KR100383224B1 - Linux-Based Integrated Security System for Network and Method thereof, and Semiconductor Device Having These Solutions - Google Patents

Abstract

The present invention relates to a Linux-based network integrated security system and method thereof, which solves the security vulnerability, generality limitations and operational difficulties of the conventional S / W network security system and secures the Internet networking security on the H / W chip. A single device is integrated with a total of built-in programs such as firewall, load balancing, virtual private network (VPN), intrusion detection (IDS), and routing functions.

This hardware-based integrated security solution partially takes the main operating system (OS) from the Linux kernel and builds on it, improving the operating mechanisms of security functions such as routing functions, firewalls, and VPNs, and also load balancing and intrusion. The detection system (IDS) function is combined and packaged in a single semiconductor chip.

In addition, the commercialization of hardware chips can be implemented in the form of network security equipment, PCMCIA, and add-on cards with a single chip.

Description

Linux-based integrated security system for network and method, and semiconductor device having these solutions}

The present invention relates to a Linux-based network integrated security system, a control method thereof, and a semiconductor device equipped with the same, and in particular, routing, an intrusion detection system (IDS), an intrusion prevention system (Firewall), a virtual private network (VPN), load balancing, and the like. The integrated security solution that modularizes and integrates the major network and security functions of the system into hardware on a single semiconductor chip, and the OS and all security systems are built into the Linux kernel to boot and boot. At the same time, the present invention relates to a Linux-based integrated network security system and its method and a semiconductor device equipped with the security system can be automatically built.

In addition, the present invention places a security system having a routing function and an integrated security solution in front of an internal system including a server so that an external client can access the server without restriction while using a single IP address, and a malicious external client A network integrated security system capable of protecting internal clients from

Recently, as the Internet has been combined with the development and dissemination of information and communication networks and PCs, various information providing services and commerce activities that have been processed offline have been made available online regardless of time and place.

Moreover, in the early days of the Internet, only Internet experts were able to use the Internet properly, but with the advent of the World Wide Web and the development of web browser programs that make it easy to use, With the Internet available, Internet users are exploding day by day.

In general, a network supporting information service and electronic commerce through the Internet is composed of a client / server environment. A server having various databases and providing information can be accessed by anyone on the Internet, an open public network. Lies in position. In addition, the intranet of a private network enterprise is also premised on the connection to the Internet, which is exposed to the leakage of major corporate information and the intrusion of users with illegal intentions.

In order to prevent such intrusion and information leakage, it is a security device that protects the private network inside the enterprise from the public network such as the Internet. It is located between the private network and the public network and controls the traffic from the public network to the private network. More companies are hiring. The firewall system logically and physically separates an internal network and an external network to control a user's access to internal information, block intrusion, and prevent illegal information leakage of internal users to implement a corporate network security policy.

Moreover, as network security is becoming an important issue such as information leakage and cracking due to distributed systems and network expansion, firewalls perform intrusion prevention functions that are responsible for security within and between networks.

The firewall controls Internet access through telecommunications services, such as dial-in access to the company's LAN, dial-out or leased lines, or frame relays. An effective firewall checks all communication inside and outside the network to allow only allowed communication, while once passing through the firewall, the firewall no longer provides protection.

A firewall is not a single device, such as a combination of routers, protective hosts, and other hardware. It is part of a complete network security policy. The firewall itself does not have encryption and is virtualized with encryption and authentication technology to ensure the confidentiality of transmitted data. Additional solutions include a Virtual Private Network (VPN) and an Intrusion Detection System (IDS), which implements intrusion detection.

Essential elements of a firewall or cryptographic security system include security, performance, manageability, clarity, scalability, standards-based, low cost, and especially the perfect security, scalability, cost and The management aspect can be treated as an important factor in practical application.

Cryptographic security systems are divided into two types:

First, it can be divided into application-based and network-based, and application-based encryption systems have problems in scalability. In other words, encryption can be executed within a specific application and thus only protects communication between devices using the same application. In order to partially overcome the problem of scalability limitation, an additional application provides a virtual private network (VPN) access function, but this problem is also limited.

An alternative is the IPSec (IP security protocol), a network-based security standard that protects (monitors) all traffic passing through the network with an encryption solution based on the network layer of the OSI 7 layer (Open System Interconnection 7 Layer). ), Which includes encryption, authentication, and key management.

Second, it can be divided into S / W based and H / W based. Encryption is a process-intensive process. S / W-based encryption runs the encryption process and other application processes at the same time on the host processor, reducing the speed of encryption and other processes to an unacceptable level.

On the other hand, H / W-based encryption is developed by S / W and H / W as a dedicated encryption system, so it is not affected by other processes and encryption S / W can be optimized for H / W. It allows you to reduce program coding, use cheap H / W, and make your system faster and more stable.

A typical network security system is described with reference to FIG. 1 as follows.

As shown in FIG. 1, the conventional network security system operates in an application layer located on the operating system adopted by the server group 1 while operating in software to identify host usage, user identification, and external public network. Including blocking function between the Internet 6 and the internal network LAN 2a to which the internal client 2 is connected, and load balancing to properly place the load of traffic passing therethrough. It is implemented as a firewall (3) that connects the external client (9) and the server (1) made by a virtual private network (VPN).

In this case, a web server 1a, a mail server 1b, a database server 1c, etc., which are included in the server group 1 and connected to the LAN 1a, are connected to the public network ( 6) It should be opened and located outside the firewall 3 so that general clients 9 accessing through 6) can access freely. In the case of access by the internal client 2, the server 1a-1c is connected via the switching hub 4 via the firewall 3.

Therefore, since these servers 1 are internal systems and are open to free access of external clients 9 without blocking the intrusion process, the whole is called a DMZ Zone in the meaning of a so-called neutral zone. This is an important reason to be exposed to the cracking of the DMZ zone itself and to the cracking of the internal system via the servers 1 within this area, which reveals the fundamental limitations of the conventional firewall security system.

