211 may transmit the result of performing a security check based on the security check information to the controller 202.

At operation 740, controller 202 may check the security check results. For example, the controller 202 may check whether the operating system and application information included in the router 201 are valid according to the security check policy based on the received security check result information. According to the embodiment, the inspection results of the operating system and application of the router 201 are obtained through a harmful application inspection module (static inspection or AI-based inspection) included in the controller 202 or existing in another system connected to the controller 202. You can judge whether it is normal or not.

According to the embodiment, if the check of the operating system and application of the router 201 is not normal, the controller 202 may evaluate the risk level of the security check result based on the security check policy 320 and according to the risk level. You can block the connection to the router 201 by disabling the control flow, or isolate the connection to the router 201 by adding it to the blacklist. Additionally, in this case, the controller 202 may return a connection unavailable result to the router 201.

In operation 745, the controller 202 may process the channel and data flow if the operating system and application checks of the router 201 are normal. For example, the controller 202 may use the MAC address allowed based on the access policy database 311, the source IP to which the MAC address can be accessed, the destination IP, and the service in order to allow the node connected to the router 201 to access the router 201 in advance. Includes port information, protocol information and data packet transmission and reception volume recording, data packet QoS and QoS level, whether a channel is required, and information for filtering out harmful information that needs to be removed or replaced in transmitted data packets. Data flow information can be created.

Additionally, the controller 202 may check the gateway 203 to which the router 201 can access the network in the channel policy database 312 in order to allow the router 201 to access the network. For example, if a basic accessible gateway 203 exists, the controller 202 sets the type of channel that can be connected between the router 201 and the gateway 203 (e.g., tunnel, security session) and a series of channels for creating the channel. Channel information including information (authentication information, encryption algorithm, Tunnel End Point IP, etc.) can be created.

According to the embodiment, a channel is not created between the router 201 and the gateway 203, but between the gateway 203 existing in the wireless network of a telecommunication company or ISP network that exists in the network to which the router 201 belongs. When connecting through a pre-connected channel or when connecting through another channel technology between the router 201 and the gateway 203, the controller 202 may not transmit separate channel creation information to the router.

In operation 750, the controller 202 may transmit the generated channel and data flow information to the router 201. According to the embodiment, the controller 202 may also transmit the generated channel and data flow information to the gateway 203. According to the embodiment, if a data flow is not created, the controller 202 may transmit a connection failure result to the router 201 and not transmit the data flow.

In operation 755, the access control application 211 may process a result value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen to the user indicating that certificate authentication is complete. Once certificate authentication is completed, the network connection request of the router 201 to the destination network can be controlled by the controller 202.

According to another embodiment, the controller 202 may determine that certificate authentication of the router 201 is not possible. For example, if the router 201 and/or the identification information of the network to which the router 201 belongs is included in the blacklist database, the controller 202 may determine that the router 201 is inaccessible and certificate authentication is not possible. . In this case, the controller 202 may not reflect the certificate identification information in operation 715 and may transmit a response indicating that controller connection is impossible in operation 725. Additionally, in this case, operations 730 to 750 may not be performed.

In addition, the access control application 211 can update the data flow of the router 201 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that

According to the embodiment, when the connection control application 211 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

Figure 8 shows a signal flow diagram for changing channel state information according to various embodiments.

The access control application 211 of the router 201 changes the channel status information to the controller 202 when the channel status changes, such as when channel creation is completed, channel creation fails, or the connection to the created channel is released. You can request.

In operation 805, the access control application 211 may detect a channel state information change event when channel creation is completed, channel creation fails, or the connection to the created channel is released.

In operation 810, the access control application 211 may transmit channel state information to the controller 202. For example, the access control application 211 may transmit channel identification information when channel creation is completed and IP information if a unique IP assigned at the time of channel creation exists. For another example, the access control application 211 may transmit channel identification information to the controller 202 when channel creation fails or the channel is released.

At operation 815, controller 202 may update channel status and data flow. For example, the controller 202 may update the channel state based on channel state information received from the router 201 and IP information assigned to the router 201.

According to the embodiment, when channel creation is completed, the controller 202 determines the MAC addresses allowed based on the access policy database 311 in order to allow access to nodes connected to the router 201 in advance, and the MAC addresses that can be accessed. Source IP, destination IP, service port information, protocol information, and whether data packet transmission and reception amount are recorded, whether data packet QoS and QoS level, whether a channel is required, and if there is harmful information that needs to be removed or replaced in the transmitted data packet. Data flow information including information for filtering this can be created.

