KR101824642B1 - Residence Management System using a plurality of virtual Private network - Google Patents

Residence Management System using a plurality of virtual Private network

Info

Publication number
KR101824642B1
Authority
KR
South Korea
Prior art keywords
vpn
server
management
residential
service
Prior art date
Application number
KR1020150087770A
Other languages
Korean (ko)
Other versions
KR20160150251A (en)
Inventor
정현조
Original Assignee
주식회사 아라드네트웍스
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 아라드네트웍스 filed Critical 주식회사 아라드네트웍스
Priority to KR1020150087770A priority Critical patent/KR101824642B1/en
Publication of KR20160150251A publication Critical patent/KR20160150251A/en
Application granted granted Critical
Publication of KR101824642B1 publication Critical patent/KR101824642B1/en


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a residential management system and method using multiple virtual private networks. The system comprises a client terminal including a VPN agent for user authentication and a VPN agent for residential management, a residential management network including a control VPN and at least one residential management VPN, and a server system including an authentication server and a residential management server. The network used for user authentication and the network used for the residential management service are thereby separated.


Description

{Residential Management System using a Virtual Private Network}

The present invention relates to a residential management system and method using multiple virtual private networks.

A general communication system is composed of a client terminal, a service providing server, and a communication network connecting the client terminal and the service providing server.

Also, in order to provide various communication services such as finance, home automation, etc., it is necessary to connect to a plurality of service providing servers by using one terminal, and the communication network should also be appropriately separated for the multiple access.

FIG. 1 shows an example of a general communication network in which a client such as a PC 10 or a wireless communication terminal 10', an access point 20 or a wireless communication network 20', and a communication company server system 30 are connected.

In addition, the communication company server system 30 is connected to the IP server 40 providing the packet communication service, and the IP server is connected to the service server 50 providing one or more individual services.

When such a communication system is used, a user of the client terminal performs packet communication with one or more service servers to receive a desired specific service.

In the communication system shown in FIG. 1, one or more routers may be used to secure a path along which packets move. A router is a device that, when different networks are connected and exchange information, reads the destination address contained in the transmitted information (packet) and forwards it to another communication network over the most appropriate path, for example to relay between different local area networks (LANs) or to connect a local area network to a wide area network (WAN). It is essential equipment for connecting to the Internet and a core communication device that sets the path for transmitting information between communication networks operated with different protocols.

Such a conventional router creates a network path based on an IP prefix, so the networks for the various services are not separated from each other.

In particular, since the network for management and control of user authentication and the network carrying the service data of the actual service are not distinguished from each other, there is a possibility that important authentication information transmitted and received over the management and control network is exposed to the outside.

FIG. 2 is a configuration diagram of each node of a general communication system.

Referring to FIG. 2, a general computer network includes a client terminal 110, a client-side access network 120 such as a LAN or Wi-Fi, a transport network, a server-side access network 160, and a server 170. The transport network may in turn include a client-side edge network 130, which may be configured as a router, an IP network 140, and a server-side edge network 150. The client-side and server-side edge networks 130 and 160 may be routers.

Meanwhile, the server side edge network 160 may be interlocked with a security system such as a firewall.

In this general communication network, terminal access control is performed between the client 110 and the client-side access network 120 using an ID, a password, biometric information, or the like, and server access control using a password or the like is performed on the server side.

In addition, the access networks 120 and 160 and the transmission network constitute an IP network, and only simple transmission control is performed on such an IP network, and access control is impossible.

On the other hand, data communication using a computer network can be largely realized by packet communication and circuit communication.

In a packet network capable of packet communication, a client generates a packet and transmits it to an adjacent router. At this point the router cannot perform access control such as user recognition. In addition, in the IP network, transmission is performed on a per-packet basis. TCP/IP, the protocol used for such packet transmission, is not only vulnerable to forgery and falsification of data but also cannot isolate networks from one another. In other words, packet communication is superior in transmission efficiency but weak in data security.

Conversely, in circuit communication, a connection request from the terminal is transmitted through a modem to a gateway such as a PBX. In this case the PBX can first authenticate the user's identity by communicating with the server. The PSTN server then exchanges information after a channel has been formed through the PSTN network. Such circuit communication has excellent data security, but data transmission is inefficient.

DISCLOSURE OF THE INVENTION

In view of the above, the present invention retains the transmission efficiency of a packet network, divides the network into a plurality of virtual private networks, and provides a control network for authentication/control separately from a service network for providing the service. In this way we intend to establish a communication system that is excellent in transmission efficiency while not being weak in data security or user authentication.

In other words, by establishing a service utilization environment with security inherent in the separation of a virtual-network-based control network from the service network, a secure and efficient communication system is established that permits authorized network access to authorized devices and users at any time and any place.

Accordingly, it is an object of embodiments of the present invention to provide a communication system that is excellent in data transmission efficiency and strong in data security.

It is another object of the present invention to provide a communication system having a service using environment in which security is inherent through separation of a control network based on a virtual private network (VPN) and a service network.

It is another object of the present invention to provide a secure and efficient communication system that permits authority-based network access, using a client installed with two or more virtual private network agents, a network including a control VPN and at least one service VPN, and a server system including a control server and at least one service providing server.

Another object of the present invention is to provide a residential management system constructed using the above-described communication system.

It is another object of the present invention to provide a residential management system in which the network for user authentication and the network for the residential management service are separated, using a client terminal including a VPN agent for user authentication and a VPN agent for residential management, a residential management network including a control VPN and at least one residential management VPN, and a server system.

According to an aspect of the present invention, there is provided a residential management system including a client terminal including a VPN agent for user authentication and a VPN agent for residential management, a residential management network including a control VPN and at least one residential management VPN, and a server system including an authentication server and a residential management server.

According to another aspect of the present invention, there is provided a residential management method using multiple virtual private networks, the method comprising: executing a VPN agent for user authentication installed in a client terminal to set a control VPN between an authentication server and the client terminal and then performing user authentication; executing one of the residential management VPN agents installed in the terminal; and setting a residential management VPN between the residential management server and the client terminal according to the execution of the residential management VPN agent.

FIG. 1 shows an example of a general communication network.
FIG. 2 is a detailed configuration diagram of each node of a general communication system.
FIG. 3 shows the overall configuration of a communication system according to an embodiment of the present invention.
FIG. 4 illustrates details of a client terminal and a terminal-side network included in a communication system according to an embodiment of the present invention.
FIG. 5 illustrates the entire communication flow of the communication system according to the present invention, in which user authentication using a control VPN and service provision using a service VPN are performed separately.
FIG. 6 shows the overall configuration of a residential management system according to an embodiment of the present invention.
FIG. 7 shows the overall configuration of a residential management system according to another embodiment of the present invention.
FIG. 8 illustrates a process of providing a residential management service according to an embodiment of the present invention, in which user authentication using a control VPN and service provision using a residential management service VPN are performed separately.

Hereinafter, some embodiments of the present invention will be described in detail with reference to exemplary drawings. In the drawings, like reference numerals are used to denote like elements throughout the drawings, even if they are shown on different drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

In describing the components of the present invention, terms such as first, second, A, B, (a), and (b) may be used. These terms are intended only to distinguish one component from another and do not limit the nature, order, or number of the components. When a component is described as being "connected" or "coupled" to another component, the component may be directly connected or coupled to the other component, or intervening components may be present, that is, each component may be "connected" or "coupled" through other components.

FIG. 3 shows the overall configuration of a communication system according to an embodiment of the present invention.

The communication system according to the embodiment of the present invention includes a client terminal 310 in which two or more VPN setting agents 312 are installed, an access network 320 composed of a communication network such as a LAN, Wi-Fi, or 3G/LTE wireless communication network, an access gateway 330, a service gateway 350, and a server system including a control server 370 and at least one service server 360.

The client terminal 310 is provided with a VPN setting agent 312, which is software for setting up two or more VPNs. More specifically, the client terminal 310 is provided with a control VPN agent, i.e. a VPN agent for authentication, which sets up a control VPN over which authentication/control data is transmitted, and a service VPN agent for the VPN connection with an individual service server.

In this specification, VPN is an abbreviation of virtual private network, which means a communication service providing a special communication scheme and an encryption scheme so that the Internet can be used as if it were a dedicated line.

That is, after a client and a specific server are connected to each other over a universal communication network, both communication devices obtain the same effect as dedicated communication by using a predetermined communication protocol and encryption technique.

For such a VPN, a certain VPN program must be installed on the client side. When the VPN is executed, data is transmitted to the server side by processing the data with a predetermined protocol and encryption method, and the server decrypts and recognizes the data.

At this time, a communication channel formed similarly to a leased line between the client and the server side can be expressed as a VPN.

Meanwhile, the access gateway 330 may include one or more terminal-side VPN nodes, and the terminal-side VPN node may be a router, but is not limited thereto.

The two or more terminal-side VPN nodes included in the access gateway 330 may in turn include a control VPN node 332 and one or more service VPN nodes 334.

Similarly, the service gateway 350 on the server side includes one or more server-side VPN nodes, and the server-side VPN nodes may include a control VPN node 352 and a service VPN node 354.

A VPN network 340 connects each VPN node of the access gateway 330 one to one with each VPN node of the service gateway 350. More specifically, a control VPN is established between the two control VPN nodes, and a service VPN is established between the corresponding service VPN nodes.

The access gateway 330 is located on the client side and serves to upload an authentication packet to the control VPN or the control network, and can perform access control based on a whitelist for each virtual network.

More specifically, the access gateway 330 according to the present invention has an authentication redirection function, which detects an abnormal traffic type and protects the authentication server or control server from external hacking by redirecting such traffic to authentication, and a function of collecting the tunnel of an authenticated normal client onto the corresponding virtual router and passing it to the corresponding VPN node of the service gateway 350.

Also, the connection between the access gateway 330 and the service gateway 350 can be performed through the predefined L3 VPN tunnel, and the connection between the individual virtual router or VPN nodes can be predefined and used.

According to the present invention, when the client terminal is a wireless terminal accessing through a wireless access point (AP), it is connected via a wireless access point tunnel, and the wireless access point tunnel can be connected to a predefined (configuration-managed) virtual router.

Similarly, the service gateway 350 according to the present invention, at the place where servers are aggregated, performs access control and management of the virtualized network for each network and server in association with the access gateway 330, and creates and terminates tunnels.

In more detail, the service gateway 350 according to the present invention protects the authentication server or control server 370 from external attack and hacking in conjunction with the access gateway 330, and creates, maintains, deletes and manages predefined service VPN tunnels for each user/terminal. In addition, it allows access to the corresponding virtual network only to VPN tunnels permitted through authentication (whitelist-based access control), manages predefined mobile IP VPN tunnels per virtual router, and may have the capability of keeping the virtualized networks mutually separated through predefined L3 VPN tunnels with the access gateway.
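The gateway behaviour described above (whitelist-based access control per virtual network, with traffic that is not yet authenticated redirected to the control VPN) can be modelled as a small forwarding decision. The following is an added example, not code from the patent or its assignee; the `Packet`, `Gateway` and `demo` names, the tunnel identifiers and the redirect-counting stand-in for "abnormal traffic" detection are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

CONTROL_VPN = "control"  # the control VPN carries only authentication/control traffic


@dataclass(frozen=True)
class Packet:
    tunnel_id: str  # client tunnel the packet arrived on (constructed identifier)
    vpn: str        # virtual network the packet is addressed to
    payload: bytes


class Gateway:
    """Hypothetical model of the access/service gateway whitelist: a tunnel may enter a
    service VPN only after it has been authenticated for that VPN; anything else is
    redirected to the control VPN (authentication redirection)."""

    def __init__(self, redirect_threshold=3):
        self.whitelist = {}        # vpn -> set of authenticated tunnel ids
        self.redirects = Counter()  # tunnel id -> number of redirected packets
        self.redirect_threshold = redirect_threshold

    def authorize(self, tunnel_id, vpn):
        """Called once the control server has authenticated the tunnel for a service VPN."""
        if vpn == CONTROL_VPN:
            raise ValueError("the control VPN needs no whitelist entry")
        self.whitelist.setdefault(vpn, set()).add(tunnel_id)

    def revoke(self, tunnel_id):
        """Tunnel teardown: remove it from every service VPN whitelist."""
        for tunnels in self.whitelist.values():
            tunnels.discard(tunnel_id)

    def forward(self, pkt):
        """Return the name of the VPN node the packet is handed to."""
        if pkt.vpn == CONTROL_VPN:
            return CONTROL_VPN  # authentication traffic always goes to the control node
        if pkt.tunnel_id in self.whitelist.get(pkt.vpn, set()):
            return pkt.vpn      # authenticated for this virtual network
        self.redirects[pkt.tunnel_id] += 1
        return CONTROL_VPN      # not authenticated: redirect to authentication

    def suspicious_tunnels(self):
        """Tunnels that repeatedly tried to enter a VPN they were not authenticated for;
        a simple stand-in (assumption) for the abnormal-traffic detection in the text."""
        return sorted(t for t, n in self.redirects.items() if n >= self.redirect_threshold)


def demo():
    """Walk a constructed tunnel through the gateway and collect the forwarding decisions."""
    gw = Gateway()
    decisions = []
    decisions.append(gw.forward(Packet("tun-A", "service1", b"data")))  # not authenticated yet
    decisions.append(gw.forward(Packet("tun-A", CONTROL_VPN, b"auth")))  # authentication traffic
    gw.authorize("tun-A", "service1")                                    # approved for service1 only
    decisions.append(gw.forward(Packet("tun-A", "service1", b"data")))  # now admitted
    decisions.append(gw.forward(Packet("tun-A", "service2", b"data")))  # never authorised
    gw.revoke("tun-A")
    decisions.append(gw.forward(Packet("tun-A", "service1", b"data")))  # revoked again
    return decisions


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the whitelist is keyed by virtual network, not just by tunnel: being authenticated for service 1 says nothing about service 2, which is what keeps the service networks separated from each other even for an authenticated client.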

The corresponding service servers 360 are linked to each service VPN node 354 of the service gateway 350, and a control server 370 having a control DB 372 for storing authentication information and the like is linked to the control VPN node 352.

The control DB 372 of the control server stores authentication information for the users who are provided with the service according to the present invention. The authentication information may include a user's ID/password, biometric information, and the like.

In addition, a whitelist, which is a list of legitimate users, may be stored in the control DB 372.

The VPN network 340 may be constructed using communication protocol software used by the Linux-based MPLS L3 VPN technology to provide IPVPN services in a router or an Ethernet switch. This L3 VPN technology can provide multi-protocol label switching (MPLS) virtual private network (VPN) services in an IP network environment based on standards defined by the Internet Engineering Task Force (IETF).

Meanwhile, the control server 370 in the present invention performs the various management or control tasks, such as user authentication, that are a basic precondition for providing the individual services, and may be referred to by other terms such as an IP manager or an IP management device.

Meanwhile, in order to construct the communication system according to the present invention, various software must be installed in the control server and the client.

The control server 370 according to the present invention may have VPN tunnel and virtual network configuration and interworking management, quality assurance management for each tunnel and virtual path, and an authentication server (AAA) association function. In addition, as part of software image management of the client terminal 310, when an authentication request arrives from the client the control server compares the image of the agent with the image of its normal state and takes an appropriate (blocking) action when the image has been changed.

In addition, the control server 370 establishes and applies the management and security policies of the client terminal, and can perform the authentication process management of the client terminal, and the like.

Meanwhile, the client terminal 310 according to the present invention stores authentication parameters (an authentication function based on a unique number for each device) and a VPN agent, which is software for creating, managing and terminating a two-way VPN tunnel for each VPN.

FIG. 4 illustrates details of a client terminal and a terminal-side network included in a communication system according to an embodiment of the present invention.

As shown in FIG. 4, the client terminal 410 according to the present invention is provided with a user authentication VPN agent or control VPN agent 412, which sets up the control VPN over which authentication/control data for user authentication and control is transmitted, and one or more service VPN agents, such as a service 1 VPN agent 414 and a service n VPN agent 416, for connecting to a service server with a VPN.

In addition, a distinct VPN is established by the execution of each VPN agent. More specifically, when the control VPN agent 412 is executed, a control VPN 452 capable of transmitting and receiving control data between the client terminal and the control server via the control VPN node is set up, and when the service VPN agents 414 and 416 are executed, service VPNs 454 and 456 capable of transmitting and receiving service data between the client terminal and the corresponding service server via the service VPN node are set up.

The client terminal 410 according to the present invention executes the control VPN agent 412 to set up the control VPN 452, then receives user authentication information such as biometric information or an ID/password and transmits it to the control server, and executes the service VPN agents 414 and 416 only when user authentication has succeeded, in order to set up the service VPN and transmit/receive data to/from the corresponding service server.

FIG. 5 illustrates the entire communication flow of the communication system according to the present invention, in which user authentication using the control VPN and service provision using the service VPN are performed separately.

Referring to FIG. 5, the control VPN is established between the client and the control server by executing the control VPN agent on the client terminal side (S510).

Next, the authentication information of the user or the client terminal, that is, an ID/password or biometric information such as a fingerprint or iris, is input using the client terminal (S520).

The entered authentication information is transmitted to the control server through the control VPN, in a state isolated from the other service servers and other VPNs.

The control server compares the received authentication information with the authentication information stored in the control DB or the like to perform user authentication (S530).

When user authentication is completed, the control server transmits the result of the user authentication to the client. Only when the authentication is successful can the client terminal execute an individual service VPN agent.

As one example, on receiving a valid user authentication result, the enable flag of two or more service VPN agents can be changed to 1, and execution of a service VPN agent is permitted only when its enable flag is set to 1 (S540).

Next, the client terminal executes the VPN agent for the enabled service 1 (the service 1 VPN agent) (S540), and according to that execution the service 1 VPN is set up between the client terminal and the service server of service 1 (S550).

Next, the client terminal transmits and receives data to and from the corresponding service server 1 through the established service 1 VPN, so that service 1 can be provided.

At this time, the control server can grant the authority to execute service VPN agents to each user in a graded manner. For example, user A may be allowed to execute all service VPN agents from service 1 to service n, while user B is allowed to execute only the service 1 and service 2 VPN agents.
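The flow S510 to S550, together with the enable-flag gating and the per-user grant of service VPN agents just described, can be written out as a small client/control-server model. It also covers the residential management variant of FIG. 6, where the authentication server limits the residential management servers each user may set a VPN with. This is an added example, not code from the patent or its assignee; the class and function names, the PBKDF2 storage of passwords in the control DB, and the user and service names are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

SERVICES = ["service1", "service2", "service3"]  # the text's "service 1 .. service n"
PBKDF2_ROUNDS = 100_000  # assumption; the text does not specify how credentials are stored


def make_control_db(passwords):
    """Build control DB entries user -> (salt, PBKDF2 hash) from constructed passwords.
    Plaintext passwords are not stored."""
    db = {}
    for user, pw in passwords.items():
        salt = secrets.token_bytes(16)
        db[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS))
    return db


class ControlServer:
    """Control server (or FIG. 6 authentication server): verifies credentials against the
    control DB (S530) and returns the set of service VPN agents the user may execute."""

    def __init__(self, control_db, grants):
        self.control_db = control_db  # authentication information
        self.grants = grants          # user -> set of permitted services (graded authority)

    def authenticate(self, user, password):
        """Return the granted services on success, or None on failure."""
        entry = self.control_db.get(user)
        if entry is None:
            return None
        salt, stored = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):  # constant-time comparison
            return None
        return set(self.grants.get(user, ()))


class ClientTerminal:
    """Client terminal holding one control VPN agent and one enable flag per service agent."""

    def __init__(self, services=SERVICES):
        self.enable = {s: 0 for s in services}  # enable flags start at 0
        self.control_vpn_up = False
        self.service_vpns = set()

    def run_control_agent(self):
        """S510: set up the control VPN with the control server."""
        self.control_vpn_up = True
        return True

    def authenticate(self, server, user, password):
        """S520-S540: send credentials over the control VPN; on success set enable flags."""
        if not self.control_vpn_up:
            return False  # credentials only ever travel over the control VPN
        granted = server.authenticate(user, password)
        if granted is None:
            return False  # enable flags stay 0, so no service agent can run
        for service in granted:
            if service in self.enable:
                self.enable[service] = 1
        return True

    def run_service_agent(self, service):
        """S540/S550: execute a service VPN agent only if its enable flag is 1."""
        if self.enable.get(service) != 1:
            return False
        self.service_vpns.add(service)  # the service VPN to that server is now set up
        return True


if __name__ == "__main__":
    db = make_control_db({"userA": "pw-a", "userB": "pw-b"})  # constructed credentials
    server = ControlServer(db, {"userA": set(SERVICES), "userB": {"service1", "service2"}})
    terminal = ClientTerminal()
    terminal.run_control_agent()
    print(terminal.authenticate(server, "userB", "pw-b"), terminal.enable)
    print(terminal.run_service_agent("service3"), terminal.run_service_agent("service1"))
```

Two properties of the text are visible in the model: a service agent cannot be started before the control VPN exists and authentication has succeeded, and user B's grant of services 1 and 2 leaves service 3's flag at 0 no matter how the terminal is driven.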

As described above, according to the present invention a control VPN is established between the client terminal and the control server, control information such as user authentication information is transmitted over it, and a service VPN is set up only when the user has been authenticated, after which data can be sent to and received from the service server. Security is thereby secured by separating the channel for control data from the channel for service data.

In other words, there is an advantage that secure computer networking is possible by completely separating the network management domain (Control Domain) and the data domain (Data Domain) by using multiple VPNs.

Further, since the addresses of the control server and the service providing server are not exposed to the outside, security can be enhanced.

In addition, according to the present invention, the operating cost can be reduced by creating, constructing and operating the required number of virtual networks (VPNs) using existing network resources and connecting them with a terminal virtualization solution (VPN agent), and the purchase cost and power consumption of terminals can be minimized by making it possible to use various jobs and the Internet with the minimum number of terminals.

That is, a control VPN agent for user authentication and service VPN agents for providing a plurality of services are installed together in one client terminal, and the corresponding VPN agent is executed according to the purpose to provide user authentication and the service over a virtual private network, so the user can be provided with a plurality of services using one terminal.

Also, it is advantageous in that the control server can restrict the types and the number of service VPNs that can be generated for each user, thereby providing a step-by-step or selective service for a plurality of users.

FIG. 6 shows the overall configuration of a residential management system according to an embodiment of the present invention.

As in FIGS. 3 to 5, the residential management system according to the present invention includes a client terminal 610 including a VPN agent for user authentication and a VPN agent for residential management, a residential management network 630 including a control VPN and at least one residential management service VPN, and a server system including an authentication server and a residential management server.

The client terminal 610 may be a mobile communication terminal held by each resident, or may be an individual PC, but is not limited thereto.

Similar to the control VPN agent described in FIGS. 3 and 4, the client terminal 610 is provided with a VPN agent for user authentication and at least one residential management VPN agent capable of setting a VPN with each residential management server.

When the user authentication information is an ID/password, a character/number input pad serves as the user authentication input means, and when the user authentication information is biometric information such as a fingerprint/iris, fingerprint input means or iris recognition means serves as the input means.

The client terminal 610 executes the VPN agent for user authentication to establish the control VPN, receives biometric information and transmits it to the authentication server to perform user authentication, and only when user authentication has succeeded executes the residential management VPN agent to establish a residential management VPN and then transmits a service request signal to the corresponding residential management server.

The client terminal 610 is connected to the residential management network through a general-purpose communication network such as a LAN, Wi-Fi, or 3G/LTE, and the residential management network 630 includes a control VPN 622 set up between the client and the authentication server by execution of the VPN agent for user authentication, and one or more residential management service VPNs 624, 626 and 628 set up between the client and the corresponding residential management server by execution of the corresponding residential management VPN agent.

At this time, the two ends of the control VPN 622 and of each residential management service VPN 624, 626 and 628 are the terminal-side VPN nodes 632 and 634 included in the access gateway on the client side and the server-side VPN nodes 642 and 644 included in the service gateway on the server side. Each VPN node may be a router, but is not limited thereto.

That is, the residential management network 630 according to the present invention may include a terminal side access network, an access gateway, and a service gateway, and between the access gateway and each VPN node of the service gateway, a control VPN and at least one residential management VPN for service can be formed.

In addition, the residential management server system may include an authentication server 650 interlocked with the control VPN and one or more residential management servers interlocked with each residential management service VPN.

Examples of the residential management server include an individual home automation (H/A) server 660 that provides the residential management service for an individual household, a management server 670, and an entire APT management server 680 that can provide the residential management service for the entire apartment complex, which is the entire residential space; however, the present invention is not limited thereto.

Various controlled devices managed per household, such as a watt-hour meter 662, a refrigerator 664, and an individual entrance door lock device 666, may be connected to the individual H/A server 660. A common entrance door lock device 672 and a door lock device 674 of the building's underground parking, which require control at the building level, can be connected to the APT management server 680, as can a CCTV 682, a vehicle entry opening/closing device 684, and the like.

Meanwhile, the authentication server 650 according to the present invention performs user authentication and the overall management or control of the client, and may include an authentication DB 652 storing user authentication information and the like. It stores the authentication information of the users who are provided with the residential management service according to the present invention, and the authentication information may include a user's ID/password, biometric information such as a fingerprint/iris, and the like.

Also, the authentication DB 652 may store a whitelist, which is a list of legitimate users.

The authentication server 650 may be installed in a security office, management office, or similar location that manages the entire residential space of an apartment complex, and may store and manage the authentication information of all residents along with their personal information.

At this time, the authentication server 650 can restrict the number or types of residential management servers for which a VPN may be set up for each user. For example, user A may be allowed to access only the individual H/A server, while user B may be allowed to access both the individual H/A server and the management server.

In the residential management system according to the present invention, the user runs the user authentication VPN agent installed on his or her client terminal to establish a dedicated VPN with the authentication server and then performs user authentication; only after that does the terminal establish a VPN connection to the relevant management server and obtain the required residential management service.

That is, the user receives both authentication and service through a single terminal, but over a communication system in which the user authentication domain and the service domain are separated into distinct channels, which provides a residential management service that is both secure and convenient.

FIG. 8 illustrates the process of providing a residential management service according to an embodiment of the present invention, in which the VPN used for user authentication and the VPN used for the residential management service are set up separately.

Referring to FIG. 8, the control VPN is first established between the client terminal and the authentication server by running the user authentication VPN agent on the client terminal (S810).

Next, iris recognition, which captures the user's authentication information, is performed on the client terminal (S820).

The captured iris information is transmitted to the authentication server through the control VPN, isolated from every other residential management server and every other VPN.

The authentication server performs user authentication by comparing the received authentication information with the authentication information stored in the authentication DB (S830).

When authentication is complete, the authentication server transmits the result to the client, and the client terminal is allowed to run one of the individual residential management VPN agents only if authentication succeeded.

As an example, on receiving a valid user authentication result the enable flag of one or more residential management VPN agents is changed to 1, and only a residential management VPN agent whose enable flag is set to 1 is permitted to execute.

Next, the client terminal runs the individual H/A server VPN connection agent, one of the enabled residential management VPN agents (S840), which establishes an individual H/A management VPN connection between the client terminal and the individual H/A server.

In this state, the user can remotely open the individual entrance door by sending a request to open the individual door lock device to the individual H/A management server (S850).

Then, if a residential management service through the management server is required, the client terminal runs the management server VPN connection agent, another of the enabled residential management VPN agents (S860), which establishes a VPN connection to the management server.

In this state, the user can remotely open the common entrance by sending a request to open the common entrance door lock device to the management server (S870).

An example of using the residential management system is described below.

Assume that a visitor arrives at the user's household while the user is away, so that the common entrance door and the individual entrance door must be opened remotely.

In this case, the user runs the user authentication VPN agent installed on a communication device such as his or her mobile phone, connects to the authentication server over the control VPN, which is a dedicated channel, and transmits his or her authentication information to securely complete user authentication.

Then the user runs the management server VPN connection agent, a separate program on the same communication device, establishes a VPN connection to the management server, and opens the common entrance of the corresponding building.

Next, the user runs the individual H/A management server VPN connection agent, another separate program on the same device, establishes a VPN connection to the individual H/A management server, and opens the household's entrance door.

Here, the authentication server restricts, per user, the number or types of residential management servers for which a VPN can be set up, so that different kinds of service can be provided to different users.
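The two-phase flow of FIG. 8 (control VPN for authentication, then per-server residential management VPNs gated by an enable flag) and the per-user restriction described above can be simulated end to end. The following is an added example written for this page, not code from the patent or from the applicant; the server labels, the salted-hash representation of the biometric template, the enrolment data, and the visitor walk-through are all constructed assumptions. The VPN tunnels themselves are modelled as labels, since the patent does not specify a tunnelling protocol.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Illustrative labels for the three residential management servers of FIG. 6
# (assumed names, not from the patent).
INDIVIDUAL_HA = "individual_ha_server"
MANAGEMENT = "management_server"
APT = "apt_management_server"
ALL_AGENTS = (INDIVIDUAL_HA, MANAGEMENT, APT)


def template_digest(template: bytes, salt: bytes) -> bytes:
    # Biometric templates are stored as salted SHA-256 digests in this example;
    # the patent only says the DB stores iris / fingerprint information.
    return hashlib.sha256(salt + template).digest()


@dataclass(frozen=True)
class AuthRecord:
    salt: bytes
    digest: bytes
    allowed_servers: frozenset  # service VPNs this user may set up (per-user restriction)


class AuthenticationServer:
    """Reachable only over the control VPN; holds the authentication DB / whitelist."""

    def __init__(self) -> None:
        self.db: dict[str, AuthRecord] = {}  # user ID -> record; membership is the whitelist

    def enroll(self, user_id: str, template: bytes, allowed: set[str]) -> None:
        salt = secrets.token_bytes(16)
        self.db[user_id] = AuthRecord(salt, template_digest(template, salt), frozenset(allowed))

    def authenticate(self, user_id: str, template: bytes):
        """S830: compare the received biometric with the stored record.
        Returns the authentication result (user + permitted servers) or None."""
        rec = self.db.get(user_id)
        if rec is None:
            return None  # not on the whitelist
        if not hmac.compare_digest(template_digest(template, rec.salt), rec.digest):
            return None
        return {"user": user_id, "allowed": rec.allowed_servers}


class ClientTerminal:
    """One terminal running one authentication VPN agent and several service VPN agents."""

    def __init__(self, auth_server: AuthenticationServer) -> None:
        self.auth_server = auth_server
        self.control_vpn_up = False
        self.enable_flag = {agent: 0 for agent in ALL_AGENTS}  # every service agent disabled
        self.service_vpn: dict[str, str] = {}  # agent -> established tunnel label

    def run_auth_agent(self, user_id: str, template: bytes) -> bool:
        # S810: the control VPN reaches the authentication server and nothing else.
        self.control_vpn_up = True
        # S820/S830: biometric sent over the control VPN and checked server-side.
        result = self.auth_server.authenticate(user_id, template)
        if result is None:
            self.enable_flag = {agent: 0 for agent in ALL_AGENTS}
            return False
        # Only agents named in the authentication result get enable_flag = 1.
        for agent in ALL_AGENTS:
            self.enable_flag[agent] = 1 if agent in result["allowed"] else 0
        return True

    def run_service_agent(self, agent: str) -> str:
        # S840/S860: a residential management VPN agent executes only with enable_flag = 1.
        if self.enable_flag.get(agent) != 1:
            raise PermissionError(f"{agent} VPN agent is not enabled for this user")
        self.service_vpn[agent] = f"tunnel:{agent}"
        return self.service_vpn[agent]

    def send_request(self, agent: str, request: str) -> tuple[str, str]:
        # S850/S870: service requests travel only inside an established service VPN,
        # never over the control VPN.
        if agent not in self.service_vpn:
            raise ConnectionError(f"no residential management VPN to {agent}")
        return (self.service_vpn[agent], request)


def visitor_scenario() -> list[tuple[str, str]]:
    """The visitor walk-through: user B opens the common entrance, then the household door."""
    auth = AuthenticationServer()
    # Constructed enrolment data, not from the patent.
    auth.enroll("user_a", b"iris-template-A", {INDIVIDUAL_HA})
    auth.enroll("user_b", b"iris-template-B", {INDIVIDUAL_HA, MANAGEMENT})
    term = ClientTerminal(auth)
    if not term.run_auth_agent("user_b", b"iris-template-B"):
        raise RuntimeError("authentication failed")
    sent = []
    term.run_service_agent(MANAGEMENT)
    sent.append(term.send_request(MANAGEMENT, "open common entrance door lock 672"))
    term.run_service_agent(INDIVIDUAL_HA)
    sent.append(term.send_request(INDIVIDUAL_HA, "open individual door lock 666"))
    return sent


if __name__ == "__main__":
    for tunnel, req in visitor_scenario():
        print(tunnel, "->", req)
```

The point the simulation makes explicit is that the service VPN agents never see the biometric data and the authentication server never carries a service request: the only thing that crosses from the control domain to the service domain is the per-user list of permitted servers, which the terminal turns into enable flags. A failed or missing authentication leaves every flag at 0, so running a service agent raises before any tunnel exists.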

FIG. 7 shows the overall configuration of a residential management system according to another embodiment of the present invention.

The residential management system according to the embodiment of FIG. 7 does not house the individual household server or the management server in the residential management server system; instead it comprises one or more cluster servers, each covering a certain range of the residential area, and a group management server that manages the cluster servers and performs user authentication through the control VPN.

Similarly to the embodiment of FIG. 6, the embodiment of FIG. 7 includes a client terminal 710 with a VPN agent for user authentication and a VPN agent for residential management, a control VPN, one or more residential management service VPNs, and a server system including a group management server 750 and at least one cluster server 760.

Since the configuration and function of the client terminal 710 are the same as in the embodiment of FIG. 6, the description is omitted to avoid redundancy.

The client terminal 710 runs the user authentication VPN agent, sets up the control VPN, and transmits the biometric information to the group management server for user authentication; only when authentication succeeds does it run a residential management VPN agent to establish a residential management VPN, after which it transmits a service request signal to the corresponding cluster server.

The residential management server system may include a group management server 750 that performs user authentication and manages the multiple cluster servers in cooperation with the control VPN, and one or more cluster servers 760 and 770, each linked to its own cluster VPN.

The group management server 750 is the main server; it may be installed in a central management office of an apartment complex or the like, performs user authentication in cooperation with the control VPN, and manages the plurality of cluster servers.

In addition, the group management server 750 may include a group DB 752 storing authentication information, such as the iris information of all residents in the group; this information can be integrated and stored / managed in the group DB.

The cluster servers 760 and 770 are local servers, each managing a certain area within the entire residential area. Each cluster server is connected to controlled devices such as a common entrance door lock device 765, a household door lock device 766, a parking lot door lock device 767, and CCTV 764.

The cluster servers 760 and 770 may have cluster DBs 762 and 772 that are separate from the group DB 752 of the group management server. A cluster DB can store and manage personal information, authentication information, and log information for the residents managed by that cluster.

Such a cluster server can be installed and operated in the guard room responsible for the area the cluster server covers.

As described above, when the residential management system according to the present invention is used, the channel carrying the control data for user authentication and the channel carrying the residential management service data are separated, which protects the various kinds of personal information generated in the residential management process.

Also, because the externally visible addresses of the authentication server and the service providing server can be hidden, security is further enhanced.

In addition, the construction and operation cost of a residential management system can be reduced by creating, building, and operating the required number of virtual private networks (VPNs) on existing network resources.

In addition, a user can safely use multiple residential management services at the same time from a single terminal.

In addition, the authentication server can restrict the types and number of residential management service VPNs that may be created for each user, thereby providing a tiered or selective residential management service per user.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the present invention as defined by the appended claims, and that such modification, separation, substitution, and alteration of the invention will be apparent to those skilled in the art. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.

610, 710: client terminal 630: residential management network
622, 722: control VPN 624, 626, 628: residential management service VPN
650: authentication server 660: individual H / A server
670: Management server 750: Group management server
760, 770: Cluster Server

Claims (10)

1. A residential management system using a plurality of virtual private networks, comprising:
a client terminal including a virtual private network (VPN) agent for user authentication and a VPN agent for residential management;
a residential management network that includes a control VPN and one or more residential management VPNs; and
a server system including an authentication server and a residential management server,
wherein the client terminal executes the user authentication VPN agent to set up the control VPN, receives biometric information, and transmits the biometric information to the authentication server to perform user authentication,
changes the enable flag of the residential management VPN agent to 1 when receiving a valid user authentication result,
and, only when user authentication has succeeded, permits only the residential management VPN agent whose enable flag is set to 1 to execute and set up the residential management VPN, after which it transmits a service request signal to the corresponding residential management server.

2. The residential management system according to claim 1, wherein the residential management network includes a terminal side access network, an access gateway, and a service gateway, and the control VPN and at least one residential management service VPN are formed between the access gateway and the service gateway.

3. The residential management system according to claim 2, wherein the control server or the authentication server performing the user authentication of the client is linked to the control VPN or the service gateway.

4. The residential management system according to claim 1, wherein the residential management server includes at least one of an individual H/A (home automation) server for residential management of each household, a management server for residential management of each residential building, and an entire apartment management server for managing the whole apartment complex.

5. (deleted)

6. The residential management system according to claim 1, wherein the authentication server restricts the number or types of residential management servers for which a VPN can be set up for each user.

7. The residential management system according to claim 1, wherein the residential management server includes at least one cluster server that covers a certain range of residential areas and a group management server that manages the cluster servers and performs user authentication through the control VPN.

8. The residential management system according to claim 7, wherein each of the cluster servers is connected to one or more controlled devices such as a common entrance door lock device, a household door lock device, a parking lot door lock device, and CCTV.

9. (deleted)

10. (deleted)
KR1020150087770A 2015-06-19 2015-06-19 Residence Management System using a plurality of virtual Private network KR101824642B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150087770A KR101824642B1 (en) 2015-06-19 2015-06-19 Residence Management System using a plurality of virtual Private network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150087770A KR101824642B1 (en) 2015-06-19 2015-06-19 Residence Management System using a plurality of virtual Private network

Publications (2)

Publication Number Publication Date
KR20160150251A KR20160150251A (en) 2016-12-29
KR101824642B1 (en) 2018-03-15

Family

ID=57736595

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150087770A KR101824642B1 (en) 2015-06-19 2015-06-19 Residence Management System using a plurality of virtual Private network

Country Status (1)

Country Link
KR (1) KR101824642B1 (en)

Also Published As

Publication number Publication date
KR20160150251A (en) 2016-12-29

Similar Documents

Publication Publication Date Title
US11343226B2 (en) Systems and methods for micro network segmentation
US9143400B1 (en) Network gateway configuration
KR20170015340A (en) Method and network element for improved access to communication networks
US10362000B2 (en) Virtual Wi-Fi network and secure tunnel provisioning for reliable, persistent connection of energy devices at the customer's premises
US20140075505A1 (en) System and method for routing selected network traffic to a remote network security device in a network environment
JP2007180998A (en) Wireless network controller, and wireless network control system
Iqbal et al. Analysis of security virtual private network (VPN) using openVPN
CN107005534A (en) Secure connection is set up
US20220210649A1 (en) Systems and method for micro network segmentation
US20130283050A1 (en) Wireless client authentication and assignment
US11316935B2 (en) Systems and method for micro network segmentation
US11991086B2 (en) Device-enabled access control in a mesh network
KR20170120291A (en) Blocking apparatus for abnormal device of internet of things devices and blocking method for the same
Pradana et al. The dhcp snooping and dhcp alert method in securing dhcp server from dhcp rogue attack
MX2013013745A (en) Device arrangement for implementing remote control of properties.
US20090271852A1 (en) System and Method for Distributing Enduring Credentials in an Untrusted Network Environment
KR101824642B1 (en) Residence Management System using a plurality of virtual Private network
WO2003075516A1 (en) A system and method for controlling the access to an external network
CN108712398A (en) Port authentication method, server, interchanger and the storage medium of certificate server
JP2012060357A (en) Remote access control method for mobile body system
KR20170017860A (en) Network virtualization system based of network vpn
KR101618092B1 (en) Financial Service System and Method using a plurality of virtual Private network
CN108667832A (en) Authentication method, server, interchanger based on configuration information and storage medium
US11805100B2 (en) Access control in a mesh network
Sujathakumari et al. A theoretical survey on MAC address blacklisting

Legal Events

Date Code Title Description
A201 Request for examination
A302 Request for accelerated examination
E902 Notification of reason for refusal
E601 Decision to refuse application
J201 Request for trial against refusal decision
J301 Trial decision

Free format text: TRIAL NUMBER: 2016101001836; TRIAL DECISION FOR APPEAL AGAINST DECISION TO DECLINE REFUSAL REQUESTED 20160328

Effective date: 20171013

S901 Examination by remand of revocation
GRNO Decision to grant (after opposition)
GRNT Written decision to grant