KR101873970B1 - System for physically separating network using diskless solution - Google Patents

Abstract

The present invention relates to a physical network separation system using a diskless solution, and more particularly, At least one Internet PC; And a smart disk server, wherein the business network used by the business PC and the Internet network used by the Internet PC are physically separated, wherein the Internet PC is connected to the LAN via a hard disk drive The smart disk server collectively manages and manages the operating system and software of the Internet PC, stores and manages data for each Internet PC, And controlling the I / O port of the Internet PC to prevent the external data input / output device from being connected to the Internet PC.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a system for separating physical networks using a diskless solution,

The present invention relates to a physical network separation system using a diskless solution, and more particularly, to a network separation system that physically separates a business network, which is a security network, and an internet network, which is an insecure network, Lease solution to save and manage operating system, software, and data of PC for Internet use in a server, thereby saving PC equipment cost and management cost added according to network separation.

The diskless solution is to boot the OS through a general network card without installing a separate hard disk in the PC, and the OS, software and data of all the PCs are stored in the integrated space provided by the central server.

Because the central server provides installation automation, OS installation is possible without accessing individual PCs, and disk data can be centrally managed similar to desktop virtualization, and the performance of each PC can be maintained at the highest level at all times.

The advantage of diskless solution is that the data is stored only on the central server, so it is highly secure. As the function of virtualization, the image of each PC is managed as a file on the central server, so it is easy to backup and recover. In addition, it can be restored very quickly through installation automation even when reinstalling due to OS damage.

Meanwhile, the network separation system is intended to separate an internal network and an external network from each other to prevent intrusion into the outside, and to prevent leakage of internal information. Recently, interest in network security enhancement using network separation is increasing.

Network separation is a government-level project that has been introduced to public institutions since 2007 by the National Intelligence Service. It is divided into physical network separation and logical network separation.

Of these, the physical network separation is the physical separation of the network, literally, the establishment of the external network and the internal network separately. The advantage of this method is that it is physically separated so that the visibility can be confirmed, the separated state can be confirmed directly by the eye, the system is complete, and no special technique is needed, However, since PCs are needed for each network, there is a problem of cost to pay two PCs per person, and there is a drawback in that it is necessary to work while going to each PC.

In addition, in the conventional physical network separation system, security may be threatened by network connection of an external terminal. For example, if one employee is resting at home and has a good idea, write a draft with a PC at home, put it on a USB memory stick, and then connect the USB memory to a business PC connected to the internal network, If there was a malicious code that attacked a USB memory or a word program, it could be infected with malicious code.

In order to compensate for the disadvantages of the physical network separation as described above, a network separation method using a virtualization technique such as SBC network separation, virtualization network separation on a desktop, and OS separation using virtualization has been developed, There is a problem that the system can not be completely separated from the network such as the network separation.

According to the above-mentioned situation, a new network separation method for preventing the consumption of additional costs such as PC, management point and management cost in the physical network separation, stabilizing the hardware including the PC, enhancing security and improving the management convenience And even if the network is separated, the malicious code of the external network may enter into the internal network by various scenarios such as USB. Therefore, there is a need for security measures against network separation.

Hereinafter, the prior art in the technical field will be described, and the present invention will be described by distinguishing it from the prior art.

Korean Patent Registration No. 1432626 relates to a physical separation device for internal and external networks, and more particularly, to a network separation board on which a network separation operating system connected to an internal network or an external network is mounted; A mounting member provided on one side of the network separation board and mounted on a built-in terminal slot in a main body of the PC; A KVM module mounted on the network separation board and supporting the network separation operating system and the main operating system of the main board provided in the main body of the PC to share and use peripherals (keyboard, monitor, mouse, etc.) of the PC; Desc / Clms Page number 2 > physical network separating apparatus, which is incorporated herein by reference.

The prior art document does not require a separate PC for each of the internal and external networks by separating the physical network through a separate device (network separation device) in order to construct a physical network separation system. However, There is a problem in that the network separation construction cost is consumed by the number of PCs.