According to an embodiment, when a channel is released or channel creation fails, the controller 202 may remove previously created channel information and data flows.

In operations 820 and 825, the controller 202 may transmit the updated data flow to the router 201 and the gateway 203. Additionally, the controller 202 may also transmit updated channel information.

Figure 9 shows a signal flow diagram for network access according to various embodiments.

After the router 201 is authorized by the controller 202, the router 201 transmits trusted data by controlling the network access of nodes connected to the router 201 through the access control application 211 of the router 201. can be guaranteed.

Referring to FIG. 9 , in operation 905, the access control application 211 may detect a network connection event of a node connected to the router 201. For example, the access control application 211 may receive a network connection event received from a network interface built into the router 201 from the network kernel of the operating system.

In operation 910, the connection control application 211 receives identification information of the node included in the data packet for network connection between the node and the service (e.g., TCP Session creation, first UDP packet or flow of consecutive UDP packets, etc.), You can check whether a data flow exists based on the destination IP, port information, and protocol information included in the MAC address and IP header. According to an embodiment, when a data flow exists but is invalid (e.g., data packet transmission is not possible, data packets are not received from a network interface authorized on the data flow, or a channel for data packet transmission does not exist) at least one of), the access control application 211 may drop a data packet. According to another embodiment, when a data flow exists, the access control application 211 may transmit data packets based on the data flow. According to an embodiment, the access control application 211 of the router 201 may perform a network connection request in operation 915 without performing operation 910.

According to the embodiment, the access control application 211 may check whether authentication is required based on the authentication information included in the data flow, and if authentication is required but the data packet does not include node authentication information, or if node authentication information is not included If is not valid, data packets may be dropped.

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time has expired and needs to be updated, in operation 915, the access control application 211 may request network access from the controller 202. For example, a network connection request may include control flow identification information, MAC address information, destination network identification information, port information, and node identification information. According to the embodiment, the network connection request may further include at least one of protocol information (eg, TCP, UDP, etc.), an IP assigned to the node, and received network interface identification information. According to another embodiment, when node authentication information must be authenticated by the controller 202, the network connection request may include node authentication information included in the data packet.

In operation 920, the controller 202 collects the connection request identification information (e.g., node identification information, MAC address, destination IP) from the connection policy corresponding to the identified information (e.g., router, channel information) based on the control flow identification information. and service port information, protocol information, received network interface identification information, etc.). Depending on the embodiment, when network connection is not possible, the controller 202 may transmit a connection failure result to the connection control application 211 of the router 201 (operation 940).

If the connection is available, at operation 925, the controller 202 may check the authentication policy 321. For example, when a node that wants to access the network must perform authentication based on the authentication policy 321, the controller 202 uses the authentication method of the node included in the authentication policy (e.g., in the case of TCP, TCP SYN packet Authentication, in the case of UDP, authentication by data packet or authentication at regular intervals (or cycles), authentication method and timing, etc.), information for decoding authentication information, algorithm information for verifying authentication information, and a series of information included in the algorithm (e.g. : When generating HMAC OTP, authentication can be performed on the received node authentication information according to information such as Secret Key, etc.). For example, if the received node authentication information exists, the controller 202 may decrypt the node authentication information and perform authentication based on the authentication information generated based on the authentication policy 321. According to the embodiment, if authentication fails, the controller 202 may return a network connection unavailable result to the router 201 (operation 940).

According to the embodiment, when authentication of a data packet is required but the received node authentication information does not exist, a network connection unavailable result may be returned to the router 201 (operation 940). According to the embodiment, when authentication must be performed in the router 201, the controller 202 may generate authentication information for authenticating the node based on the authentication policy 321 and include it in the data flow.

If access is possible and authentication has been completed (or authentication is not required), in operation 930, the controller 202 may check the channel policy database 312 to allow the router 201 to access the network. For example, the controller 202 can determine whether a gateway 203 exists on the path to the destination service and whether a channel is needed between the gateway 203 and the router 201 based on the channel policy database 312. And, if a channel is needed, you can check whether the channel has been created. According to the embodiment, the controller 202 may check whether a channel has been created based on the channel table 319.