The conventional firewall system is driven according to the procedure as shown in FIG. In the conventional system, when the power is supplied, the ROM BIOS is driven to search for peripheral devices, and to search the boot sector by searching the connected disk devices such as HDD, FDD, CDROM, etc. in the set order. For example, booting of the Windows operating system (Windows OS) is performed by the booting program existing at (S1-S3).

After that, the firewall (F / W) application is started, and the firewall daemon service, network address translation (NAT), and proxy (Proxy) are sequentially started (S4-S6).

Subsequently, as the internal user requests the packet, the firewall daemon receives the packet and filters the packet based on the rule. In the case of an external user packet request, the firewall daemon receives the packet and filters the packet based on the rule (S7-S12). ).

The problems of the conventional security system are summarized as follows.

1) Installation of security software is necessary to implement the above functions, and a basic operating system (OS) that drives this software is necessary. In addition, when high traffic occurs along with the speed drop phenomenon when implementing the functions between the two layers, Down may occur, and a PC or workstation must be provided to support such an OS.

2) Security software runs at the application layer above the base operating system, creating an operational burden because administrators must be able to run both layers.

3) Each new function requires the introduction of new equipment, causing economic burden.

4) Since the DMZ zone, a location that users using the Internet can freely access, is open outside the intrusion prevention system, there is a possibility of a security accident caused by an outside illegal intruder.

On the other hand, the packet is a bundle of data in the form of a variety of information data related to the source, destination, reception situation and the like before and after the data to be transmitted, the data is always transmitted / received in the form of a packet on the network.

Router connects two or more networks and transmits packets to H / W and S / W devices that have the function of classifying data by destination by reading IP address information of packets so that they can communicate from one network to another network. It is a dedicated computer that has the function of translating addresses between communication networks or matching protocols. Routers work at the network layer of the OSI model. Internet routers pass IP datagrams between networks.

However, in the related art, as shown in FIG. 1, the router 5 exists as a separate device at a point directly connected to the switching hub 4 and the external public network 6 in front of the internal system. This is happening.

On the other hand, NAT is a function that converts the IP address of the private network to the IP address of the global network by using an address assignment mechanism, and is used to save IP addresses by being embedded in routers or firewalls.

Moreover, NAT function is an advantage in terms of security maintenance because it is inaccessible from the external network. However, if a small company or office wants to operate a web server or a mail server, external access must be allowed. Acts as

Therefore, in this case, as shown in FIG. 1, the NAT function must be implemented inside the server 1 or must be serviced by an Internet service provider, and an additional burden of the cost due to the increase of the IP address occurs.

However, recently, NAT router technology, which saves IP address by using such NAT technology, reduces the cost of constructing and maintaining a virtual private network (VPN), and does not require encryption or security protocol, is disclosed in Korean Patent Application Publication No. 2000-185 (2000.1.15). Was proposed to.

This technique modifies the NAT table so that a particular server can be placed inside the private network so that external users can access a particular server on the private network while having a single IP address.

However, this NAT technology has an external physical device 14 having an Internet public IP address (for example, 210.60.56.62), a private private IP address (192.1.1.5) as shown in FIG. It can be expressed as being made based on a firewall daemon that performs address exchange and IP filtering between the internal physical devices 12 to which the client PC 11 is connected, that is, a dual IP method in which the firewall system 13 is located. have. That is, the firewall system 13 passes or blocks the packet through comparative analysis on the packet type using the indication DB.

However, in the above-described double IP type NAT, when the external invader succeeds in the intrusion of the primary firewall system 13, there is a problem that the entire firewall structure is incapacitated and the internal intrusion is simply possible.

In other words, if the external intruder can access the primary external physical device 14 and the firewall system 13, the external intruder can penetrate the firewall system 13 to access the inside. This is inevitable as the firewall itself is implemented in the form of a physical device, each dependent on one physical device, so that the firewall system 13 itself has an IP address that can be accessed from both inside and outside.

On the other hand, in the conventional IDS system, the IDS processor keeps the type of illegal invader as a sign DB in a HDD (Hard Disk Drive) or other place, and when the packet is received from the outside, the packet is stored in the HDD or memory. By taking a method of comparing with the DB, using the HDD causes a slowdown and using the memory requires a huge amount of memory.

Therefore, the present invention has been made in view of the problems of the prior art, the main purpose of which is routing, intrusion detection system (IDS), intrusion prevention system (Firewall), virtual private network (VPN), load balancing (Load Balancing), etc. Integrated network solution that modularizes and integrates network and security functions in hardware on a single semiconductor chip to significantly enhance the security of the network system while simultaneously integrating multi-level network equipment. The present invention provides a security system, a method thereof, and a semiconductor device having the same.

Another object of the present invention is to embed the integrated security solution as a small device in the form of a single semiconductor device, Linux that can be easily implemented in the form of network security equipment, PCMCIA card, Add-on Card (Add-on Card), etc. To provide a semiconductor device equipped with a network integrated security solution based on.

Another object of the present invention is to recompile and optimize the Linux Kernel (Linux Kernel) having an integrated security function in the chip BIOS itself to the security system by embedding the OS (Linux) and all security systems on the chip itself The aim is to provide a Linux-based integrated network security system, its control method, and a semiconductor device equipped with it that can be booted into the chip and automatically build a security system at the same time.

Another object of the present invention is to compress the built-in intrusion detection system (IDS) on the chip to make the type DB to be possible to run all within a small amount of memory, it is stored in the memory disk (RAM Disk) and executed again By providing a network integrated security system and a semiconductor device equipped with the same can significantly improve the Internet processing speed when using the HDD.

