WO2023211124A1 - System for controlling controller-based network connection and method for same - Google Patents

Abstract

A node according to an embodiment disclosed in the present document may store instructions for: performing a network connection request of the target application on an external server through a connection control application, wherein the network connection request includes identification information about the target application and destination network identification information; receiving a data flow from the external server, wherein the data flow includes certificate information corresponding to the destination network identification information; and processing a data packet of the target application on the basis of the certificate information.

Description

System and method for controlling controller-based network access

Cross-citation with related applications

The present invention claims the benefit of priority based on Korean Patent Application No. 10-2022-0051660 filed on April 26, 2022, and all contents disclosed in the document of the Korean Patent Application are included as part of this specification.

Technology field

Embodiments disclosed in this document relate to a system and method for controlling controller-based network access.

Multiple devices can communicate data over a network. For example, a terminal can transmit or receive data to and from a server via the Internet. Networks may include public networks such as the Internet as well as private networks such as intranets.

The terminal communicates with the server using IP (Internet Protocol)-based TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and is used to control the connection between the source IP and destination IP authorized by TCP or UDP technology. Firewall technology may be used. In the case of IP communication, because data packets are transmitted in plain text, there is a problem that a third party can easily view important information in the data packet using sniffing technology such as tapping equipment or rouge WiFi. To solve this problem, VPN (Virtual Private Network) technology and tunneling technology are used to encrypt data packets between the terminal and the server.

As attacks such as leaking authentication information for accessing specific services and entering random passwords by installing key loggers on users' terminals are increasing, problems with personal information being leaked and stolen from services that are always connected to the Internet are occurring. .

To solve the above security problems, some services provide Multi Factor Authentication (MFA), but in order for all services to provide enhanced authentication methods, a lot of money must be invested to modify existing services. In particular, as various MFA technologies proliferate, it may be difficult to support all of the user's preferred authentication methods.

In addition, since the service is always connected to the Internet, that is, data packets are already being sent and received during the general authentication (based on User ID and Password input) or MFA performance stages, it prevents the attack itself by entering a random password. There is no way to do this. In other words, if a continuous attack occurs against a specific ID, only the type of function that requires authentication can be provided through additional authentication, which may be inconvenient from the user's perspective.

The above problem can be equally applied not only to services connected to the Internet, but also to unit systems used by companies, especially when accessing the unit system from outside through technology such as VPN (Virtual Private Network), after VPN connection authentication. may be accessible to the unit system, and authentication in the unit system may be more vulnerable to security because the security authentication system is weaker than the popular services above and even the minimum authentication standards are not followed.

In addition, as services diversify, users prefer technologies (e.g. OAuth, etc.) that can provide integrated authentication for each service through a single authentication information, but the current integrated authentication technology uses HTTP in insecure terminals and network environments. Because it uses technology such as protocol-based SSO (Single Sign On), authenticating each service while authenticated to the service for integrated authentication in a practically unsafe terminal and network environment requires chain authentication and personal information. In terms of deodorization, more dangerous problems may arise.

Additionally, in popular services connected to the Internet, relaying all connections to each service through a gateway may cause operational and cost problems.

In addition, since only authenticated subjects are connected and the information that each service that responds to a service request can identify in the connection request is limited to the source IP information, a problem may arise in which it is not possible to identify which users and terminals are connected.

Additionally, for traffic that bypasses a security session such as SSL/TLS between the terminal and the service server, a problem may occur in which the proxy cannot inspect or manipulate service processing request information.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above-described problems in a network environment.

A node according to an embodiment disclosed herein includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database, a target application, and a connection control application. And the memory, when executed by the processor, causes the node to perform a network connection request of the target application to an external server through the connection control application, and the network connection request includes identification information of the target application and a destination network. Contains identification information, receives a data flow from the external server, wherein the data flow includes certificate information corresponding to the destination network identification information, and processes data packets of the target application based on the certificate information. , commands can be saved.

A node according to another embodiment disclosed herein includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database, a target application, and a connection control application. And, when the memory is executed by the processor, the node receives tunneling creation information from an external server through the access control application, and establishes tunneling with a gateway corresponding to the tunneling creation information based on the tunneling creation information. Generate and transmit proxy information and tunneling information set in the node to the external server, and if the proxy information and the tunneling information do not correspond, receive proxy server setting status and proxy server setting information from the external server, Commands for setting a proxy based on the received proxy server setting status and the proxy server setting information may be stored.

A server according to an embodiment disclosed in this document includes a communication circuit, a memory for storing a database, and a processor operatively connected to the communication circuit and the memory, wherein the processor is connected to a network connection control application of a node. Receiving a connection request, the network connection request includes identification information of a target application of the node, identification information of a destination network of the target application, a connection policy included in the database, identification information of the target application, and Check whether connection is possible based on the identification information of the destination network, check whether a data flow corresponding to the identification information of the destination network exists, and if the data flow does not exist, determine the domain policy included in the database. Based on this, check domain information corresponding to the identification information of the destination network, check whether certificate information corresponding to the domain information exists, generate a data flow including the domain information and the certificate information, and generate the It can be configured to transmit the data flow to the nodes and gateways.

A gateway according to an embodiment disclosed in this document includes a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a service processing request from a node and processes the service. Check the existence of a data flow corresponding to the request, and if the data flow exists, check the domain information included in the service processing request based on whether the data flow includes domain information, and based on the check result The service processing request may be forwarded or a service processing request failure result may be returned. If the data flow does not exist, the service processing request failure result may be returned.

A method of operating a connection control application installed in a node according to an embodiment disclosed in this document includes performing a network connection request of a target application to an external server, wherein the network connection request includes identification information of the target application and destination network identification information. An operation of receiving a data flow from the external server, wherein the data flow includes certificate information corresponding to the destination network identification information, and processing a data packet of the target application based on the certificate information. may include.

A method of operating a server according to an embodiment disclosed in this document includes receiving a network connection request from a connection control application of a node, wherein the network connection request includes identification information of the target application of the node, and information about the destination network of the target application. Containing identification information, an operation of checking whether connection is possible based on a connection policy included in a database, identification information of the target application, and identification information of the destination network, and data flow corresponding to the identification information of the destination network. An operation to check whether the data flow exists; if the data flow does not exist, an operation to check domain information corresponding to the identification information of the destination network based on a domain policy included in the database; certificate information corresponding to the domain information It may include an operation of checking the existence of , an operation of creating a data flow including the domain information and the certificate information, and an operation of transmitting the generated data flow to the node and the gateway.

A method of operating a gateway according to an embodiment disclosed in this document includes the operation of receiving a service processing request from a node, the operation of checking the existence of a data flow corresponding to the service processing request, and if the data flow exists, the data Checks the domain information included in the service processing request based on whether domain information is included in the flow, forwards the service processing request based on the inspection result, or returns a service processing request failure result, or the data flow If does not exist, it may include an operation of returning a result of the service processing request failure.

According to the embodiments disclosed in this document, it is possible to safely access a service using existing application access control technology, provide technology to identify and authenticate the access target in the service, and easily apply it to popular services. It is possible to provide integrated authentication technology that can

In addition, according to the embodiments disclosed in this document, a method is provided through which only authenticated subjects can access the service server through an access control application and a gateway, thereby providing unnecessary service requests or service requests containing attack acts transmitted from unauthenticated subjects. By fundamentally blocking DDoS (distributed denial of service) attacks, DDoS (distributed denial of service) attacks can be effectively prevented by ensuring safe network access at all times between authenticated targets and service servers and at the same time reducing service requests from unauthorized targets.

In addition, according to the embodiments disclosed in this document, service requests containing service attack behavior information among service requests passing through the gateway can be filtered in advance, and it is possible to determine whether a target has performed the attack behavior. At the same time, continuous DDoS attacks can be blocked by isolating the network connection of the target who performed the attack.

In addition, according to the embodiments disclosed in this document, due to the characteristics of HTTP, which is one of the representative service applications, if the network connection with the terminal is not maintained at all times, the point in time when the terminal's network connection ends is unknown, so invalid session information You can manage and prevent vulnerable issues from Session Hijacking attacks using this session information.

In addition, according to the embodiments disclosed in this document, the service server can remove invalid session information by releasing the data flow at the end of the network connection, and by blocking service requests using invalid session information. It may be possible to provide a more secure network service.

