KR101824642B1 - Residence Management System using a plurality of virtual Private network - Google Patents
- Publication number
- KR101824642B1 (application KR1020150087770A)
- Authority
- KR
- South Korea
- Prior art keywords
- vpn
- server
- management
- residential
- service
- Prior art date
Classifications
- H, ELECTRICITY; H04, ELECTRIC COMMUNICATION TECHNIQUE; H04L, TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00, Network architectures or network communication protocols for network security
    - H04L63/02, Separating internal from external traffic, e.g. firewalls
      - H04L63/0272, Virtual private networks
    - H04L63/08, Authentication of entities
      - H04L63/0861, Authentication of entities using biometrical features, e.g. fingerprint, retina-scan
  - H04L41/00, Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    - H04L41/28, Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
Abstract
The present invention relates to a residential management system and method using multiple virtual private networks. The system comprises a client terminal that includes a VPN agent for user authentication and one or more VPN agents for residential management; a residential management network that includes a control VPN and at least one residential management VPN; and a server system that includes an authentication server and a residential management server. The network used for user authentication is thereby separated from the network used for the residential management service.
Description
The present invention relates to a residential management system and method using a multi-virtual private network.
A general communication system is composed of a client terminal, a service providing server, and a communication network connecting the client terminal and the service providing server.
Also, in order to provide various communication services such as finance and home automation, one terminal must connect to a plurality of service providing servers, and the communication network should be appropriately separated for this multiple access.
FIG. 1 shows an example of a general communication network in which a client such as the PC 10 or the
In addition, the communication
When such a communication system is used, a user of the client terminal performs packet communication with one or more service servers to receive a desired specific service.
In the communication system of FIG. 1, one or more routers may be used to provide a path along which packets move. A router reads the destination address contained in a transmitted packet and forwards the packet over the most appropriate path when information is exchanged between connected networks, for example to relay between different local area networks (LANs) or to connect a LAN to a wide area network (WAN). It is essential equipment for connecting to the Internet and a core communication device that selects the path over which information is transmitted in networks that operate with different protocols.
Such a conventional router builds network paths on the basis of IP prefixes, so the networks used by the various services are not separated from each other.
In particular, because the network used for the management and control of user authentication is not distinguished from the network that carries the service data of the actual service, there is a possibility that sensitive authentication information transmitted and received over the management and control network is exposed to the outside.
FIG. 2 is a configuration diagram of each node of a general communication system.
2, in the case of a general computer network, a
Meanwhile, the server
In this general communication network, terminal access control is performed between the
In addition, the
Data communication over a computer network can broadly be realized as packet communication or circuit communication.
In a packet network, a client generates a packet and transmits it to an adjacent router. The router cannot perform access control such as identifying the user. In addition, an IP network transmits on a per-packet basis, and TCP/IP, the protocol used for such packet transmission, is not only vulnerable to forgery and falsification of data but also offers no way to isolate the network. In other words, packet communication is superior in transmission efficiency but weak in data security.
Conversely, in circuit communication, a connection request from the terminal is passed through a modem to a gateway such as a PBX. The PBX can first authenticate the user's identity by communicating with a server, and the PSTN server exchanges information only after a channel has been formed through the PSTN network. Such circuit communication has excellent data security but inefficient data transmission.
DISCLOSURE OF THE INVENTION
In view of the above, the present invention uses a packet network for its transmission efficiency, divides the network into a plurality of virtual private networks, and provides a control network for authentication and control separately from a service network for providing the service. In this way it establishes a communication system that is excellent in transmission efficiency while not being vulnerable in data security or user authentication.
In other words, by separating the control network from the service network on the basis of virtual networks, a service environment with security built in is established, and a secure and efficient communication system is obtained that permits authorized network access to authorized devices and users at any time and any place.
Accordingly, it is an object of embodiments of the present invention to provide a communication system that is excellent in data transmission efficiency and strong in data security.
It is another object of the present invention to provide a communication system having a service environment with security built in through the separation of a control network and a service network, both based on virtual private networks (VPNs).
It is another object of the present invention to provide a secure and efficient communication system that permits authority-based network access, using a client installed with two or more virtual private network agents, a network including a control VPN and at least one service VPN, and a server system including a control server and at least one service providing server.
Another object of the present invention is to provide a residential management system constructed using the above-described communication system.
It is another object of the present invention to provide a residential management system in which the network for user authentication and the network for the residential management service are separated, using a client terminal including a VPN agent for user authentication and a VPN agent for residential management, a residential management network including a control VPN and at least one residential management VPN, and a server system including an authentication server and a residential management server.
According to an aspect of the present invention, there is provided a residential management system including a client terminal including a VPN agent for user authentication and a VPN agent for residential management, a residential management network including a control VPN and at least one residential management VPN, and a server system including an authentication server and a residential management server.
According to another aspect of the present invention, there is provided a residential management method using multiple virtual private networks, the method comprising: executing the VPN agent for user authentication installed in a client terminal to set up a control VPN between an authentication server and the client terminal, and then performing user authentication; executing one of the residential management VPN agents installed in the terminal; and setting up a residential management VPN between the residential management server and the client terminal in accordance with the execution of that residential management VPN agent.
FIG. 1 shows an example of a general communication network.
FIG. 2 is a detailed configuration diagram of each node of a general communication system.
FIG. 3 shows the overall configuration of a communication system according to an embodiment of the present invention.
FIG. 4 illustrates details of a client terminal and a terminal-side network included in a communication system according to an embodiment of the present invention.
FIG. 5 illustrates the entire communication flow of the communication system according to the present invention, in which user authentication using the control VPN and service provision using the service VPN are performed separately.
FIG. 6 shows the overall configuration of a residential management system according to an embodiment of the present invention.
FIG. 7 shows the overall configuration of a residential management system according to another embodiment of the present invention.
FIG. 8 illustrates the process of providing a residential management service according to an embodiment of the present invention, in which user authentication using the control VPN and the residential management service using the residential management VPN are performed separately.
Hereinafter, some embodiments of the present invention will be described in detail with reference to exemplary drawings. In the drawings, like reference numerals are used to denote like elements throughout the drawings, even if they are shown on different drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.
In describing the components of the present invention, terms such as first, second, A, B, (a), and (b) may be used. These terms are intended to distinguish one component from another, and they do not limit the nature, order, or number of the components. When a component is described as being "connected" or "coupled" to another component, the component may be directly connected or coupled to the other component, or another component may be "intervening" between them; that is, each component may be "connected" or "coupled" through other components.
FIG. 3 shows the overall configuration of a communication system according to an embodiment of the present invention.
The communication system according to the embodiment of the present invention includes a
The
In this specification, a virtual private network (VPN) means a communication service that provides a special communication scheme and an encryption scheme so that the public Internet can be used as if it were a dedicated line.
That is, after a client and a specific server are connected over a public communication network, the two communicating devices obtain the same effect as dedicated-line communication by using a predetermined communication protocol and encryption technique.
For such a VPN, a VPN program must be installed on the client side. When the VPN is executed, data is processed with the predetermined protocol and encryption method before being transmitted to the server side, and the server decrypts the data and processes it.
The communication channel thus formed between the client and the server, which behaves like a leased line, can be referred to as a VPN.
Meanwhile, the
The two or more terminal-side VPN nodes included in the
Similarly, the
A
The
More specifically, the
Also, the connection between the
According to the present invention, when the client terminal is a wireless terminal accessing through a wireless access point (AP), it is connected via a wireless access point tunnel, and the wireless access point tunnel can be connected to a predefined (configuration-managed) virtual router.
Similarly, the
In more detail, the
The
The control server's
In addition, a whitelist, which is a legitimate user list, may be stored in the
The
Meanwhile, the
Meanwhile, in order to construct the communication system according to the present invention, various software must be installed in the control server and the client.
The
In addition, the
Meanwhile, the
FIG. 4 illustrates details of a client terminal and a terminal-side network included in a communication system according to an embodiment of the present invention.
As shown in FIG. 4, the
In addition, a separate VPN is established by the execution of each VPN agent. More specifically, when the
The
FIG. 5 illustrates the entire communication flow of the communication system according to the present invention; user authentication using the control VPN and service provision using the service VPN are performed separately.
As shown in FIG. 5, the control VPN is first established between the client and the control server by executing the control VPN agent on the client terminal side (S510).
Next, authentication information of the user or the client terminal, that is, an ID/password or biometric information such as a fingerprint or iris, is input using the client terminal (S520).
The entered authentication information is transmitted to the control server over the control VPN, isolated from the other service servers and the other VPNs.
The control server compares the received authentication information with the authentication information stored in the control DB or the like to perform user authentication (S530).
When user authentication is completed, the control server transmits the result to the client. Only when authentication has succeeded may the client terminal execute the individual service VPN agents.
For example, when a valid user authentication result is received, the enable flag of each of the two or more service VPN agents may be changed to 1, and execution of a service VPN agent is permitted only when its enable flag is set to 1 (S540).
Next, the client terminal executes the VPN agent (
Next, the client terminal transmits and receives data to and from the
At this time, the control server can grant each user authority to execute service VPN agents in a tiered manner. For example, it is possible to allow all service VPN agents of
As described above, according to the present invention, a control VPN is established between the client terminal and the control server and control information such as user authentication information is transmitted over it; a service VPN is set up only once the user has been authenticated, and only then can data be exchanged with the service server. Security is thereby obtained by separating the channel for control data from the channel for service data.
In other words, secure computer networking is possible because the network management domain (control domain) and the data domain are completely separated using multiple VPNs.
Further, because the addresses of the control server and the service providing server can be concealed from the outside, security is enhanced.
In addition, according to the present invention, operating cost can be reduced by creating, constructing, and operating the required number of virtual networks (VPNs) on existing network resources in combination with a terminal-side virtualization solution (the VPN agents), and the purchase cost and power consumption of terminals can be minimized because various tasks and Internet use are possible with a minimum number of terminals.
That is, a control VPN agent for user authentication and service VPN agents for a plurality of services are installed together on one client terminal, and the VPN agent corresponding to the purpose at hand is executed so that user authentication and service provision each use their own virtual private network; the user can therefore receive a plurality of services with one terminal.
It is also advantageous that the control server can restrict the types and number of service VPNs that can be created for each user, thereby providing tiered or selective service for a plurality of users.
FIG. 6 shows the overall configuration of a residential management system according to an embodiment of the present invention.
As in FIGS. 3 to 5, the residential management system according to the present invention includes a
The
Similar to the control VPN agent described in FIGS. 3 and 4, the
Where the user authentication information is an ID/password, a character/number input pad is used to enter the user authentication information; where the user authentication information is biometric, such as a fingerprint or iris, fingerprint input means or iris recognition means is used.
The
The
At this time, both ends of the
That is, the
In addition, the residential management server system may include an
Examples of the residential management server include an individual home automation (H / A)
A
Meanwhile, the
Also, the
The
At this time, the
In the residential management system according to the present invention, a user executes the VPN agent for user authentication installed on his or her client terminal to establish a dedicated control VPN with the authentication server and then performs user authentication; after establishing a VPN connection to the residential management server, the user can obtain the necessary residential management service.
That is, the user receives authentication and service through a single terminal, but over a communication system in which the user authentication domain and the service domain are separated into separate channels, so that a residential management service with excellent security and convenience is provided.
FIG. 8 illustrates the process of providing a residential management service according to an embodiment of the present invention; user authentication using the control VPN and the residential management service using the residential management VPN are performed separately.
As shown in FIG. 8, the control VPN is established between the client and the authentication server by executing the VPN agent for user authentication on the client terminal side (S810).
Next, iris recognition, which provides the user's authentication information, is performed using the client terminal (S820).
The iris information, which is the entered authentication information, is transmitted to the authentication server over the control VPN, isolated from the other residential management servers and the other VPNs.
The authentication server performs user authentication by comparing the received authentication information with the authentication information stored in the authentication DB or the like (S830).
When user authentication is completed, the authentication server transmits the user authentication result to the client, and the client terminal is allowed to execute the individual residential management VPN agents only when authentication has succeeded.
For example, when a valid user authentication result is received, the enable flag of each of the two or more residential management VPN agents is changed to 1, and only a residential management VPN agent whose enable flag is set to 1 is executed.
Next, the client terminal executes the individual H/A server VPN connection agent, one of the enabled VPN agents for residential management (S840), and accordingly an individual H/A management VPN connection is established between the client terminal and the individual H/A management server.
In this state, the user can remotely open the individual entrance door by transmitting a signal requesting the opening of the individual door lock device to the individual H/A management server (S850).
Then, if a residential management service through the management server is required, the client terminal executes the management server VPN connection agent, another of the enabled VPN agents for residential management (S860), and a VPN connection is established with the management server.
In this state, the user can remotely open the common entrance by transmitting a signal requesting the opening of the common entrance door lock device to the management server (S870).
An example of using the residential management system is as follows.
Assume that a visitor has arrived at the user's household, that the common entrance door and the individual entrance door must be opened, and that the user is at a remote location.
In this case, the user executes the VPN agent for user authentication installed on a communication device such as his or her mobile phone, connects the control VPN, which is a dedicated channel, to the authentication server, and transmits his or her authentication information so that user authentication is performed securely.
Then the user executes the management server VPN connection agent, another program on the same communication device, establishes a VPN connection with the management server, and opens the common entrance gate of the building.
Next, the user executes the individual H/A management server VPN connection agent, another program on the same communication device, establishes a VPN connection with the individual H/A management server, and opens the entrance door of the household.
At this time, the authentication server restricts the number or types of residential management servers with which each user can set up a VPN, so that the kinds of service provided differ from user to user.
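The flow of FIG. 5 (S510 to S540) and FIG. 8 (S810 to S870), together with the per-user restriction described just above and the cluster server of the FIG. 7 embodiment, as an added example written for this page rather than code from the patent. The client terminal, the authentication server, and the residential management servers are simulated in one process; iris matching is stood in for by a hash comparison on constructed sample bytes, and the MAC-protected ticket that the authentication server hands the client and that each service gateway verifies with a shared key is an assumption, since the patent only states that the gateway is linked to the authentication server and that the client flips an enable flag.

```python
"""Simulation of the two-phase flow: user authentication over a control VPN,
then per-service VPN agents that run only when enabled by a valid result.
Example code written for this page; the ticket format and the key shared
between the authentication server and the service gateways are assumptions."""
import hashlib
import hmac
import secrets

SERVICE_VPNS = ("individual_ha", "management", "cluster")


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed authentication DB (the page's control DB / whitelist). Real iris
# matching is fuzzy; here the template is a hash of a constructed sample.
USER_DB = {
    "resident-101": {"template": _digest(b"iris-sample-101"),
                     "vpns": {"individual_ha", "management"}},
    "guard-1": {"template": _digest(b"iris-sample-guard"),
                "vpns": {"management", "cluster"}},
}


class AuthenticationServer:
    """Reachable only over the control VPN (S510/S810). On success it returns a
    MAC-protected ticket naming the service VPNs this user may set up."""

    def __init__(self, db):
        self.db = db
        self.key = secrets.token_bytes(32)  # shared with the gateways (assumption)

    def _mac(self, ticket):
        msg = "|".join([ticket["user"], ticket["sid"], ",".join(sorted(ticket["vpns"]))])
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, user, iris_sample):
        rec = self.db.get(user)
        if rec is None or not hmac.compare_digest(rec["template"], _digest(iris_sample)):
            return None  # S530/S830 failed: no service agent may be enabled
        ticket = {"user": user, "sid": secrets.token_hex(8), "vpns": frozenset(rec["vpns"])}
        ticket["mac"] = self._mac(ticket)
        return ticket

    def verify(self, ticket):
        return ticket is not None and hmac.compare_digest(ticket["mac"], self._mac(ticket))


class ServiceGateway:
    """Terminates one residential management VPN (individual H/A, management or
    cluster server). It checks the ticket itself rather than trusting the client."""

    def __init__(self, name, auth):
        self.name, self.auth, self.log = name, auth, []

    def request(self, ticket, command):
        if not self.auth.verify(ticket) or self.name not in ticket["vpns"]:
            return "refused"
        self.log.append((ticket["user"], command))  # e.g. open a door lock
        return "ok"


class ClientTerminal:
    """One terminal carrying the control VPN agent and all service VPN agents."""

    def __init__(self, auth, gateways):
        self.auth, self.gateways = auth, gateways
        self.enable = {v: 0 for v in SERVICE_VPNS}  # enable flags start at 0
        self.ticket = None

    def login(self, user, iris_sample):
        self.ticket = self.auth.authenticate(user, iris_sample)  # S520-S530
        for v in SERVICE_VPNS:  # S540: set a flag to 1 only on a valid result
            self.enable[v] = 1 if self.ticket and v in self.ticket["vpns"] else 0
        return self.ticket is not None

    def run_service_agent(self, vpn, command):
        if self.enable.get(vpn) != 1:  # the agent may not even start
            return "agent disabled"
        return self.gateways[vpn].request(self.ticket, command)  # S850/S870


def build_system():
    auth = AuthenticationServer(USER_DB)
    gateways = {v: ServiceGateway(v, auth) for v in SERVICE_VPNS}
    return ClientTerminal(auth, gateways)


def resident_scenario():
    """The visitor scenario from the text: authenticate, open the common entrance
    via the management server, then the household door via the individual H/A server."""
    term = build_system()
    ok = term.login("resident-101", b"iris-sample-101")
    common = term.run_service_agent("management", "open_common_entrance")
    household = term.run_service_agent("individual_ha", "open_household_door")
    cluster = term.run_service_agent("cluster", "open_parking_gate")  # not granted
    term.enable["cluster"] = 1  # a tampered flag alone does not help
    tampered = term.run_service_agent("cluster", "open_parking_gate")
    return ok, common, household, cluster, tampered


if __name__ == "__main__":
    print(resident_scenario())
```

The enable flag reproduces the client-side gate of S540 exactly. Because that flag is state held on the terminal, the example also has each service gateway check the authentication result itself, so a terminal that sets a flag to 1 without a valid result, or a user whose result does not cover that server, is still refused at the gateway; this is the server-side counterpart of the restriction the authentication server applies per user. Running the file directly prints the outcome of the resident scenario.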
FIG. 7 shows the overall configuration of a residential management system according to another embodiment of the present invention.
The residential management system according to the embodiment of FIG. 7 is configured so that the residential management server does not house individual household servers or a management server, but instead comprises one or more cluster servers, each covering a certain range of residential area, and a group management server that manages the cluster servers and performs user authentication through the control VPN.
FIG. 7 includes a
Since the configuration and the function of the
The
The residential management server system may include an
The
In addition, the
The
The
Such a cluster server can be installed and operated in the guard room that manages the area covered by the cluster server.
As described above, when the residential management system according to the present invention is used, the channel carrying control data for user authentication and the channel carrying residential management service data are separated, so the security of the various items of personal information generated in the residential management process can be secured.
Also, because the addresses of the authentication server and the service providing server of the residential management system can be hidden from the outside, security is enhanced.
In addition, according to the present invention, the construction and operating cost of a residential management system can be reduced by creating, constructing, and operating the required number of virtual networks (VPNs) on existing network resources.
In addition, the user can safely use various residential management services at the same time with one terminal.
In addition, the authentication server can restrict the types and number of residential management service VPNs that can be created for each user, thereby providing a tiered or selective residential management service for each user.
It will be apparent to those skilled in the art that various modifications, variations, combinations, separations, substitutions, and alterations can be made to the present invention without departing from the spirit or scope of the present invention as defined by the appended claims. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of their equivalents should be construed as falling within the scope of the present invention.
610, 710: client terminal 630: residential management network
622, 722: control
650: authentication server 660: individual H / A server
670: Management server 750: Group management server
760, 770: Cluster Server
Claims (10)
A residential management network that includes a control VPN and one or more residential management VPNs; and
a server system including an authentication server and a residential management server,
wherein the client terminal executes the user authentication VPN agent to set up a control VPN, receives biometric information, and transmits the biometric information to the authentication server to perform user authentication,
changes the enable flag of the residential management VPN agent to 1 when a valid user authentication result is received, and,
only when user authentication has been performed, permits execution of only the residential management VPN agent whose enable flag is set to 1, sets up the residential management VPN, and then transmits a service request signal to the corresponding residential management server: a residential management system using multiple virtual private networks.
The residential management system using multiple virtual private networks, wherein the residential management network includes a terminal-side access network, an access gateway, and a service gateway, and the control VPN and the at least one residential management service VPN are formed between the access gateway and the service gateway.
The residential management system, wherein the control server or authentication server that performs user authentication of the client is linked to the control VPN or the service gateway.
The residential management system using multiple virtual private networks, wherein the residential management server includes at least one of an individual H/A (home automation) server for residential management of each household, a management server for residential management of each residential building, and a whole-apartment management server for managing all apartments.
The residential management system, wherein the authentication server restricts the number or types of residential management servers with which a VPN can be set up for each user.
The residential management system using multiple virtual private networks, wherein the residential management server includes at least one cluster server that covers a certain range of residential area and a group management server that manages the cluster servers and performs user authentication through the control VPN.
The residential management system, wherein each of the cluster servers is connected to one or more controlled devices such as a common entrance door lock device, a household door lock device, a parking lot door lock device, and a CCTV.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150087770A KR101824642B1 (en) | 2015-06-19 | 2015-06-19 | Residence Management System using a plurality of virtual Private network |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20160150251A KR20160150251A (en) | 2016-12-29 |
KR101824642B1 true KR101824642B1 (en) | 2018-03-15 |
Family
ID=57736595
Status: KR1020150087770A, filed 2015-06-19, granted as KR101824642B1, active (IP right grant)
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| A201 | Request for examination | |
| A302 | Request for accelerated examination | |
| E902 | Notification of reason for refusal | |
| E601 | Decision to refuse application | |
| J201 | Request for trial against refusal decision | |
| J301 | Trial decision | Trial number 2016101001836; trial decision on the appeal against the decision of refusal, requested 2016-03-28, effective 2017-10-13 |
| S901 | Examination by remand of revocation | |
| GRNO | Decision to grant (after opposition) | |
| GRNT | Written decision to grant | |