Another object of the present invention is to add a virtual IP address zone (VAZ) to a duplicated IP address structure with public and private IP addresses, thereby multiplexing the IP address structure between the inside and the outside of the system, and thereby through the external public network. Multiple NAT-Proxy for network security solution that can greatly improve the function of security system by separating / blocking the internal system and the internal system by completely blocking access to the internal system due to illegal intrusion attempts. It is to provide a system and a conversion method thereof.

Another object of the present invention is to deploy a security system having a routing function and an integrated security solution in front of an internal system including a server so that an external client can access the server without restriction while using a single IP address. The present invention provides a network integrated security system capable of protecting an internal client from an external client, a control method thereof, and a semiconductor device having the same.

1 is a block diagram of a software-based security system including a connection to a conventional public network,

2 is a flowchart illustrating a driving process of a conventional firewall system;

3 is a system conceptual diagram illustrating the operation of a conventional dual IP type NAT system;

4 is a schematic block diagram showing a network integrated security system according to the present invention;

5 is a flowchart illustrating a boot operation of a chip BIOS method according to the present invention;

6 is a detailed block diagram showing an internal structure of an integrated security system according to the present invention;

7 is an explanatory diagram showing a packet forwarding path for an integrated security system according to the present invention;

8A and 8B are a flowchart illustrating the operation of the network integrated security system according to the present invention;

9 is a flowchart illustrating a multiple IP type NAT system for an integrated security system according to the present invention;

FIG. 10 is an explanatory diagram illustrating a multiple IP type NAT system of FIG. 9.

* Explanation of Signs of Major Parts of Drawings *

6; Internet 9; External client

20; Internal system 21; server

22; Internal client 23; LAN

30; Security system 31; Routing module

32; IDS module 33; Firewall module

32a; Manifestation DB 33a; VPN authentication module

34; VAZ 35,36; Virtual external / internal device

37; Load balancing modules 81-85; packet

86,87; First and second address translation table

In order to achieve the above object, the present invention provides an integrated security system for performing a comprehensive security function between the public network and an internal system including at least one server and at least one internal client, the packet received from the public network A routing module for branching and forwarding the packet, an intrusion detection module for detecting an intrusion attempt by analyzing the intrusion pattern with the symptom database, and a packet detected if the intrusion is detected If it is determined to be a harmful packet by comparing the set internal type with the packet, the packet is released to the outside through the routing module, and the packet is not passed through the virtual private network (VPN). If the first firewall module for intrusion prevention for transmitting to the rear stage, If the packet is via a VPN, the authentication is confirmed. If the packet is from an unauthorized user, the packet is released to the outside through the routing module. If the packet is from an authenticated user, the packet is returned to the first firewall module. A VPN authentication module for performing a multi-level virtual IP address conversion using a virtual multi-IP address and a two-step intrusion blocking function for a packet received with the Internet public IP address as a destination address from the first firewall module. It consists of a virtual address zone (VAZ) for transmitting to the internal system, to provide a network integrated security system, characterized in that the Internet network security is integrally performed by multiple IP address translation (NAT) and multiple packet filtering.

The server may further include a load balancing module for distributing the packet according to the distribution information of the target server when the server is the packet of the destination.

The routing module, the intrusion detection module, the first firewall module for intrusion blocking, the VPN authentication module, the virtual address zone VAZ and the load balancing module may be implemented in hardware on a single IC chip.

The virtual address zone VAZ has a virtual first and second IP addresses and reads a virtual internal / external device for delivering a packet, and a virtual IP of a packet received between the virtual internal / external device. A virtual second firewall module for performing the secondary intrusion blocking function, a first address conversion table for converting a packet address from an Internet public IP address to a virtual first IP address, and the virtual second IP Performing a one-step address translation based on a second address translation table for converting an address of a packet from an address to a private private IP address and the packet when the packet is received by a virtual external device; The second address when a packet is received from the virtual external device to the virtual internal device after the first stage address translation It is composed of a virtual network address translation (NAT) server for performing two-step address translation based on a conversion table to deliver address-transformed packets to an internal system, and the VAZ multiplexes a virtual IP structure, It separates and blocks the internal system and the internal system to prevent the reading of the virtual IP and the illegal intrusion into the internal system.

All the modules and the VAZ are implemented based on the Linux Kernel, and are implemented in any one of a flash ROM and an ASIC chip, so that a security system can be automatically built at the same time as booting by the chip BIOS.

In addition, the system is preferably implemented as one of a network security equipment, a PCMCIA card, an Add-on Card with a single chip.

The symptom database may be compressed and embedded in the IC chip or a separate IC chip.

According to another aspect of the present invention, a network integrated security method of an integrated security system that performs a comprehensive security function between a public network and an internal system including at least one server and at least one internal client, the external packet via the public network The routing module receives the packet when attempting to access it, performs a unique branching function, forwards the packet to the IDS module, receives the packet from the routing module to the IDS module, and signs the database. Detecting whether the intrusion attempt through the data and intrusion pattern comparison analysis, and if the intrusion is detected packet is determined whether the intrusion is blocked by a step 1 through the comparative analysis of the set internal type and the packet, if it is determined that the packet is harmful It releases the packet to the outside through the routing module and passes the virtual private network (VPN) among the legitimate packets. If the packet is not received, the packet is transmitted to the rear end. If the packet is transmitted via the VPN, the VPN authentication module is used to check whether the VPN is authenticated. And transmitting the packet from the user to the first firewall module and transmitting the packet to the internal system by performing a two-step intrusion prevention function on the packet received from the first firewall module. .

When the packet is determined to be illegal intrusion, the method notifies the internal administrator console of the result of the intrusion, traces the packet sender IP address, and saves the sender IP address in the corresponding login DB to create a DB. And performing a concealment operation on the target host and server that the packet originally targeted.

In addition, in the case of a packet destined for a plurality of servers connected in parallel in the internal system, the packet is received by a load balancing module having distributed information on the target server, and the packets are distributed according to the distributed information of the target server. Preferably, the method further includes distributing to a server.