According to the embodiments disclosed in this document, by controlling authentication through a network access control application, each service can provide a unified service access and authentication structure without the need to apply a separate strong authentication method.

According to embodiments disclosed in this document, a communication structure can be provided in which the proxy server re-requests service request information from the service server after the security session or general session between the terminal and the proxy server is removed.

According to embodiments disclosed in this document, a connection based on domain information is provided between the terminal and the proxy through a private DNS (Domain Name System), and a service processing request is made to the service server based on the domain information set in the proxy server. By providing a forwarding network structure, the proxy can inspect or manipulate service processing request information even for traffic that bypasses the session.

In addition, various effects that can be directly or indirectly identified through this document may be provided.

Figure 1 shows an environment including multiple networks.

Figure 2 shows an architecture within a network environment according to various embodiments.

3 is a functional block diagram showing a database stored in a controller according to various embodiments.

Figure 4 shows a functional block diagram of a node according to various embodiments.

5A and 5B illustrate an operation for controlling transmission of data packets according to various embodiments.

Figure 6 shows examples of gateway operations according to various embodiments.

Figure 7 shows a signal flow diagram for setting a domain policy according to various embodiments.

Figure 8 shows a signal flow diagram for controller connection according to various embodiments.

9 shows a signal flow diagram for user authentication according to various embodiments.

Figure 10 shows a signal flow diagram for network access according to various embodiments.

FIG. 11 illustrates an operation flowchart for processing a service request in a gateway according to various embodiments.

Figure 12 shows a signal flow diagram for control flow update according to various embodiments.

13 shows a signal flow diagram for disconnection according to various embodiments.

Figure 14 shows a signal flow diagram for terminating application execution according to various embodiments.

Figure 15 shows a flowchart of a method of operating an access control application installed in a node according to various embodiments.

Figure 16 shows a flowchart of a server operation method according to various embodiments.

Figure 17 shows a flowchart of a gateway operating method according to various embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS Various embodiments of the present invention are described below with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, but should be understood to include various modifications, equivalents, and/or alternatives to the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one or plural items, unless the relevant context clearly indicates otherwise. In this document, “A or B”, “at least one of A and B”, “at least one of A or B”, “A, B or C”, “at least one of A, B and C” and “A, Each of phrases such as “at least one of B, or C” may include any one of the items listed together in the corresponding phrase, or any possible combination thereof. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish one component from another, and to refer to that component in other respects (e.g., importance or order) is not limited. One (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.” When mentioned, it means that any of the components can be connected to the other components directly (e.g. wired), wirelessly, or through a third component.

Each component (eg, module or program) described in this document may include singular or plural entities. According to various embodiments, one or more of the corresponding components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (eg, modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each component of the plurality of components in the same or similar manner as those performed by the corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations may be executed in a different order, or omitted. Alternatively, one or more other operations may be added.

The term “module” used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrated part or a minimum unit of the parts or a part thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (e.g., a program or application) including one or more instructions stored in a storage medium (e.g., memory) that can be read by a machine. For example, the processor of the device may call at least one instruction among one or more instructions stored from a storage medium and execute it. This allows the device to be operated to perform at least one function according to the at least one instruction called. The one or more instructions may include code generated by a compiler or code that can be executed by an interpreter. A storage medium that can be read by a device may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain signals (e.g. electromagnetic waves), and this term refers to cases where data is semi-permanently stored in the storage medium. There is no distinction between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided and included in a computer program product. Computer program products are commodities and can be traded between sellers and buyers. A computer program product may be distributed in the form of a machine-readable storage medium (e.g. compact disc read only memory (CD-ROM)) or through an application store or between two user devices (e.g. smartphones). It may be distributed in person or online (e.g., downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be at least temporarily stored or temporarily created in a machine-readable storage medium, such as the memory of a manufacturer's server, an application store server, or a relay server.

Figure 1 shows an environment including multiple networks.

Referring to FIG. 1, the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101. In FIG. 1 and the embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances and is not limited to the above-mentioned devices. For example, the source node 101 may include a server or gateway that can transmit data packets through an application. The source node 101 may also be referred to as an ‘electronic device’ or a ‘terminal’. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101. As another example, the destination node 102 may be substantially the same as the destination network.

The source node 101 may attempt to access the second network 20 and transmit data to the destination node 102 included in the second network 20. The source node 101 may transmit data to the destination node 102 through the gateway 103.

If the connection of the source node 101 to the first network 10 is approved, the source node 101 can communicate with all servers included in the first network 10, and therefore the source node 101 is malicious. ) may be exposed to program attacks. For example, the source node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browsers 110a and business applications 110b. ) It is possible to receive data from untrusted or unsecured applications, such as the business application 110d.

The source node 101 infected by a malicious program may attempt to connect to the second network 20 and/or transmit data. If the second network 20 is formed based on IP, such as a VPN, it may be difficult for the second network 20 to individually monitor a plurality of devices included in the second network 20, and application at the OSI layer may be difficult. Security at the layer or transport layer may be vulnerable. Additionally, if the source node 101 includes a malicious application after the tunnel has already been created, the data of the malicious application will be transmitted to another electronic device (e.g., the destination node 102) within the second network 20. You can.

Figure 2 shows an architecture within a network environment according to various embodiments.

Referring to FIG. 2, nodes 201 and 206 may be various types of devices capable of performing data communication. For example, nodes 201 and 206 may include an authenticated node 201 and an unauthenticated node 206. As another example, the nodes 201 and 206 may be used in portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, and virtual reality (VR) devices. ) may include devices, or home appliances, and is not limited to the above-mentioned devices. For example, nodes 201 and 206 may include servers or gateways that can transmit data packets through an application. Nodes 201 and 206 may also be referred to as ‘electronic devices’ or ‘terminals.’

The authentication node 201 may store the first target application 212 and the access control application 211. The first target application 212 is controlled by the access control application 211 and can transmit data packets to the service server 205 through the gateway 203 or, conversely, receive data packets. Some of the first target applications 212 may be trusted and/or secure applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, thus network access according to embodiments. The system can block access to the service server 205 of unauthorized programs (applications) and isolate the programs through network access control of the access control application 211. For example, before the first target application 212 according to embodiments communicates with the service server 205, the connection control application 211 may check whether connection is possible from the controller 202. If connection is possible, the connection control application 211 can control data packet transmission of the first target application 212. That is, in order for the first target application 212 to access the network, it must go through the access control application 211, the access control application 211 must be authorized by the controller 202, and the access control application 211 must be connected to the first target application 212. Data packets of the target application 212 may be transmitted based on a data flow based on the policy of the controller 202.

The unauthorized node 206 may store the second target application 216 . For example, the unauthorized node 206 may be a node on which an access control application is not installed. According to the embodiment, the second target application 216 may access the service server 205 without guaranteeing security. In this case, the service server 205 may provide the second target application 216 with only functions suitable for the corresponding security level.

Controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure trusted data transmission within a network environment by managing data transmission between the authentication node 201, the gateway 203, and the service server 205. For example, the controller 202 may allow the authorized authentication node 201 (or the access control application 211) to access the network through policy information or blacklist information. Controller 202 may provide information to create tunneling between authentication node 201 and gateway 203. Therefore, the access control application 211 of the authentication node 201 can prevent unauthorized applications from transmitting data packets for unauthorized purposes, and allows data packets to be transmitted through the tunneling created with the gateway 203. It is possible to provide a structure that can only be transmitted to the service server 205.

Depending on the embodiment, the network connection of the first target application 212 may be blocked from the access control application 211, the controller 202, or the gateway 203. According to one embodiment, the controller 202 is a connection control application to perform various operations (e.g., registration, authorization, authentication, renewal, termination) associated with the network connection of the authentication node 201 or the access control application 211. Control data packets can be transmitted and received with (211). The flow through which control data packets are transmitted (e.g., 220) may be referred to as a 'control flow'. According to the embodiment, the controller 202 immediately retrieves tunneling and sessions according to security events received from the interconnected system (e.g., authentication node 201, gateway 203, or service server 205), thereby maintaining a secure network state at all times. can be maintained.