According to the embodiment, when a channel has been created or when channel creation is not necessary, the controller 202 provides connection request information (node identification information, MAC address, source IP) to allow a node connected to the router 201 to access. , destination IP and port, protocol information, and network interface identification information), and transmit the generated data flow to the router 201 and the gateway 203. However, if the data flow has already been created, the controller 202 may not create the data flow again. According to an embodiment, the controller 202 may further include authentication information determined based on the authentication policy 321 when creating a data flow.

According to the embodiment, when a channel has not been created and channel creation is necessary, the controller 202 determines the type of channel (tunnel, security session, etc.) that can be connected between the router 201 and the gateway 203 and a series of channels for creating the channel. Channel information including information (e.g., authentication information, encryption algorithm, Tunnel End Point IP, etc.) may be created, and the generated channel information may be transmitted to the router 201 and the gateway 203 (operations 935 and 940). .

In operation 945, the access control application 211 may process a result value for the response received from the controller 202. For example, when the access control application 211 receives a network connection unavailable result from the controller 202, the node connected to the router 201 may drop the data packet that the node connected to the router 201 wants to transmit. For another example, the access control application 211 receives the data flow from the controller 202, and when authentication for the node authentication information is completed by the access control application 211 itself or the controller 202, the received data flow Data packets can be transmitted based on . In this case, the access control application 211 may update the existing data flow with the received data flow. According to an embodiment, when network access is possible but authentication is not completed, the access control application 211 may perform authentication by decrypting node authentication information based on authentication information included in the received data flow. In this case, if authentication fails, the access control application 211 may drop the data packet, and if authentication succeeds, the access control application 211 may remove the header containing the identification information of the node included in the data packet and Packets can be transmitted.

According to an embodiment, when channel information is received from the controller 202, the access control application 211 may request channel creation to the gateway 203 based on the received channel information. In this case, when channel creation with the gateway 203 is completed, the access control application 211 may transmit information indicating that channel creation is complete to the controller 202 (e.g., operation shown in FIG. 8).

Figure 10 shows an example data packet according to various embodiments.

A UDP data packet 1005 including a node header may include an IP header, a node header (Device Header), and a payload. For example, the node header 1015 may include node identification information and node authentication information.

The TCP data packet 1010 including the node header may include an IP header, a TCP header, a node header, and a payload. For example, the node header 1015 may include node identification information and node authentication information.

According to the embodiment, the node authentication information may be information for commonly authenticating all network connections transmitted from the node, or for authenticating by network connection unit (destination IP and port).

The node inserts the node identification information and authentication information given in advance by the controller 202 (e.g., for TCP, inserts TCP SYN packets, for UDP, inserts authentication information for each data packet, or at regular intervals (or cycles). Authentication information insertion, insertion method and timing, etc.), information for encryption of authentication information, algorithm information for generating authentication information, and a series of information included in the algorithm (e.g. information such as Secret Key when generating HMAC OTP). ), a node header can be created and transmitted by including it in a data packet. The node header included in the data packet may be authenticated by the router 201 or the controller 202 to check whether it is a normally transmitted data packet.

FIG. 11 illustrates an operation flowchart for controlling transmission of data packets by a router according to various embodiments. According to the embodiment, the operations shown in FIG. 11 may be performed through the access control application 211 of the router 201 of FIG. 2.

When the network connection of a node connected to the router 201 is authorized by the controller 202, the router 201 controls the data packets that the node wants to transmit based on the data flow, thereby providing the node with a safe network connection environment. there is.

In operation 1105, the access control application 211 of the router 201 may receive a data packet transmission event received from a network interface built into the router 201 from the network kernel of the operating system.

In operation 1110, the access control application 211 may check whether a corresponding data flow exists based on the destination IP, port information, and protocol information (e.g., TCP. UDP) included in the IP header of the received data packet.

According to an embodiment, the access control application 211 transmits a data packet when a data flow exists but is invalid (e.g., data packet transmission is not possible, and the data packet is not received from a network interface authorized on the data flow). A data packet may be dropped if at least one of the following cases does not exist a channel for it) or if a data flow does not exist.

If a data flow exists, in operation 1115, the access control application 211 may inspect the data packet based on data packet filtering information included in the data flow. For example, when a data packet needs to be inspected based on data packet filtering information, the access control application 211 can inspect the data packet. According to the embodiment, the access control application 211 may set a single data packet or multiple data packets as an inspection target.

