KR102620214B1 - System for controlling network access and method of the same - Google Patents

Abstract

A node according to an embodiment disclosed herein includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a target application and a connection control application, The memory, when executed by the processor, allows the node to access data of the target application based on authentication information included in the transmission protocol of the data packet of the target application and the data flow authorized from an external server through the access control application. Insert authentication information into a packet and transmit it to the destination node, receive a response to the data packet from the destination node, check whether the response to the data packet corresponds to the data flow, and if it corresponds to the data flow, It is configured to allow a logical connection between the node and the destination node to process data packets based on the logical connection, and the authentication information inserted into the data packet allows the destination node to tell the external server whether the authentication information is normal. It can be used to check and respond if normal.

Description

System for controlling network access and method related thereto {SYSTEM FOR CONTROLLING NETWORK ACCESS AND METHOD OF THE SAME}

Embodiments disclosed in this document relate to a system and method for controlling network access.

Multiple devices can communicate data over a network. For example, a terminal can transmit or receive data to and from a server via the Internet. Networks may include public networks such as the Internet as well as private networks such as intranets.

In most communication environments today, nodes and servers communicate with each other, but this centralized service structure causes all communication targets to make various information requests to one server, preventing server failures, computing, and networking power limitations. Relying on servers for information can cause various problems.

To solve these problems of the traditional communication environment, a distributed network based on peer-to-peer communication technology, a communication method between nodes, has been developed, and technology for mutually transmitting and sharing data and files is being developed. One of these peer-to-peer communication technology methods is the blockchain system.

The method in which nodes communicate with each other by forming a distributed network is structured so that unspecified nodes can participate in the network because there is no concept of authentication or authorization. The characteristics of a distributed network that allows constant access are a variety of information. By mutually exchanging and storing information, the persistence of specific information is improved, and, like the multicast concept of Internet protocol communication, all targets in a network segment can receive information, expanding from small data packet units to larger units. Because it can be propagated, there is a special advantage that nodes in a distributed network can easily share all or partial information.

Since unspecified nodes participating in a distributed network can share malicious data and files, such as malware, ransomware, or malicious code, problems such as the spread of malware may arise due to information sharing in the distributed network. If a majority of all nodes constituting a distributed network with malicious purposes are occupied or a small number of nodes transmit information for disturbing purposes, the distributed network itself may become difficult to operate continuously, such as a DoS (Denial of Service) attack. Possible problems may arise.

Blockchain technology has been developed to solve the above problems, but blockchain data processing consumes large computing power and resources, and shareable data is limited, so various nodes (general nodes, servers, IoT devices, V2X vehicles) etc.) may be used for limited purposes that are not suitable for use.

In order to configure a distributed network that only authorized users can access, VPN (Virtual Private Network) technology is used to configure and connect to the distributed network by installing a VPN gateway for each company and creating its own private network with a Star structure, then sharing information between each other. A structure that connects various servers and systems for sharing, blockchain, etc. to the network can be used. However, since all subjects participating in the distributed network must install a VPN gateway, it is possible to configure a distributed network that a small number of subjects can access, but configuring a large number of distributed networks involves the costs of introducing and operating a VPN gateway and the addition of new subjects. In this case, problems may arise in terms of scalability, such as having to add a whitelist of the target to all VPN gateways.

In addition, there is a method of allowing a subject authorized through a certification authority to access a distributed network based on a certificate issued to access the distributed network, but the certificate issued by the certification authority is stored in a location accessible to anyone in the node's storage. There is a problem in which malware, which is not a normal app existing within a node connecting to a distributed network, can use the certificate to access the distributed network.

The problem with the above technologies lies in the problem of allowing free communication based on the Internet Protocol on a network that is always connected and the limitation of identifying the communication target with an IP address.

In order to solve the above problems, various embodiments disclosed in this document can provide technology to allow communication between authorized nodes and block communication requests from unauthorized nodes in a distributed network where nodes communicate. there is.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above-described problems in a network environment.

A node according to an embodiment disclosed herein includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a target application and a connection control application, The memory, when executed by the processor, allows the node to access data of the target application based on authentication information included in the transmission protocol of the data packet of the target application and the data flow authorized from an external server through the access control application. Insert authentication information into a packet and transmit it to the destination node, receive a response to the data packet from the destination node, check whether the response to the data packet corresponds to the data flow, and if it corresponds to the data flow, It is configured to allow a logical connection between the node and the destination node to process data packets based on the logical connection, and the authentication information inserted into the data packet allows the destination node to tell the external server whether the authentication information is normal. It can be used to check and respond if normal.

A node according to an embodiment disclosed herein includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a connection control application, the memory comprising: When executed by the processor, the node receives a data packet from a source node through the access control application, verifies the existence of a data flow authorized from an external server corresponding to the data packet, and stores authentication information in the data packet. Check whether the authentication information is included, request the external server to check the authentication information included in the data packet, and receive the authentication information test result from the external server. If the authentication information check is successful, the node's identification information may be configured to receive an updated data flow and transmit a response to the received data packet to the source node based on the updated data flow.

A server according to an embodiment disclosed in this document includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database, wherein the memory includes the processor. When executed by the server, the server receives a network connection request including the IP of the destination node from the source node, and determines whether the IP of the destination node constitutes a distributed network based on the database. Verifies whether connection is possible, generates a data flow including first authentication information for accessing the destination node based on the database, and transmits it to the source node, and receives the IP and first authentication information of the source node from the destination node. 2 Receiving an authentication information inspection request including authentication information, and checking the data flow corresponding to the second authentication information based on whether a data flow corresponding to the second authentication information exists and whether the second authentication information is valid. It may be configured to update the identification information of the destination node and transmit a data flow with the updated identification information of the destination node to the destination node.

A method of operating a connection control application installed in a source node according to an embodiment disclosed in this document includes an operation to check whether it is possible to transmit a data packet to a destination node based on a data flow authorized from an external server, and a transmission protocol for data packets. and inserting authentication information into a data packet of a target application based on the authentication information included in the data flow and transmitting it to the destination node, receiving a response to the data packet from the destination node, and receiving a response to the data packet from the destination node. Checking whether the response corresponds to the data flow, and if the response to the data packet corresponds to the data flow, updating the data flow by checking whether the identification information of the destination node has been updated in the data flow in the external server. and transmitting a data packet of the target application based on the updated data flow, wherein the authentication information inserted into the data packet is sent to the external server by checking whether the destination node is normal to the external server. It can be used when the data flow is updated.

A network access control system according to another embodiment disclosed in this document includes a source node, a destination node, and a server, and a first access control application installed on the source node is a first connection control application included in the first data flow received from the server. Based on the authentication information, second authentication information is inserted into the data packet and transmitted to the destination node, and a second access control application installed at the destination node receives the data packet and applies the second authentication information included in the data packet. Based on the information, an authentication information check request is made to the server, and the server checks whether a data flow corresponding to the second authentication information exists and whether the second authentication information is valid, and connects the destination node to the data flow. The identification information and third authentication information are updated and the updated second data flow is transmitted to the destination node, and the second access control application of the destination node is configured to update the third authentication information included in the second data flow. Based on this, fourth authentication information is inserted into a response data packet and transmitted to the source node, and the first access control application of the source node determines whether the first data flow corresponds to the fourth authentication information and the first 4 It may be configured to determine whether transmission of a data packet to the destination node is possible by checking whether authentication information is valid.

A node according to another embodiment disclosed in this document may include a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and a connection control application, wherein the memory, when executed by the processor, causes the node to request a network connection to an external server through the access control application. The network connection request includes identification information of the target application, a transmission protocol, identification information of the destination node, and parameter values specified when executing the target application, and generates a data flow including authentication information from the external server. Receive, insert authentication information into the data packet of the target application based on the received data flow and transmit it to the destination node, receive a response to the data packet from the destination node, and receive a response to the data packet Check whether this corresponds to the data flow, and if the response to the data packet corresponds to the data flow, update the data flow by checking whether the identification information of the destination node in the external server has been updated in the data flow, It is configured to transmit a data packet of the target application based on the updated data flow, and the authentication information inserted into the data packet is transmitted when the destination node checks whether the authentication information is normal with the external server and the external server. It is used when the server updates the data flow, and the parameter value specified when executing the target application is used when checking whether the target is registered in the group constituting the distributed network corresponding to the identification information of the destination node in the external server. You can.

According to the embodiments disclosed in this document, each node that has completed mutual authentication through a controller acting as a certification authority establishes a logical connection (or logical connection) with the communication target node in order to communicate with various nodes existing in the distributed network. When requesting a connection to create a TCP session (e.g., TCP Session creation, etc.), controller-based network access control can be provided by inserting and transmitting authentication information granted by the controller.

According to the embodiments disclosed in this document, the communication target node verifies the existence of the received authentication information and the authentication information from the controller and uses authentication information given by the controller or stored in advance or authentication generated by an authentication information generation algorithm. Confirmation information is returned to the communication request node, and the communication request node confirms the received authentication confirmation information from the controller, thereby providing a basic mechanism to confirm that the two communication target nodes are authorized nodes within the distributed network.

In addition, according to the embodiments disclosed in this document, the communication target node can confirm that it is not an authorized target when authentication information does not exist or a connection request for which authentication information is invalid occurs, and conversely, the communication request node is also authenticated. If verification information does not exist or authentication verification information is invalid, it can be confirmed that the communication target node is not authorized, thereby providing a secure distributed network configuration.

In addition, according to the embodiments disclosed in this document, since unauthorized communication access attempts are blocked, logical connections cannot be created or maintained, and thus communication between unauthorized communication targets can be blocked.

In addition, according to the embodiments disclosed in this document, various applications that communicate through a distributed network are processed by a network access control application that includes drivers or modules for controlling network access and flow at the kernel level of the operating system. (e.g. blockchain, IoT applications, etc.) can be controlled to participate in a distributed network in which only authorized subjects participate without any modification.

