KR101789241B1 - Method, system and computer-readable recording medium for processing dump packets in virtual private network - Google Patents
Publication number: KR101789241B1 (authority: KR, South Korea)
Prior art keywords: packet, dump, packet dump, information, encryption policy
Classifications (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication)
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0272—Virtual private networks
Abstract
The present invention relates to a packet dump processing method, system, and computer readable recording medium in a VPN.
The packet dump processing method in a VPN comprises the steps of obtaining encryption policy information of a tunnel for packet filtering, and performing a packet dump with reference to a packet dump option corresponding to the encryption policy information.
Description
The present invention relates to a packet dump processing method, system, and computer readable recording medium in a VPN.
Figure 1 illustrates an exemplary VPN in which virtual private network (VPN) devices form a communication tunnel. Here, VPN is a network service that enables secure communication such as a private network through a public switched network such as the Internet, which is opened between remote networks. In other words, a virtual private network can be constructed to secure the stability in the public switched line without establishing a separate dedicated network by setting a logical line regardless of the configuration of the physical network through the VPN.
VPN devices form a communication tunnel between themselves through tunneling. Tunneling is a virtual connection that can securely transmit information without being affected by the outside, and is a technology by which the connection is safely protected from other users and external users. To implement this tunneling, the two VPN devices negotiate the security policy required for the VPN service and perform encrypted communication based on the negotiation result.
As shown in FIG. 1, in a general VPN configuration, a VPN device can be divided into a center VPN device and a branch VPN device according to its role. Here, the center VPN device is mainly located in the main office, and the branch office VPN device can be located in a remote office, a client company, a partner company, or the like. On the other hand, although FIG. 1 shows one center VPN apparatus and three branch office VPN apparatuses, this is an exemplary one, and more or fewer VPN apparatuses may be used.
Conventionally, the VPN user must know the encryption policy of the VPN tunnel to be filtered, and must visually confirm the SA information and apply the option by hand, which is inconvenient. The present invention solves all of the above problems.
That is, the present invention aims at automatically generating a VPN packet dump so that a network user can easily use a packet dump even if he or she does not know how to generate an encryption policy or packet dump.
In order to accomplish the above object, a representative structure of the present invention is as follows.
According to an embodiment of the present invention, there is provided a method of processing a packet dump in a VPN, the method comprising: acquiring encryption policy information of a tunnel for packet filtering; and performing a packet dump with reference to the packet dump option corresponding to the encryption policy information.
In addition, when performing a packet dump corresponding to a packet before being encrypted, at least one of i) a source IP address and a destination IP address of the packet, ii) a source port and a destination port, and iii) information corresponding to a protocol can be added as the packet dump option.
In addition, when a packet dump corresponding to an encrypted packet is performed, a value of a Security Parameters Index (SPI) of the encryption policy may be added as the packet dump option.
According to another embodiment of the present invention, a packet dump processing system in a VPN includes a packet receiving unit for receiving a packet through a network, and a packet dump generation unit that acquires encryption policy information for the packet to be received and performs a packet dump by adding the packet dump option corresponding to the encryption policy information.
In addition, when performing a packet dump corresponding to a packet before being encrypted, the packet dump generation unit may add at least one of i) a source IP address and a destination IP address of the packet, ii) a source port and a destination port, and iii) information corresponding to a protocol as the packet dump option.
In addition, the packet dump generator may add a Security Parameters Index (SPI) value of the encryption policy as the packet dump option when performing a packet dump corresponding to the encrypted packet.
The system may further include a storage unit for storing information on the packet dump option corresponding to the encryption policy information, and the packet dump generation unit acquires the information on the packet dump option corresponding to the encryption policy information from the storage unit.
In addition to this, another method for implementing the present invention, another system, and a computer-readable recording medium for recording a computer program for executing the method are further provided.
According to the present invention, a packet dump is automatically generated by the packet dump processing system in the VPN, so that a non-expert network user can easily use a packet dump even without knowing the encryption policy or the packet dump generation method.
Figure 1 illustrates an exemplary VPN in which VPN devices form a communication tunnel.
FIG. 2 is a block diagram showing an internal configuration of a packet dump processing system in a VPN.
FIG. 3 is a diagram illustrating an exemplary packet dump generated according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a main process performed in a packet dump processing system according to an embodiment of the present invention.
The following detailed description of the invention refers to the accompanying drawings, which illustrate, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in connection with an embodiment. It is also to be understood that the position or arrangement of the individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is to be limited only by the appended claims, along with the full scope of equivalents to which such claims are entitled, if properly explained. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.
The present invention provides a packet dump processing method and a system therefor when transmitting and receiving data packets using a virtual private network (VPN).
First, a VPN is a network service that enables secure communication, like a private network, over an Internet communication network opened between remote networks. An IP security (hereinafter referred to as IPsec) VPN encrypts a data packet at the transmitting terminal to protect data on the public Internet communication network, and the receiving terminal decrypts the encrypted packet and forwards it.
At this time, the encryption method can be performed through key exchange, and a set of key exchange information between two points is called a security association (SA). An SA is a set of elements that must be unified prior to exchanging data, such as an encryption algorithm, a key exchange method, a key exchange cycle, and a key exchange policy, when exchanging secret data (authentication, encryption data) between a data transmitter and a receiver.
On the other hand, the encryption policy is a policy that determines which packets to encrypt. The encryption policy is a combination of IP address, port, protocol information, service, time, and so on; when a packet matching the tunnel policy is received, it is encrypted and transmitted. An SA has a Security Parameters Index (SPI) value for identifying SAs between VPN devices; a VPN device uses the SA information and the SPI to distinguish the Encapsulating Security Payload (ESP) packets arriving at it and decrypts them.
Next, a packet dump is a tool that allows a user to check the packets input to or output from a network interface card, for example tcpdump on Linux or Wireshark on Windows. Packet dumps are used to monitor the current status, for logging, and to analyze faults.
The packet dump processing system in the VPN according to the present invention may be configured to be included in the VPN device, but is not limited thereto and may be located outside the VPN device.
Hereinafter, the configuration of a packet dump processing system in a VPN according to the present invention and the functions of its respective components will be described with reference to FIG. 2.
FIG. 2 is a block diagram illustrating an internal configuration of a packet dump processing system in a VPN according to an embodiment of the present invention.
2, a packet
The packet
First, the
The packet before encryption is a packet to be transmitted from the internal network to the external network via the VPN device, and may be an original packet that is not encrypted. The encrypted packet is transmitted from the external network to the internal network and may be a ciphered packet.
Next, the packet
For this purpose, the
Specifically, the
On the other hand, in the case of a packet in the encrypted state, the packet
Hereinafter, the packet dump procedure performed by the packet dump generation unit will be described in detail with reference to FIG. 3.
FIG. 3 is a diagram illustrating an exemplary packet dump generated according to an embodiment of the present invention.
Figure 3 illustrates the basic structure of a packet dump, wherein the packet dump is configured with a combination of
The packet
Specifically, the packet
At this time, the predetermined packet dump
Hereinafter, "tcpdump" is used as a tool for executing the packet dump in the packet
As described above, the
When the packet to be received by the
Thereafter, the packet
On the other hand, when the
The
As described above, only one of the source IP address and the destination IP address or the SPI information may be added as the additional packet dump option. However, the present invention is not limited to this; the source IP address and destination IP address information and the SPI information may all be added together.
In this case, a packet dump such as "tcpdump -nnp -i ethX 'ip[20:4] = 0x00000001 or (dst net 200.200.200.0/24 and src net 100.100.100.0/24)'" may be generated.
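The following is an added example, not code from the patent, showing how the two kinds of dump option described above (address/port/protocol terms for the plaintext packet, and an SPI match for the ESP packet) can be derived from a stored encryption policy and assembled into a tcpdump command. The `EncryptionPolicy` class and all function names are assumptions; the `ip proto 50` guard and the port/protocol terms go beyond the page's one-line example, and `ip[20:4]` reads the SPI only for an IPv4 header without options.

```python
"""Build tcpdump filter options from an IPsec tunnel's encryption policy.

Constructed illustration of the two dump cases the patent describes:
a pre-encryption (plaintext) dump keyed on the policy's addresses, ports
and protocol, and an encrypted dump keyed on the SA's SPI.  All names
here are assumptions, not the patent's own identifiers.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

# ESP follows the IPv4 header; with no IP options the SPI is bytes 20..23.
IPV4_HDR_LEN = 20


@dataclass
class EncryptionPolicy:
    src_net: str                    # e.g. "100.100.100.0/24"
    dst_net: str                    # e.g. "200.200.200.0/24"
    protocol: Optional[str] = None  # "tcp", "udp" or None for any
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    spi: Optional[int] = None       # SPI of the SA negotiated for the policy


def _net(value: str) -> str:
    # ipaddress rejects malformed input, so nothing unchecked reaches the filter
    return str(ipaddress.ip_network(value, strict=False))


def _port(value: int) -> int:
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"port out of range: {value}")
    return value


def plaintext_filter(policy: EncryptionPolicy) -> str:
    """Dump option for the original packet before ESP encapsulation."""
    terms = [f"src net {_net(policy.src_net)}", f"dst net {_net(policy.dst_net)}"]
    if policy.protocol is not None:
        if policy.protocol not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {policy.protocol}")
        terms.append(policy.protocol)
    if policy.src_port is not None:
        terms.append(f"src port {_port(policy.src_port)}")
    if policy.dst_port is not None:
        terms.append(f"dst port {_port(policy.dst_port)}")
    return " and ".join(terms)


def esp_filter(spi: int) -> str:
    """Dump option for the encrypted packet: match ESP (IP proto 50) by SPI."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI out of range: {spi:#x}")
    return f"ip proto 50 and ip[{IPV4_HDR_LEN}:4] = 0x{spi:08x}"


def build_dump_argv(iface: str, policy: EncryptionPolicy, mode: str = "both") -> List[str]:
    """Assemble the tcpdump argv (passed without a shell) for the dump mode."""
    parts = []
    if mode in ("plain", "both"):
        parts.append(plaintext_filter(policy))
    if mode in ("esp", "both"):
        if policy.spi is None:
            raise ValueError("encrypted dump requested but policy has no SPI")
        parts.append(esp_filter(policy.spi))
    if not parts:
        raise ValueError(f"unknown mode: {mode}")
    expr = parts[0] if len(parts) == 1 else " or ".join(f"({p})" for p in parts)
    return ["tcpdump", "-nnp", "-i", iface, expr]


def render_command(argv: List[str]) -> str:
    """Shell-safe one-line rendering for display or audit logging."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    pol = EncryptionPolicy("100.100.100.0/24", "200.200.200.0/24", spi=1)
    print(render_command(build_dump_argv("eth0", pol)))
```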
In the
The packet
Although the
Meanwhile, the
The
The
FIG. 4 is a diagram illustrating a main process performed in a packet dump processing system in a VPN according to an exemplary embodiment of the present invention.
In step S410, the packet
In step S420, the packet
When the packet
According to the present invention, since a packet dump is automatically generated, a network user (particularly, a manager) can easily use a packet dump even if he or she does not know how to generate an encryption policy or packet dump.
The embodiments of the present invention described above can be implemented in the form of program instructions that can be executed through various computer components and recorded on a computer-readable recording medium. The computer-readable recording medium may include program commands, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer-readable recording medium may be those specially designed and constructed for the present invention or may be those known and used by those skilled in the computer software arts. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, media, and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be configured to operate as one or more software modules for performing the processing according to the present invention, and vice versa.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, Those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.
Therefore, the spirit of the present invention should not be construed as being limited to the above-described embodiments; the following claims and all equivalents thereof fall within the scope of the present invention.
200: Packet dump processing system in VPN
210:
220: Packet dump generation unit
230:
240:
250:
Claims (8)
The packet dump processing system obtaining encryption policy information of a tunnel for packet filtering;
The packet dump processing system adding a packet dump option corresponding to the encryption policy information to a packet dump execution tool to generate a packet dump structure; and
And performing a packet dump using the packet dump structure,
Wherein the step of acquiring the encryption policy information comprises:
Extracting pre-stored encryption policy information corresponding to the requested VPN tunnel information; And
Extracting a previously stored packet dump option corresponding to the extracted encryption policy information,
Wherein the packet dump structure comprises:
The packet dump execution tool, the encryption policy identifier information corresponding to the extracted encryption policy information, and the extracted packet dump option,
Wherein, when performing a packet dump corresponding to a packet before being encrypted, at least one of i) a source IP address and a destination IP address of the packet, ii) a source port and a destination port, and iii) information corresponding to a protocol is added as the packet dump option, and
Wherein a value of a Security Parameters Index (SPI) of the encryption policy is added as the packet dump option when performing a packet dump corresponding to an encrypted packet.
A packet receiving unit for receiving a packet through a network; And
A packet dump generation unit for generating a packet dump structure by adding a packet dump option corresponding to the encryption policy information for the packet to be received to a packet dump execution tool, and for executing a packet dump using the packet dump structure; and
And a storage unit for storing information on a packet dump option corresponding to the encryption policy information,
Wherein the packet dump generation unit comprises:
Extracts the encryption policy information pre-stored in the storage unit corresponding to the requested VPN tunnel information, extracts the packet dump option pre-stored in the storage unit corresponding to the extracted encryption policy information, and generates the packet dump structure including the packet dump execution tool, the encryption policy identifier information corresponding to the extracted encryption policy information, and the extracted packet dump option,
Wherein the packet dump generation unit adds at least one of a source IP address and a destination IP address of the packet, a source port and a destination port, and information corresponding to the protocol as the packet dump option when performing a packet dump corresponding to a packet before being encrypted, and
Wherein the packet dump generator adds a Security Parameters Index (SPI) value of the encryption policy as the packet dump option when performing a packet dump corresponding to an encrypted packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150187497A KR101789241B1 (en) | 2015-12-28 | 2015-12-28 | Method, system and computer-readable recording medium for processing dump packets in virtual private network |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170077535A (en) | 2017-07-06 |
KR101789241B1 (en) | 2017-10-23 |
Family
ID=59354134
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101789241B1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101156008B1 (en) * | 2010-12-24 | 2012-06-18 | 한국인터넷진흥원 | System and method for botnet detection based on signature using network traffic analysis |
US20140082719A1 (en) * | 2012-09-19 | 2014-03-20 | Business Security Ol Ab | Method and device for network communication management |
Events
- 2015-12-28: KR application KR1020150187497A, patent KR101789241B1 (en), active (IP Right Grant)
Non-Patent Citations (1)
Title |
---|
Shrew Soft, "VPN Trace", Shrew Soft VPN Client Administrators Guide, https://www.shrew.net/static/help2.1.x/vpnhelp.htm?VPNTrace.html, 2010. |
Also Published As
Publication number | Publication date |
---|---|
KR20170077535A (en) | 2017-07-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
AMND | Amendment | ||
E601 | Decision to refuse application | ||
AMND | Amendment | ||
X701 | Decision to grant (after re-examination) | ||
GRNT | Written decision to grant |