In operation 1120, the access control application 211 may filter the data packet if the data packet is included in the filtering target. For example, when a data packet requires replacement, the access control application 211 may replace the data packet based on replacement information or rules included in the filtering information of the data flow. For another example, when data packet replacement is not required or filtering is not required, the access control application 211 may perform operation 1125 without performing operation 1120. For another example, when blocking of data packets is necessary, the access control application 211 may drop the data packets.

In operation 1125, the access control application 211 may check whether QoS of the data packet is required based on data packet QoS information included in the data flow.

If data packet QoS is required, the access control application 211 can check the amount of data packets that can be transmitted separately included in the data packet QoS information and check whether QoS is necessary based on the transmitted data packet QoS information per minute.

If the amount of data packets transmitted per minute exceeds the amount of data packets that can be transmitted per minute, in operation 1130, the access control application 211 delays transmission of the data packet for a certain time according to the data packet QoS method and then transmits the data packet. A data packet may be dropped (operation 1145) to induce retransmission.

According to the embodiment, when data packet QoS is not required, the access control application 211 may transmit and process data packets. Additionally, the access control application 211 may transmit and process the data packet when the inspection of the data packet is completed based on the data packet filtering information and data packet QoS information (operation 1135).

In operation 1140, after processing data packet transmission and data packet drop, the access control application 211 may update the amount of transmitted or dropped data packets in the data packet QoS information included in the data flow.

FIG. 12 illustrates an operation flowchart for controlling reception of data packets by a router according to various embodiments. The operations shown in FIG. 12 may be performed through the access control application 211 of the router 201 of FIG. 2.

Even when receiving data packets, the router 201 can provide safe network control by receiving data packets based on the data flow authorized by the controller 202.

In operation 1205, the access control application 211 may receive a data packet reception event received from a network interface built into the router 201 from the network kernel of the operating system.

In operation 1210, the access control application 211 determines whether a data flow corresponding to the reverse direction exists based on the destination IP, port information, and protocol information (e.g., TCP, UDP, etc.) included in the IP header of the received data packet. You can.

In operation 1215, if a data flow exists, the access control application 211 may update the amount of received data packets in the data packet QoS information included in the data flow.

Figure 13 shows a signal flow diagram for updating a control flow of a router according to various embodiments.

Referring to FIG. 13, in operation 1305, the access control application 211 may detect a control flow update event.

According to an embodiment, when a control flow update event is detected, the access control application 211 collects the security check information received from the controller 202 (e.g., execution or installation location of the operating system and major applications, signature, fingerprint, hash, Unique information of the operating system and applications such as the registry, a series of information for binary analysis of the operating system and major applications, executable files, libraries and a series of files or processes referenced by the executable files, memory information, and whether the application and operating system are safe. A security check is performed based on at least one of malware detection tool or pattern DB information, router hardware and operating system configuration information and version information, and physically connectable device information) and transmits the results to the controller 202. You can.

In operation 1310, the access control application 211 may request a control flow update from the controller 202 based on control flow identification information. According to the embodiment, the access control application 211 may transmit the security check results to the controller 202.

In operation 1315, the controller 202 may check whether a control flow exists in a control flow table (e.g., control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (e.g., when the connection is disconnected by another security system, when the connection is disconnected due to its own risk detection, etc.), the controller 202 determines that the connection of the router 201 is valid. Since this is not done, a connection failure result can be transmitted to the access control application 211 (operation 1320).

According to the embodiment, if a control flow exists, the controller 202 checks whether the operating system and application information included in the router is valid according to the security check policy based on the received security check result information, or checks whether the operating system and application information included in the router is valid. Through the harmful application inspection module (static inspection or AI-based inspection) included in or existing in other systems connected to the controller, it is possible to determine whether the inspection results of the router's operating system and application are normal. In this case, if the test result is abnormal, the controller 202 may remove the control flow, dependent channel information, and data flow, and transmit the removed information to the router 201 and the gateway 203 (operation 1320).

According to the embodiment, if the inspection result is normal, the controller 202 may update the update time, check the data flow dependent on the control flow, perform re-authentication of the data flow, or return the data flow to the router 201. there is.

In operation 1325, the access control application 211 of the router 201 may process the result of the response received from the controller 202. For example, the access control application 211 may block all network connections of nodes connected to the router 201 when the control flow update result is impossible. For another example, the connection control application 211 may update the data flow if the control flow update result is normal and an updated data flow exists.