Further, the present invention provides a first step of converting a public IP address assigned to the security system into a virtual external IP address of a virtual external device based on a first address translation table when the packet is received by the virtual external device through the first firewall module. Performing the address translation, and when the packet is received from the virtual external device to the virtual internal device after the first step address translation, based on a second address translation table, converts the virtual internal IP address of the virtual internal device into a target server of the internal system. Translating the public IP address into a private IP address using multiple virtual IP addresses by further performing a two-step address translation to a private IP address for the address and forwarding the addressed packet to the internal system. I can let you.

According to another feature of the present invention, the present invention provides a routing module for branching a packet received from a public network and forwarding it to a rear end of an internal system, and invading the packet received from the routing module through an intrusion pattern analysis with a symptom database. Intrusion detection module for detecting whether or not an attempt, and if the intrusion is a detected packet through the analysis of the comparison between the set internal type and the packet is determined by step 1 if intrusion is determined to be harmful packets outside through the routing module The first firewall module for intrusion prevention to transmit packets to the next stage if the packets are not passed through the virtual private network (VPN) among the legitimate packets, and if the packets are passed through the VPN, If the packet is from an unauthorized user, the packet is released to the outside through the routing module and authenticated. If the packet is from a user, the VPN authentication module for returning the packet to the first firewall module and the packet received from the first firewall module perform a two-step intrusion prevention function by virtual multi-IP address translation. A virtual address zone (VAZ) for transmitting a packet to the internal system, and a load balancing module for distributing the packet according to distribution information on a target server when the destination of the packet is a server of the internal system, Provided is a network integrated security semiconductor device characterized by performing an integrated security function through IP address translation and multiple packet filtering.

According to another aspect of the present invention, the present invention provides multiple network address translation for converting multiple IP addresses of packets transmitted / received between the public network and an internal system including at least one server and at least one internal client. In a (NAT) system, an external physical device having a single Internet public IP address and receiving a first packet from a public network, a virtual external device having a virtual external IP address, and a virtual internal device having a virtual internal IP address And an internal physical device having a private private IP address, a first address translation table for converting a packet address from the Internet public IP address to a virtual external IP address, and a private private from the virtual internal IP address. The address of a packet to a valid IP address A second address conversion table for translating the data, a first step address translation based on the first address conversion table when the first packet is received by the virtual internal device through an external physical device, and a first step address translation After the packet is transferred from the virtual external device to the virtual internal device, network address translation (NAT) is performed to deliver the address translated packet to the internal physical device by performing a two-step address translation based on the second address translation table. The virtual external device and the virtual internal device provide a multi-NAT system, wherein the virtual external device and the virtual internal device form a virtual address zone (VAZ) for physically blocking an internal system and an external physical device.

According to another aspect of the present invention, the present invention provides a multiple network address translation (NAT) of a network security system for translating IP addresses of packets transmitted / received between a public network and an internal system including a server and an internal client to multiplex. Method), wherein when the packet is received by the virtual external device having the virtual external IP address through the routing module and the first firewall module of the security system, the public IP address assigned to the security system is assigned to the virtual external device of the virtual external device. A first address translation step of performing an address translation to an IP address, a virtual internal IP address of a virtual internal device having a virtual internal IP address after a packet is transferred from the virtual external device to a virtual internal device after the first address translation; For the target server of the internal system The present invention provides a multiple network address translation (NAT) method of a network security system, comprising a second address translation step of performing an address translation to an IP address.

As described above, the present invention solves the security vulnerability, generality limitation, and operational difficulties of the conventional S / W network security products, and provides firewall load balancing, which is an internet networking security element, in the H / W chip. The solution, including virtual private network (VPN), intrusion detection and routing functions, is integrated and integrated into a single device.

The hardware-based integrated security solution of the present invention partially takes the main OS (operating system) from the Linux Kernel and based on it, and manages the currently implemented routing functions, security solutions such as firewall and VPN. The mechanisms are also packaged into a single semiconductor chip, combining load balancing and intrusion detection system (IDS) functions.

Furthermore, the present invention implements a security function by separating an internal system from external intrusion by applying multiple NAT techniques and multiple proxy techniques, and by using such a differentiated multiple NAT structure and multiple proxies, one virtual zone (Zone) ), The intruder was blocked at the 2nd and 3rd stages even if the invader succeeded in the first stage, making the intrusion attempt impossible.

In addition, the present invention does not need to prepare a separate OS and application functions by implementing all application functions for the OS and various security services on one chip, and this chip can be operated without any abnormality under the x86PC base. No additional equipment is needed.

The present invention implements an integrated security solution using a flash ROM or an ASIC chip to boot into a Linux operating system (OS) and use a space area in a memory, so that the processing speed is fast and effective.

(Example)

Hereinafter, the present invention will be described in more detail with reference to the accompanying drawings.

A. Structure of Integrated Security System

4 is a schematic block diagram showing a network integrated security system according to the present invention.

First, the network integrated security system according to the present invention includes an integrated security system 30 having a routing function and an integrated security solution as shown in FIG. 4, and a front end of the internal system 20 including the server 21 and the internal client 22. The external client 9 can access the server without restriction and protect the internal client 22 from the malicious external client 9 while using a single IP address.

That is, the security system 30 according to the present invention replaces the existing DMZ zone with IP encapsulation technique and sends various service requests to servers (Web, Mail, DB, etc.) located therein. By filtering in the security system 30 located in the middle and sending it to the local server 21, the external user 9 can use the server 21 as if it existed in the DMZ zone in a conventional manner. .