In addition, according to the embodiments disclosed in this document, by controlling the two communication targets through a controller that acts as a certification authority, safe distribution is achieved without the need to build separate VPN equipment for each communication target even on the Internet, where unspecified targets can access at all times. You can create a network, and rather than performing mutual authentication through a pre-distributed certificate method, information given through the controller is checked at the time of network connection and communication is performed after mutual authentication, which can occur due to certificate leakage. Problems that exist can be solved.

In addition, according to the embodiments disclosed in this document, unlike the existing Peer To Peer communication protocol where it is ambiguous as to which communication nodes are communicating with each other to form a distributed network due to the IP address-based identification system, the certification authority Since each node is identified upon authentication through the controller performing the role, it may be possible to identify each node that makes up the distributed network.

In addition, according to the embodiments disclosed in this document, it is possible to check compliance with various security guidelines required for nodes to participate in the distributed network and enforce security control elements, so the distributed network allows only secure subjects to participate at all times. It may be possible to operate as an identifiable network.

In addition, according to the embodiments disclosed in this document, since it is possible to configure a distributed network easily and quickly, various applications based on a distributed network (e.g. blockchain, IoT-based smart home, city, factory, V2X, etc.) Revitalization and continuous development may be possible.

In addition, according to another embodiment disclosed in this document, participation in a plurality of distributed networks can be controlled with one application, and when executing an application participating in a distributed network, a command containing information about the distributed network group to which it wishes to participate is sent. It can be identified and controlled according to that information so that the source node can communicate with the destination node participating in the identified distributed network.

In addition, various effects that can be directly or indirectly identified through this document may be provided.

Figure 1 shows an environment including multiple networks.
Figure 2 shows an architecture within a network environment according to various embodiments.
3 is a functional block diagram showing a database stored in a controller according to various embodiments.
Figure 4 shows a functional block diagram of a node according to various embodiments.
Figure 5 explains operations for controlling transmission and response of data packets according to various embodiments.
Figure 6 shows a signal flow diagram for connecting a node to a controller according to various embodiments.
Figure 7 shows a signal flow diagram for user authentication of a node according to various embodiments.
Figure 8 shows a signal flow diagram for certificate authentication of a node according to various embodiments.
Figure 9 shows a signal flow diagram for network connection of a source node according to various embodiments.
FIG. 10 illustrates an operation flowchart for data packet transmission by a source node according to various embodiments.
FIG. 11 illustrates an operation flowchart for inserting authentication information into a data packet of a source node according to various embodiments.
FIG. 12 illustrates an operation flowchart for receiving a network connection request from a destination node according to various embodiments.
Figure 13 shows a signal flow diagram for checking data packet authentication information of a destination node according to various embodiments.
FIG. 14 illustrates an operation flowchart for responding to a network connection request from a destination node according to various embodiments.
Figure 15 shows a signal flow diagram for receiving a network connection request response from a source node according to various embodiments.
Figure 16 shows a signal flow diagram for control flow update according to various embodiments.
17 shows a signal flow diagram for disconnection according to various embodiments.
Figure 18 shows a signal flow diagram for terminating application execution according to various embodiments.
Figure 19 is an operation flowchart showing a method of operating an access control application included in a source node according to various embodiments.
Figure 20 is an operation flowchart showing a method of operating a connection control application included in a destination node according to various embodiments.
Figure 21 is an operation flowchart showing a server operation method according to various embodiments.
Figure 22 is an operational flowchart showing a method of checking authentication information included in a data packet received from a destination node at a source node according to another embodiment disclosed in this document.

BRIEF DESCRIPTION OF THE DRAWINGS Various embodiments of the present invention are described below with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, but should be understood to include various modifications, equivalents, and/or alternatives to the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one or plural items, unless the relevant context clearly indicates otherwise. In this document, “A or B”, “at least one of A and B”, “at least one of A or B”, “A, B or C”, “at least one of A, B and C” and “A, Each of phrases such as “at least one of B, or C” may include any one of the items listed together in the corresponding phrase, or any possible combination thereof. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish one component from another, and to refer to that component in other respects (e.g., importance or order) is not limited. One (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.” When mentioned, it means that any of the components can be connected to the other components directly (e.g. wired), wirelessly, or through a third component.

Each component (eg, module or program) described in this document may include singular or plural entities. According to various embodiments, one or more of the corresponding components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (eg, modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each component of the plurality of components in the same or similar manner as those performed by the corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations may be executed in a different order, or omitted. Alternatively, one or more other operations may be added.

The term “module” used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrated part or a minimum unit of the parts or a part thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (e.g., a program or application) including one or more instructions stored in a storage medium (e.g., memory) that can be read by a machine. For example, the processor of the device may call at least one instruction among one or more instructions stored from a storage medium and execute it. This allows the device to be operated to perform at least one function according to the at least one instruction called. The one or more instructions may include code generated by a compiler or code that can be executed by an interpreter. A storage medium that can be read by a device may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain signals (e.g. electromagnetic waves), and this term refers to cases where data is semi-permanently stored in the storage medium. There is no distinction between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided and included in a computer program product. Computer program products are commodities and can be traded between sellers and buyers. A computer program product may be distributed in the form of a machine-readable storage medium (e.g. compact disc read only memory (CD-ROM)) or through an application store or between two user devices (e.g. smartphones). It may be distributed in person or online (e.g., downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be at least temporarily stored or temporarily created in a machine-readable storage medium, such as the memory of a manufacturer's server, an application store server, or a relay server.

Figure 1 shows an environment including multiple networks.

Referring to FIG. 1, the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101. In FIG. 1 and the embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances and is not limited to the above-mentioned devices. For example, the source node 101 may include a server or gateway that can transmit data packets through an application. The source node 101 may also be referred to as an ‘electronic device’ or a ‘terminal’. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101. As another example, the destination node 102 may be substantially the same as the destination network.

The source node 101 may attempt to access the second network 20 and transmit data to the destination node 102 included in the second network 20. The source node 101 may transmit data to the destination node 102 through the gateway 103.

If the connection of the source node 101 to the first network 10 is approved, the source node 101 can communicate with all servers included in the first network 10, and therefore the source node 101 is malicious. ) may be exposed to program attacks. For example, the source node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browsers 110a and business applications 110b. ) It is possible to receive data from untrusted or unsecured applications, such as the business application 110d.

The source node 101 infected by a malicious program may attempt to connect to the second network 20 and/or transmit data. If the second network 20 is formed based on IP, such as a VPN, it may be difficult for the second network 20 to individually monitor a plurality of devices included in the second network 20, and application at the OSI layer may be difficult. Security at the layer or transport layer may be vulnerable. Additionally, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be transmitted to another electronic device (e.g., the destination node 102) within the second network 20. You can.

Figure 2 shows an architecture within a network environment according to various embodiments.

Referring to FIG. 2, the source node 201 may be various types of devices capable of performing data communication. For another example, the source node 201 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. It may include devices, or home appliances, and is not limited to the above-mentioned devices. For example, the source node 201 may include a server or gateway that can transmit data packets through an application. The source node 201 may also be referred to as an ‘electronic device’ or a ‘terminal’.

Additionally, the destination node 205 may be various types of devices capable of performing data communication. For another example, the destination node 205 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. It may include devices, or home appliances, and is not limited to the above-mentioned devices. For example, destination node 205 may include a server or gateway that can transmit data packets through an application. The destination node 205 may also be referred to as an ‘electronic device’ or a ‘terminal’.

The source node 201 may store the first target application 212 and the first access control application 211. Additionally, the destination node 205 may store the second access control application 215 and the second target application 216.

The first target application 212 is under the control of the first connection control application 211 and can transmit data packets to the destination node 205 or, conversely, receive data packets. Some of the first target applications 212 may be trusted and/or secure applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, thus network access according to embodiments. The system can block access to the destination node 205 of an unauthorized program (application) and isolate the program through network access control of the first access control application 211. For example, before the first target application 212 according to embodiments communicates with the destination node 205, the first connection control application 211 may check whether connection is possible from the controller 202. If connection is possible, the first connection control application 211 can control data packet transmission of the first target application 212. That is, in order for the first target application 212 to access the network, it must be through the first access control application 211, the first access control application 211 must be authorized by the controller 202, and the first access control application 211 must be authorized by the controller 202. 211 may transmit the data packet of the first target application 212 based on a data flow based on the policy of the controller 202.

The second target application 216 is controlled by the second connection control application 211 and can transmit data packets to the source node 201 or, conversely, receive data packets. Some of the second target applications 216 may be trusted and/or secure applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, thus network access according to embodiments. The system can block access to the source node 205 of an unauthorized program (application) and isolate the program through network access control of the second access control application 215. For example, before the second target application 216 according to embodiments communicates with the source node 201, the second connection control application 215 may check whether connection is possible from the controller 202. If connection is possible, the second connection control application 215 can control data packet transmission of the second target application 216. That is, in order for the second target application 216 to access the network, it must be through the second access control application 215, the second access control application 215 must be authorized by the controller 202, and the second access control application 216 must be authorized by the controller 202. 215 may transmit the data packet of the first target application 216 based on a data flow based on the policy of the controller 202.

According to the embodiment, the source node 201 and the destination node 205 may be referred to as node 200. In this case, the first connection control application 211 of the source node 201 and the second connection control application 215 of the destination node 205 may be referred to as the connection control application 210. That is, the node 200 may include a source node 201 and a destination node 205, and the access control application 210 may include a first access control application 211 and a second access control application 215. can do.

Controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within a network environment by managing data transmission between the source node 201 and the destination node 205. For example, the controller 202 may allow the authorized source node 201 (or the first access control application 211) to access the network through policy information or blacklist information, and the authorized destination node 205 (or the second access control application 215) may be allowed to access the network. The controller 202 may provide authentication information to perform authentication between the source node 201 and the destination node 205. Accordingly, the first access control application 211 of the source node 201 can prevent unauthorized applications from transmitting data packets for unauthorized purposes, and the destination node 205 can prevent data packets from being transmitted for unauthorized purposes. It is possible to provide a structure that can block data packets.