Figure 14 shows a signal flow diagram for disconnection of a router according to various embodiments.

Referring to FIG. 14, in operation 1405, the router 201 terminates the router 201, terminates the connection control application 211, no longer uses the network connection, and terminates the connection based on information identified from the interworking system. At least one of the requests can be detected. In this case, in operation 1410, the router 201 or the access control application 211 may request the controller 202 to remove the control flow.

At operation 1415, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1420, the controller 202 may remove all data flows dependent on the removed control flow. Accordingly, the router 201 can no longer connect to the destination network based on the removed data flow. Additionally, the controller 202 performs a request to remove the channel and data flow to the gateway 203, which relays all data flows dependent on the removed control flow, thereby establishing a state in which data packets can no longer be transmitted to the destination network. can be provided.

Figure 15 is an operation flowchart showing a method of operating an access control application installed on a router according to various embodiments. The operations shown in FIG. 14 can be performed through the access control application 211 of FIG. 2.

At operation 1505, the connection control application 211 may detect a network connection event of the node. For example, a network connection request may include node identification information and node authentication information.

In operation 1510, the access control application 211 may request a network connection to an external server based on the identification information of the node and the identification information of the node's destination network.

In operation 1515, the access control application 211 may receive a data flow corresponding to the identification information of the node from an external server.

In operation 1520, the access control application 211 may perform authentication of node authentication information itself or may receive the authentication result from an external server. For example, if a response is received from the controller 202 without authentication being completed, the access control application 211 may perform authentication for the node authentication information based on authentication information included in the data flow. For another example, the access control application 211 may receive a result of completed authentication from the controller 202.

In operation 1525, when authentication of the node authentication information is completed, the access control application 211 may process the data packet that the node wants to transmit based on the data flow.

Figure 16 is an operation flowchart showing a server operation method according to various embodiments. The operations shown in FIG. 16 may be performed through the controller 202 of FIG. 2.

In operation 1605, the server may receive the node's network connection request from the router connected to the node. For example, a network connection request may include identification information of the node and identification information of the node's destination network.

In operation 1610, the server may check whether the node can connect to the destination network based on the database, the node's identification information, and the node's destination network identification information.

In operation 1615, if connection is possible, the server may perform authentication by decrypting node authentication information based on the database.

In operation 1620, when authentication of the node authentication information is completed, a data flow corresponding to the node identification information and the identification information of the node's destination network may be created and transmitted to the router and the gateway. For example, a data flow may include data packet filtering information and data packet QoS information.

In operation 1625, the server may transmit the authentication result of the node authentication information to the router.

The above description is merely an illustrative explanation of the technical idea disclosed in this document, and those skilled in the art in the technical field to which the embodiments disclosed in this document belong will understand without departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Accordingly, the embodiments disclosed in this document are not intended to limit the technical ideas disclosed in this document, but rather to explain them, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The scope of protection of the technical ideas disclosed in this document shall be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope shall be interpreted as being included in the scope of rights of this document.

Claims (13)