However, internally, the security system 30 of the present invention performs the filtering function for the packets that are accessed, and the servers 21 responsible for the respective services are located at the rear of the security system 30 and at the same time. By internally assigning each private private IP address that is not related to an externally public IP address (i.e., the security system 30 is separately assigned a public IP address and an internal private IP address), the IP address On top of that, the internal and external parts are completely separated / blocked for complete protection (this is described in detail later as a virtual server function).

In addition, the internal client 22 is secured from the external user 9 through the firewall function of the security system 30.

B. Features of Chipized Security Module and Boot Operation of Chip BIOS Method

In order to implement the security system itself, the existing security systems had to select and install an operating system (OS) suitable for the function and prepare a PC or workstation to support the OS.

However, in the present invention, it is not necessary to prepare a separate OS and application functions by implementing all the application functions for the OS and various security services on one chip, and the chip is not required to be used in the above x86 PC base. It can work on PC.

The operating principle of the security chip is to recompile and optimize the Linux kernel (Linux Kernel) that has an integrated security function on the chip itself to the security system, so that the OS itself (Linux) and all security systems are loaded on the chip itself. When the chip boots up, the security system is automatically built and no additional equipment is required.

That is, the commercialization of the hardware chip according to the present invention can be implemented as one of a network security equipment, a PCMCIA card, a built-in single chip, and an add-on card equipped with the security chip, and only one of them needs to be prepared. .

In general, the kernel is a part of the main memory, which is the most important and core foundation of the computer operating system, and all the core resources that make up the system such as memory, memory, files, and peripherals are managed here. It also plays a role in hardware support and operation of various application programs necessary for PC operation such as time management, process management, CPU scheduling, I / O control, system resource allocation.

On the other hand, the Linux kernel is open and its source is open, so it is evolving and developed by programmers all over the world, and it is possible to build Linux-based H / W integrated security solution. In other words, a security solution can be achieved only with necessary modules and applications through kernel recompiling.

FIG. 5 is a flowchart illustrating a chip BIOS boot operation according to the present invention. In the present invention, a booting and security system using a flash ROM chip in which a Linux OS and an integrated security solution are stored is illustrated. Installation is done sequentially one at a time.

That is, the system of the present invention drives the ROM BIOS to search for peripheral devices as the power is supplied, and searches the connected disk devices such as HDD, FDD, CDROM, etc. according to a preset order, so that the ROM BIOS matches the user's BIOS settings. It compares whether it matches (S21-S23).

In this case, in the present invention, there is a boot area in which a boot program for booting an OS is stored in a chip BIOS such as a flash ROM or an ASIC chip, and the ROM BIOS is set to search for the chip BIOS first.

Accordingly, the chip BIOS starts driving (S24), and when the ROM BIOS searches for a peripheral device, it notifies itself as if it is a disk (S25). As a result, the BIOS recognizes the chip BIOS as a disk (S26), and when the boot sector (Boot Sector) of the chip BIOS is searched, the chip BIOS notifies that a boot area exists inside (S27).

Therefore, booting is performed by a booting program including an integrated security solution stored in the boot area of the chip BIOS (S28), and then a memory disk is created (S29), and a chip disk Self-replicates the memory disk (S30), and then, for example, OS booting of a system server such as a Windows operating system (Windows OS) is performed (S31).

Generally, booting of general purpose PC or security system server uses OS HDD (Hard Disk Drive) or FDD (Floppy Disk Drive) .However, when there are many uses of read / write, data may be caused by magnetic media. The file may break or go wrong on the way.

However, if such a phenomenon is booted using a semiconductor chip or the like and the space area of the semiconductor memory chip is used as in the present invention, it will be quick and effective. In particular, in the case of Linux, if the kernel itself is modified and reprogrammed for special functions such as a firewall or a VPN, it can be executed in a small amount of memory, and if it is stored and executed again in a RAM disk, Become effective.

C. Internal Structure of Integrated Security System

6 is a detailed block diagram illustrating an internal structure of an integrated security system according to the present invention, and FIG. 7 is an explanatory diagram showing a packet forwarding path for the integrated security system according to the present invention.

First, referring to FIGS. 6 and 7, the integrated security system 30 of the present invention includes a routing module 31 and an IDS between the Internet 6 and the server 21 and the internal client 22 of the internal system 20. A module 32, a firewall module 33, a VPN authentication module 33a, a pair of virtual external / internal devices 35 and 36, and a load balancing module forming a virtual address zone (VAZ) 34 In a sequentially connected structure, 37 implements Routing, IDS, Firewall, VPN, and Load Balancing functions to be integrated through multiple IP filtering methods in one processor.

First, in the present invention, by integrating and implementing the functions of a router that exists as a separate independent device in a security system, it is possible to simplify the multi-stage network equipment to bring about operational and cost savings.

In the present invention, this function is programmed to be integrated with other security functions by embedding the corresponding routing module (S / W) in the security system without using a separate device.

7 and 8a and 8b will be described in detail the operation of the integrated security system 30 of the present invention.

First, when power is applied to the system, as shown in FIG. 5, a processor in which a routing and integrated security solution based on a Linux Kernel-based One Chip H / W device is operated and a system OS is operated. In this case, when the outer packet 41 attempts to access (intrude) the public network 6 (S41), the routing module 31 first receives the packet 41 (indicated by a solid line) (S42). The packet 41 is transmitted to the IDS module 32 by performing the branch function of (S43).

The IDS module 32 receives the packet 41 from the routing module 31 (S44), and the IDS / pattern analysis unit 32b compresses and embeds the symptom database in the semiconductor memory chip (Chip). Symptom DB) (32a) detects the intrusion attempt through the comparative analysis of the indication data and the intrusion pattern (S45, S46).

If it is determined to be illegal intrusion, first, the analysis result is notified (warned) to the internal administrator console (32d), the tracking operation for the sender IP address is performed, and the corresponding log-in DB (32c) is performed. The sender IP address is stored in the DB, and the concealment operation is performed on the target client 22 or the server 21 where the packet 41 was originally targeted (S47).