Depending on the embodiment, the network connection of the first target application 212 may be blocked from the first access control application 211, the controller 202, or the destination node 205. According to one embodiment, the controller 202 is configured to perform various operations (e.g., registration, approval, authentication, renewal, termination) associated with the network connection of the source node 201 or the first access control application 211. 1 Control data packets can be transmitted and received with the access control application 211. The flow through which control data packets are transmitted (e.g., 220) may be referred to as a 'control flow'. According to the embodiment, the controller 202 can maintain a secure network state at all times by immediately reclaiming the channel according to a security event received from the interconnected system (e.g., the source node 201 and the destination node 205). Additionally, the above-mentioned structure can be substantially applied equally to the relationship between the destination node 205 and the controller 202.

According to various embodiments, the source node 201 uses a first connection control application 211 and a network driver (not shown) to manage the network connection of the first target application 212 stored in the source node 201. It can be included. For example, when a connection event occurs for the destination node 205 of the first target application 212 included in the source node 201, the first connection control application 211 is connected to the first target application 212. You can decide whether or not access is possible. If the first target application 212 is accessible, the first connection control application 211 can send a data packet to the destination node 205 and receive a data packet from the destination node 205. The first access control application 211 may control the transmission of data packets within the source node 201 through a kernel including an operating system and a network driver.

According to various embodiments, the destination node 205 uses a second connection control application 215 and a network driver (not shown) to manage the network connection of the second target application 216 stored in the destination node 205. It can be included. For example, when a connection event occurs from the source node 201 of the second target application 216 included in the destination node 205, the second connection control application 215 connects the second target application 216. You can decide whether it is possible or not. If the second target application 216 is accessible, the second connection control application 216 may receive a data packet from the source node 201 and send a response to the received data packet to the source node 201. You can. The second access control application 215 may control the transmission of data packets within the destination node 205 through a kernel including an operating system and a network driver.

According to an embodiment, the source node 201 and the destination node 205 may be included in the distributed network 230. For example, the controller 202 can determine whether the source node 201 and the destination node 205 can be included in the distributed network 230 and, if so, based on authentication information. Network access can be controlled so that the departure node 201 and the destination node 205 can be connected to each other.

3 is a functional block diagram showing a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for performing communication with an external electronic device (e.g., the communication circuit 430 in FIG. 4) and a processor for controlling the overall operation of the controller (e.g., FIG. It may further include 4 processors 410).

The administrator can connect to the controller 202 and set a connection-oriented policy to control the connection between the first access control application 211 and the destination node 205, so it is more detailed and safer than managing sessions at the service end. You can control network access.

The connection policy database 311 may include information about networks and/or services to which an identified network, node, or application can access. For example, when a network access request is made by the access control application 210 (e.g., the first access control application 211 and the second access control application 215), the controller 202 stores the information in the access policy database 311. Networks identified based on the policy (e.g., the network to which the source node 201 belongs, the network to which the destination node 205 belongs), nodes, and users (e.g., users of the source node 201, users of the destination node 205) ), and/or an application (e.g., the first target application 212 included in the source node 201 or the second target application 216 included in the destination node 205) to the destination (e.g., the destination node 205 ) or whether access to the source node 201) is possible. According to the embodiment, the controller 202 whitelists the first target application 212 or the second target application 216 that can be accessed through a specific service (eg, IP and port) based on the access policy database 311. can be created.

The authentication policy database 312 determines whether to authenticate a series of data packet flows related to a network connection request between the source node 201 and the destination node 205 on the connection path according to the policy, and whether to perform the authentication. In this case, you can set policies related to authentication methods. According to the embodiment, the controller 202 may generate authentication information based on the authentication policy database 312 and transmit the generated authentication information to the source node 201 or the destination node 205. In addition, the source node 201 or the destination node 205 can authenticate data packets with each other based on the received authentication information, and thus the controller 202 connects the source node 201 and the destination node 205 to each other. can be recognized.

The blacklist policy database 313 is a target (e.g., node) identified through analysis of the risk level, occurrence cycle, and/or behavior of the security event among the security events periodically collected from the source node 201 or the destination node 205. It may indicate a blacklist registration policy to block access by at least one of an identifier (ID), an IP address, a media access control (MAC) address, or a user ID).

The blacklist database 314 may include a list of targets blocked by the blacklist policy database 313. For example, if the identification information of the source node 201 or destination node 205 requesting network access is included in the blacklist database 314, the controller 202 rejects the network access request, thereby Alternatively, the destination node 205 can be isolated.

The control flow table 315 is an example of a session table for managing the flow (eg, control flow) of control data packets generated between the node 200 and the controller 202. When successfully connecting to the controller 202, control flow information may be generated by the controller 202. The control flow information may include at least one of control flow identification information, an IP address identified when connecting to and authenticating the controller, a node ID, or a user ID. For example, when connection to the destination node 205 is requested from the source node 201, the controller 202 can search for control flow information through the control flow identification information received from the source node 201, and the retrieved By mapping at least one of the IP address, node ID, or user ID included in the control flow information to the connection policy database 311, it is determined whether the source node 201 can connect to the destination node 205 and transmit a data packet. You can determine whether to create a data flow for this purpose. For another example, when connection to the source node 201 is requested from the destination node 205, the controller 202 may retrieve control flow information through control flow identification information received from the destination node 205, By mapping at least one of the IP address, node ID, or user ID included in the retrieved control flow information to the connection policy database 311, whether the destination node 205 can connect to the source node 201, data packet transmission It is possible to determine (decide) whether to create a data flow for .

According to one embodiment, a control flow may have an expiration time. The source node 201 or the destination node 205 must update the expiration time of the control flow, and if the expiration time is not updated within a certain period of time, the control flow (or control flow information) may be removed. In addition, if it is determined that immediate connection blocking is necessary according to security events collected from the source node 201 or the destination node 205, the controller 202 requests the source node 201 or the destination node 205 to terminate the connection. Depending on this, the control flow can be eliminated. When the control flow is removed, the previously created data flow is also removed, so connection to the source node 201 or the destination node 205 may be blocked. That is, when the control flow is removed, the logical connection that exists between the source node 201 and the destination node 205 may be released and data packets cannot be transmitted or received.

The data flow table 316 is a table for managing the flow (eg, data flow) in which detailed data packets are transmitted between the source node 201 and the destination node 205. Data flows can be created by TCP sessions, applications, or more granular units.

Data flow identification information (e.g., ID) to identify the data flow, identification information of the node 200, and because the application may create one or more logical connections, the data flow table 316 is based on the control flow ID. It can be managed.

In addition, the data flow table 316 includes the transmission protocol (TCP, UDP, etc.) of the data packet, the source IP and destination IP of the data packet, and authorized target information to determine whether to transmit or receive the data packet based on the port information; and status information including whether the data flow is valid.

According to the embodiment, the data flow table 316 is a series of information for inserting and checking authentication information to check whether an allowed target has transmitted a data packet. A method of inserting authentication information for each protocol (e.g., TCP In the case of TCP SYN packet insertion, in the case of UDP, insertion of authentication information for each data packet or insertion of authentication information at regular intervals (or cycles), information for encryption/decryption of authentication information, algorithm information for generating and verifying authentication information, and It may include a series of information included in the algorithm (e.g., at least one of information such as Secret Key when generating HMAC OTP) and authentication information including whether or not the source IP is authenticated.

According to the embodiment, the data flow table 316 may be equally stored in the source node 201 and the destination node 205.

The database stored in the memory 330 of the controller 202 according to another embodiment disclosed in this document may further include a group policy database 317.

The group policy database 317 is linked to the access policy database 311 to identify the argument (argument or parameter) information of the application to which the node wishes to connect, and to identify the grouped nodes where the application composes the distributed network (e.g. You can check whether you can connect to the distributed network by checking whether the application's parameter information is included in the white list (user, certificate, terminal identification information, IP information, etc.).

Figure 4 shows a functional block diagram of a node according to various embodiments.

Referring to FIG. 4 , a node may include a processor 410, memory 420, and communication circuit 430. According to one embodiment, the node may further include a display 440 to interface with the user.

The processor 410 can control the overall operation of the node. In various embodiments, the processor 410 may include one processor core (single core) or may include a plurality of processor cores. For example, the processor 410 may include multi-core, such as dual-core, quad-core, or hexa-core. Depending on embodiments, the processor 410 may further include a cache memory located internally or externally. Depending on embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or a portion of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). It can be (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420, the communication circuit 430, or the display 440. Processor 410 may generate new messages, data, instructions, or signals based on received messages, data, instructions, or signals. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420, communication circuit 430, or display 440.

The processor 410 can process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals to the memory 420 in order to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

Memory 420 may include one or more of volatile memory or non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). It can be included. Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc.

The memory 420 uses non-volatile media such as a hard disk drive (HDD), solid state disk (SSD), embedded multi media card (eMMC), and universal flash storage (UFS). More may be included.

According to one embodiment, the memory 420 may store the first target application 212 and the first access control application 211 of FIG. 2. Additionally, the memory 420 may store the second access control application 215 and the second target application 216 of FIG. 2 . The first access control application 211 and the second access control application 215 may perform control flow creation and update functions with the controller 202. To this end, the first access control application 211 and the second access control application 215 may include one or more security modules.

According to one embodiment, the memory 420 may store some of the information included in the controller's memory (eg, memory 330 in FIG. 3). For example, memory 420 may store data flow table 316 described in FIG. 3 .

The communication circuit 430 may support establishment of a wired or wireless communication connection between a node and an external electronic device (e.g., the controller 202 and the destination node 205 of FIG. 2), and performing communication through the established connection. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (e.g., a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit, a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a long-distance communication such as a cellular network, the Internet, or a computer network It can communicate with external electronic devices through a network. The various types of communication circuits 430 described above may be implemented as one chip or may be implemented as separate chips.

The display 440 can output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410. Depending on embodiments, the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving touch input, etc. When the display 440 is configured as a touch screen, a plurality of touch sensors may be placed above the display 440 or below the display 440.

A server (eg, controller) according to one embodiment may include a processor 410, memory 420, and communication circuit 430. The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

Figure 5 explains an operation for controlling transmission of data packets according to various embodiments.