The gateway 203 may be located at the border of the network to which the authentication node 201 belongs or the border of the network to which the service server 205 belongs. According to one embodiment, the gateway 203 may be connected to the controller 202 on a cloud basis. According to the embodiment, the gateway 203 may relay communication with the service server 205 through a proxy for data packets received through authorized tunneling, and the service server 205 may relay a service request received from an authenticated target. A structure can be provided to process . According to the embodiment, the flow in which data packets are transmitted between the access control application 211 and the gateway 203 may be referred to as a 'data flow'. Data flows can be created at a node or IP level, as well as at more granular units (e.g. applications).

According to an embodiment, the gateway 203 may include a DNS server for processing domain information.

According to an embodiment, the gateway 203 may include a module for inspecting 5Tuples and TCP and UDP data packets, and a module for processing tunneling and secure session data packets. For example, the gateway 203 may check whether all data packets passing through the gateway 203 are data packets transmitted from an authorized target (eg, a target authorized by the controller 202).

According to the embodiment, the gateway 203 sends data packets received through a tunnel, such as authorized tunneling or session, to the service server through a proxy included in the gateway 203 (e.g., proxy server module 233 in FIG. 6). Service processing with (205) can be relayed. For example, the gateway 203 may provide a structure in which the service server 205 can process a service request received from an authenticated target, and the service server 205 may operate on an unauthenticated node other than the gateway 203 ( 206) can provide a separate network structure that can process service requests. Therefore, the above network processing structure can solve the problem of the structure in which the service server 205 must process services through the gateway 203.

According to various embodiments, the authentication node 201 may include a connection control application 211 and a network driver (not shown) for managing the network connection of the first target application 212 stored in the authentication node 201. You can. For example, when a connection event to the service server 205 of the first target application 212 included in the authentication node 201 occurs, the connection control application 211 allows the first target application 212 to connect. You can decide whether or not. If the first target application 212 is accessible, the connection control application 211 may transmit a data packet to the gateway 203. The access control application 211 can control the transmission of data packets within the authentication node 201 through a kernel including an operating system and a network driver.

3 is a functional block diagram showing a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for performing communication with an external electronic device (e.g., the communication circuit 430 in FIG. 4) and a processor for controlling the overall operation of the controller (e.g., FIG. It may further include 4 processors 410).

Hereinafter, the node 201 may include the authentication node 201 of FIG. 2 . For example, the network access of the unauthorized node 206 in FIG. 2 may not be controlled by the controller 202 because the access control application is not installed.

The administrator can access the controller 202 and set a connection-oriented policy to control the connection between the access control application 211 and the service server 205, so network access is more detailed and safer than managing sessions at the service level. can be controlled.

The connection policy database 311 may include information about networks and/or services to which an identified network, node, or application can access. For example, when the access control application 211 requests network access, the controller 202 identifies the network (e.g., the network to which the node 201 belongs), the node, It may be determined whether a user (e.g., a user of the node 201) and/or an application (e.g., a target application 212 included in the node 201) can access the service server 205. One embodiment In, the controller 202 may create a whitelist of target applications 212 that can access a specific service (eg, IP and port) based on the connection policy database 311.

The tunnel policy database 312 is a gateway (e.g., the gateway 203 in FIG. 2) and a proxy that exist between a service server (e.g., the service server 205 in FIG. 2) on a connection path according to a policy. (Example: proxy server module 233 in FIG. 6) may include information. For example, the tunnel policy database 312 has a series of information (authentication information, encryption algorithm, tunnel end point, etc.) required for creating a tunnel with the gateway 203, and there is tunneling previously connected through another gateway between the connection paths. In this case, it may include a series of information for its use (collection of IP information assigned to the node and whether alternative processing is performed, etc.).

The blacklist policy database 313 is a target (e.g., node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID).

The blacklist database 314 may include a list of targets blocked by the blacklist policy database 313. For example, if the identification information of the node 201 requesting network access is included in the blacklist database 314, the controller 202 may isolate the node 201 by rejecting the network access request.

The control flow table 315 is an example of a session table for managing the flow (eg, control flow) of control data packets generated between the node 201 and the controller 202. When successfully connecting to the controller 202, control flow information may be generated by the controller 202. The control flow information may include at least one of control flow identification information, an IP address identified when connecting to and authenticating the controller, a node ID, or a user ID. For example, when connection to the service server 205 is requested from the node 201, the controller 202 can retrieve control flow information through the control flow identification information received from the node 201, and the retrieved control flow Whether the node 201 can connect to the service server 205 by mapping at least one of the IP address, node ID, or user ID included in the information to the connection policy database 311, data flow for data packet transmission You can determine (decide) whether to create it or not.

According to one embodiment, a control flow may have an expiration time. The node 201 must update the expiration time of the control flow, and if the expiration time is not updated within a certain period of time, the control flow (or control flow information) may be removed. Additionally, if it is determined that immediate connection blocking is necessary according to security events collected from the node 201, the controller 202 may remove the control flow according to the node 201's connection termination request. When the control flow is removed, the previously created data flow is also removed, so the connection to the node 201 may be blocked.

The data flow table 316 is a table for managing the flow (eg, data flow) in which detailed data packets are transmitted between the node 201, the gateway 203, and the service server 205. Data flows can be created by TCP sessions, applications, or more granular units. The data flow table 316 may include data flow information for managing tunneling and sessions of the application of the node 201 (e.g., the first target application 212), the gateway 203, and the service server 205. there is. The data flow table 316 may include an application ID, destination IP address, and/or service port to identify whether the data packet transmitted from the source is an authorized data packet. The data flow table 316 can be managed based on control flow ID. In addition, the data flow table 316 may include status information including authorized target information for determining whether to forward a data packet based on the source IP and destination IP and port information of the data packet, and whether the data flow is valid. You can. According to an embodiment, the data flow table 316 may further include information indicating whether tunneling or a session is created between the application and the gateway 203. According to the embodiment, when connecting to the service server 205 through a proxy, the data flow table 316 may include domain information for connecting to the service server 205 and certificate information for domain authentication.

According to the embodiment, the data flow table 316 may be equally stored in the node 201, gateway 203, or service server 205.

The tunnel table 317 may include a list of tunnels created between the node 201 and the gateway 203.

The domain policy database 318 sends service processing requests to the service server 205 through a proxy included in the gateway 203 or a separate proxy that exists between the network boundaries of the service server 205 on the access path according to policy. When a terminal attempts to connect to a domain address for relaying, the information required to pass through the proxy (domain address resolution information, DNS server information to be assigned on the route, domain information set in the proxy, certificate required when accessing the domain, etc. ) may include.

The proxy policy database 319 may include proxy information existing between the service servers 205 on the connection path according to the policy.

Figure 4 shows a functional block diagram of a node according to various embodiments.

Referring to FIG. 4 , a node may include a processor 410, memory 420, and communication circuit 430. According to one embodiment, the node may further include a display 440 to interface with the user. According to an embodiment, the nodes may include the authenticating node 201 and the non-authenticating node 206 of FIG. 2 .

The processor 410 can control the overall operation of the node. In various embodiments, the processor 410 may include one processor core (single core) or may include a plurality of processor cores. For example, the processor 410 may include multi-core, such as dual-core, quad-core, or hexa-core. Depending on embodiments, the processor 410 may further include a cache memory located internally or externally. Depending on embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or a portion of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). It can be (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420, the communication circuit 430, or the display 440. Processor 410 may generate new messages, data, instructions, or signals based on received messages, data, instructions, or signals. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420, communication circuit 430, or display 440.

The processor 410 can process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals to the memory 420 in order to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

Memory 420 may include one or more of volatile memory or non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). It can be included. Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc.

The memory 420 uses non-volatile media such as a hard disk drive (HDD), solid state disk (SSD), embedded multi media card (eMMC), and universal flash storage (UFS). More may be included.

According to one embodiment, the memory 420 may store the first target application 212 and the access control application 211 of FIG. 2. Additionally, the memory 420 may store the second target application 216 of FIG. 2 . The connection control application 211 may perform control flow creation and update functions with the controller 202. To this end, the access control application 211 may include one or more security modules.

According to one embodiment, the memory 420 may store some of the information included in the controller's memory (eg, memory 330 in FIG. 3). For example, memory 420 may store data flow table 316 described in FIG. 3 .