In addition, the packet 41 detected as an intrusion through the IDS module 32 is delivered to the firewall module 33 which performs the intrusion blocking function once (S48), and the internal type and the received packet that have already been set. It is determined whether or not to block the intrusion through a comparative analysis (S49, S50), and if it is determined that the harmful packet (41a) is released via the routing module 31 (41) to release the packet (41a).

On the other hand, if it is determined that the packet 41b is legitimate, the packet 42 via the VPN has to undergo a separate authentication operation, so that the packet 42 is transmitted to the VPN authentication module 33a (S54) to perform the authentication process. (S55), in the case of the packet 42a transmitted from the unauthorized person, it is released through the routing module 31 (S56-S58), and in the case of the packet transmission from the authenticated (or authorized) user, the VPN The packet 42 is received from the authentication module 33a to the firewall module 33 again (S59 and S60).

On the other hand, the packet 41 that does not go through the VPN corresponds to a case where the authentication information is not included in the packet, so the packet 41 immediately passes through the virtual IP address zone without passing through the authentication module 33a. (S61-S63) (the mechanism of VAZ will be described in detail separately).

The packets 41 and 42 via the VAZ 34 are roughly divided into a server (Web, Mail, DB server, etc.) 21 or a host computer as a destination and an internal client 22 PC as a destination. Lose. In the case of a packet destined for the server 21, it is received by a load balancing module 37 that holds distribution information on the target server (S64), and distributed to the distribution information on the target server 21. The packets are distributed (S65) and distributed to the corresponding servers 21a-21c (S66).

That is, when a server having the same function, for example, a plurality of web servers 21a are installed in parallel, the load is balanced based on the analysis information on the current workload of each parallel server 21a, When the internal client 22 targets the PC, the packets 41 and 42 are delivered to the corresponding PC 22 (S67).

D. Virtual Address Zone (VAZ) Mechanism

The following description will be made with reference to FIG. 9, which is a reconfigured drawing to more easily describe a multiple IP type NAT (Network Address Translation) system configured by the VAZ 34.

As shown in Fig. 9, the multiple IP type NAT system applied to the security system of the present invention is an Internet public IP address, for example, between the public network 6 and the internal system 77 including a server and an internal client PC. An external physical device 71 having " 198.76.29.7 ", a first firewall daemon 72 that performs intrusion prevention (firewall) and primary NAT functions for packets in accordance with established rules, and a virtual external IP address. &Quot; A virtual external device (Vl) 73 having a 172.16.0.2 ", a virtual second firewall daemon 74 that performs a second firewall (firewall) function on the packet according to a set rule, and a virtual internal IP A virtual internal device (Vp) 75 having an address "176.16.0.3", an internal physical device 76 having a private private IP address "10.33.96.4", connected to the internal physical device and a LAN 23 Private IP address "10.33.96.5" The server 21 of the host role has a structure arranged sequentially.

Here, the external physical device 71 corresponds to the routing module 31 of FIG. 7, the first firewall daemon 72 is a firewall module 33, and the internal physical device 76 is a load balancing module 37 or Corresponds to an internal client 22.

The virtual external device 73, the virtual second firewall daemon 74, and the virtual internal device 75 forms a VAZ 34, the two-step NAT by a virtual NAT server implemented in software Perform the function.

Hereinafter, a multi-IP NAT system will be described in detail with reference to FIGS. 9 and 10.

The first packet 81 having a source address (S1: 198.76.28.4) and a destination address (D1: 198.76.29.7) from the Internet 6 has an external physical device (198.76.29.7) having a public IP address (198.76.29.7). 71) and when the VAZ 34 is reached through the first firewall daemon 72, a virtual NAT server checks the first address translation table 86 shown in FIG. Confirm that the destination IP address (198.76.29.7) is a public IP address (198.76.29.7) registered in the table, and if it is not the address registered in the first address translation table 86, the packet 81 is first released. do.

If it is determined that the address is registered in the first address translation table 86, the first packet 81 is virtualized as the destination address D2 by performing a one-step NAT based on the first address translation table 86. The external IP address 172.16.0.2 is converted into the second packet 82 having the public IP address 198.76.29.7 as the source address S2.

The second packet 82 is then sent from the virtual external device 73 through the virtual secondary firewall 74 to the virtual internal device 75 with a destination address (D3: 172.16.0.3), and a source address (S3: 172.16.0.2). It is delivered in the form of a third packet 83 having a).

When the third packet 83 is received by the virtual internal device 75, the virtual NAT server checks the second address translation table 87 so that the received destination address (172.16.0.3) of the third packet 83 is received. Check whether the address is registered in the second address translation table 87 (172.16.0.3), and if it is an address registered in the second address translation table 87, it is determined based on the second address translation table 87. Perform NAT.

That is, the virtual NAT server uses the received third packet 83 as the destination address D4 as a private private IP address (10.33.96.4), which is an IP address of the internal physical device 76, and as a source address (S4). Convert to fourth packet 84 with IP address 172.16.0.3.

The fourth packet 84 is then delivered in the form of a fifth packet 85 whose destination address D5 is the private private IP address 10.33.96.5 of the server 21 which is the host.

When the second packet 82 is delivered to the virtual external device 73 by performing the above-described one-step NAT, if it is determined to be an invalid packet by the NAT server, it is released, and the virtual external device 73 is released. Even though the forwarded packet does not exist, the real server 21 or the internal client 22 having the IP does not exist, and thus an additional progress path is not specified, so as to become a black hole, and thus to the virtual internal device 75. Packet forwarding becomes impossible.

As described above, the VAZ 34 of the present invention refers to virtual network devices 73 and 75, not physical network devices having substantial IP addresses. That is, by placing the virtual devices 73 and 75 between the physical network devices 71 and 76, not only can the packet be more reliably filtered but also the physical device 71 in case of an intrusion attempt by an external intruder. Since virtual devices 73 and 75 other than 72, 76 cannot be identified, they are much safer.