Referring to FIG. 5, the first access control application 211 detects a network connection request to the destination node 205 from the first target application 212 included in the source node 201, and Alternatively, it may be determined whether the first connection control application 211 is connected to the controller 202. If the source node 201 or the first access control application 211 is not connected to the controller 202, the first access control application 211 executes a data packet in the kernel or network driver including the operating system. transmission can be blocked. Through the first access control application 211, the source node 201 can block access of malicious applications in advance at the application layer of the OSI layer.

The first target application 212 of the source node 201 must connect to the controller 202 to perform authentication, and when connecting to the destination node 205 after performing authentication, it queries the controller 202 for connection network information. It is possible to check whether connection is possible, and if connection is possible, a data packet containing authentication information can be transmitted to the destination node 205.

The destination node 205 verifies the authentication information of the data packet received from the source node 201 through the controller 202, and if it is a data packet transmitted by the authorized source node 201, sends a response data packet to the source node ( 201) can be permitted. That is, the second access control application 215 may receive a data packet from the authorized source node 201 and transmit a response to the data packet to the source node 201. On the other hand, the second access control application 215 may drop data packets received from unauthorized nodes through a process of checking authentication information or querying the controller 202.

As a result, unauthorized nodes or applications are basically unable to communicate with each other, and even if they are authorized nodes or applications, they cannot transmit and receive data packets unless they authenticate each other through the controller 202. The network access control system according to the embodiment disclosed in may provide a state in which nodes are isolated from each other before authenticating their connection to the controller 202.

Figure 6 shows a signal flow diagram for controller connection according to various embodiments.

In order for the node 200 to connect to or receive a network, it needs to be authorized by the controller 202, so the access control application 210 of the node 200 requests the controller 202 to create a control flow, thereby establishing the node ( 200), you can try to connect to the controller. According to the embodiment, the node 200 is substantially connected to the source node 201 of FIG. 2 where the first access control application 211 is installed or the destination node 205 of FIG. 2 where the second access control application 215 is installed. may be the same. That is, the access control application 210 may be substantially the same as the first access control application 211 or the second access control application 216.

Referring to FIG. 6, node 200 can detect a controller connection event. For example, when the access control application 210 is installed and executed within the node 200, the node 200 may detect that a connection to the controller 202 is requested.

At operation 605, node 200 may request controller connection to controller 202. For example, the access control application 210 may transmit identification information of the access control application 210 to the controller 202. Additionally, the access control application 210 may include identification information (e.g., terminal ID, IP address, MAC address) of the node 200, type, location, environment, identification information of the network to which the node 200 belongs, and/or the network. Random identification information generated by the system itself may be further transmitted.

In operation 610, the controller 202 may identify whether the object requesting controller connection (e.g., the access control application 210 or the node 200) can be connected. According to one embodiment, the controller 202 determines whether information received from the node 200 is included in the connection policy database 311, or determines whether the node 200, the network to which the node 200 belongs, and/or the connection It is possible to check whether the object requesting controller access can be connected based on at least one of whether the identification information of the control application 210 is included in the blacklist database 314.

If a connection is available, at operation 615 the controller 202 may create a control flow between the node 200 (or the connection control application 210) and the controller 202. In this case, the controller 202 generates control flow identification information in the form of a random number and stores the identification information of at least one of the node 200, the network to which the node 200 belongs, or the access control application 210 in the control flow table ( 315). The information stored in the control flow table 315 may be used for user authentication of the node 200, update of information of the node 200, confirmation of policy for network connection of the node 200, and/or validation.

In operation 620, the controller 202 based on the access policy database 311 and the authentication policy database 312 corresponding to the identified information (e.g., node 200, source network information to which node 200 belongs). You can create whitelist information of accessible applications. In one embodiment, controller 202 may transmit an application white list to connection control application 210 in operation 625.

At operation 625, the controller 202 may transmit control flow identification information to the node 200 in response to the controller connection request. Depending on the embodiment, if the object requesting controller connection is unconnectable or included in the blacklist, the controller 202 may transmit unconnection information in operation 625 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list created by performing operation 620 to the access control application 210.

In operation 630, the access control application 210 may perform a check on the application. For example, the access control application 210 may perform a check on applications based on a white list of accessible applications received from the controller 202. The access control application 210 can check whether an application exists (installed) on the node 200 based on accessible application information, and performs each check based on application inspection information included in the application whitelist. It can be done.

At operation 635, the access control application 210 may transmit the test results to the controller 202. For example, the access control application 210 may transmit the results of performing each test to the controller 202 based on application test information.

In operation 640, the controller 202 may perform data flow processing based on the received test result. For example, the controller 202 checks whether the application is valid based on the received application inspection result, and if it is a valid application, sets the connection policy 311 and the authentication policy ( Based on 312), a data flow that allows the node 200 to transmit data packets without a network connection request procedure can be created. According to an embodiment, the data flow includes transmission protocol information, source IP, destination IP and port information, and a method of inserting authentication information into the transmission protocol when performing data packet authentication (e.g., for TCP, TCP SYN packet insertion, UDP In the case of inserting authentication information for each data packet or inserting authentication information at regular intervals (or cycles)), information for encryption/decryption of authentication information, algorithm information for generating and verifying authentication information, a series of information included in the algorithm (e.g. When creating an HMAC OTP, information such as Secret Key, etc.), and authentication information including whether the source IP is authenticated) may be included. However, it is not necessary to include all of the above information, and the data flow may include at least one or a plurality of the above information.

At operation 645, the controller 202 may transmit the generated data flow to the node 200. According to the embodiment, if a data flow is not created, the controller 202 may transmit a connection failure result to the node 200 and not transmit the data flow.

In operation 650, the access control application 210 may process a result value according to the received response. For example, the access control application 210 may store the received control flow identification information and display a user interface screen to the user indicating that the controller connection is complete. Once the controller connection is completed, the network connection request for the destination network of the node 200 can be controlled by the controller 202.

According to another embodiment, controller 202 may determine that node 200 is unreachable. For example, if the identification information of the node 200 and/or the network to which the node 200 belongs is included in the blacklist database, the controller 202 may determine that the node 200 is inaccessible. In this case, the controller 202 may not generate a control flow in operation 615 and may transmit a response indicating that the controller connection is unavailable in operation 625. Additionally, in this case, operations 630 to 645 may not be performed. Depending on the embodiment, if a retry of controller connection is required, the connection control application 210 may perform operation 605 again.

In addition, the access control application 210 can update the data flow of the node 200 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that Afterwards, when a data packet transmission request is detected, the access control application 210 may process the data packet to be transmitted based on the received data flow.

According to an embodiment, when the connection control application 210 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

7 shows a signal flow diagram for user authentication according to various embodiments.

In order for the node 200 to be granted detailed access rights to the destination network, the access control application 210 of the node 200 may receive authentication for the user of the node 200 from the controller 202. According to the embodiment, the node 200 is substantially connected to the source node 201 of FIG. 2 on which the first access control application 211 is installed or the destination node 205 of FIG. 2 on which the second access control application 215 is installed. may be the same. That is, the access control application 210 may be substantially the same as the first access control application 211 or the second access control application 216.

Referring to FIG. 7, node 200 may receive input for user authentication. The input for user authentication may be, for example, a user input of entering a user ID and password. For another example, the input for user authentication may be a user input for stronger authentication (e.g., biometric information). In this case, in operation 705, the access control application 210 of the node 200 may request user authentication from the controller 202. If a control flow between the node 200 and the controller 202 has already been created, the access control application 210 may transmit input information for user authentication along with control flow identification information.

At operation 710, controller 202 may authenticate the user based on information received from node 200. For example, the controller 202 may store the user ID, password, and/or enhanced authentication information contained in the received information and a database contained in the memory of the controller 202 (e.g., the access policy database of FIG. 3). Based on (311) or the blacklist database (314), it can be determined whether the user can access according to the access policy and whether the user is included in the blacklist.

If the user is authenticated, in operation 715, the controller 202 may add the user's identification information (e.g., user ID) to the control flow's identification information. The added user identification information can be used to connect the authenticated user to the controller or network.

In operation 720, the controller 202 accesses the access policy database 311 and the authentication policy database 312 corresponding to the identified information (e.g., node 200, source network information to which node 200 belongs). Whitelist information of possible applications can be created. In one embodiment, controller 202 may transmit an application white list to connection control application 210 in operation 725.

In operation 725, the controller 202 may transmit information indicating that the user is authenticated to the node 200 in response to the user authentication request. In one embodiment, the controller 202 may transmit the application white list created by performing operation 720 to the access control application 210.

In operation 730, the access control application 210 may perform a check on the application. For example, the access control application 210 may perform a check on applications based on a white list of accessible applications received from the controller 202. The access control application 210 can check whether an application exists (installed) on the node 200 based on accessible application information and performs each check based on application inspection information included in the application whitelist. It can be done.

At operation 735, the access control application 210 may transmit the test results to the controller 202. For example, the access control application 210 may transmit the results of performing each test to the controller 202 based on application test information.

In operation 740, the controller 202 may perform data flow processing based on the received test results. For example, the controller 202 checks whether the application is valid based on the received application inspection result, and if it is a valid application, sets the connection policy 311 and the authentication policy ( Based on 312), a data flow that allows the node 200 to transmit data packets without a network connection request procedure can be created. According to the embodiment, the data flow includes transmission protocol information, source IP, destination IP and port information, and a method of inserting authentication information into the transmission protocol when performing data packet authentication (e.g., for TCP, TCP SYN packet insertion, UDP In the case of inserting authentication information for each data packet or inserting authentication information at regular intervals (or cycles)), information for encryption/decryption of authentication information, algorithm information for generating and verifying authentication information, a series of information included in the algorithm (e.g. When creating an HMAC OTP, information such as Secret Key, etc.), and authentication information including whether the source IP is authenticated) may be included. However, it is not necessary to include all of the above information, and the data flow may include at least one or a plurality of the above information.

At operation 745, the controller 202 may transmit the generated data flow to the node 200.

In operation 750, the access control application 210 may process a result value according to the received response. For example, the access control application 210 may store the received control flow identification information and display a user interface screen to the user indicating that user authentication is complete. Once user authentication is completed, the node 200's network connection request for the destination network may be controlled by the controller 202.