Communication circuitry 430 establishes a wired or wireless communication connection between a node and an external electronic device (e.g., controller 202, gateway 203, or service server 205 in FIG. 2), and performs communication over the established connection. can support. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (e.g., a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit, a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a long-distance communication such as a cellular network, the Internet, or a computer network It can communicate with external electronic devices through a network. The various types of communication circuits 430 described above may be implemented as one chip or may be implemented as separate chips.

The display 440 can output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410. Depending on embodiments, the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving touch input, etc. When the display 440 is configured as a touch screen, a plurality of touch sensors may be placed above the display 440 or below the display 440.

A server (eg, controller) according to one embodiment may include a processor 410, memory 420, and communication circuit 430. The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

A gateway (eg, gateway 203 in FIG. 2) according to an embodiment may include a processor 410, a memory 420, and a communication circuit 430. The processor 410, memory 420, and communication circuit 430 included in the gateway may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

5A and 5B illustrate an operation for controlling transmission of data packets according to various embodiments.

Referring to FIG. 5A, the access control application 211 detects a network connection request to the service server 205 from the first target application 212 included in the authentication node 201, and connects the authentication node 201 or the connection. It may be determined whether the control application 211 is connected to the controller 202. If the authentication node 201 or the access control application 211 is not connected to the controller 202, the access control application 211 may block the transmission of data packets in the kernel or network driver that includes the operating system. You can. Through the access control application 211, the authentication node 201 can block access of malicious applications in advance at the application layer of the OSI layer.

According to the embodiment, when the access control application 211 is not connected to the controller 202 or when the data packet to be transmitted is a data packet that must be transmitted based on a tunnel but the corresponding tunnel does not exist, the connection Data packets transmitted from the control application 211 are blocked by the gateway 203, and the access control application 211 can only request a connection to the controller 202.

According to the embodiment, if the access control application 211 is not installed on the authentication node 201 or a malicious application bypasses the control of the access control application 211, unauthorized data packets may be transmitted from the authentication node 201. You can. In this case, the gateway 203 located at the border of the network blocks data packets for which a corresponding tunnel does not exist, so the data packets (e.g., data packets for TCP session creation) transmitted from the authentication node 201 are transmitted to the service server. (205) may not be reached. In other words, the authentication node 201 may be isolated from the service server 205.

Referring to FIG. 5b, in the case of an unauthenticated node 206 in which the access control application is not installed, the second target application 216 can provide a structure that can always access the service server 205 through an existing network path. there is. For example, the service server 205 provides a separate network structure that can process service requests for the unauthorized node 206 rather than the gateway 203, so that the service server 205 must be processed through the gateway 203. It can solve the problem of the inline structure where services must be processed and costs are incurred.

Figure 6 shows examples of gateway operations according to various embodiments.

Referring to FIG. 6, the gateway 203 according to an embodiment disclosed in this document may include a DNS server module 213, a tunneling module 223, and a proxy server module 233. According to the embodiment, the gateway 203 does not need to include all of the DNS server module 213, the tunneling module 223, and the proxy server module 233, but rather includes the DNS server module 213, the tunneling module 223, and the proxy. It may include at least one of the server modules 233.

The node 201 may request domain information to be interpreted in order to connect to the service server 205, and may request a proxy existing within the tunneling section through the DNS server module 213 included in the gateway 203 or an external DNS server. By receiving IP information that can connect to the server, the node 201 can be prevented from directly connecting to the service server 205 that exists in the public IP band. For example, the DNS server module 213 may process a domain resolution request from the node 201.

In addition, the node 201 can connect to the proxy server module 233 with pre-authorized tunnel and domain authentication information through data flow access control, and the controller 202 is included in the gateway 203 and the gateway 203. By transmitting data flow information to the proxy server module 233 or an external proxy server, it is possible to control so that only authorized subjects can access the service server 205.

Node 201 may request domain resolution from gateway 203. For example, node 201 may request access to private.com.

The gateway 203 can interpret the domain information of pribit.com through the DNS server module 213, and transmit the interpreted public IP information (211.1.1.1) to the proxy server module 233, and the node 201 ) can be set and transmitted to private IP information (192.168.1.10) that can access the proxy server module 233.

The tunneling module 223 can create tunneling with the node 201. For example, the tunneling module 223 may inspect data packets received through tunneling. For example, the tunneling module 223 may check whether the received data packet was received through a corresponding authorized tunnel. According to the embodiment, the tunneling module 223 may check not only whether the data packet was received through an authorized tunnel, but also whether it was received through an authorized tunnel including a tunnel or session.

The node 201 may request connection to the service server 205 based on private IP information (192.168.1.10) through previously created tunneling. The proxy server module 233 may be set to process a service processing request transmitted from the node 201 based on private IP information (192.168.1.10) with public IP information (211.1.1.1).

That is, the proxy server module 233 checks the domain information included in the received service request information and the domain information included in the data flow, and sends service processing request information to the service server 205 only to those who have accessed the authorized data flow. By retransmitting, the proxy server module 233 performs access control to the service server based on data flow information, and simultaneously processes service requests passing through the proxy server module 233 and inspects or manipulates the processing request results returned by the service server in detail. We can provide a way to do it.

Through the above network structure, the gateway 203 identifies authenticated nodes, users, applications, etc. that various access control technologies using conventional proxy servers could not control, and allows each target to access the service server 205. Detailed control is possible, and at the same time, when the target disconnects, the corresponding data flow is removed from the proxy server module 233, thereby preventing unauthorized targets from accessing the service server 205 through the proxy server module 233. there is.

Figure 7 shows a signal flow diagram for setting a domain policy according to various embodiments.

In order to control access to public services (e.g., SaaS services, etc.), the node 201 can request access to all services of the node 201 to the proxy or request access to only some services to the proxy. For example, when directing access to some services through a proxy, the controller 202 sets the domain of the DNS server to process the public IP of the public domain as a proxy IP existing in the tunneling band, and when tunneling, the IP of the DNS server is set. A control method may be needed to allocate the domain, resolve the domain on the proxy server, and then forward it to the public IP.

Referring to FIG. 7, in operation 605, the controller 202 may set a domain policy. For example, the administrator can set domain policies through a dedicated console or UI (User Interface) and transmit each setting information to the gateway 203 to set each server and module included in the gateway (operation 610). . Additionally, if the DNS server and proxy server are not included in the gateway 203 and are separated, the controller 202 can process related settings by transmitting to each server.

At operation 615, the DNS server of gateway 203 may set the domain and IP. For example, the DNS server can set a domain for service access and IP information to be returned when the node 201 queries the domain.

In operation 620, when the node 201 establishes tunneling, the gateway 203 may set a DNS server IP to query during communication as a tunneling section. For example, the tunneling module of gateway 203 can set the DNS server IP.

In operation 625, the proxy server of the gateway 203 may set information to process a service request transmitted as private IP information as public IP information.

Figure 8 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to connect to or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, thereby establishing the node ( 201), you can try to connect to the controller. According to an embodiment, the node 201 may be substantially the same as the authentication node 201 of FIG. 2 on which the access control application 211 is installed.

Referring to FIG. 8, node 201 can detect a controller connection event. For example, when the access control application 211 is installed and executed within the node 201, the node 201 may detect that a connection to the controller 202 is requested.

In operation 705, node 201 may request controller connection to controller 202. For example, the access control application 211 may transmit identification information of the access control application 211 to the controller 202. Additionally, the access control application 211 may include identification information of the node 201 (e.g., terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Random identification information generated by the system itself may be further transmitted.

In operation 710, the controller 202 may identify whether the object requesting controller connection (e.g., the access control application 211 or the node 201) can be connected. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the connection policy database 311 or determines whether the node 201, the network to which the node 201 belongs, and/or the connection It is possible to check whether the object requesting controller access can be connected based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314.

If a connection is available, at operation 715 the controller 202 may create a control flow between the node 201 (or the connection control application 211) and the controller 202. In this case, the controller 202 generates control flow identification information in the form of a random number and stores the identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 211 in the control flow table ( 315). The information stored in the control flow table 315 may be used for user authentication of the node 201, update of information of the node 201, confirmation of policy for network connection of the node 201, and/or validation.