Korean Patent Laid-Open Publication No. 2015-0019315 relates to a method for controlling physically separated computers on a single monitor screen and a security system thereof. More specifically, a set-top box stores a position of a cursor displayed on the monitor screen The set-top box may include a keyboard signal generated from a mouse signal generated from a mouse connected to the set-top box or a keyboard connected to the set-top box, Transmitting a mouse signal or a keyboard signal to a computer judged to be a computer to which the set-top box will connect, generating a mouse signal or a keyboard signal and generating a video signal, Outputting the set-top box, Controlling the scaling conversion or the color space conversion according to whether the video signals received from the main computer and the non-connected computer are connected computers, and synthesizing the converted video signals and displaying them on the monitor is described .

The above prior art document can solve some of the resource waste which is a disadvantage of the conventional physical network separation technology by controlling a plurality of computers separated by a network using a single monitor, a keyboard and a mouse connected to a set-top box, A keyboard, and a mouse. However, there is still a problem that a separate PC must be provided in accordance with the physical network separation.

The present invention has been made in order to solve the above problems, and it is an object of the present invention to prevent unnecessary expenses such as a PC, a management point, and management cost from being consumed when a network is separated, In order to improve the convenience and convenience of strengthening and managing the network, it is necessary to provide a network separation system that can operate and manage the operating system and software of the Internet PC, which are added according to the physical network separation through the diskless solution .

A physical network separation system using a diskless solution according to an embodiment of the present invention includes at least one business PC; At least one Internet PC; And a smart disk server, wherein the business network used by the business PC and the Internet network used by the Internet PC are physically separated, wherein the Internet PC is connected to the LAN via a hard disk drive The smart disk server collectively manages and manages the operating system and software of the Internet PC, stores and manages data for each Internet PC, And controlling the I / O port of the Internet PC to prevent the external data input / output device from being connected to the Internet PC.

In an embodiment of the physical network separation system utilizing the diskless solution, the Internet network includes a Network Access Controller (NAC), and monitors terminal information connected to the Internet network through the NAC, So that the connection can be blocked or released.

In addition, the NAC may provide a real-time notification function, a blocking function for a specific IP address and a MAC address, and a trial period to the user and the administrator when the terminal is disconnected, as an embodiment of the physical network separation system utilizing the diskless solution. A function of allocating an IP to a visitor or a temporary user, an automatic recovery of an IP address not used for a long time, and a function of blocking a network when using the corresponding IP after automatic recovery.

In addition, as an embodiment of the physical network separation system utilizing the discless solution, secure data transmission and strip connection between the business network and the Internet network are performed through a data transmission system and a strip connection system.

As an embodiment of the physical network separation system utilizing the discless solution, the data transmission system includes an L4 switch on the side of the business network, an internal system server for data transmission, an L4 switch on the side of the Internet network, And data transmission is performed through an external system server.

In addition, as an embodiment of the physical network separation system utilizing the diskless solution, the data transmission system may include a function of performing up / down and malicious code checking at the time of file transmission, A transmission blocking function, an infected file transmission blocking function after a malicious code inspection of a transmission file, an encryption communication function between a sender and a receiver at the time of file transmission, and a file integrity checking function during a transmission / reception of a file.

As an embodiment of the physical network separation system utilizing the diskless solution, the data transmission system uses its own protocol as NON-TCP communication, analyzes the communication request protocol in file transmission, And a plurality of pixels.

As an embodiment of the physical network separation system utilizing the discless solution, the strip connection system includes an L4 switch on the side of the business network and an internal system server for strip connection, an L4 switch on the side of the Internet network, And the strip connection is performed through the external system server.

In one embodiment of the physical network separation system utilizing the diskless solution, the strip connection system constitutes a unidirectional communication session from the internal system server for strip connection to the external system server for strip connection, Thereby preventing security vulnerabilities and hacking threats caused by opening the inbound ports.

In addition, as an embodiment of the physical network separation system utilizing the diskless solution, the strip connection system uses its own protocol as NON-TCP communication, analyzes the communication request protocol in the strip connection, .

In addition, as one embodiment of the physical network separation system utilizing the diskless solution, the file transmission system or the strip connection system may be constructed by using two internal system servers and two external system servers to form a dual structure, Even if a failure occurs in the file transfer system section or the strip link system section of the optical disk apparatus, the file transfer or the strip link can be normally performed.