According to another embodiment, the controller 202 may determine that user authentication of node 200 is not possible. For example, if the identification information of node 200 and/or the network to which node 200 belongs is included in the blacklist database, the controller 202 may determine that node 200 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect the user identification information in operation 715 and may transmit a response indicating that controller access is not possible in operation 725. Additionally, in this case, operations 730 to 745 may not be performed.

In addition, the access control application 210 can update the data flow of the node 200 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that

According to an embodiment, when the connection control application 210 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

Figure 8 shows a signal flow diagram for certificate authentication according to various embodiments.

The node 200 may perform user authentication through a UI (User Interface), but in the case of the node 200 operating in the form of a server, authentication may be performed based on a previously issued certificate rather than user authentication without a UI. It may be possible. In this case, the node 200 must be able to perform authentication based on a certificate in a situation where there is no UI. According to the embodiment, the node 200 is substantially connected to the source node 201 of FIG. 2 on which the first access control application 211 is installed or the destination node 205 of FIG. 2 on which the second access control application 215 is installed. may be the same. That is, the access control application 210 may be substantially the same as the first access control application 211 or the second access control application 216.

In operation 805, the access control application 210 of the node 200 transmits an electronic signature generated based on a previously issued certificate or related authentication information to the controller 202 after creating a control flow with the controller 202. You can request certificate authentication.

At operation 810, controller 202 may verify certificate authentication. For example, the controller 202 determines whether the access control application 210 has a certificate that allows access based on information requested for authentication (e.g., electronic signature and authentication information by certificate, etc.) and whether it is included in the blacklist 314. You can check whether the certificate requested for authentication is blocked. According to an embodiment, when connection is impossible or the certificate is included in the blacklist, the controller 202 may transmit connection inaccessibility information to the node 200 (operation 825).

In operation 815, if the certificate is accessible, the controller 202 may search for a control flow corresponding to the transmitted control flow identification information and add the certificate identification information to the searched control flow. According to an embodiment, the controller 202 may return a certificate authentication completion status and access policy information of the authenticated certificate to the node 200 as a result of certificate authentication (operation 825).

In operation 820, the controller 202 accesses the access policy database 311 and the authentication policy database 312 corresponding to the identified information (e.g., node 200, source network information to which node 200 belongs). Whitelist information of possible applications can be created. In one embodiment, controller 202 may transmit an application white list to connection control application 210 in operation 825.

In operation 825, the controller 202 may transmit information indicating that the user is authenticated to the node 200 in response to the user authentication request. In one embodiment, the controller 202 may transmit the application white list created by performing operation 820 to the access control application 210.

In operation 830, the access control application 210 may perform a check on the application. For example, the access control application 210 may perform a check on applications based on a white list of accessible applications received from the controller 202. The access control application 210 can check whether an application exists (installed) on the node 200 based on accessible application information and performs each check based on application inspection information included in the application whitelist. It can be done.

At operation 835, the access control application 210 may transmit the test results to the controller 202. For example, the access control application 210 may transmit the results of performing each test to the controller 202 based on application test information.

In operation 840, the controller 202 may perform data flow processing based on the received test results. For example, the controller 202 checks whether the application is valid based on the received application inspection result, and if it is a valid application, sets the connection policy 311 and the authentication policy ( Based on 312), a data flow that allows the node 200 to transmit data packets without a network connection request procedure can be created. According to the embodiment, the data flow includes transmission protocol information, source IP, destination IP and port information, and a method of inserting authentication information into the transmission protocol when performing data packet authentication (e.g., for TCP, TCP SYN packet insertion, UDP In the case of inserting authentication information for each data packet or inserting authentication information at regular intervals (or cycles)), information for encryption/decryption of authentication information, algorithm information for generating and verifying authentication information, a series of information included in the algorithm (e.g. When creating an HMAC OTP, information such as Secret Key, etc.), and authentication information including whether the source IP is authenticated) may be included. However, it is not necessary to include all of the above information, and the data flow may include at least one or a plurality of the above information.

At operation 845, the controller 202 may transmit the generated data flow to the node 200.

In operation 850, the access control application 210 may process a result value according to the received response. For example, the access control application 210 may store the received control flow identification information and display a user interface screen to the user indicating that user authentication is complete. Once user authentication is completed, the node 200's network connection request for the destination network may be controlled by the controller 202.

According to another embodiment, the controller 202 may determine that user authentication of node 200 is not possible. For example, if the identification information of node 200 and/or the network to which node 200 belongs is included in the blacklist database, the controller 202 may determine that node 200 is inaccessible and certificate authentication is not possible. . In this case, the controller 202 may not reflect the certificate identification information in operation 815 and may transmit a response indicating that the controller connection is impossible in operation 825. Additionally, in this case, operations 830 to 845 may not be performed.

In addition, the access control application 210 can update the data flow of the node 200 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that

According to an embodiment, when the connection control application 210 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

Figure 9 shows a signal flow diagram for network access according to various embodiments.

After the source node 201 is authorized by the controller 202, the source node 201 connects to the network of other applications stored in the source node 201 through the first access control application 211 of the source node 201. By controlling, trusted data transmission can be guaranteed. According to the embodiment, the source node 201 may be substantially the same as the source node 201 of FIG. 2 where the first access control application 211 is installed.

Referring to FIG. 9, in operation 905, the first connection control application 211 may detect a network connection event of another application (e.g., the first target application 212 in FIG. 2) stored in the source node 201. there is.

In operation 910, the first access control application 211 may confirm the existence of a data flow corresponding to the identification information, destination network identification information, and port information of the application requesting network access. Depending on the embodiment, if a data flow exists but is not valid, the first access control application 211 may drop the data packet. According to another embodiment, when a data flow exists, the first access control application 211 may transmit a data packet based on the data flow. According to an embodiment, the first access control application 211 of the source node 201 may perform a network connection request in operation 915 without performing operation 910.

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time has expired and needs to be updated, in operation 915, the first access control application 211 may request a network connection to the controller 202. . For example, a network connection request may include control flow identification information, identification information of the destination network, and port information.

According to another embodiment disclosed in this document, the first connection control application 211 of the source node 201 may further transmit a specified parameter value to the controller 202 when executing the target application and perform a network connection request. (Action 915). In this case, the controller 202 registers the specified parameter value when executing the target application based on the group policy (group policy database 318 in FIG. 3) constituting the distributed network corresponding to the identification information of the destination node 205. You can check whether connection is possible by checking whether the target is connected (operation 920),

Therefore, through the above operation, the source node 201 and the controller 202 according to another embodiment disclosed in this document can be controlled to participate in a plurality of distributed networks with one application. Additionally, the controller 202 When executing an application participating in a distributed network, a command containing information about the distributed network group desired to participate is identified, and according to that information, the source node 201 communicates with the destination node 205 participating in the identified distributed network. You can control it so that you can do it.

In operation 920, the controller 202 collects the connection request identification information (e.g., identification information of the destination node) from the connection policy corresponding to the identified information (e.g., node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination node 205 is accessible can be checked. According to the embodiment, the controller 202 may check whether the target application can connect to the destination node 205. Depending on the embodiment, when network connection is impossible, the controller 202 may transmit a connection failure result to the first connection control application 211 of the source node 201 (operation 930).

According to the embodiment, in operation 920, the controller 202 may identify the destination node 205 to which the source node 201 wishes to connect based on IP. In this case, since there is a problem of not being able to identify the exact destination node 205 in an environment where a sub-network is configured due to the nature of IP, the controller 202 uses IP White Paper to configure the distributed network as the minimum condition for configuring the distributed network. You can check whether access is possible from the perspective of the access policy for configuring a distributed network, such as a list or blacklist of IP addresses that cannot access the distributed network, and a whitelist of applications that can access the distributed network.

If connection is possible, in operation 925, the controller 202 checks whether the data packet is authenticated and the authentication method in the authentication policy database 312 to connect to the destination node 205, and selects a valid accessible data flow from the data flow table. You can check the information.

According to the embodiment, when there is no available valid data flow information, the controller 202 performs data packet authentication by transmission protocol information, source IP, destination IP and port information, and authentication policy, and authenticates the transmission protocol using authentication information. Insertion method (e.g., for TCP, TCP SYN packet insertion, for UDP, insertion of authentication information for each data packet or insertion of authentication information at regular intervals (or cycles), etc.), information for encryption and decryption of authentication information, and generation of authentication information And algorithm information for verification and a series of information included in the algorithm (e.g. information such as Secret Key when generating HMAC OTP), generate authentication information including whether the source node (201) IP is authenticated, and include the authentication information. Data flow information can be created. When a data flow is created, the controller 202 may transmit the generated data flow to the source node 201 (operation 930).

According to an embodiment, when a valid data flow exists, the controller 202 may transmit the data flow to the source node 201 without creating the data flow.

In operation 935, the first access control application 211 of the source node 201 may process a result value for the response received from the controller 202. For example, when the first access control application 211 receives a network connection unavailable result from the controller 202, it may drop the data packet that the target application wants to transmit. For another example, when a data flow is received from the controller 202, the first access control application 211 may transmit a data packet based on the received data flow. In this case, the first access control application 211 may update the existing data flow with the received data flow.

FIG. 10 illustrates an operation flowchart for data packet transmission by a source node according to various embodiments. According to the embodiment, the operations shown in FIG. 10 may be performed through the first access control application 211 of the source node 201 of FIG. 2. According to another embodiment disclosed in this document, the operations shown in FIG. 10 may be performed through the second access control application 215 of the destination node 205.

After requesting a network connection, the source node 201 transmits a data packet to the destination node 205 and includes authentication information in the data packet to allow the destination node 205 to confirm that the data packet received from the source node 201 is normal. can be inserted.

In operation 1005, the first access control application 211 may detect a data packet transmission event of the target application.

In operation 1010, the first access control application 211 sets the transmission protocol of the data packet transmitted when the data packet is transmitted after the first network connection is permitted from the controller 202, the destination node ( You can check whether a data flow corresponding to the IP, port, and application of 205) exists. According to an embodiment, when no data flow exists, the first access control application 211 may drop a data packet (operation 1015).