In operation 720, the controller 202 connects to the access policy database 311 and the tunnel policy database 312 corresponding to the identified information (e.g., node 201, source network information to which node 201 belongs). Whitelist information of possible applications can be created. Depending on the embodiment, the controller 202 determines whether there is destination network information to which the current connection requesting node 201 can basically connect based on the identified information, the connection policy database 311, and the tunnel policy database 312. You can check it. In one embodiment, the controller 202 may transmit the application white list to the connection control application 211 in operation 725.

Additionally, if a connection is available, the controller 202 can list the tunneling types and gateways to which the node 201 can be connected. For example, in order for the node 201 to connect to the destination network, the controller 202 uses the type, location information, environment, and network information containing the node 201 included in the control flow, and the controller ( Tunneling that the node 201 can connect based on at least one of the identification information (e.g., IP information) of the node 201 identified through 202) and the identification information of the node 201 identified in the node 201. Types and gateways can be listed. For another example, the controller 202 uses the type, location information, environment, and network information including the node 201 included in the control flow for the node 201 to connect to the destination network. The node 201 can connect based on a combination of two or more of the identification information (e.g. IP information) of the node 201 identified through 202 and the identification information of the node 201 identified through node 201. Tunneling types and gateways can be listed.

The controller 202 can check the status of the listed gateways and identify tunneling optimized for the node 201 and the gateway 203 among the listed gateways. For example, controller 202 may identify one tunneling and one gateway 203. According to the embodiment, when there is tunneling and a gateway 203 accessible to the node 201, the controller 202 generates tunneling such as a gateway 203 and tunneling authentication information for the node 201 to create tunneling. Information may be transmitted to node 201 (act 725).

According to the embodiment, tunneling is not created between the node 201 and the gateway 203, but through pre-connected tunneling between the gateway 203 existing in the network to which the node 201 belongs and existing at the boundary of the destination network. In the case of a connection structure or a connection between the node 201 and the destination network boundary through another tunneling technology, the controller 202 may not transmit tunneling creation information to the node 201.

In operation 725, the controller 202 may transmit control flow identification information to the node 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller connection is unconnectable or included in the blacklist, the controller 202 may transmit unconnection information in operation 725 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list created through operation 720 to the access control application 211.

In operation 730, when tunneling creation is necessary (e.g., tunneling creation information is received from the controller 202), the access control application 211 generates information for tunneling creation received from the controller 202 (e.g., gateway 203 ) and a series of information required for tunneling creation, such as tunneling authentication information, can be requested to the gateway 203 to create tunneling. The gateway 203 may create tunneling in response to the tunneling creation request of the node 201. According to the embodiment, when tunneling creation is determined to be unnecessary by the controller 202 (e.g., when tunneling creation information is not received from the controller 202, or when tunneling creation unnecessary information is received from the controller 202) etc.) The access control application 211 may not perform operation 730.

At operation 735, the connection control application of node 201 may process the tunneling creation results. For example, when the node 201 completes creating a tunnel with the gateway 203, a designated DNS server may be assigned during tunneling.

According to the embodiment, the access control application 211 may perform a check on the application. For example, the access control application 211 may perform a check on applications based on a white list of accessible applications received from the controller 202. The access control application 211 can check whether the application exists (installed) on the node 201 based on the accessible application information, and in the case of the existing application, the integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, and fingerprint inspection) can be performed.

In operation 740, the access control application 211 may transmit node 201 information. For example, the access control application 211 may transmit tunneling creation completion information, certificate and proxy setting information set in the node 201, and assigned tunneling identification information (IP information) to the controller 202. According to the embodiment, the access control application 211 may transmit the application check result to the controller 202. For example, the access control application 211 may transmit information on existing applications and the results of validation to the controller 202.

At operation 745, the controller 202 may check proxy policies (e.g., proxy policy database 319 in FIG. 3) and domain policies (e.g., domain policy database 318 in FIG. 3). For example, when tunneling creation is completed based on the tunneling creation completion information received from the access control application 211, the controller 202 stores the tunneling IP assigned to the node 201 and the corresponding tunneling creation information in the tunneling table (e.g. : Can be registered in the tunneling table 317 of FIG. 3, and information received from the node 201 can be updated in the control flow.

In addition, the controller 202 can identify the proxy server that exists in the tunneling section of the gateway 203 to which the node 201 is connected in the proxy policy, and sets a proxy in the node 201 to proxy all service requests. You can check whether you want to process it or not.

According to the embodiment, when a proxy server needs to be set, the controller 202 can check whether the proxy server information received from the node 201 exists and determines the proxy server information to be set based on the received proxy server information and the proxy policy 319. You can compare proxy server information. For example, if the received proxy server information and the proxy server information to be set are the same, the controller 202 may determine that the proxy setting of the node 201 is complete. For another example, if the received proxy server information is different from the proxy server information to be set, or if the received proxy server information does not exist, the controller 202 determines whether to set up a proxy, and proxy server identification information (e.g. IP information). and port information may be returned to node 201 (operation 755).

In addition, the controller 202 can check whether a service server that the node 201 can access exists based on the access policy 311 and the domain policy, and can check domain information and certificate information for accessing the service server. there is. For example, if there is domain information and certificate information for accessing the service server, the controller 202 compares the certificate information received from the node 201 to determine if there is an additional certificate or renewal certificate to be set in the node 201. It can be checked whether it exists, and if certificate settings are required, the certificate information can be returned to the node 201 (operation 755).

In addition, the controller 202 can check whether the application is valid based on the received application information, and if it is a valid application, the node 202 uses the connection policy and tunnel policy to allow access to the node 201 connected to the network. It is possible to check the gateway 203 where (201) is located and to generate data flow information based on the source IP, destination IP, and port information so that the node 201 can transmit data packets without a network connection request procedure. .

The controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 (operations 750 and 755).

In operation 760, the access control application 211 may process a result value according to the received response. For example, the connection control application 211 may store the received control flow identification information and display a user interface screen to the user indicating that the controller connection is complete. Once the controller connection is completed, the network connection request for the destination network of the node 201 can be controlled by the controller 202.

According to another embodiment, controller 202 may determine that node 201 is unreachable. For example, if the identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may not generate a control flow in operation 715 and may transmit a response indicating that controller connection is not possible in operation 725. Additionally, in this case, operations 730 to 755 may not be performed. Depending on the embodiment, if a retry of controller connection is required, the connection control application 211 may perform operation 705 again.

In addition, the access control application 211 can update the data flow of the node 201 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that Afterwards, when a data packet transmission request is detected, the access control application 211 may process the data packet to be transmitted based on the received data flow.

According to the embodiment, the access control application 211 may perform proxy settings and certificate settings, respectively, if proxy setting information or certificate information received from the controller 202 exists.

9 shows a signal flow diagram for user authentication according to various embodiments.

In order for the node 201 to be granted detailed access rights to the destination network, the access control application 211 of the node 201 may receive authentication for the user of the node 201 from the controller 202. According to an embodiment, the node 201 may be substantially the same as the authentication node 201 of FIG. 2 on which the access control application 211 is installed.

Referring to FIG. 9, node 201 may receive input for user authentication. The input for user authentication may be, for example, a user input of entering a user ID and password. For another example, the input for user authentication may be a user input for stronger authentication (e.g., biometric information). In this case, in operation 805, the access control application 211 of the node 201 may request user authentication from the controller 202. If a control flow between the node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication along with control flow identification information.

At operation 810, controller 202 may authenticate the user based on information received from node 201. For example, the controller 202 may store the user ID, password, and/or enhanced authentication information contained in the received information and a database contained in the memory of the controller 202 (e.g., the access policy database of FIG. 3). Based on (311) or the blacklist database (314), it can be determined whether the user can access according to the access policy and whether the user is included in the blacklist.

If the user is authenticated, at operation 815, the controller 202 may add the user's identification information (e.g., user ID) to the control flow's identification information. The added user identification information can be used to connect the authenticated user to the controller or network.

In operation 820, the controller 202 connects the access policy database 311 and the tunnel policy database 312 corresponding to the identified information (e.g., node 201, source network information to which node 201 belongs). Whitelist information of possible applications can be created. Depending on the embodiment, the controller 202 determines whether there is destination network information to which the current connection requesting node 201 can basically connect based on the identified information, the connection policy database 311, and the tunnel policy database 312. You can check it. In one embodiment, the controller 202 may transmit the application white list to the connection control application 211 in operation 825.