In addition, when a virtual device (73, 75) between the physical device (71, 76) and the virtual device (73, 75) connected by using tunneling, NAT, VPN, etc., more secure measures can be established. .

Conventionally, when the external intruder succeeds in the intrusion of the firewall daemon 13 constituting the primary firewall system as shown in FIG. 3, the entire firewall structure is incapacitated and the internal intrusion can be easily performed.

That is, in the conventional dual IP method, if the external intruder can access the primary external physical device 14 and the firewall daemon 13, the external intruder can penetrate the firewall 13 to access the inside. This is inevitable as the firewall itself relies on one physical device—implemented in the form of a physical device—that the firewall system itself has an IP address that can be accessed from both inside and outside.

However, in the case of the multi-IP NAT of the present invention, the outside intruder cannot access inside only by intrusion of the primary first firewall daemon 72. That is, in the present invention, even if the first invasion is successful, the physical internal device 76 may not be accessed when the virtual VAZ 34 does not pass through the virtual virtual address zone (VAZ) 34. In addition, since the device is a virtual device rather than a physically visible device, it is difficult for the external intruder to pass through the invisible VAZ 34, and thus, the virtual secondary firewall system 74 has the effect of blocking the intrusion.

As described above, the multiple NAT system of the present invention can simultaneously solve the security problems caused by IP shortage and IP external exposure.

E. Comparison of the Prior Art with the Present Invention

1) Firewall System

Conventional firewalls restrict internal access of external users by separating internal and external in a redundant NAT or proxy method.

However, in the present invention, the separation process is performed once more through the virtual IP zone (VAZ) in the middle of separating the inside from the outside, thereby multiplexing the IP scheme and using the virtual IP address to further read the internal private IP. It makes it difficult to have an IP structure that is impossible to illegally infiltrate. In other words, if you try to infiltrate the inside illegally, the packet will be caught on the virtual local IP and will not allow any more illegal access.

In other words, the security function is implemented by separating multiple internal systems from external intrusion by applying multiple NAT techniques and multiple proxy techniques, and by using this differentiated multiple NAT structure and multiple proxies, one virtual zone is created. The intruder can not find the internal system in the 2nd and 3rd stage even if the intruder succeeds in the first stage intrusion. In other words, the intrusion attempt by the external intruder is impossible.

2) IDS system

In the conventional IDS system, the IDS processor stores the type of illegal intruder as a type DB in a hard disk drive (HDD) or other place, and when the packet is received from the outside, the packet is stored in the HDD or memory. Comparing with the existing DB results in slow speed when using HDD or huge memory when using memory.

However, the IDS of the present invention has a great advantage that it is much faster than using an HDD by compressing and embedding it in a chip to produce a type DB and does not occupy a memory shared resource. In other words, it does not require a lot of memory in addition to the fast processing speed, so it is possible to use firewall, load balancing, VPN, etc. in addition to the IDS module at the same time.

3) VPN Solution

In the present invention, as a new VAZ (Virtual Address Zone) is added to the VPN solution, the reliability of the overall security system is remarkably improved and integrated, thereby significantly improving the function.

4) Load Balancing System

In load balancing, a function is implemented in an integrated security system, thereby creating a synergy effect that enhances the association with the security function.

By combining the above results, in the present invention, it is possible to implement a network security system with remarkably improved security and flexibility (universal scalability), and program a router function essential for various solutions and networking handled as a security element. The integrated implementation in the Chip Device provides a system that can significantly improve the functional coupling and operational difficulties of the equipment.

In the above-described embodiment, an example in which the integrated security solution of the present invention is preferably implemented in the form of a chip BIOS has been described, but other forms of implementation are possible.

As described above, the present invention solves the security vulnerability, generality limitation, and operational difficulties of the conventional S / W network security products, and provides firewall load balancing, which is an internet networking security element, in the H / W chip. The solution, including virtual private network (VPN), intrusion detection and routing functions, is integrated and integrated into a single device.

The hardware-based integrated security solution of the present invention partially takes the main OS (operating system) from the Linux Kernel and based on it, and manages the currently implemented routing functions, security solutions such as firewall and VPN. The mechanisms are also packaged into a single semiconductor chip, combining load balancing and intrusion detection system (IDS) functions.

Furthermore, the present invention implements a security function by separating an internal system from external intrusion by applying multiple NAT techniques and multiple proxy techniques, and by using such a differentiated multiple NAT structure and multiple proxies, one virtual zone (Zone) ), Even if the first stage of intrusion is successful, it is blocked in 2nd and 3rd stages, and the intrusion attempt by an external intruder is basically impossible.

In addition, the present invention does not need to prepare a separate OS and application functions by implementing all application functions for the OS and various security services on one chip, and this chip can be operated without any abnormality under the x86PC base. No additional equipment is needed.

The present invention implements an integrated security solution using a flash ROM or an ASIC chip to boot into a Linux operating system (OS) and use a space area in a memory, so that the processing speed is fast and effective.