As an embodiment of the physical network separation system utilizing the diskless solution, the file transmission system or the strip connection system may be a system for connecting the two internal system servers and two external system servers, The L4 switch and the L4 switch on the side of the Internet network are provided so that the L4 switch failure and the file transmission or the strip connection can be normally performed even if the failure occurs in the file transmission system section or the strip connection system section.

The present invention relates to a physical network separation system using a diskless solution, which separates a business network and an Internet network into physical network separation methods, establishes a diskless server for an Internet PC in the Internet network, By operating and managing the operating system and software of each Internet PC in a lump, it is possible to manage the software easily without needing the recovery solution for each PC and manage the software easily. And it is possible to overcome the problem of HDD failure, to realize hardware stabilization more easily, and to control the I / O port of each PC, thereby improving the security of the network and the network.

1 is a view for explaining a physical network separation system utilizing a diskless solution according to an embodiment of the present invention.
FIG. 2 is a view for explaining a redundancy configuration of an eternal system server and an external system server according to an embodiment of the present invention.
3 is a view for explaining the L4 switch duplication configuration according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to the present embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. Explain it.

In the drawings of the present invention, the sizes and dimensions of the structures are enlarged or reduced from the actual size in order to clarify the present invention, and the known structures are omitted so as to reveal the characteristic features, and the present invention is not limited to the drawings .

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail to avoid obscuring the subject matter of the present invention.

In addition, since the embodiments described in the present specification and the configurations shown in the drawings are only the most preferred embodiments of the present invention and do not represent all the technical ideas of the present invention, It is to be understood that equivalents and modifications are possible.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a physical network separation system and a method thereof using a diskless solution according to the present invention will be described in detail with reference to the accompanying drawings.

The present invention relates to a network separation system that physically separates a business network and the Internet network, and applies a diskless solution to an Internet PC in the Internet network to reduce the cost of the internet PC equipment Thereby improving the security of the network and the manganese.

For reference, a diskless solution is a network system consisting of a LAN, an Ethernet card, and a switch hub, which is generally called DISKLESS, HARDLESS, NOHARD, etc., Is uploaded to a virtual IMG file arbitrarily generated by a manager from a central server (a smart disk server in the present invention), and then each PC user uses the PC using the IMG file stored in the server in a LAN booting manner It is possible to operate PC without installing separate HDD in each PC.

In other words, the diskless solution uses the LAN communication method and the LAN boot method to transfer the OS file and the software file from the central server, so that the PC can be operated without the HDD.

1 is a view for explaining a physical network separation system utilizing a diskless solution according to an embodiment of the present invention.

As shown in FIG. 1, a physical network separation system utilizing a diskless solution includes at least one business PC; At least one Internet PC; And a smart disk server, wherein the business network used by the business PC and the Internet network used by the Internet PC are physically separated, wherein the Internet PC is connected to the LAN via a hard disk drive The smart disk server collectively manages and manages the operating system and software of the Internet PC, stores and manages data for each Internet PC, By controlling the I / O port of the Internet PC, it is possible to manage and control all the data of each Internet PC by preventing the external data input / output device from being connected to the Internet PC.

In addition, as described above, the present invention separates the business network and the Internet network into physical network separation methods, establishes a diskless server for the Internet PC in the Internet network, By managing and managing the software in a lump, it is effective to increase the convenience of management, such as the recovery solution for each Internet PC is unnecessary and the software can be easily managed.

In addition, all Internet PCs are always initialized to the same state at the time of rebooting by the smart disk server, and the PC state of the initial setting state is always retrieved. Therefore, the same SSD class booting, reading and writing speeds can always be implemented, The PC state can be maintained.

In addition, since all the OS and software are stored and managed in the smart disk server, it is possible to solve the HDD failure which occupies 50% of the PC hardware failure because no separate hard disk is required for each PC, It is possible to protect the PC from the power consumption and the hardware stabilization effect.

In addition, since the administrator can manage each PC through the diskless server, it is possible to prevent installation of software not authorized by the administrator, to protect intellectual property rights such as prevention of illegal software use, By operating system virtualization by server and application virtualization, each PC can be protected from malicious code and virus. By controlling I / O port of each PC, it is possible to control not to use keyboard, mouse and unauthorized USB port So that the security of the network and the manganese can be improved.