Additionally, if a connection is available, the controller 202 can list the tunneling types and gateways to which the node 201 can be connected. For example, in order for the node 201 to connect to the destination network, the controller 202 uses the type, location information, environment, and network information containing the node 201 included in the control flow, and the controller ( Tunneling that the node 201 can connect based on at least one of the identification information (e.g., IP information) of the node 201 identified through 202) and the identification information of the node 201 identified in the node 201. Types and gateways can be listed. For another example, the controller 202 uses the type, location information, environment, and network information including the node 201 included in the control flow for the node 201 to connect to the destination network. The node 201 can connect based on a combination of two or more of the identification information (e.g. IP information) of the node 201 identified through 202 and the identification information of the node 201 identified through node 201. Tunneling types and gateways can be listed.

The controller 202 can check the status of the listed gateways and identify tunneling optimized for the node 201 and the gateway 203 among the listed gateways. For example, controller 202 may identify one tunneling and one gateway 203. According to the embodiment, when there is tunneling and a gateway 203 accessible to the node 201, the controller 202 generates tunneling such as a gateway 203 and tunneling authentication information for the node 201 to create tunneling. Information may be transmitted to node 201 (act 825).

According to the embodiment, tunneling is not created between the node 201 and the gateway 203, but through pre-connected tunneling between the gateway 203 existing in the network to which the node 201 belongs and existing at the boundary of the destination network. In the case of a connection structure or a connection between the node 201 and the destination network boundary through another tunneling technology, the controller 202 may not transmit tunneling creation information to the node 201.

In operation 825, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. Additionally, the controller 202 may transmit information on accessible applications to the connection control application 211.

In operation 830, when tunneling creation is required (e.g., tunneling creation information is received from the controller 202), the access control application 211 generates tunneling information received from the controller 202 (e.g., gateway 203 ) and a series of information required for tunneling creation, such as tunneling authentication information, can be requested to the gateway 203 to create tunneling. The gateway 203 may create tunneling in response to the tunneling creation request of the node 201. According to the embodiment, when tunneling creation is determined to be unnecessary by the controller 202 (e.g., when tunneling creation information is not received from the controller 202, or when tunneling creation unnecessary information is received from the controller 202) etc.) The access control application 211 may not perform operation 830.

At operation 835, the connection control application of node 201 may process the tunneling creation results. For example, when the node 201 completes creating a tunnel with the gateway 203, a designated DNS server may be assigned during tunneling.

According to the embodiment, the access control application 211 may perform a check on the application. For example, the access control application 211 may perform a check on applications based on a white list of accessible applications received from the controller 202. The access control application 211 can check whether the application exists (installed) on the node 201 based on the accessible application information, and in the case of the existing application, the integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, and fingerprint inspection) can be performed.

In operation 840, the access control application 211 may transmit node 201 information. For example, the access control application 211 may transmit tunneling creation completion information, certificate and proxy setting information set in the node 201, and assigned tunneling identification information (IP information) to the controller 202. According to the embodiment, the access control application 211 may transmit the application check result to the controller 202. For example, the access control application 211 may transmit information on existing applications and the results of validation to the controller 202.

At operation 845, the controller 202 may check proxy policies (e.g., proxy policy database 319 in FIG. 3) and domain policies (e.g., domain policy database 318 in FIG. 3). For example, when tunneling creation is completed based on the tunneling creation completion information received from the access control application 211, the controller 202 stores the tunneling IP assigned to the node 201 and the corresponding tunneling creation information in the tunneling table (e.g. : Can be registered in the tunneling table 317 of FIG. 3, and information received from the node 201 can be updated in the control flow.

In addition, the controller 202 can identify the proxy server that exists in the tunneling section of the gateway 203 to which the node 201 is connected in the proxy policy, and sets a proxy in the node 201 to proxy all service requests. You can check whether you want to process it or not.

According to the embodiment, when a proxy server needs to be set, the controller 202 can check whether the proxy server information received from the node 201 exists and determines the proxy server information to be set based on the received proxy server information and the proxy policy 319. You can compare proxy server information. For example, if the received proxy server information and the proxy server information to be set are the same, the controller 202 may determine that the proxy setting of the node 201 is complete. For another example, if the received proxy server information is different from the proxy server information to be set, or if the received proxy server information does not exist, the controller 202 determines whether to set up a proxy, and proxy server identification information (e.g. IP information). and port information may be returned to the node 201 (operation 855).

In addition, the controller 202 can check whether a service server that the node 201 can access exists based on the access policy 311 and the domain policy, and can check domain information and certificate information for accessing the service server. there is. For example, if there is domain information and certificate information for accessing the service server, the controller 202 compares the certificate information received from the node 201 to determine if there is an additional certificate or renewal certificate to be set in the node 201. It can be checked whether it exists, and if certificate settings are required, the certificate information can be returned to the node 201 (operation 855).

In addition, the controller 202 can check whether the application is valid based on the received application information, and if it is a valid application, the node 202 uses the connection policy and tunnel policy to allow access to the node 201 connected to the network. It is possible to check the gateway 203 where (201) is located and to generate data flow information based on the source IP, destination IP, and port information so that the node 201 can transmit data packets without a network connection request procedure. .

The controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 (operations 850 and 855).

In operation 860, the access control application 211 may process a result value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen to the user indicating that user authentication is complete. Once user authentication is completed, the node 201's network connection request to the destination network may be controlled by the controller 202.

According to another embodiment, the controller 202 may determine that user authentication of node 201 is not possible. For example, if the identification information of node 201 and/or the network to which node 201 belongs is included in the blacklist database, the controller 202 may determine that node 201 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect the user identification information in operation 815 and may transmit a response indicating that controller access is not possible in operation 825. Additionally, in this case, operations 830 to 855 may not be performed.

In addition, the access control application 211 can update the data flow of the node 201 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that

According to the embodiment, the access control application 211 may perform proxy settings and certificate settings, respectively, if proxy setting information or certificate information received from the controller 202 exists.

Figure 10 shows a signal flow diagram for network access according to various embodiments.

After the node 201 is authorized by the controller 202, the node 201 controls the network access of other applications stored in the node 201 through the access control application 211 of the node 201, thereby controlling the network access of other applications stored in the node 201. Transmission can be guaranteed. According to an embodiment, the node 201 may be substantially the same as the authentication node 201 of FIG. 2 on which the access control application 211 is installed.

In operation 905, the connection control application 211 may detect a network connection event of another application (eg, the first target application 212 in FIG. 2) stored in the node 201.

In operation 910, the access control application 211 may confirm the existence of a data flow corresponding to the identification information of the application requesting network access, destination network identification information, and port information. Depending on the embodiment, if a data flow exists but is not valid, the access control application 211 may drop the data packet. According to another embodiment, when a data flow exists, the access control application 211 may transmit data packets based on the data flow. According to an embodiment, the access control application 211 of the node 201 may perform a network connection request in operation 915 without performing operation 910.

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time has expired and needs to be updated, in operation 915, the access control application 211 may request network access from the controller 202. For example, a network connection request may include control flow identification information, identification information of the destination network, and port information.

In operation 920, the controller 202 collects the connection request identification information (e.g., identification information of the destination network) from the connection policy corresponding to the identified information (e.g., node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible. According to the embodiment, the controller 202 may check whether the target application can connect to the gateway 203 or the service server 205. Depending on the embodiment, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 when network connection is impossible (operation 935).

If connectivity is available, in operation 925, the controller 202 may check domain information and whether tunneling between the node 201 and the gateway 203 has been created based on the tunnel table and domain policy. For example, if tunneling has not been created, the controller 202 may send a connection unavailability result to the access control application (act 935).

When tunneling is created, the controller 202 can check whether a valid data flow corresponding to the identification information and port information of the destination network exists in the data flow table. According to the embodiment, if a valid data flow exists in the data flow table, the controller 202 may transmit the corresponding data flow to the gateway 203 and the access control application 211 (operations 930 and 935).