If a valid data flow exists, in operation 1020, the first access control application 211 may check the type of data packet. For example, the first connection control application 211 may check whether the data packet is a TCP data packet or a UDP data packet, and if the data packet is a TCP data packet, perform TCP data packet processing (operation 1025), , If the data packet is a UDP data packet, UDP data packet processing (operation 1055) can be performed.

According to the embodiment, when the data packet is a TCP session creation data packet, the first connection control application 211 may insert authentication information into the TCP SYN packet and transmit the data packet (operations 1030 and 1045). For example, the operation of inserting authentication information can be performed through the operation shown in FIG. 11.

According to the embodiment, when receiving a TCP session creation complete data packet from the destination node 205 after transmitting the TCP SYN packet, the first connection control application 211 sends the status information of the data flow corresponding to the data packet to the TCP session. You can change the status to creation completed so that TCP-based data packets can be transmitted.

According to the embodiment, when the data packet is a TCP session end data packet, the first connection control application 211 changes the status information of the data flow to the TCP session creation end state to transmit a TCP-based data packet (real data packet). and transmit a TCP session termination data packet (operations 1035 and 1045).

According to the embodiment, if the data packet is a TCP-based data packet (real data packet), the first connection control application 211 may check whether the TCP session has been created from the status information of the data flow (operation 1040). For example, when TCP session creation is completed, the first connection control application 211 may transmit a data packet (operation 1045). For another example, when TCP session creation is not completed, the first connection control application 211 may drop a data packet (operation 1050).

According to the embodiment, when the data packet is a UDP-based data packet, the first access control application 211 checks whether the data packet requires authentication, and if authentication is required, inserts authentication information into the data packet and transmits it (operation 1060). , 1065), if authentication is not required, the data packet can be transmitted without inserting authentication information (operation 1065). According to an embodiment, inserting authentication information may be performed through the operation shown in FIG. 11.

According to the embodiment, the authentication information inserted into the data packet can be used by the destination node 205 to check whether the authentication information is normal with the controller 202 and respond if it is normal.

FIG. 11 illustrates an operation flowchart for inserting authentication information into a data packet of a source node according to various embodiments.

According to another embodiment disclosed in this document, the operations shown in FIG. 11 may be performed through the second access control application 215 of the destination node 205.

The first access control application 211 of the source node 201 inserts authentication information into the data packet and transmits it to the destination node 205, thereby establishing a trusted relationship with the destination node 205 through the authentication information generated by the controller 202. A network connection can be established.

In operation 1105, the first access control application 211 of the source node 201 may detect a data packet authentication information insertion event. For example, the first access control application 211 may detect a data packet authentication information insertion event through operations 1030 and 1060 of FIG. 10.

According to the embodiment, when a data packet authentication information insertion event occurs, the first access control application 211 may use the authentication information of the data flow to check whether to transmit after inserting the authentication information into the data packet, If there is no need to insert authentication information, the data packet can be transmitted without performing operations 1110 to 1120 (operation 1125).

In operation 1110, the first access control application 211 may generate authentication information. For example, the first access control application 211 may check the authentication information included in the data flow corresponding to the data packet and generate authentication information through the authentication information generation algorithm and additional information included in the authentication information. .

In operation 1115, the first access control application 211 may encrypt authentication information. For example, the first access control application 211 may encrypt the authentication information generated using the encryption algorithm and encryption key of the authentication information included in the data flow.

In operation 1120, the first access control application 211 may insert a data flow header combining encrypted authentication information and data flow identification information into a data packet according to the authentication information insertion method.

According to the embodiment, the first connection control application 211 may insert the corresponding data flow header into the payload of the TCP SYN data packet when the transmission protocol is TCP.

According to an embodiment, the first access control application 211 may insert the corresponding data flow header into the payload of a UDP data packet when the transmission protocol is UDP.

According to the embodiment, in the case of UDP data packets, the first access control application 211 inserts a data flow header in every UDP data packet, inserts a data flow header in units of certain data packets or time units, or inserts a data flow header in units of certain data packets or time units, or inserts a data flow header in the case of UDP data packets. The data flow header can be inserted according to the authentication information insertion method, such as inserting the data flow header at the start point.

When data flow header insertion is completed, the first access control application 211 may transmit a data packet (operation 1125).

FIG. 12 illustrates an operation flowchart for receiving a network connection request from a destination node according to various embodiments. The operations shown in FIG. 12 may be performed through the second access control application 215 of the destination node 205 of FIG. 2. According to another embodiment disclosed in this document, the operations shown in FIG. 12 may be performed through the first access control application 211 of the source node 201.

When the destination node 205 receives a data packet requesting network access from the source node 201, it can process the data packet based on the type of the data packet.

In operation 1205, the second connection control application 215 of the destination node 205 may receive a data packet for a network connection request from the source node 201.

In operation 1210, the second access control application 215 may check whether a data flow exists based on the transport protocol, destination IP, and destination port information included in the 5 Tuples information of the IP (Internet Protocol) corresponding to the data packet. . According to an embodiment, if no data flow exists, the second access control application 215 may drop the data packet.

If a valid data flow exists, the second access control application 215 may check the type of data packet in operation 1215. For example, the second access control application 215 may process the data packet through operation 1220 if the data packet is a TCP-based data packet, and may process the data packet through operation 1235 if the data packet is a UDP-based data packet.

According to the embodiment, when the data packet is a TCP Session creation data packet, the second access control application 215 may perform a data packet authentication information inspection step. The data packet authentication information checking step can be performed through the operations shown in FIG. 13.

According to the embodiment, if the data packet is not a TCP Session creation data packet, the second access control application 215 may forward the data packet.

According to the embodiment, when the data packet is a UDP-based data packet, the second access control application 215 may perform a data packet authentication information inspection step. The data packet authentication information checking step can be performed through the operations shown in FIG. 13.

Figure 13 shows a signal flow diagram for checking data packet authentication information of a destination node according to various embodiments.

The destination node 205 requests the controller 202 to inspect the authentication information included in the received data packet, and based on the inspection result, determines whether the target sending the data packet is authenticated by the controller 202. can be identified. Additionally, the controller 202 may recognize that a connection is established with the destination node 205 when the destination to which the data packet is transmitted is an authenticated destination.

In operation 1305, the second access control application 215 may detect a data packet authentication information check event. In this case, the second access control application 215 may check whether the data packet requires verification of authentication information from the authentication information of the data flow corresponding to the data packet. According to an embodiment, when verification of authentication information is not necessary, the second access control application 215 may transmit a response to the received data packet.

If verification of authentication information is required in operation 1310, the second access control application 215 may check whether authentication information is inserted into the data packet. For example, in the case of a TCP data packet, the second access control application 215 may check whether a data flow header is inserted into the payload information of the TCP SYN packet according to the transmission protocol. For another example, in the case of UDP data packets, the second access control application 215 may check whether a data flow header is inserted in each data packet according to a check method included in the authentication information.

If authentication information is included, in operation 1315, the second access control application 215 may request the controller 202 to check authentication information. For example, the second access control application 215 may request data flow header inspection to the controller 202 based on control flow identification information, data flow header (authentication information), source IP, and port.

According to an embodiment, the second access control application 215 may wait without transmitting a response data packet to the source node 201 until the data flow header inspection request is completed.

At operation 1320, the controller 202 generates a data flow header in a connection policy that matches information identified on the control flow (destination node 205, application, source node 201 information, etc.) corresponding to the control flow identification information. It is possible to check whether the identification information requested for inspection (transmission protocol, source IP and port information, etc.) is included and whether a data flow corresponding to the data flow identification information included in the data flow header exists. According to an embodiment, if a data flow does not exist, the controller 202 may transmit an authentication information check failure result to the destination node 205 (operation 1325).

If a data flow exists, the controller 202 may decrypt the authentication information through an authentication information decryption algorithm and a decryption key included in the authentication information of the data flow in order to check the authentication information included in the data flow header.

Additionally, if decryption is successful, the controller 202 can check whether the decrypted authentication information is valid based on the authentication information check algorithm or related information included in the authentication information of the data flow. According to an embodiment, if the authentication information is invalid, the controller 202 may transmit an authentication information check failure result to the destination node 205 (operation 1325).

If the authentication information is valid, the controller 202 updates the data flow status and the identification information of the destination node on the data flow to allow a connection between the source node 201 and the destination node 205, and sends the updated data flow. Information may be transmitted to the destination node 205 (operation 1325). Accordingly, the controller 202 can recognize the connection between the destination node 205 and the source node 201.

In operation 1330, the second access control application 215 may process a result value of the response received from the controller 202. For example, if the data flow header inspection request is successful, the second access control application 215 can be updated with the data flow received from the controller so that a response data packet for the data packet transmitted from the source node can be transmitted. there is. For another example, if the data flow header inspection request fails, the second access control application 215 may remove the data flow.

When updating the data flow in operation 1320, the controller 202 according to another embodiment disclosed in this document may update authentication information included in the data flow information generated when the source node 201 requests network connection. For example, the controller 202 inserts authentication information of the corresponding transmission protocol to generate authentication information to be included when the destination node 205 transmits a network connection request response and related data packets to the source node 201. method (e.g., in the case of TCP, inserting a TCP SYN packet, in the case of UDP, inserting authentication information for each data packet or inserting authentication information at regular intervals (or cycles), etc., information for encrypting and decrypting authentication information, and generating and verifying authentication information. The data flow can be updated to include algorithm information for and a series of information included in the algorithm (e.g. information such as Secret Key when generating HMAC OTP). In this case, the destination node 205 receiving the updated data flow performs the operations included in FIGS. 10 and 11 based on the authentication information included in the updated data flow and inserts the authentication information into the response data packet, A response data packet containing authentication information may be transmitted to the source node 201.

FIG. 14 illustrates an operation flowchart for responding to a network connection request from a destination node according to various embodiments.

The destination node 205 performs a data flow check when responding to a network connection request from the source node 201, and can transmit a data packet only when the data flow is updated through the operation shown in FIG. 13. In operation 1405, the second access control application 215 may detect an event for transmitting a response to a network connection request transmitted from the source node 201 and a related data packet.

