KR20170003080A - Security device and network security management server for establishing security channel in network, and system and method of establishing security channel in network - Google Patents


Info

Publication number: KR20170003080A
Authority: KR (South Korea)
Application number: KR1020150093281A
Other languages: Korean (ko)
Prior art keywords: security, secure channel, server, network, terminal
Inventors: 홍주형, 이기훈, 이상준, 최원규
Original assignee: 주식회사 시큐센
Priority date: as listed by Google, the priority date is an assumption and not a legal conclusion; Google has performed no legal analysis of it.
Application filed by 주식회사 시큐센; priority to KR1020150093281A; publication of KR20170003080A/en.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for managing network security; network security policies in general


Abstract

The present invention relates to a security device for forming a network security channel, a network security management server, and a system and method for forming a network security channel using them. The network security management server manages the security devices, sets up a secure channel between servers or terminals located in a security zone, and provides the encryption key used to form that secure channel. A system and method for forming a network security channel using this server are also presented.

Description

TECHNICAL FIELD [0001] The present invention relates to a security device for establishing a network security channel, a network security management server, and a system and method for forming a network security channel using the security device and the network security management server.

More particularly, the present invention relates to a scheme in which a network security management server establishes a security group composed of a plurality of servers or terminals included in a security section of a network, and a secure channel that encrypts the data transmitted between servers or terminals of that security group is formed through security devices.

The development of ICT technology has contributed to improving the efficiency of business enterprises. For example, employees can communicate simultaneously via e-mail or instant messaging over an internal network, and by sharing business data files, paper documents are replaced with electronic documents, speeding up business processes and reducing business costs.

Furthermore, a virtual private network (VPN), which uses a public network such as the Internet as if it were a private network, is offered as a corporate communication service that greatly reduces circuit costs, so that a plurality of enterprise sites located in remote locations or in other countries can be connected. FIG. 1 shows a network configuration using a virtual private network.

The servers or terminals 10a, 10b and 10c connected to one internal network 30a are connected to the servers or terminals 20a, 20b and 20c on another internal network 30b through the gateways 45a and 45b, which connect the two internal networks to the external network 40.

Securing the network in such a business environment is a very important issue, and as the dependency on ICT technology continues to increase, there is a growing need to protect digital assets in these networks.

In the virtual private network of FIG. 1, security is enhanced by transmitting encrypted data through a tunnel between the gateways 45a and 45b. However, the tunnel section in which the encrypted data is transmitted is formed only between the gateways 45a and 45b connecting the one internal network 30a and the other internal network 30b, so security is weakened on the internal networks 30a and 30b once the data has passed the gateways 45a and 45b. Accordingly, when a hacker 50 infiltrates the internal network 30a, business data is exposed as it is and damage results.

Therefore, there is an urgent need for a plan to strengthen the security of the internal network itself.

SUMMARY OF THE INVENTION It is an object of the present invention to provide a security method for protecting digital assets in a network in a business environment using ICT technology.

In particular, the present invention proposes a solution for preventing the leakage of corporate data, addressing the problem that a malicious hacker who intrudes into a company's internal network can easily destroy or divert corporate data.

According to an aspect of the present invention, there is provided a security device for establishing a network security channel. The security device is directly connected to a server or a terminal included in a security group set by a network security management server, receives a cryptographic key generated by the network security management server in order to form a secure channel with another server or terminal included in the security group, encrypts the data of the server or terminal with the cryptographic key, and forms a secure channel for encrypted data transmission with the other server or terminal.

Preferably, the security device comprises: a physical network interface for connecting a server or a terminal to a network; a virtual interface generation unit for generating a virtual interface that forms a secure channel with the other security device connected to the other server or terminal included in the security group; and an encryption module that receives the encryption key corresponding to the secure channel from the network security management server and encrypts or decrypts data transmitted or received through the virtual interface.

More preferably, the physical network interface includes at least one terminal port to which a server or a terminal is connected and a network port to which the network is connected, and the virtual interface connects one or more servers or terminals connected to the physical network interface to an end of a secure channel.

Furthermore, the virtual interface generation unit may form a plurality of security channel terminals by generating individual virtual interfaces for each of a plurality of servers or terminals connected to the physical network interface.

Alternatively, the virtual interface generation unit may form one secure channel end by creating one virtual interface corresponding to a plurality of servers or terminals connected to the physical network interface.

In addition, the network security management server for forming a network security channel according to the present invention may select a plurality of servers or terminals included in a security interval on a network to set a security group, set a secure channel between servers or terminals included in the security group, and provide a cryptographic key corresponding to the secure channel to the security device directly connected to each such server or terminal, so that a secure channel for transmitting encrypted data between the servers or terminals is formed.

Preferably, the network security management server includes: a security group management unit for selecting a plurality of servers or terminals included in a security interval on a network to set a security group; a security device management unit for establishing a secure channel between servers or terminals included in the security group and providing a cryptographic key corresponding to the secure channel to the security devices installed at the ends of the secure channel, so that a secure channel for data transmission between the servers or terminals is formed; and an encryption key management unit for generating and managing the encryption key corresponding to the secure channel.

Further, the security group management unit registers identification information of the servers or terminals included in the security group, and the security device management unit authenticates a server or a terminal to be connected to the secure channel based on that identification information and provides the cryptographic key to the security device connected to the authenticated server or terminal.

Preferably, the security device management unit establishes a security policy for the secure channel, provides the security policy to the security device so that the secure channel is formed according to the security policy, and monitors the secure channel by receiving status information from the security device forming the secure channel.

Further, the security group management unit sets a plurality of security groups corresponding to a plurality of security intervals on the network, and the security apparatus management unit can set one or more security channels for each security group.

The network security system according to the present invention may include a plurality of the security devices, and may include the network security management server.

According to another aspect of the present invention, there is provided a method for forming a network security channel, comprising: a security group setting step of selecting a plurality of servers or terminals included in a security zone on a network to set a security group; a secure channel setting step in which the network security management server sets a secure channel between servers or terminals included in the security group; and a cryptographic key providing step of providing a cryptographic key corresponding to the secure channel to a security device that is installed at an end of the secure channel and connects the server or terminal to the network, so that a secure channel for transmitting data encrypted with the encryption key is formed between the security device installed at the one end and the security device installed at the other end of the secure channel.

The secure channel setting step may include: a secure channel request receiving step of receiving secure channel request information from the server or the terminal through the security device; an authentication step of checking, based on the channel request information, whether the requesting server or terminal is included in the security group and authenticating it; a secure channel setting step of establishing a secure channel between the security device connected to the server or terminal and the other security device connected to the other server or terminal based on the secure channel request information; and an encryption key generation step of generating an encryption key corresponding to the secure channel.

More preferably, the secure channel setting step may include: a secure channel setting step of setting a secure channel between the security device connected to the server or terminal and the other security device connected to the other server or terminal, by combining a plurality of servers or terminals included in the security group; an encryption key generation step of generating an encryption key corresponding to the secure channel; a secure channel request receiving step of receiving secure channel request information from the server or the terminal through the security device; and an authentication step of checking, based on the channel request information, whether the requesting server or terminal is included in the security group, authenticating it, and confirming the corresponding secure channel.

In addition, the security group setting step receives and registers the identification information of the server or terminal from the security device connected to the server or terminal included in the security group, and the authentication step identifies and authenticates a server or terminal requesting authentication based on the registered identification information.

The secure channel setting step sets a security policy for the secure channel, and the cryptographic key providing step may provide, together with the cryptographic key, information on the other server or terminal forming the other end of the secure channel and the security policy.

The method may further include a secure channel monitoring step of receiving status information from the security device forming the end of the secure channel and monitoring the secure channel based on the status information.

According to another aspect of the present invention, there is provided a method for forming a network secure channel, the method comprising: requesting a secure channel to a network security management server by a security device connecting a server or a terminal to a network; A virtual interface generation step in which the security device receives a cryptographic key from the network security management server and generates a virtual interface forming an end of a secure channel; And a security channel forming step of forming a secure channel with the other security device forming the other end of the secure channel by the security device.

Preferably, the secure channel request step generates secure channel request information requesting that a secure channel be established for one or more servers or terminals connected to the physical network interface, and transmits the request information to the network security management server.

Further, the secure channel request step may generate a plurality of pieces of secure channel request information corresponding to a plurality of servers or terminals connected to the physical network interface, and the virtual interface generating step may then generate a plurality of virtual interfaces, each forming a secure channel end corresponding to one of the plurality of servers or terminals.

Alternatively, the secure channel request step generates one piece of secure channel request information corresponding to all of the plurality of servers or terminals connected to the physical network interface, and the virtual interface generating step creates one virtual interface forming one secure channel end corresponding to all of those servers or terminals.

In the virtual interface generation step, the security policy for the secure channel is provided from the network security management server, and a virtual interface may be created according to the security policy.

Preferably, the method further includes: receiving, by the physical network interface of the security device, data transmitted from the server or the terminal; passing the data received through the physical network interface to the virtual interface generated in the security device, encrypting it with the encryption key through the encryption module of the security device, and passing the encrypted data to the physical network interface; and transmitting, by the physical network interface, the encrypted data to the secure channel.

More preferably, the method further includes: receiving, by the physical network interface of the security device, encrypted data transmitted over the secure channel; passing the encrypted data received through the physical network interface to the virtual interface generated in the security device, decrypting it with the encryption key through the encryption module of the security device, and passing the decrypted data to the physical network interface; and transmitting, by the physical network interface, the decrypted data to the server or the terminal.

According to the present invention, a secure channel can be selectively formed where necessary through a security device and a network security management server, so that a malicious third party cannot access data transmitted through the internal network, thereby preventing data leakage.

Furthermore, a security device for forming a secure channel can be installed in a modular or external form that can be installed in a server or a terminal, thereby facilitating disconnection or replacement of a server or a terminal requiring formation of a secure channel.

Since a single security device can form a separate secure channel for each of a plurality of servers or terminals, or a single common secure channel for a plurality of servers or terminals, as needed, expansion or change of the network is facilitated.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a network configuration using a virtual private network,
FIG. 2 is a schematic block diagram of an embodiment of a network security system for forming a network security channel by applying a security device and a network security management server according to the present invention,
FIG. 3 shows a schematic configuration diagram of an embodiment in which the present invention is applied to a virtual private network,
FIG. 4 is a block diagram of an embodiment of a network security management server for forming a secure channel according to the present invention,
FIG. 5 shows a block diagram of an embodiment of a security device for forming a secure channel according to the present invention,
FIG. 6 shows an embodiment in which a plurality of servers or terminals are connected to a security device according to the present invention,
FIG. 7 illustrates an embodiment of forming a secure channel by applying the security device and the network security management server according to the present invention,
FIG. 8 shows a schematic flow diagram of an embodiment of a method for forming a network secure channel according to the present invention,
FIG. 9 is a flowchart illustrating a method for establishing a secure channel and providing a cryptographic key in the network secure channel forming method according to the present invention,
FIG. 10 is a flowchart illustrating a method for establishing a secure channel and providing a cryptographic key in the network secure channel forming method according to the present invention,
FIG. 11 is a flowchart illustrating a method of forming a secure channel by connecting a plurality of servers to a security device in a network security channel forming method according to the present invention,
FIG. 12 illustrates an embodiment of a method for replacing a server connected to a security device in a network security channel forming method according to the present invention.

The above and other objects, features and advantages of the present invention will become more apparent from the following detailed description of the present invention when taken in conjunction with the accompanying drawings.

First, the terminology used in the present application is used only to describe specific embodiments and is not intended to limit the present invention; singular expressions may include plural expressions unless the context clearly indicates otherwise. Also, in this application, the terms "comprise", "having" and the like are intended to specify the presence of the stated features, integers, steps, operations, elements, parts or combinations thereof, but do not preclude the presence or addition of other features, numbers, steps, operations, components, parts, or combinations thereof.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

The present invention relates to a security device that is directly connected to a server or a terminal and forms a secure channel between servers or terminals, and to a network security management server that manages the security devices and sets a secure channel and a cryptographic key between servers or terminals located in a security section. The present invention also provides a system and method for forming a network security channel using the security device and the network security management server.

FIG. 2 is a schematic block diagram of an embodiment of a network security system for forming a network security channel by applying a security device and a network security management server according to the present invention.

In the present invention, the security device may be implemented as a module that is detachably installed inside a server or a terminal, or as an external device installed outside a server or a terminal. FIG. 2(a) illustrates an embodiment of the network security system in which the security device is implemented as a module, and FIG. 2(b) illustrates an embodiment in which the security device is implemented as an external device.

The network security system according to the present invention includes a plurality of security devices 100, 100a, 100b and 100c connected to servers or terminals 10a, 10b, 10c and 10d, and a network security management server 200.

In the present invention, the network 30 in which the secure channel is formed may be an intranet configured to allow only limited or restricted access. For example, it may be a local area network (LAN), or a virtual private network (VPN) applied to an internal network that is connected to an external network and can be accessed only in a limited way. Preferably, in the present invention, the network 30 is a network in which an external network and an internal network are interconnected through a gateway or the like, and the security devices 100, 100a, 100b and 100c are installed on the internal network side of the network 30.

The security devices 100, 100a, 100b and 100c are directly connected to the servers or terminals 10a, 10b, 10c and 10d. When the security device 100 is installed inside a server or terminal as in FIG. 2(a), the security device 100 is illustrated as being mounted in one server 10a by way of example, but the security device 100 may equally be mounted in the other servers 10b and 10c. The security devices 100a, 100b and 100c may be directly connected to the servers or terminals 10a, 10b, 10c and 10d from outside them, as shown in FIG. 2(b).

The security devices 100, 100a, 100b and 100c connect the servers or terminals 10a, 10b, 10c and 10d to the network 30, form the ends of a secure channel between the servers or terminals, and transmit encrypted data between them.

The network security management server 200 sets up a security group by selecting the servers or terminals included in a security interval on the network 30, generates an encryption key for forming a secure channel between the servers or terminals included in the security group, and provides it to the security devices 100, 100a, 100b and 100c, thereby forming a secure channel through which encrypted data is transmitted; it also manages the secure channel formed with the security devices 100, 100a, 100b and 100c.

In the embodiment of FIG. 2, the network security management server 200 sets the plurality of servers 10a and 10b located in the security zone 70 as a security group, sets a secure channel between the security devices 100, 100a and 100b connected to the servers 10a and 10b, and provides the encryption key to the security devices 100, 100a and 100b. The security devices 100, 100a and 100b form the ends of the secure channel 31 so that data is transmitted between the servers 10a and 10b located in the security zone 70 through the secure channel 31, and the security devices 100, 100a and 100b encrypt the data transmitted and received by the servers 10a and 10b of the group and send and receive it through the secure channel 31.

At this time, data is transmitted and received between the servers 10a and 10b included in the same security group through the secure channel set via the security devices 100, 100a and 100b. Between the servers 10a and 10c included in different security groups, however, data is transmitted and received through the general channel 35 via the security devices 100, 100a and 100c instead of the secure channel, and between the server 10b to which a security device is connected and the general server 10d, data is transmitted and received through the normal channel 33 instead of the secure channel.

Furthermore, the network security system according to the present invention can be applied to a virtual private network. In this regard, FIG. 3 shows a schematic configuration diagram of an embodiment in which the present invention is applied to a virtual private network.

When applied to a virtual private network, the basic configuration is similar to the embodiment of FIG. 2 described above: on the internal network A 30a and the internal network B 30b, a security device 100 is connected to each server or terminal, and a secure channel is established by the network security management server 200.

If the internal network A 30a and the internal network B 30b are connected to the external network 40 via the gateways 45a and 45b through a virtual private network such as a VPN, a security group including a server or terminal located on the internal network A 30a and a server or terminal located on the internal network B 30b can be established.

When a secure channel is required between the server 10a located in the internal network A 30a and the server 20a located in the internal network B 30b as shown in FIG. 3, the secure channel can be formed on the route connecting the internal network A 30a, the gateway 45a, the external network 40, the gateway 45b and the internal network B 30b, with the security device 100 and a security device (not shown) installed in the server 10b forming the two ends of the secure channel.

That is, by forming a secure channel directly connected between the servers 10a and 20b, encrypted data is transmitted and received through a secure channel not only on the external network but also on the internal network.

Hereinafter, the network security management server and the security device according to the present invention will be described in further detail.

FIG. 4 is a block diagram of an embodiment of a network security management server for forming a secure channel according to the present invention.

The network security management server 200 for forming a secure channel according to the present invention may include a security group management unit 210, a security management unit 230, an encryption key management unit 250, and the like.

Referring to each component of the network security management server 200, the security group management unit 210 sets a security group by selecting a plurality of servers or terminals included in a security interval on the network. Here, the security interval on the network is a transmission interval that requires security for the data transmitted over the network between servers or terminals, and may be set by an administrator as needed. The security interval may be a one-to-one data transmission interval between a server and a terminal, or a plurality of data transmission intervals in which data is transmitted mutually between a plurality of servers or terminals.

Also, the security group management unit 210 may receive the identification information of a server or terminal included in the security group from the security device 100; the identification information is provided to the security device 100 by the server or terminal and may be any of various pieces of information capable of identifying and authenticating a server or terminal, such as a password, a certificate, a MAC address, and the like.

The security device management unit 230 establishes a secure channel between the servers or terminals included in the security group set by the security group management unit 210 and provides a cryptographic key corresponding to the secure channel to the security devices connected to those servers or terminals, thereby forming a secure channel over which encrypted data is transmitted.

In particular, the security device management unit 230 establishes a security policy for the secure channel and provides the security policy to the security device forming the secure channel, thereby forming a secure channel based on the security policy.

Also, the security device management unit 230 authenticates a server or terminal based on the identification information registered in the security group management unit 210, and provides the encryption key corresponding to the secure channel to the security device connected to the authenticated server or terminal.

In addition, the security device management unit 230 monitors the state in which a secure channel is formed and encrypted data packets are transmitted between servers or terminals through the secure channel. To this end, the security device management unit 230 receives status information from the security devices it manages and determines the status of the security devices and the secure channel based on that status information.

The security group management unit 210 configures the servers or terminals included in each security interval as a security group, so that a plurality of security groups correspond to a plurality of security intervals on the network, and the security device management unit 230 sets one or more secure channels for each security group set by the security group management unit 210.

The encryption key management unit 250 generates and manages cryptographic keys. When the security device management unit 230 sets a secure channel, the encryption key management unit 250 generates and stores a cryptographic key corresponding to that secure channel, and extracts and provides the corresponding key on request from the security device management unit 230. Here, the encryption key management unit 250 may generate and hold one cryptographic key corresponding to the secure channel, or may generate and hold a cryptographic key for each security device forming the two ends of the secure channel. In the present invention, various techniques known in the art can be applied to the key scheme and the encryption scheme, and an appropriate technique can be selected according to the circumstances without being limited to a specific technique. Since the key scheme and the encryption scheme are not the main features of the present invention, a detailed description thereof is omitted.

FIG. 5 shows a block diagram of an embodiment of a security device for forming a secure channel according to the present invention.

The security device 100 for forming a secure channel in the present invention may roughly include a physical network interface 110, a virtual interface generation unit 130, an encryption module 150, and the like.

The physical network interface 110 is an interface for connecting a server or a terminal to the network. It may include a network port to which the network is connected and one or more terminal ports to which a server or a terminal is connected, so that the security device 100 is directly connected to the server or the terminal through the physical network interface 110.

For example, when the physical network interface 110 includes a plurality of terminal ports, a number of servers or terminals corresponding to the terminal port of the physical network interface 110 may be connected to one security device 100.

The virtual interface generation unit 130 generates the virtual interface that forms an end of a secure channel: it creates a virtual interface corresponding to the secure channel set by the network security management server 200, thereby forming the end of that secure channel, and connects the server or the terminal to the secure channel through it.

Here, the virtual interface generation unit 130 may generate one virtual interface corresponding to one secure channel or may generate a plurality of virtual interfaces corresponding to a plurality of secure channels.

For example, when a plurality of servers or terminals are connected to the physical network interface 110 of the security device 100, the network security management server 200 may set as many secure channels as there are servers or terminals connected to the security device 100, and the virtual interface generation unit 130 may then generate a plurality of virtual interfaces, one for each secure channel set by the network security management server 200.

Conversely, even when a plurality of servers or terminals are connected to the physical network interface 110 of the security device 100, if the network security management server 200 sets a single secure channel to which all of the connected servers or terminals belong, the virtual interface generation unit 130 generates one virtual interface corresponding to that single secure channel, and the plurality of servers or terminals are connected to it.

In FIG. 6, two servers 10e and 10f are connected to the security device 100. Referring to FIG. 6A, when the network security management server 200 sets a separate secure channel for each of the servers 10e and 10f, the virtual interface generation unit 130 of the security device 100 creates a virtual interface A 133 and a virtual interface B 135 in accordance with that channel setting, so that one server 10e is connected to one secure channel through the virtual interface A 133 and the other server 10f is connected to another secure channel through the virtual interface B 135.

In FIG. 6B, although the same two servers 10e and 10f are connected to the security device 100, the network security management server 200 sets one secure channel for both servers 10e and 10f, so the virtual interface generation unit 130 of the security device 100 generates a single virtual interface 137 and connects the two servers 10e and 10f to that one secure channel.

In this way, a plurality of servers or terminals can be connected to the security device 100. In accordance with the security channel setting of the network security management server 200, the security device 100 forms a security channel by creating a virtual interface.

Referring again to FIG. 5, the encryption module 150 receives the encryption key corresponding to the secure channel set by the network security management server 200 and encrypts or decrypts the data packets: data to be transmitted through the virtual interface generated by the virtual interface generation unit 130 is encrypted, and data received through the virtual interface is decrypted.

To this end, the virtual interface forming the end of the secure channel passes all encrypted data that was sent through the secure channel by the other server or terminal and received at the physical network interface 110 of the security device 100 to the encryption module 150 for decryption, and then delivers the decrypted data through the physical network interface 110 to the server or the terminal.

Likewise, the virtual interface receives from the physical network interface 110 all data that the server or the terminal is sending to the other server or terminal over the secure channel, passes it to the encryption module 150 for encryption, and then delivers the encrypted data to the physical network interface 110 for transmission through the secure channel.

In the present invention, a security device as described above may be connected to each server or terminal, or a plurality of security devices may be installed on the network, each connecting a plurality of servers or terminals, and secure channels can then be formed and managed across the entire network security system. An example of forming a secure channel with the security device and the network security management server according to the present invention is described below with reference to FIG. 7.

The network security management server 200 sets a secure channel between the servers 10a and 10b located in a security section, generates a security policy and an encryption key for the secure channel, and transmits the security policy and the encryption key to the security devices 100a and 100b connected to the servers 10a and 10b.

Each of the security devices 100a and 100b connects to the network security management server 200, receives the security policy, the encryption key and the information about the other security device needed to form the secure channel, and sets up its virtual interface 131a or 131b in accordance with the channel setting of the network security management server 200.

The security devices 100a and 100b pass all data packets received at the terminal ports 115a and 115b of the physical network interfaces 110a and 110b, which are directly connected to the servers 10a and 10b, to the virtual interfaces 131a and 131b. The data packets passed to the virtual interfaces 131a and 131b are forwarded to the encryption modules 150a and 150b, encrypted with the encryption key provided by the network security management server 200, and then transmitted through the network ports 111a and 111b of the physical network interfaces 110a and 110b.

Conversely, the security devices 100a and 100b pass all encrypted data packets received at the network ports 111a and 111b of the physical network interfaces 110a and 110b, which are directly connected to the network 30, to the virtual interfaces 131a and 131b. The encrypted data packets passed to the virtual interfaces 131a and 131b are forwarded to the encryption modules 150a and 150b, decrypted with the encryption key provided by the network security management server 200, and then delivered to the terminal ports 115a and 115b of the physical network interfaces 110a and 110b.

In this way, as shown in FIG. 7, the network security management server 200 sets the secure channel and the security devices 100a and 100b form it, thereby realizing network security.

In addition, the present invention proposes a method for forming a network secure channel using the network security system described above. The method according to the present invention comprises a process of forming the network secure channel on the side of the network security management server and a process of forming it on the side of the security device.

First, the process of forming a network secure channel on the side of the network security management server comprises: a security group setting step in which the network security management server selects a plurality of servers or terminals included in a security section on the network and sets them as a security group; a secure channel setting step in which the network security management server sets a secure channel between servers or terminals included in the security group; and an encryption key providing step in which the network security management server provides the cryptographic key corresponding to the secure channel to the security devices installed at the ends of the secure channel, which connect the servers or terminals to the network. A secure channel for transmitting data encrypted with that key is thereby formed between the security device installed at one end of the secure channel and the security device installed at the other end.

Next, the process of forming a network secure channel on the side of the security device comprises: a secure channel request step in which the security device connecting a server or a terminal to the network requests a secure channel from the network security management server; a virtual interface generation step in which the security device receives a cryptographic key from the network security management server and generates a virtual interface forming one end of the secure channel; and a secure channel forming step in which the security device forms the secure channel with the other security device forming the other end.

Hereinafter, a method for forming a network security channel according to the present invention will be described with reference to embodiments of a process of integrating aspects of a network security management server and a security device.

FIG. 8 shows a schematic flow diagram of an embodiment of a method for forming a network secure channel according to the present invention.

When the security apparatus A 100a is connected to the server A 10a (S110a), the security apparatus A 100a recognizes the server A 10a, obtains identification information about the server A 10a, and provides it to the network security management server 200 (S130a). The security apparatus A 100a may automatically recognize the connection of the server A 10a and obtain the identification information, or a user of the server A 10a may input it. The identification information may include any information capable of identifying and authenticating a server or a terminal, such as an ID, a password, a certificate or a MAC address, and in addition to the information about the server A 10a it may include information about the security apparatus A 100a itself.

Similarly, when the server B 10b is connected (S110b), the security apparatus B 100b recognizes the server B 10b, obtains identification information about the server B 10b, and provides it to the network security management server 200 (S130b).

The network security management server 200 receives the identification information about the servers from the security apparatuses and registers the servers (S150). It may then set a security group by classifying the servers located in one security zone (S170); the security zone may be a zone predetermined or designated by the administrator. For example, when the server A 10a and the server B 10b in FIG. 8 are located in the same security zone, the network security management server 200 sets a security group including the server A 10a and the server B 10b.

The network security management server 200 sets a secure channel between the server A 10a and the server B 10b, which belong to the same security group (S200), generates an encryption key for that secure channel, and provides the encryption key to the security apparatus A 100a connected to the server A 10a and to the security apparatus B 100b connected to the server B 10b (S300a, S300b). Here, the same single encryption key corresponding to the secure channel may be provided to both security apparatuses A 100a and B 100b, or a private key and a public key corresponding to the secure channel may be generated for each of the security apparatuses A 100a and B 100b and the public key of the counterpart provided to each of them.

When the secure channel has been set and the corresponding encryption key has been provided by the network security management server 200, the security apparatuses A 100a and B 100b each create a virtual interface corresponding to the secure channel setting of the network security management server 200 (S310a, S310b), and the secure channel between the server A 10a and the server B 10b is formed using the encryption key provided by the network security management server 200 (S350). In detail, the security apparatus A 100a forms one end of the secure channel and connects the server A 10a to it, and the security apparatus B 100b forms the other end of the secure channel and connects the server B 10b to it.

Once the secure channel between the server A 10a and the server B 10b has been formed through the security apparatuses A 100a and B 100b, encrypted data is transmitted and received through it. When data is sent from the server A 10a to the server B 10b, the security apparatus A 100a receives the data to be transmitted from the server A 10a (S410) and encrypts it with the encryption key corresponding to the secure channel; the security apparatus B 100b receives the encrypted data transmitted through the secure channel, decrypts it with the encryption key corresponding to the secure channel (S440), and delivers the decrypted data to the server B 10b.

Referring to FIGS. 9 and 10, the process of setting a secure channel and providing a cryptographic key in the network secure channel forming method according to the present invention is described in further detail. In FIGS. 9 and 10, the steps from setting the secure channel (S200) to forming the secure channel (S350) may be the same as in the embodiment of FIG. 8.

In the first embodiment of FIG. 9, the network security management server 200 sets a secure channel in response to a request for one. In this example, the server A connected to the security apparatus A 100a wants to transmit data to the server B connected to the security apparatus B 100b, so the security apparatus A 100a requests a secure channel from the network security management server 200 (S210). The server A may itself request a secure channel for data transmission to the server B, with the security apparatus A 100a relaying the request to the network security management server 200, or the security apparatus A 100a may request the secure channel from the network security management server 200 on its own when the server A attempts to transmit data to the server B.

In response to the secure channel request from the security apparatus A 100a, the network security management server 200 confirms the server A based on the registration information, or verifies the security apparatus A 100a if necessary (S220), and sets a secure channel between the server A and the server B; more precisely, the secure channel is set between the security apparatus A 100a connected to the server A and the security apparatus B 100b connected to the server B. The network security management server 200 then generates an encryption key for the secure channel (S240) and provides it to the security apparatus A 100a (S300a) and to the security apparatus B 100b (S300b). At this time, the network security management server 200 may also provide a security policy for forming the secure channel and the identification information of the counterpart to the security apparatuses A 100a and B 100b.

The security apparatuses A 100a and B 100b then create virtual interfaces in accordance with the secure channel setting of the network security management server 200 (S310a, S310b); when a security policy has been provided, the virtual interface is created in accordance with that security policy.

When a virtual interface has been created in each of the security apparatuses A 100a and B 100b, the secure channel is formed with each virtual interface as one of its ends (S350). The security apparatus A 100a encrypts or decrypts all data that the server A transmits or receives through the secure channel, and the security apparatus B 100b likewise encrypts or decrypts all data that the server B transmits or receives through the secure channel, delivering the decrypted data to its server.

In the second embodiment of FIG. 10, the network security management server 200 sets secure channels in advance, and a secure channel is formed when it is requested. The network security management server 200 sets secure channels between the servers included in the security group (S250) and generates an encryption key for each secure channel (S260).

Upon a secure channel request (S270) from the security apparatus A 100a, the network security management server 200 confirms the server A connected to the security apparatus A 100a, or verifies the security apparatus A 100a if necessary, finds the secure channel already set between the server A and the counterpart server B, and provides the corresponding encryption key to the security apparatus A 100a (S300a) and also to the counterpart security apparatus B 100b (S300b). At this time, the network security management server 200 may also provide a security policy for forming the secure channel and the identification information of the counterpart to the security apparatuses A 100a and B 100b.

The process of creating a virtual interface (S310a, S310b) and forming a secure channel (S350) is the same as that of the first embodiment shown in FIG. 9 described above, so a description thereof will be omitted.

In addition, in the present invention a plurality of servers or terminals may be connected to one security device, and that security device may form a secure channel end for each of them. A method of forming a secure channel in which a plurality of servers are connected to one security device is described below in this regard.

FIG. 11A shows the case where a server A 10a and a server B 10b are connected to one security device 100, the physical network interface of the security device 100 being connectable to a plurality of servers as well as to the network. When the server A 10a is connected to the security device 100, the security device 100 recognizes the connection of the server A 10a and transmits identification information about the server A 10a to the network security management server 200; when the server B 10b is connected, the security device 100 likewise recognizes the connection of the server B 10b and provides identification information about the server B 10b to the network security management server 200. This process is repeated as many times as there are servers connected to the security device 100. The network security management server 200 receives the identification information of each server from the security device 100 (S151a, S151b) and sets the servers located in the same security zone as a security group.

FIG. 11B shows the case where a separate secure channel is formed for each of the server A 10a and the server B 10b in one security device 100, the network security management server 200 having set a secure channel for each server. The network security management server 200 first provides the encryption key A for the secure channel A to be connected to the server A 10a to the security device 100 (S301a). At this time, the security policy for the secure channel A and the identification information of the counterpart may be provided together with the encryption key A.

When the security device 100 receives the encryption key A and the security policy from the network security management server 200, it generates a virtual interface A corresponding to the encryption key A and allocates the secure channel A to the server A 10a (S312a), thereby forming the secure channel A for the server A 10a (S351a).

In addition, the network security management server 200 provides the encryption key B for the secure channel B to be connected to the server B 10b to the security device 100 (S301b), and in this case too the security policy and the identification information of the counterpart may be provided together. The security device 100 generates a virtual interface B corresponding to the encryption key B and the security policy received from the network security management server 200 (S311b) and allocates the secure channel B to the server B 10b (S312b), thereby forming the secure channel B for the server B 10b (S351b).

FIG. 11C shows the case where one secure channel shared by the server A 10a and the server B 10b is formed in one security device 100, the network security management server 200 having set one common secure channel for the server A 10a and the server B 10b. The network security management server 200 provides the encryption key for forming that secure channel to the security device 100; at this time, the security policy for the secure channel and the identification information of the counterpart may be provided together with the encryption key.

When the security device 100 receives the encryption key and the security policy from the network security management server 200, it creates one virtual interface corresponding to the encryption key and the security policy and connects both the server A 10a and the server B 10b to that one virtual interface (S316, S317), thereby forming a single secure channel (S255). That is, the server A 10a and the server B 10b use a common secure channel through the one virtual interface of the security device 100.

As described above, according to the present invention, a single secure device can form a separate secure channel for each of a plurality of servers or terminals, or a single common secure channel can be formed for a plurality of servers or terminals, if necessary.

In the present invention, the security device is directly connected to the server or the terminal in a modular or external form, so a server or terminal can simply be disconnected from, or connected to, the physical network interface of the security device. In this regard, FIG. 12 illustrates an embodiment of a method for replacing a server connected to a security device in the network secure channel forming method according to the present invention.

Referring to FIG. 12, when the server C 10c is connected to the physical network interface of the security device 100 (S112), the security device 100 recognizes the server C 10c and transmits identification information about the server C 10c to the network security management server 200 (S132), where it is registered (S152). Since the process of registering a server or a security device with the network security management server 200 has already been described in the embodiments above, a detailed description is omitted.

When the server C 10c connected to the security device 100 is to be replaced, or is no longer needed, its connection is removed from the physical network interface of the security device 100 (S113); the security device 100 recognizes the removal of the server C 10c and transmits connection release information for the server C 10c to the network security management server 200 (S133). The network security management server 200 then deletes the registered information of the server C 10c (S153) and, if a security group including the server C 10c exists, updates the information of that security group.

Then, when a new server D 10d is connected to the physical network interface of the security device 100 (S115), the security device 100 recognizes the server D 10d and transmits identification information about the server D 10d to the network security management server 200 (S135), where it is registered (S155).

As described above, in the present invention, connection or disconnection of a server or a terminal is easily performed in a security device, so that a server or a terminal located in a security zone can be easily replaced or changed.
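As an added worked example (not code from the patent or from its applicant), the following Python model walks through the flows of FIGS. 8 to 12 described above: registration of servers through their security devices (S150, S153), a secure channel request that the management server checks against the registration and the security group (S210, S220), key generation and distribution (S240, S300), virtual interface creation on each security device, including one interface shared by several servers (S310, FIG. 11C), and the encrypt/decrypt data path between terminal port and network port (S410, S440). The class and method names, the identifiers such as serverA and zone-1, and the payload are all constructed for this example. The Python standard library has no AEAD cipher, so the encryption module here is a stand-in: HMAC-SHA256 in counter mode for confidentiality plus a separate HMAC-SHA256 tag (encrypt-then-MAC), with both keys derived from the channel key; a real security device would use a standard AEAD such as AES-GCM, which the patent leaves open.

```python
import hashlib
import hmac
import secrets


class ManagementServer:
    """Network security management server (200): registers servers through their security
    devices, groups them by security zone and issues one fresh key per secure channel.
    For brevity a server belongs to a single security group (constructed model)."""

    def __init__(self):
        self.device = {}    # server ID -> ID of the security device it is attached to
        self.group = {}     # server ID -> security group
        self.channels = {}  # channel ID -> 256-bit channel key (key management unit 250)

    def register(self, server_id, device_id, group):
        """S150/S170: register a server reported by its security device and set its group."""
        self.device[server_id] = device_id
        self.group[server_id] = group

    def unregister(self, server_id):
        """S153: a server unplugged from its device's terminal port leaves registry and group."""
        self.device.pop(server_id, None)
        self.group.pop(server_id, None)

    def request_channel(self, device_id, a, b):
        """S210-S240: the request must come from the registered device of server a (S220)
        and both servers must share a security group; only then is a channel key issued."""
        if self.device.get(a) != device_id:
            raise PermissionError(f"request for {a} did not come from its registered device")
        if b not in self.device or self.group[a] != self.group[b]:
            raise PermissionError(f"{a} and {b} share no security group")
        channel_id = f"{a}<->{b}"
        self.channels[channel_id] = secrets.token_bytes(32)
        return channel_id, self.channels[channel_id]


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a PRF-based stand-in for a real AEAD cipher."""
    out = b""
    for counter in range(0, n, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


class VirtualInterface:
    """One secure-channel end (130) with its encryption module (150): encrypt-then-MAC
    under an encryption key and a MAC key, both derived from the channel key."""

    NONCE_LEN, TAG_LEN = 16, 32

    def __init__(self, channel_id, key):
        self.channel_id = channel_id.encode()
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def seal(self, plaintext):
        nonce = secrets.token_bytes(self.NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, self.channel_id + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # the packet that leaves the network port

    def open(self, packet):
        nonce, ct, tag = packet[:self.NONCE_LEN], packet[self.NONCE_LEN:-self.TAG_LEN], packet[-self.TAG_LEN:]
        expected = hmac.new(self.mac_key, self.channel_id + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed, packet dropped")  # nothing reaches the terminal port
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, nonce, len(ct))))


class SecurityDevice:
    """Maps each terminal port (keyed by the attached server) to a virtual interface;
    several ports may share one interface (FIG. 6B, FIG. 11C)."""

    def __init__(self):
        self.ports = {}

    def create_virtual_interface(self, channel_id, key, *servers):
        """S310: install the channel key once and attach every named server to it."""
        vi = VirtualInterface(channel_id, key)
        for server in servers:
            self.ports[server] = vi
        return vi

    def outbound(self, server, plaintext):
        """S410: data from the terminal port -> encrypted packet for the network port."""
        return self.ports[server].seal(plaintext)

    def inbound(self, server, packet):
        """S440: packet from the network port -> decrypted data for the terminal port."""
        return self.ports[server].open(packet)


def demo():
    """FIG. 8 end to end with constructed identifiers; returns what server B receives."""
    mgmt = ManagementServer()
    mgmt.register("serverA", "deviceA", "zone-1")
    mgmt.register("serverB", "deviceB", "zone-1")
    channel_id, key = mgmt.request_channel("deviceA", "serverA", "serverB")
    dev_a, dev_b = SecurityDevice(), SecurityDevice()
    dev_a.create_virtual_interface(channel_id, key, "serverA")
    dev_b.create_virtual_interface(channel_id, key, "serverB")
    packet = dev_a.outbound("serverA", b"constructed payload from server A")
    return dev_b.inbound("serverB", packet)
```

Two points of the design are worth noting. A packet whose tag does not verify is rejected before any plaintext is produced, so nothing reaches the terminal port, and because the channel identifier is covered by the tag a packet cannot be replayed into a different channel that happens to share a key. On the management side, a request naming server A is honoured only if it arrives from the security device registered for server A and both ends belong to the same security group, which is the confirmation step S220 of FIG. 9 in its simplest form.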

The foregoing description is merely illustrative of the technical idea of the present invention, and those skilled in the art may make various changes and modifications without departing from its essential characteristics. The embodiments described herein are therefore intended to explain the technical idea of the present invention, not to limit it, and the scope of that technical idea is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as falling within the scope of the present invention.

10a, 10b, 10c, 10d, 10e, 10f: server,
31: secure channel,
33, 35: general channel,
100, 100a, 100b, 100c: security device,
110, 110a, 110b: physical network interface,
130: virtual interface generation unit,
150, 150a, 150b: encryption module,
200: network security management server,
210: security group management unit,
230: security device management unit,
250: encryption key management unit.

Claims (24)

1. A security device that is directly connected to a server or a terminal included in a security group set by a network security management server, to connect the server or the terminal to a network,
wherein the security device receives a cryptographic key generated by the network security management server for forming a secure channel with another server or another terminal included in the security group, encrypts data of the server or the terminal with the cryptographic key, and forms a secure channel for encrypted data transmission with the other server or the other terminal.
2. The security device according to claim 1, comprising:
a physical network interface for connecting the server or the terminal to the network;
a virtual interface generation unit for generating a virtual interface forming an end of the secure channel with the other security device connected to the other server or the other terminal included in the security group; and
an encryption module for receiving the cryptographic key corresponding to the secure channel from the network security management server and encrypting or decrypting data transmitted or received through the virtual interface.
3. The security device according to claim 2,
wherein the physical network interface comprises one or more terminal ports to which a server or a terminal is connected and a network port to which the network is connected, and
wherein the virtual interface connects one or more servers or terminals connected to the physical network interface to the end of the secure channel.
4. The security device according to claim 3,
wherein the virtual interface generation unit forms a plurality of secure channel ends by creating an individual virtual interface for each of a plurality of servers or terminals connected to the physical network interface.
5. The security device according to claim 3,
wherein the virtual interface generation unit forms one secure channel end by creating one virtual interface corresponding to a plurality of servers or terminals connected to the physical network interface.
6. A network security management server that selects a plurality of servers or terminals included in a security section on a network to set a security group and generates a cryptographic key for forming a secure channel between servers or terminals included in the security group,
and that forms a secure channel through which encrypted data is transmitted between the servers or terminals by providing the cryptographic key corresponding to the secure channel to the security devices directly connected to the servers or terminals included in the security group.
7. The network security management server according to claim 6, comprising:
a security group management unit for selecting a plurality of servers or terminals included in a security section on the network to set a security group;
a security device management unit for setting a secure channel between servers or terminals included in the security group and providing the cryptographic key corresponding to the secure channel to the security devices installed at the ends of the secure channel, so that a secure channel for data transmission between the servers or terminals is formed; and
an encryption key management unit for generating and managing the cryptographic key corresponding to the secure channel.
8. The network security management server according to claim 7,
wherein the security group management unit registers identification information of the servers or terminals included in the security group, and
wherein the security device management unit authenticates a server or a terminal to be connected to the secure channel based on the identification information of the server or the terminal and provides the cryptographic key to the security device connected to the authenticated server or terminal.
9. The network security management server according to claim 7,
wherein the security device management unit sets a security policy for the secure channel, provides the security policy to the security devices so that the secure channel is formed according to it, and monitors the secure channel by receiving status information from the security devices forming the secure channel.
10. The network security management server according to claim 8,
wherein the security group management unit sets a plurality of security groups corresponding to a plurality of security sections on the network, and
wherein the security device management unit sets one or more secure channels for each security group.
11. A network security system comprising a plurality of security devices according to any one of claims 1 to 5 and a network security management server according to any one of claims 6 to 10.
12. A method for forming a network secure channel, comprising:
a security group setting step in which a network security management server selects a plurality of servers or terminals included in a security section on a network to set a security group;
a secure channel setting step in which the network security management server sets a secure channel between servers or terminals included in the security group; and
an encryption key providing step in which the network security management server provides a cryptographic key corresponding to the secure channel to a security device installed at an end of the secure channel and connecting the server or the terminal to the network,
wherein a secure channel for transmitting data encrypted with the cryptographic key is formed between the security device installed at one end of the secure channel and the security device installed at the other end.
13. The method of claim 12, wherein the secure channel setting step comprises:
a secure channel request receiving step of receiving secure channel request information from the server or the terminal through the security device;
an authentication step of checking, based on the secure channel request information, whether the requesting server or terminal is included in the security group and authenticating it;
a secure channel setting step of setting a secure channel between the security device connected to the server or the terminal and the other security device connected to the other server or the other terminal based on the secure channel request information; and
an encryption key generation step of generating a cryptographic key corresponding to the secure channel.
14. The method of claim 12, wherein the secure channel setting step comprises:
a secure channel setting step of setting secure channels between the security device connected to the server or the terminal and the other security device connected to the other server or the other terminal by combining the plurality of servers or terminals included in the security group;
an encryption key generation step of generating a cryptographic key corresponding to each secure channel;
a secure channel request receiving step of receiving secure channel request information from the server or the terminal through the security device; and
an authentication step of confirming, based on the secure channel request information, whether the requested secure channel is included in the security group and authenticating the corresponding secure channel.
15. The method according to claim 13 or 14,
wherein the security group setting step comprises receiving identification information of the servers or terminals included in the security group from the security devices connected to them and registering it, and
wherein the authentication step identifies and authenticates the server or the terminal requesting the secure channel based on the registered identification information.
16. The method of claim 12,
wherein the secure channel setting step comprises setting a security policy for the secure channel, and
wherein the encryption key providing step provides, together with the security policy, information about the other server or the other terminal forming the other end of the secure channel or about the other security device connected thereto.
17. The method of claim 12, further comprising a secure channel monitoring step of receiving status information from the security devices forming the ends of the secure channel and monitoring the secure channel based on the status information.
A security channel request step in which a security device connecting a server or a terminal to a network requests a secure channel to a network security management server;
A virtual interface generation step in which the security device receives a cryptographic key from the network security management server and generates a virtual interface forming an end of a secure channel; And
And a secure channel forming step in which the security device forms the secure channel with the other security device forming the other end of the secure channel.
19. The method of claim 18,
The secure channel requesting step includes:
The security device identifies, among one or more servers or terminals connected to its physical network interface, the server or terminal that is required to form a secure channel, generates secure channel request information including identification information of that server or terminal, and transmits it to the network security management server.
20. The method of claim 19,
The secure channel requesting step includes:
Generating a plurality of pieces of secure channel request information, one for each of a plurality of servers or terminals connected to the physical network interface,
Wherein the virtual interface generation step comprises:
Receiving a plurality of cryptographic keys, one for each piece of secure channel request information, and generating a plurality of virtual interfaces forming a plurality of secure channel ends corresponding to the plurality of servers or terminals.
20. The method of claim 19,
The secure channel requesting step includes:
Generating one piece of secure channel request information corresponding to a plurality of servers or terminals connected to the physical network interface,
Wherein the virtual interface generation step comprises:
Receiving one cryptographic key corresponding to the one piece of secure channel request information, and generating one virtual interface forming one secure channel end shared by all of the plurality of servers or terminals.
19. The method of claim 18,
Wherein the virtual interface generation step comprises:
Receiving a security policy for the secure channel from the network security management server, and creating a virtual interface according to the security policy.
19. The method of claim 18,
Receiving data transmitted from the server or the terminal by a physical network interface of the security device;
Transmitting data received through the physical network interface to a virtual interface generated in the security device, encrypting the data with the encryption key through the encryption module of the security device, and transmitting the encrypted data to the physical network interface; And
Wherein the physical network interface transmits the encrypted data over the secure channel.
19. The method of claim 18,
Receiving encrypted data transmitted over the secure channel by a physical network interface of the security device;
Transmitting encrypted data received through the physical network interface to a virtual interface generated in the security device, decrypting the encrypted data with the encryption key through the encryption module of the security device, and transmitting the decrypted data to the physical network interface; And
Wherein the physical network interface transmits the decrypted data to the server or the terminal.
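The exchange the claims describe, from security group registration through channel request, membership authentication, key generation and the encrypted data path through a virtual interface, as an added Go example that is not part of the patent or of the applicant's implementation. It assumes an in-memory management server that hands the same key to both authenticated ends, AES-256-GCM as the channel cipher (the claims name no algorithm), and the constructed identifiers srv-A, term-B and host-C; the virtual interface is modelled as an AEAD keyed with the channel key rather than as a kernel network interface.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ManagementServer models the network security management server of the claims.
type ManagementServer struct {
	group    map[string]bool   // security group setting step: registered server/terminal ids
	channels map[string][]byte // canonical "a|b" pair -> key of the established channel
}

// pairKey names a channel the same way from either end.
func pairKey(a, b string) string {
	if a > b {
		a, b = b, a
	}
	return a + "|" + b
}

// RequestChannel is the server side of claim 12: authenticate both ends against the group, then generate (or reuse) the key.
func (m *ManagementServer) RequestChannel(requester, peer string) ([]byte, error) {
	if !m.group[requester] || !m.group[peer] {
		return nil, fmt.Errorf("authentication failed: %s/%s not in security group", requester, peer)
	}
	k := pairKey(requester, peer)
	if _, ok := m.channels[k]; !ok {
		key := make([]byte, 32) // AES-256; the security policy of claim 22 would carry this choice
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		m.channels[k] = key
	}
	return m.channels[k], nil
}

// SecurityDevice sits between a server/terminal and the physical network; each channel end is a virtual interface.
type SecurityDevice struct {
	id   string
	vifs map[string]cipher.AEAD // one virtual interface (AEAD bound to the channel key) per peer, as in claim 20
}

// OpenChannel performs claim 18: request the channel, receive the key, create the virtual interface.
func (d *SecurityDevice) OpenChannel(srv *ManagementServer, peer string) error {
	key, err := srv.RequestChannel(d.id, peer)
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	if d.vifs == nil {
		d.vifs = map[string]cipher.AEAD{}
	}
	d.vifs[peer] = aead
	return nil
}

// Send is the outbound path of claim 23: nonce || ciphertext || tag, with the channel name as associated data.
func (d *SecurityDevice) Send(peer string, plaintext []byte) ([]byte, error) {
	aead, ok := d.vifs[peer]
	if !ok {
		return nil, fmt.Errorf("no secure channel to %s", peer)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(pairKey(d.id, peer))), nil
}

// Receive is the inbound path of claim 24; a frame that fails the tag check is dropped, not forwarded.
func (d *SecurityDevice) Receive(peer string, frame []byte) ([]byte, error) {
	aead, ok := d.vifs[peer]
	if !ok || len(frame) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("no channel to %s or malformed frame", peer)
	}
	ns := aead.NonceSize()
	return aead.Open(nil, frame[:ns], frame[ns:], []byte(pairKey(d.id, peer)))
}

func main() {
	// Constructed identifiers: srv-A and term-B are group members, host-C is not.
	srv := &ManagementServer{group: map[string]bool{"srv-A": true, "term-B": true}, channels: map[string][]byte{}}
	a, b := &SecurityDevice{id: "srv-A"}, &SecurityDevice{id: "term-B"}
	fmt.Println("open:", a.OpenChannel(srv, "term-B"), b.OpenChannel(srv, "srv-A"))
	frame, _ := a.Send("term-B", []byte("hello over the secure channel"))
	pt, err := b.Receive("srv-A", frame)
	frame[len(frame)-1] ^= 1 // one flipped tag bit on the wire
	_, tampered := b.Receive("srv-A", frame)
	fmt.Printf("received %q err=%v; tampered frame err=%v\n", pt, err, tampered)
	fmt.Println("outsider:", (&SecurityDevice{id: "host-C"}).OpenChannel(srv, "srv-A"))
}
```

The two checks worth keeping from this model are the ones a deployment of the design should be tested for: a request from an endpoint outside the security group is refused before any key exists, and a frame whose tag fails verification is dropped at the virtual interface instead of being forwarded to the server or terminal. Random 96-bit GCM nonces are adequate for a demonstration; the security policy of claim 22 is where a real system would fix the rekey interval and nonce discipline.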
KR1020150093281A 2015-06-30 2015-06-30 Security device and network security management server for establishing security channel in network, and system and method of establishing security channel in network KR20170003080A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150093281A KR20170003080A (en) 2015-06-30 2015-06-30 Security device and network security management server for establishing security channel in network, and system and method of establishing security channel in network


Publications (1)

Publication Number Publication Date
KR20170003080A true KR20170003080A (en) 2017-01-09

Family

ID=57810987


Country Status (1)

Country Link
KR (1) KR20170003080A (en)

Similar Documents

Publication Publication Date Title
CN102970299B (en) File safe protection system and method thereof
US8059818B2 (en) Accessing protected data on network storage from multiple devices
EP1394982B1 (en) Methods and apparatus for secure data communication links
US8761401B2 (en) System and method for secure key distribution to manufactured products
US9705854B2 (en) Cryptography and key management device and architecture
CN113691560B (en) Data transmission method, method for controlling data use, and cryptographic device
US20130332724A1 (en) User-Space Enabled Virtual Private Network
US20170201382A1 (en) Secure Endpoint Devices
CN102006276B (en) Licensing and certificate distribution via secondary or divided signaling communication pathway
US20170279807A1 (en) Safe method to share data and control the access to these in the cloud
CN109891423B (en) Data encryption control using multiple control mechanisms
US11799844B2 (en) Secure communication network
CN105027493A (en) Secure mobile app connection bus
JP2023514736A (en) Method and system for secure communication
US9015825B2 (en) Method and device for network communication management
US20070179907A1 (en) Security bootstrapping for distributed architecture devices
CN105763318A (en) Pre-shared key obtaining method, pre-shared key distribution method and pre-shared key distribution device
JP2007318806A (en) Method for securing data traffic in mobile network environment
CN100499453C (en) Method of the authentication at client end
CN104735020A (en) Method, device and system for acquiring sensitive data
US9774630B1 (en) Administration of multiple network system with a single trust module
CN105099849A (en) Method and equipment for establishing IPsec tunnel
KR20170003080A (en) Security device and network security management server for establishing security channel in network, and system and method of establishing security channel in network
US11968302B1 (en) Method and system for pre-shared key (PSK) based secure communications with domain name system (DNS) authenticator
CN115835194B (en) NB-IOT terminal safety access system and access method

Legal Events

Date Code Title Description
AMND Amendment
E601 Decision to refuse application
AMND Amendment