According to the embodiment, when a valid data flow does not exist, the controller 202 may check the destination network identification information requesting network access and the mapped domain list based on the domain policy. If a domain list exists, the controller 202 can check whether certificate information for accessing each domain information exists. Depending on the embodiment, when a certificate is required to access the corresponding domain information, the controller 202 can check whether the certificate is set in the node 201 based on the control flow information of the node 201.

The controller 202 may generate data flow information based on the identification information of the node 201, the identification information of the destination network, and port information so as to allow the connection of the application requesting connection to the node 201. In this case, the controller 202 can add domain information to the data flow if a domain list exists, and can add certificate information to the data flow if certificate settings are necessary. The controller 202 may transmit the generated data flow to the node 201 and the gateway 203 (operations 930 and 935). Depending on the embodiment, if the generated data flow does not exist, operation 935 may not be performed.

In operation 940, the access control application 211 of the node 201 may process the result of the response received from the controller 202. For example, when the connection control application 211 receives a network connection unavailable result from the controller 202, the connection control application 211 may drop the data packet that the target application wants to transmit. As another example, when a data flow is received from the controller 202, the access control application 211 may transmit data packets based on the received data flow.

According to the embodiment, when the network access request is successful and certificate setting is required, the access control application 211 sets the certificate based on the certificate information included in the received data flow, and transmits the data packet after the certificate is set. .

In one embodiment, after performing operation 910, the access control application 211 may perform a validation check on the access application according to a validation policy. For example, the access control application 211 may further perform a check on the integrity and stability of the access application (check for application forgery, tampering, code signing check, fingerprint check, etc.). The access control application 211 may perform operation 915 if the validation result is successful.

FIG. 11 illustrates an operation flowchart for processing a service request in a gateway according to various embodiments. Depending on the embodiment, the operations shown in FIG. 11 may be performed through the gateway 203 of FIG. 2.

Referring to FIG. 11, in operation 1005, the gateway 203 may detect a service processing request event. For example, a service processing request may include one or multiple data packets. For another example, the proxy server included in the gateway 203 may detect a service processing request event by receiving a data packet or service processing request.

In operation 1010, the proxy server of the gateway 203 may check whether a data flow corresponding to the source IP, destination IP, and port information included in the service processing request information exists.

Depending on the embodiment, if a valid data flow does not exist, the gateway 203 may return a service processing request failure result in operation 1025. For example, the proxy server included in the gateway 203 may return information for forwarding or redirecting a service processing request to a designated path according to a service processing policy, or may return service request failure information.

Depending on the embodiment, if a valid data flow exists and the data flow does not include domain information, the gateway 203 may forward a service processing request (operation 1020).

If a valid data flow exists and the data flow includes domain information, in operation 1015, the proxy server of gateway 203 may check the domain information. For example, the proxy server of the gateway 203 may check whether domain information included in the service request information is included in the domain information in the data flow. Accordingly, if the domain information included in the service request information is not included in the domain information in the data flow, the node 201 cannot connect to the service server, and the proxy server may return a service processing request failure result. (Operation 1025).

Depending on the embodiment, if the domain information included in the service request information is included in the domain information in the data flow, the proxy server may forward the service processing request information based on the IP and port of the service server corresponding to the domain information. There is (operation 1020).

Figure 12 shows a signal flow diagram for control flow update according to various embodiments.

Referring to FIG. 12, in operation 1105, the access control application 211 may detect a control flow update event.

In operation 1110, the access control application 211 may request a control flow update from the controller 202 based on control flow identification information.

In operation 1115, the controller 202 may check whether a control flow exists in a control flow table (e.g., control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when a control flow does not exist (e.g., when the connection is disconnected by another security system, when the connection is disconnected due to its own risk detection, etc.), the controller 202 determines that the connection of the node 201 is valid. Since this is not done, a connection failure result can be transmitted to the access control application 211 (operation 1120).

The controller 202 may update the update time when a control flow exists in the control flow table (e.g., the control flow table 315 in FIG. 3). In this case, the controller 202 may transmit the updated identification information of the control flow to the access control application 211 (operation 1120).

In one embodiment, if re-authentication is required among data flows dependent on the identified control flow, or if there is a data flow that is no longer accessible, the controller 202 sends information about the data flow to the access control application ( 211) (operation 1120).

In operation 1125, the access control application 211 of the node 201 may process the result of the response received from the controller 202. For example, the access control application 211 may block all network connections of the application when the control flow update result is impossible. For another example, the access control application 211 may update the data flow if the control flow update result is normal and updated data flow information exists.

13 shows a signal flow diagram for disconnection according to various embodiments.

Referring to FIG. 13, in operation 1205, the node 201 terminates the node 201, terminates the connection control application 211, terminates the target application, no longer uses the network connection, and collects information identified from the interworking system. Based on , at least one of the connection termination requests can be detected. In this case, in operation 1210, the node 201 or the access control application 211 may request the controller 202 to remove the control flow.

At operation 1215, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1220, the controller 202 may remove all data flows dependent on the removed control flow. Accordingly, node 201 can no longer connect to the destination network based on the removed data flow.

In operation 1225, the controller 202 may request the gateway 203 to remove all data flows dependent on the removed control flow. The gateway 203 may remove the data flow, and thus data packets corresponding to the source network, destination network, and port information included in the removed data flow can no longer be transmitted.

Figure 14 shows a signal flow diagram for terminating application execution according to various embodiments.

Referring to FIG. 14, in operation 1305, the access control application 211 of the node 201 can check in real time whether the running application is terminated and detect an application execution termination event.

Depending on the embodiment, the access control application 211 may check whether a data flow corresponding to the terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.

In operation 1310, the access control application 211 may request the controller 202 to remove a data flow. For example, the access control application 211 may transmit identification information of a terminated application or identification information of a data flow corresponding to the terminated application to the controller 202 and perform a data flow removal request.

At operation 1315, the controller 202 may delete the data flow for which removal has been requested. Additionally, the controller 202 may perform a removal request for the removed data flow to the gateway 203 (operation 1320). The gateway 203 may remove the data flow, and thus data packets corresponding to the source network, destination network, and port information included in the removed data flow can no longer be transmitted.

Figure 15 shows a flowchart of a method of operating an access control application installed in a node according to various embodiments. The operations shown in FIG. 15 can be performed through the access control application 211 of FIG. 2.

Referring to FIG. 15, in operation 1405, the access control application 211 may request network connection of the target application to an external server. For example, a network connection request may include identification information of the target application and identification information of the destination network.

In operation 1410, the access control application 211 may receive a data flow from an external server. For example, the data flow may include domain information and certificate information corresponding to destination network identification information.

In operation 1415, the access control application 211 may process the data packet of the target application based on domain information and certificate information. For example, if certificate setting is required based on the data flow, the access control application 211 can set the certificate and transmit a data packet.

Figure 16 shows a flowchart of a server operation method according to various embodiments. The operations shown in FIG. 16 may be performed through the controller 202 of FIG. 2.

Referring to FIG. 16, at operation 1505, the controller 202 may receive a network connection request from the node's connection control application.

In operation 1510, the controller 202 may check whether connection is possible based on the connection policy, identification information of the target application, and identification information of the destination network included in the database.

In operation 1515, the controller 202 may check whether a data flow corresponding to the identification information of the destination network exists.

In operation 1520, if a data flow does not exist, the controller 202 may check domain information corresponding to the identification information of the destination network based on the domain policy included in the database.

In operation 1525, the controller 202 may check whether certificate information corresponding to domain information exists.

At operation 1530, the controller 202 may generate a data flow including domain information and certificate information.

At operation 1535, the controller 202 may transmit the generated data flow to the node and gateway.

Figure 17 shows a flowchart of a gateway operating method according to various embodiments. The operations shown in FIG. 17 may be performed through the gateway 203 of FIG. 2.

Referring to FIG. 17, in operation 1605, the gateway 203 may receive a service processing request from the node. A service processing request may include one or multiple data packets.

In operation 1610, the gateway 203 may confirm the existence of a data flow corresponding to the service processing request. For example, the proxy server of gateway 203 can confirm the existence of a data flow.

In operation 1615, if a data flow exists, the gateway 203 checks the domain information included in the service processing request based on whether the data flow includes domain information, and if the check result is successful based on the check result, Service processing requests can be forwarded. Additionally, the gateway 203 may return a service processing request failure result if the test result is failure based on the test result. Additionally, the gateway 203 may return a service processing request failure result if a data flow does not exist.