In operation 1410, the second access control application 215 may check whether a data flow corresponding to the transmission protocol, destination IP, port, and application of the responded data packet exists.

According to an embodiment, the second access control application 215 may drop the data packet if the data flow does not exist or the data flow is invalid (operation 1420).

In operation 1410, if a data flow exists and the data flow status is standby, the data packet is stored, and then the second access control application 215 transmits the stored data packet when the data flow status becomes normal (operation 1415). You can. For example, a case where the data flow state becomes normal may include a case where the controller 202 transmits an updated data flow through the operation of FIG. 13.

According to an embodiment, if a data flow exists and the state of the data flow is normal, the second access control application 215 may transmit a data packet (operation 1415).

According to another embodiment disclosed in this document, the second access control application 215 of the destination node 205 inserts authentication information based on the operations shown in FIGS. 10 and 11 instead of the operations shown in FIG. 14. It may also be transmitted to the source node 201.

Figure 15 shows a signal flow diagram for receiving a network connection request response from a source node according to various embodiments.

When the first access control application 211 of the source node 201 receives a response to the network connection request from the destination node 205, it asks the controller 202 whether it is a normal response based on the received data packet, and Based on the result, a data packet can be transmitted to the destination node 205.

In operation 1505, the first access control application 211 may receive a response to the network access request. For example, the source node 201 may receive a response data packet from the destination node 205.

In operation 1510, the first access control application 211 may check the transmission protocol of the received data packet, identification information of the destination node 205, and whether a data flow corresponding to the port exists.

If a data flow exists, in operation 1515, the first access control application 211 may request the controller 202 to inspect the data flow. For example, a data flow inspection request may include control flow identification information and data flow identification information.

At operation 1520, controller 202 may inspect the data flow. For example, the controller 202 identifies a request for data flow inspection in a connection policy matched with information identified on the control flow (source node 201, application, source network information, etc.) corresponding to the control flow identification information. Based on the inclusion of information (transmission protocol, destination node IP (205) and port information, etc.) and data flow identification information, whether the corresponding data flow exists in the data flow table and whether the corresponding data flow is determined by the destination node (205) You can check whether it has been updated. According to the embodiment, if a data flow does not exist, the controller 202 transmits a data flow check failure result to the source node 201 (operation 1525).

According to an embodiment, when an updated data flow does not exist, the controller 202 deletes the data flow corresponding to the data flow identification information and transmits a data flow check failure result to the source node 201 (operation 1525). .

According to an embodiment, if a valid data flow exists and the identification information of the destination node 205 is updated in the valid data flow, the controller 202 transmits a successful data flow check result (operation 1525).

In operation 1530, the first access control application 211 may process a result value of the response received from the controller 202. For example, if the data flow check result is failure, the first access control application 211 may remove the data flow so that data packets cannot be transmitted to the destination node 205. For another example, if the data flow check result is successful, the first access control application 211 may update the status of the data flow so that the data packet can be transmitted to the destination node 205.

According to the embodiment, when corresponding to a data flow, the first access control application 211 may allow a logical connection between the source node 201 and the destination node 205 and process data packets based on the logical connection. .

According to another embodiment disclosed in this document, the source node 201 does not perform the operations shown in FIG. 15, but performs the operations shown in FIG. 12 to receive the data packet of the destination node 205, and You can check the authentication information included in the data packet. The operation of checking the authentication information included in the data packet at the source node 201 can be performed through the operations shown in FIG. 22.

Figure 16 shows a signal flow diagram for control flow update according to various embodiments.

Referring to FIG. 16, at operation 1605, the access control application 210 may detect a control flow update event.

In operation 1610, the access control application 210 may request a control flow update from the controller 202 based on control flow identification information.

In operation 1615, the controller 202 may check whether a control flow exists in a control flow table (e.g., control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (e.g., when the connection is disconnected by another security system, when the connection is disconnected due to its own risk detection, etc.), the controller 202 determines that the connection of the node 200 is valid. Since this is not done, a connection failure result can be transmitted to the access control application 210 (operation 1620).

According to the embodiment, the controller 202 determines whether the data flow information stored in the node 200 is valid, or determines whether the data flow is removed by another node (the source node 201 or the destination node 205) or unusable data is released. It is possible to check whether the flow, the second target application of the destination node 205, the service port cannot be received, etc.) are in an invalid state. In addition, when the controller 202 manages the validity of the data flow by synchronizing the availability of data flow access and reception in the controller 202 in an asynchronous manner, the node 200 sends a data packet for updated data flow status information, etc. Data flow update information for transmission or reception can be transmitted.

According to an embodiment, the controller 202 may return the corresponding data flow information when re-authentication must be performed among the data flows or when there is a data flow that is no longer accessible (operation 1620).

In operation 1625, the access control application 210 of the node 200 may process a result of the response received from the controller 202. For example, if the control flow update result is impossible, the access control application 210 may block all network connections of the application. For another example, the access control application 210 may update the data flow if the control flow update result is normal and updated data flow information exists.

17 shows a signal flow diagram for disconnection according to various embodiments.

Referring to FIG. 17, in operation 1705, the node 200 terminates the node 200, terminates the access control application 210, terminates the target application, no longer uses the network connection, and collects information identified from the interworking system. Based on , at least one of the connection termination requests can be detected. In this case, in operation 1710, the node 200 or the access control application 210 may request the controller 202 to remove the control flow.

At operation 1715, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1720, the controller 202 may remove all data flows dependent on the removed control flow. Accordingly, node 200 can no longer access the destination network based on the removed data flow.

Figure 18 shows a signal flow diagram for terminating application execution according to various embodiments.

Referring to FIG. 18, in operation 1805, the access control application 210 of the node 200 can check in real time whether the running application is terminated and detect an application execution termination event.

Depending on the embodiment, the access control application 210 may check whether a data flow corresponding to the terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.

In operation 1810, the access control application 210 may request data flow removal from the controller 202. For example, the access control application 210 may transmit identification information of a terminated application or identification information of a data flow corresponding to the terminated application to the controller 202 and perform a data flow removal request.

At operation 1815, the controller 202 may delete the data flow for which removal has been requested.

Figure 19 is an operation flowchart showing a method of operating an access control application included in a source node according to various embodiments. The operations shown in FIG. 19 may be performed through the first access control application 211 included in the source node 201 of FIG. 2.

In operation 1905, the first access control application 211 inserts authentication information into the data packet of the target application based on the transmission protocol of the data packet of the target application and the authentication information included in the data flow authorized from the external server to the destination node. It can be sent to .

In operation 1910, the first access control application 211 may receive a response to the data packet from the destination node and check whether the response to the data packet corresponds to the data flow.

In operation 1915, if the response to the data packet corresponds to the data flow, the first access control application 211 may update the data flow by checking whether the identification information of the destination node has been updated in the data flow in the external server.

In operation 1920, the first access control application 211 may transmit a data packet of the target application based on the updated data flow.

According to the embodiment, the authentication information inserted into the data packet may be used when the destination node 205 checks whether the authentication information is normal with an external server and when the external server updates the data flow.

Figure 20 is an operation flowchart showing a method of operating a connection control application included in a destination node according to various embodiments. The operations shown in FIG. 20 may be performed through the second access control application 215 included in the destination node 205 of FIG. 2.

At operation 2005, the second connection control application 215 may receive a data packet from the source node.

In operation 2010, the second access control application 215 may confirm the existence of a data flow that corresponds to the data packet and is authorized from an external server.

In operation 2015, the second access control application 215 may check whether the data packet includes authentication information.

In operation 2020, the second access control application 215 may request an external server to check authentication information included in the data packet.

In operation 2025, the second access control application 215 may receive an authentication information check result from an external server. If the authentication information check is successful, the second access control application 215 may receive a data flow with updated identification information of the destination node.

In operation 2030, the second access control application 215 may transmit a response to the received data packet to the source node based on the updated data flow.

Figure 21 is an operation flowchart showing a server operation method according to various embodiments. The operations shown in FIG. 21 may be performed through the controller 202 of FIG. 2.

In operation 2105, the server may receive a network connection request including the IP of the destination node from the source node.

In operation 2110, the server may check whether the source node is accessible based on whether the IP of the destination node constitutes a distributed network based on the database.

In operation 2115, the server may create a data flow including first authentication information for accessing the destination node based on the database and transmit it to the source node.

In operation 2120, the server may receive an authentication information check request including the IP of the source node and the second authentication information from the destination node.

In operation 2125, the server may update the identification information of the destination node in the data flow corresponding to the second authentication information based on whether the data flow corresponding to the second authentication information exists and whether the second authentication information is valid.

In operation 2130, the server may transmit a data flow with updated identification information of the destination node to the destination node.

Figure 22 is an operational flowchart showing a method of checking authentication information included in a data packet received from a destination node at a source node according to another embodiment disclosed in this document.

Through the operations shown in FIG. 22, the source node according to another embodiment disclosed in this document checks the authentication information included in the response data packet received from the destination node to determine whether the response data packet is a data packet authorized by the controller 202. , it is possible to check whether the destination node 205 is authorized by the controller 202.

According to an embodiment, the destination node 205 may receive a data flow including authentication information from the controller 202 through an operation disclosed as an additional embodiment in FIG. 13, and may receive a data flow including authentication information in the received data flow. Based on this, authentication information can be inserted into the response data packet and transmitted to the source node 201 through the operations shown in FIGS. 10 and 11. In this case, the source node 201 processes the response data packet received from the destination node 205 through the operations shown in FIG. 12, and then authenticates the authentication information included in the response data packet through the operations shown in FIG. 22. can be inspected.

Referring to FIG. 22, in operation 2205, the first access control application 211 of the source node 201 may check whether authentication information included in the response data packet received from the destination node 205 should be checked. . For example, the first access control application 211 may check whether authentication information of the received response data packet needs to be checked from the authentication information included in the data flow corresponding to the received response data packet.