In the router,
communication circuit; a processor operatively connected to the communication circuit; and a memory operatively coupled to the processor, storing a connection control application, wherein the memory, when executed by the processor, causes the router to:
Receiving a data packet for network connection of the node through the access control application,
Check whether the data packet for the network connection includes identification information and node authentication information of the node,
If the node authentication information is not included or the node authentication information is invalid, dropping a data packet for connecting to the network,
Performing a network connection request to an external server based on the identification information of the node and the identification information of the destination network of the node,
It is determined whether to perform authentication of the node authentication information itself or to receive the authentication result from the external server, and when the authentication result from the external server must be received, the node authentication information is sent to the network connection request. Transmit further including,
Receiving a data flow corresponding to the identification information of the node from the external server,
A router that stores commands, configured to process a data packet to be transmitted by the node based on the data flow when authentication of the node authentication information is completed. The method of claim 1, wherein the commands allow the router to:
When channel information is received from the external server through the access control application,
Create a gateway and channel based on the channel information,
Transmitting the channel identification information generated and the IP information assigned when creating the channel to the external server,
A router, configured to receive updated channel information and a data flow with updated channel information from the external server. The method of claim 1, wherein the commands allow the router to:
Verifying the node's identification information, the destination network's identification information, communication protocol information, and network interface identification information in a data packet for network connection of the node through the access control application,
Check whether a data flow corresponding to a data packet for network connection of the node exists,
If a data flow corresponding to a data packet for network connection of the node exists, authentication is performed by decrypting the node authentication information based on authentication information included in the data flow,
A router configured to transmit a data packet of the node when authentication of the node authentication information is completed. The method of claim 1, wherein the commands allow the router to:
Confirm whether the data packet of the node is subject to filtering based on data packet filtering information included in the data flow through the access control application,
If the data packet of the node is subject to filtering and data packet replacement is required, the data packet is replaced based on replacement information or replacement rules included in the filtering information,
A router, configured to drop the data packet of the node if the data packet of the node is subject to filtering and data packet blocking is necessary. The method of claim 1, wherein the commands allow the router to:
Check whether the data packet of the node requires QoS based on QoS (Quality of Service) information included in the data flow through the access control application,
If the data packet of the node requires QoS, check the amount of data packets that can be transmitted based on the QoS information,
When the amount of data packets that can be transmitted is exceeded, the router is configured to delay transmission of the data packets for a certain time based on the QoS information to transmit the data packets or induce retransmission of the data packets. The method of claim 1, wherein the commands allow the router to:
Receive a response data packet for the data packet transmitted through the access control application,
Check whether a data flow corresponding to the response data packet exists,
The router, configured to update the amount of the received data packet to the QoS information of the data flow if there is a data flow corresponding to the response data packet. The method of claim 1, wherein the commands allow the router to:
Further transmitting the node authentication information when performing the network connection request to the external server through the access control application,
Receive from the external server whether the node authentication information is valid based on an authentication result of the node authentication information,
A router, configured to transmit the data packet based on the data flow when authentication of the node authentication information is completed. On the server,
communication circuit;
memory to store the database; and
a processor operatively connected to the communication circuit and the memory, the processor comprising:
Receiving a network connection request of the node from a router connected to the node, the network connection request includes identification information of the node, identification information of the destination network of the node, and node authentication information,
Confirm whether the node can connect to the destination network based on the database, the identification information of the node, and the identification information of the destination network of the node,
If connection is possible, authentication is performed by decrypting the node authentication information based on the database,
When authentication of the node authentication information is completed, a data flow corresponding to the node's identification information and the identification information of the node's destination network is generated and transmitted to the router and the gateway, and the data flow includes data packet filtering information and data. Contains packet QoS information,
configured to transmit an authentication result of the node authentication information to the router,
The node authentication information is included in a data packet for network connection transmitted from the node to the router. The method of claim 8, wherein the processor:
A server configured to determine whether it is necessary to create a channel between the router and the gateway based on the database, generate information necessary for channel creation, and transmit it to the router and the gateway. The method of claim 8, wherein the processor:
Receive channel identification information indicating channel creation and IP information assigned upon channel creation from the router,
Update the channel identification information and the IP information assigned when creating the channel to the database and the data flow,
A server configured to transmit updated data flows to the router and the gateway. The method of claim 8, wherein the processor:
Receiving a connection request including identification information of the router from the router,
Check whether the router can be connected based on the database,
If connection is possible, generate a control flow corresponding to the router, and transmit security check information including identification information of the control flow and information for checking the validity of the router to the router,
Receive a security check result based on the security check information from the router,
A server configured to determine whether the security check result is normal and transmit the result to the router. The method of claim 8, wherein the processor:
Receive a certificate authentication request containing authentication information related to certificate authentication from the router,
Check whether the certificate authentication is normal based on the database,
If the certificate authentication is normal, the control flow is updated based on the authentication information,
Transmitting certificate authentication results and security check information to the router,
Receive a security check result based on the security check information from the router,
A server configured to determine whether the security check result is normal and transmit the result to the router. In the method of operating the access control application installed on the router,
Receiving a data packet for network connection of the node;
Checking whether the data packet for the network connection includes node identification information and node authentication information;
dropping a data packet for the network connection when the node authentication information is not included or the node authentication information is invalid;
Performing a network connection request to an external server based on the identification information of the node and the identification information of the destination network of the node, whether to perform authentication of the node authentication information itself or receive the authentication result from the external server determines whether to do so, and further includes the node authentication information in the network connection request and transmits it when it is necessary to receive an authentication result from the external server;
Receiving a data flow corresponding to the identification information of the node from the external server; and
When authentication of the node authentication information is completed, processing a data packet to be transmitted by the node based on the data flow; Method, including.