In the above, the present invention has been illustrated and described with reference to specific preferred embodiments, but the present invention is not limited to the above-described embodiments and is not limited to the spirit of the present invention. Various changes and modifications can be made by those who have

Claims (16)

An integrated security system for performing a comprehensive security function between a public network and an internal system including at least one server and at least one internal client, A routing module for branching and forwarding the packet received from the public network, An intrusion detection module for detecting an intrusion attempt by analyzing an intrusion pattern with a symptom database on the packet received from the routing module; If the intrusion is a detected packet, it is determined whether the intrusion is blocked in the first step through the comparative analysis of the set internal type and the packet, and when it is determined to be a harmful packet, the packet is released to the outside through the routing module, and a virtual private network among the legitimate packets A first firewall module for intrusion prevention for transmitting to a later stage if the packet does not pass through the VPN; If the packet is passed through the VPN, the authentication is confirmed. If the packet is from an unauthorized user, the packet is released to the outside through the routing module. If the packet is from an authenticated user, the packet is sent to the first firewall module. VPN authentication module for returning, The packet received from the first firewall module with the Internet public IP address as the destination address is configured to perform the multi-step virtual IP address conversion using the virtual multi-IP address and the two-step intrusion blocking function to transmit the packet to the internal system. Configured with a virtual address zone (VAZ), Network integrated security system, characterized in that the Internet network security is performed integrally by multiple IP address translation (NAT) and multiple packet filtering. 2. The network integrated security system of claim 1, further comprising a load balancing module for distributing packets according to distribution information on a target server when the server is a packet that is a destination. The method of claim 2, wherein the routing module, the intrusion detection module, the first firewall module for intrusion prevention, the VPN authentication module, the virtual address zone (VAZ) and the load balancing module are implemented in hardware on a single IC chip. Network integrated security system. The method of claim 1, wherein the virtual address zone (VAZ) is A virtual internal / external device for forwarding packets with virtual first and second IP addresses, A virtual second firewall module for performing a second intrusion blocking function by reading a virtual IP of a packet received between the virtual internal / external devices; A first address conversion table for converting a packet address from an Internet public IP address to a virtual first IP address; A second address translation table for converting a packet address from the virtual second IP address to a private private IP address; Perform a one-step address translation based on the first address translation table when the packet is received by a virtual external device, and when the packet is received from the virtual external device to a virtual internal device after one-step address translation, the second address It consists of a virtual network address translation (NAT) server for performing the two-step address translation based on the translation table to deliver the address translation packet to the internal system, The VAZ multiplexes a virtual IP structure to separate / block an external public network and an internal system to prevent reading of the virtual IP and illegal intrusion into the internal system. The network integrated security system according to any one of claims 1 to 4, wherein all the modules and the VAZ are implemented based on a Linux kernel. The network integrated security system of claim 5, wherein all the modules and the VAZ are implemented in one of a flash ROM and an ASIC chip, and a security system is automatically built at the same time as booting by a chip BIOS. The system of claim 3, wherein the system is implemented as one of a network security device having a single chip, a PCMCIA card, and an add-on card. 4. The network integrated security system according to claim 1 or 3, wherein the symptom database is compressed and embedded in the IC chip. In the network integrated security method of the integrated security system that performs a comprehensive security function between the public network and the internal system including at least one server and at least one internal client, When an external packet attempts to access the public network, the routing module receives the packet, performs a unique branch function, and delivers the packet to the IDS module; Receiving a packet from the routing module to the IDS module, and detecting whether the intrusion attempts through the comparative analysis of the indication data and the intrusion pattern of the indication database (DB), When the intrusion is detected, if the packet is determined to be invasive through a comparison analysis between the set internal type and the packet, and if it is determined to be a harmful packet, the packet is released to the outside through the routing module, and a virtual private network of the legitimate packet ( If the packet does not pass through the VPN), the packet is transmitted to the next stage. If the packet passes through the VPN, the VPN authentication module checks whether the VPN is authenticated. Releasing and returning a packet from the authenticated user to the first firewall module, And performing a two-step intrusion prevention function on the packet received from the first firewall module, and transmitting the packet to the internal system. 10. The method of claim 9, wherein if the packet is determined to be illegal intrusion, the intrusion fact is notified to the internal administrator console, and the sender IP address is stored in the corresponding login DB while tracking the packet sender IP address. The method further comprises the step of creating a DB and performing a concealment operation on the target host and server to which the packet was originally targeted. 10. The method of claim 9, wherein in the case of a packet destined for a plurality of servers connected in parallel in the internal system, the packet is received by a load balancing module having distribution information on a target server, and according to the distribution information of the target server. And distributing the packets to the corresponding server. 10. The network of claim 9, wherein the integrated security method is implemented based on a Linux kernel and further comprises automatically building the security system simultaneously with booting by a chip BIOS. Integrated security method. The virtual external device according to any one of claims 9 to 12, wherein the public IP address assigned to the security system is based on a first address translation table when the packet is received by the virtual external device through the first firewall module. Performing a one-step address translation into a virtual external IP address of the device, Step 2, converting the virtual internal IP address of the virtual internal device into a private IP address for a target server of the internal system based on a second address translation table when a packet is transferred from the virtual external device to the virtual internal device after the first step address translation; Performing address translation to forward the addressed packet to the internal system; And converting the public IP address into a private IP address using multiple virtual IP addresses. A routing module for branching packets received from the public network and forwarding them to the rear end of the internal system; An intrusion detection module for detecting an intrusion attempt by analyzing an intrusion pattern with a symptom database on the packet received from the routing module; If the intrusion is a detected packet, it is determined whether the intrusion is blocked in the first step through the comparative analysis of the set internal type and the packet, and when it is determined to be a harmful packet, the packet is released to the outside through the routing module, and a virtual private network among the legitimate packets A first firewall module for intrusion prevention for transmitting to a later stage if the packet does not pass through the VPN; If the packet is passed through the VPN, the authentication is confirmed. If the packet is from an unauthorized user, the packet is released to the outside through the routing module. If the packet is from an authenticated user, the packet is transmitted to the first firewall module. VPN authentication module for returning to A virtual address zone (VAZ) for performing a two-stage intrusion blocking function by performing virtual multi-IP address translation on the packet received from the first firewall module, and transmitting the packet to the internal system; If the destination of the packet is a server of the internal system is configured with a load balancing module for distributing the packet according to the distribution information for the target server, An integrated security semiconductor device, characterized in that to perform an integrated security function through the multiple IP address translation and multiple packet filtering. delete delete