The above description is merely an illustrative explanation of the technical idea disclosed in this document, and those skilled in the art in the technical field to which the embodiments disclosed in this document belong will understand without departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Accordingly, the embodiments disclosed in this document are not intended to limit the technical ideas disclosed in this document, but rather to explain them, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The scope of protection of the technical ideas disclosed in this document shall be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope shall be interpreted as being included in the scope of rights of this document.

Claims (20)

1. In the node,

   communication circuit;

   a processor operatively connected to the communication circuit; and

   a memory operatively coupled to the processor and storing a database, a target application, and a connection control application, wherein the memory, when executed by the processor, causes the node to:

   Perform a network connection request of the target application to an external server through the access control application, and the network connection request includes identification information of the target application and destination network identification information,

   Receive a data flow from the external server, wherein the data flow includes certificate information corresponding to the destination network identification information,

   A node that stores instructions to process data packets of the target application based on the certificate information.
2. The method of claim 1, wherein the commands cause the node to:

   Check whether certificate settings are necessary based on the data flow through the access control application,

   If setting the certificate is necessary, set the certificate based on the certificate information and transmit the data packet,

   A node that transmits the data packet when the certificate setting is not required.
3. The method of claim 1, wherein the commands cause the node to:

   Receive tunneling creation information from the external server,

   Based on the tunneling creation information, create a gateway and tunneling corresponding to the tunneling creation information,

   When the tunneling is created, the node is assigned a Domain Name System (DNS) server.
4. The method of claim 1, wherein the commands cause the node to:

   Transmitting proxy information set in the node to the external server through the access control application,

   If the proxy information and the gateway to which the node will connect do not correspond, receive proxy server setting status and proxy server setting information from the external server,

   A node that sets a proxy based on the received proxy server setting status and the proxy server setting information.
5. The method of claim 1, wherein the commands cause the node to:

   Performing a domain information interpretation request to the gateway through which tunneling has been created with the node through the access control application,

   Receive a domain analysis result from the gateway, and the domain analysis result includes IP information,

   Requesting the gateway to connect to the destination network based on the IP information,

   The IP information is processed as identification information of the destination network by a proxy included in the gateway.
6. The method of claim 1, wherein the commands cause the node to:

   If a policy exists that allows the node to access the network without requesting a data flow, it receives a data flow that can be accessed without a request from the external server through the access control application,

   A node that transmits the data packet based on the data flow accessible without the request.
7. In the node,

   communication circuit;

   a processor operatively connected to the communication circuit; and

   a memory operatively coupled to the processor and storing a database, a target application, and a connection control application, wherein the memory, when executed by the processor, causes the node to:

   Receive tunneling creation information from an external server through the access control application,

   Based on the tunneling creation information, create a gateway and tunneling corresponding to the tunneling creation information,

   Transmitting proxy information and tunneling information set in the node to the external server,

   If the proxy information and the tunneling information do not correspond, receive proxy server setting status and proxy server setting information from the external server,

   A node that stores commands to set a proxy based on the received proxy server setting status and the proxy server setting information.
8. The method of claim 7, wherein the commands cause the node to:

   Transmitting the certificate information set in the node to the external server through the access control application,

   If the certificate information and the gateway information to which the node will connect do not correspond, receive certificate setting status and certificate setting information from the external server,

   A node that sets a certificate based on whether the received certificate is set and the certificate set information.
9. On the server,

   communication circuit;

   memory to store the database; and

   a processor operatively connected to the communication circuit and the memory, the processor comprising:

   Receiving a network connection request from a connection control application of a node, the network connection request including identification information of a target application of the node and identification information of a destination network of the target application,

   Check whether connection is possible based on the connection policy included in the database, identification information of the target application, and identification information of the destination network,

   Check whether a data flow corresponding to the identification information of the destination network exists,

   If the data flow does not exist, check domain information corresponding to the identification information of the destination network based on the domain policy included in the database,

   Check whether certificate information corresponding to the domain information exists,

   A server configured to generate a data flow including the domain information and the certificate information, and transmit the generated data flow to the node and the gateway.
10. The method of claim 9, wherein the processor:

    If connection is possible, the node checks whether a tunnel has been created in the tunnel table included in the database,

    If the tunnel is not created in the node, a non-connection result is sent to the node,

    A server configured to determine whether the data flow exists if the tunnel has been created.
11. The method of claim 9, wherein the processor:

    Receiving a connection request including identification information of the node and identification information of the connection control application from the connection control application,

    Check whether connection is possible based on the identification information of the node and the identification information of the access control application, and if connection is possible, generate control flow identification information and a whitelist of connectable applications,

    List gateways and tunneling types associated with the node based on the tunnel policy included in the database,

    Select a gateway and tunneling based on the status of each of the listed gateways,

    A server, configured to transmit the control flow identification information and the application whitelist, information of the selected gateway, and information for creating the tunneling to the node.
12. The method of claim 9, wherein the processor:

    Receive tunnel creation completion information and proxy setting information from the access control application,

    Update the database based on the tunnel creation completion information,

    Identifying the proxy included in the gateway corresponding to the node based on the proxy policy included in the database,

    If the proxy and the proxy setting information are different or the proxy setting information does not exist, the server is configured to return identification information of the proxy and whether the proxy is set to the access control application.
13. The method of claim 9, wherein the processor:

    Set domain policy based on the database,

    Transmit the set domain policy to the gateway,

    A server configured to transmit the set domain policy to a Domain Name System (DNS) server or proxy server.
14. In the gateway,

    communication circuit;

    Memory; and

    a processor operatively connected to the communication circuit and the memory, the processor comprising:

    Receive service processing requests from nodes,

    Confirm the existence of a data flow corresponding to the service processing request,

    If the data flow exists, the domain information included in the service processing request is checked based on whether the data flow includes domain information, and the service processing request is forwarded based on the inspection result or the service processing request fails. returns the result,

    A gateway that returns a failure result of the service processing request if the data flow does not exist.
15. 15. The method of claim 14, wherein the processor:

    Receive a domain resolution request from the node,

    Based on the domain information included in the domain interpretation request, a domain interpretation result is generated and returned as IP information,

    Receiving a destination network connection request based on the IP information from the node,

    A gateway that allows the node to access the destination network based on the IP information and the domain information.
16. 15. The method of claim 14, wherein the processor:

    a DNS server module that processes domain resolution requests from the node;

    a tunneling module that creates tunneling with the node; and

    A gateway including a proxy server module that processes domain information by matching it with IP information.
17. According to claim 16,

    The DNS server module receives a domain policy from an external server and sets public IP information corresponding to the domain information based on the domain policy,

    When creating tunneling with the node, the tunneling module sets private IP information of the DNS server module to be queried when communicating through the tunneling,

    The proxy server module is configured to process a service processing request transmitted from the node based on the private IP information with the public IP information.
18. In the method of operating the access control application installed on the node,

    An operation of performing a network connection request of a target application to an external server, wherein the network connection request includes identification information of the target application and destination network identification information;

    Receiving a data flow from the external server, the data flow including certificate information corresponding to the destination network identification information; and

    Processing a data packet of the target application based on the certificate information; Method, including.
19. In the operating method of the server,

    Receiving a network connection request from a connection control application of a node, the network connection request including identification information of a target application of the node and identification information of a destination network of the target application;

    An operation of checking whether connection is possible based on a connection policy included in a database, identification information of the target application, and identification information of the destination network;

    An operation of checking whether a data flow corresponding to the identification information of the destination network exists;

    If the data flow does not exist, checking domain information corresponding to the identification information of the destination network based on a domain policy included in the database;

    An operation to check whether certificate information corresponding to the domain information exists;

    generating a data flow including the domain information and the certificate information; and

    Transmitting the generated data flow to the node and gateway; Method, including.
20. In the method of operating the gateway,

    An operation of receiving a service processing request from a node;

    An operation of confirming the existence of a data flow corresponding to the service processing request;

    If the data flow exists, the domain information included in the service processing request is checked based on whether the data flow includes domain information, and the service processing request is forwarded based on the inspection result or the service processing request fails. Returning a result or, if the data flow does not exist, returning a result of failure of the service processing request; Method, including.

Images