If verification of authentication information is necessary, in operation 2210, the first access control application 211 may check whether authentication information (data flow header) is inserted in the response data packet. According to the embodiment, the first access control application 211 may check the payload information of the TCP SYN ACK packet if the response data packet is a TCP data packet. According to another embodiment, if the response data packet is a UDP data packet, the first access control application 211 checks whether the data flow header is inserted for every data packet according to the check method included in the authentication information, or checks whether the data flow header is inserted at a certain period or data packet. Depending on the number of transmissions, the data flow header of the data packet can be inspected. If the data flow header is not present in the response data packet, the first access control application 211 may remove the data flow corresponding to the response data packet (operation 2235).

If a data flow header is present in the response data packet, in operation 2215, the first access control application 211 may check whether a corresponding data flow exists based on data flow identification information included in the data flow header. According to the embodiment, if the corresponding data flow does not exist based on the data flow identification information, or if the corresponding data flow exists but is not valid, the first access control application 211 creates the data flow corresponding to the response data packet. May be removed (Operation 2235).

If the data flow corresponding to the data flow identification information exists and is valid, the first access control application 211 sends the data flow corresponding to the data flow identification information and the destination IP included in the data flow corresponding to the existing response data packet, You can check whether the port, transmission protocol information, etc. are the same. If the confirmation results are different, the first access control application 211 may remove the data flow corresponding to the response data packet (operation 2235).

If the information included in the data flow is the same, in operation 2220, the first access control application 211 decrypts the authentication information included in the data flow header based on the authentication information included in the data flow corresponding to the data flow identification information. can do. For example, the first access control application 211 may decrypt the authentication information through an authentication information decryption algorithm and a decryption key included in the authentication information included in the data flow corresponding to the data flow identification information. If decryption of the authentication information fails, the first access control application 211 may remove the data flow corresponding to the response data packet (operation 2235).

If decryption is successful, in operation 2225, the first access control application 211 determines whether the authentication information decrypted by the authentication information check algorithm or related information included in the authentication information included in the data flow corresponding to the data flow identification information is valid. You can check whether it was done or not. If the authentication information is invalid, the first access control application 211 may remove the data flow corresponding to the response data packet (operation 2235).

If the authentication information is valid, in operation 2230, the first access control application 211 may update the data flow to enable communication between the destination node 205 and the source node 201.

The above description is merely an illustrative explanation of the technical idea disclosed in this document, and those skilled in the art in the technical field to which the embodiments disclosed in this document belong will understand without departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Accordingly, the embodiments disclosed in this document are not intended to limit the technical ideas disclosed in this document, but rather to explain them, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The scope of protection of the technical ideas disclosed in this document shall be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope shall be interpreted as being included in the scope of rights of this document.

Claims (18)

In the node,
communication circuit; a processor operatively connected to the communication circuit; and a memory operatively coupled with the processor, storing a target application and a connection control application, the memory configured to cause the node to:
Through the access control application, insert authentication information into the data packet of the target application based on the transmission protocol of the data packet of the target application and authentication information included in the data flow authorized from an external server and transmit it to the destination node,
Receive a response to the data packet from the destination node, and check whether the response to the data packet corresponds to the data flow,
Transmits identification information of the data flow corresponding to the response of the destination node to the external server, and checks whether the status of the data flow corresponding to the identification information of the data flow has been updated by the destination node in the external server. Check whether authentication for creating a logical connection between the node and the destination node is normal,
If the response to the data packet corresponds to the data flow and the authentication for creating a logical connection between the node and the destination node is normal, a logical connection between the node and the destination node is allowed and data is generated based on the logical connection. configured to process packets,
The authentication information inserted into the data packet from the node is used by the destination node to check whether the authentication information is normal with the external server and respond if it is normal,
The second authentication information inserted into the data packet by the destination node is used by the node to check with the external server whether the authentication of the destination node is normal,
A node storing instructions, wherein the data flow is used to configure a distributed network including the node and the destination node. The method of claim 1, wherein the commands cause the node to:
Determine whether authentication information needs to be inserted into the data packet of the target application based on authentication information included in the data flow through the access control application,
If insertion of the authentication information is necessary, generate authentication information to be inserted based on the authentication information included in the data flow,
A node configured to encrypt the generated authentication information and insert a data flow header combined with identification information of the data flow into the data packet. The method of claim 2, wherein the commands cause the node to:
If the transport protocol is TCP, insert the data flow header into the payload of a TCP SYN packet through the connection control application,
When the transport protocol is UDP, it is determined whether to insert the data flow header for every UDP packet based on the authentication information included in the data flow or to insert the data flow header on a certain UDP packet basis or on a time basis, and then insert the data flow header into the UDP packet. A node configured to insert the data flow header into a payload. The method of claim 1, wherein the commands cause the node to:
If the data packet of the target application is a TCP session creation data packet through the connection control application, insert the authentication information into a TCP SYN packet,
A node configured to change the state of the data flow to a TCP session creation complete state when receiving a TCP session creation complete data packet from the destination node to enable transmission of a TCP session-based data packet. The method of claim 4, wherein the commands cause the node to:
If the data packet of the target application is a TCP session termination data packet through the connection control application, change the state of the data flow to a TCP session termination state to disable transmission of TCP session-based data packets,
A node configured to transmit the TCP session termination data packet to the destination node. The method of claim 1, wherein the commands cause the node to:
Performing a network connection request including the IP of the destination node and the transport protocol to the external server through the access control application,
A node that receives a data flow including network connectivity and the authentication information from the external server, wherein network connectivity is determined based on whether the IP of the destination node constitutes a distributed network. The method of claim 1, wherein the commands cause the node to:
Request a connection to the external server through the access control application and, if connection is possible, receive control flow identification information,
Transmitting the electronic signature or related authentication information generated based on the certificate together with the control flow identification information to the external server,
A node that receives an authentication result from the external server. The method of claim 1, wherein the commands cause the node to:
If the response to the data packet corresponds to the data flow, the external server checks whether the identification information of the destination node has been updated in the data flow and updates the data flow,
Node configured to transmit data packets of the target application based on the updated data flow. delete delete delete delete On the server,
communication circuit;
a processor operatively connected to the communication circuit; and
a memory operatively connected to the processor and storing a database, wherein the memory, when executed by the processor, causes the server to:
Receive a network connection request including the IP of the destination node from the source node,
Based on the database, check whether the source node can be connected based on whether the IP of the destination node constitutes a distributed network,
Generating a data flow including first authentication information for accessing the destination node based on the database and transmitting it to the source node,
Receiving an authentication information check request including the IP of the source node and second authentication information from the destination node,
updating the identification information of the destination node in the data flow corresponding to the second authentication information based on whether a data flow corresponding to the second authentication information exists and whether the second authentication information is valid;
configured to transmit a data flow with updated identification information of the destination node to the destination node,
The second authentication information is information related to data flow identification information and the first authentication information inserted into a data packet at the source node. According to claim 13,
The second authentication information is a combination of data flow identification information and authentication information generated and encrypted at the source node,
The processor,
A server that checks whether a data flow corresponding to data flow identification information included in the second authentication information exists. 15. The method of claim 14, wherein the processor:
Verify whether the authentication information generated and encrypted by the source node is valid based on the data flow corresponding to the data flow identification information included in the second authentication information,
If the authentication information generated and encrypted at the source node is valid, the updated data flow is transmitted to the destination node so that the destination node can transmit and receive data packets with the source node,
A server that stores in the database that the source node and the destination node are connected. In the method of operating the access control application installed on the source node,
Inserting authentication information into a data packet of the target application based on the transmission protocol of the data packet of the target application and authentication information included in a data flow authorized from an external server and transmitting it to a destination node;
Receiving a response to the data packet from the destination node, and checking whether the response to the data packet corresponds to the data flow;
Transmits identification information of the data flow corresponding to the response of the destination node to the external server, and checks whether the status of the data flow corresponding to the identification information of the data flow has been updated by the destination node in the external server. An operation to check whether authentication for creating a logical connection between the source node and the destination node is normal; and
If the response to the data packet corresponds to the data flow and the authentication for creating a logical connection between the source node and the destination node is normal, a logical connection is permitted between the source node and the destination node based on the logical connection. processing data packets; Including,
The authentication information inserted into the data packet from the source node is used by the destination node to check whether the authentication information is normal with the external server and respond if it is normal,
The second authentication information inserted into the data packet by the destination node is used by the source node to check with the external server whether the authentication of the destination node is normal,
The data flow is used to construct a distributed network including the source node and the destination node. In a network access control system,
Includes a source node, a destination node, and a server,
A first access control application installed on the source node inserts second authentication information into a data packet based on the first authentication information included in the first data flow received from the server and transmits it to the destination node,
A second access control application installed in the destination node receives the data packet and requests the server to check authentication information based on the second authentication information included in the data packet,
The server checks whether a data flow corresponding to the second authentication information exists and whether the second authentication information is valid, updates the identification information of the destination node and the third authentication information in the data flow, and updates the updated first authentication information. 2 Transmit the data flow to the destination node,
The second access control application of the destination node inserts fourth authentication information into a response data packet based on the third authentication information included in the second data flow and transmits it to the source node,
The first access control application of the source node checks whether the first data flow corresponds to the fourth authentication information and whether the fourth authentication information is valid, and whether transmission of a data packet to the destination node is possible. A network access control system configured to determine. In the node,
communication circuit; a processor operatively connected to the communication circuit; and a memory operatively coupled with the processor, storing a target application and a connection control application, the memory configured to cause the node to:
A network connection request is made to an external server through the access control application, and the network connection request includes identification information of the target application, a transmission protocol, identification information of a destination node, and a parameter value specified when executing the target application,
Receive a data flow containing authentication information from the external server,
Based on the received data flow, authentication information is inserted into the data packet of the target application and transmitted to the destination node,
Receive a response to the data packet from the destination node, and check whether the response to the data packet corresponds to the data flow,
If the response to the data packet corresponds to the data flow, the external server checks whether the identification information of the destination node has been updated in the data flow and updates the data flow,
configured to transmit a data packet of the target application based on the updated data flow,
The authentication information inserted into the data packet is used when the destination node checks with the external server whether the authentication information is normal and when the external server updates the data flow,
The parameter value specified when executing the target application is used to check whether the target is registered in the group constituting the distributed network corresponding to the identification information of the destination node in the external server.