Since the Internet PC is operated through a smart disk server, a hard disk is not required. Therefore, the Internet PC is composed of a monitor, a keyboard, a mouse, and a computer main body. The computer includes a main board, a CPU, a RAM, It shall be the minimum component.

In addition, the present invention may include a network access controller (NAC) in the Internet network for management and control of various terminals connected to the Internet network.

And monitor or access to the terminal connected to the Internet network through the NAC. More specifically, the NAC includes a terminal tracking and monitoring function connected to the Internet network, a real-time notification function for a user and an administrator when blocking a terminal connection, a blocking function for a specific IP address and a MAC address, A function of assigning an IP to a user, an automatic recovery of an IP address that has not been used for a long time, and a function of blocking a network when using the corresponding IP after automatic recovery.

Accordingly, the present invention can secure visibility of the Internet network, perform role-based access control through authentication, secure the integrity of the terminal according to the security standard established by the administrator, It is possible to block and control the connection of weak terminals.

In addition, since the business network and the Internet network are physically separated from each other in the present invention, it is necessary to secure network connection for data exchange and business service connection necessary for business execution. It is difficult to record logs of manganese exchange data when data is exchanged using a removable memory device such as USB without network connection, and it is difficult to track the outflow route when a security incident such as data leakage occurs, There may be a problem that the data is leaked to the outside.

In order to solve such problems, the present invention performs secure data transmission and strip connection between the business network and the Internet through a data transmission system and a strip connection system.

FIG. 2 is a view for explaining a redundancy configuration of an eternal system server and an external system server according to an embodiment of the present invention.

As shown in the figure, the data transmission system performs data transmission through an L4 switch on an office network side, an internal system server for data transmission, an L4 switch on the Internet network side, and an external system server for data transmission.

The file transfer system includes an internal system server for data transfer and an external system server for data transfer, a function for checking whether the file is transferred, a function for checking malicious code, , An infected file transmission blocking function after the malicious code of the transmission file, an encryption communication function between the sender and the receiver at the time of file transmission, and a file integrity checking function during transmission / reception of the file, .

In addition, the strip connection system performs strip connection through the L4 switch on the business network side, the internal system server for strip connection, the L4 switch on the Internet network side, and the external system server for strip connection.

At this time, the strip connection system configures a unidirectional communication session from the system server for strip connection on the side of the business network to the external server for strip connection on the side of the Internet network so that the security weakness due to the opening of the inbound port and the threat of hacking .

In addition, the file transmission system and the strip connection system can use the NON-TCP communication in-house protocol to analyze the communication request protocol in the file transmission and the stipple connection, thereby blocking the out-of-policy communication.

Meanwhile, in constructing the file transfer system and the strip connection system as described above, the present invention overcomes the problem that the manganese file transfer or the strip connection is interrupted when a fault occurs in one file transmission system section or a strip connection system section Therefore, even if a failure occurs in one file transmission system section or a strip connection system section, a file transmission system or a strip connection system can be normally constructed by using two internal system servers and two external system servers, So that the linkage can be performed.

In addition, as shown in FIG. 3, even if an L4 switch failure occurs, an L4 switch on the side of a business network connected to the two internal system servers and two external system servers so that normal file transfer or strip connection can be performed And an L4 switch on the Internet network side.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, I will understand the point. Accordingly, the technical scope of the present invention should be determined by the following claims.

10: Network separation system
100: Business network
110: Business PC
120: Servers in business network
130: eternal system server for file transfer
140: eternal system server for strip connection
150: L4 switch
200: Internet network
210: Internet PC
220: Smart Disk Server
230: External system server for file transfer
240: External system server for strip connection
250: L4 switch

Claims (12)

At least one business PC;
At least one Internet PC; And
1. A network separation system including a smart disk server, wherein a business network used by the business PC and an Internet network used by the Internet PC are physically separated,
The Internet PC includes an operating system and software from the smart disk server connected to the LAN via a hard disk drive, and the smart disk server collectively manages and manages the operating system and software of the Internet PC And controls the I / O port of each Internet PC to prevent the external data input / output device from being connected to the Internet PC,
Data transmission and strip connection between the business network and the Internet network is performed through a data transmission system and a strip connection system,
The data transmission system performs data transmission through the L4 switch on the side of the business network and the internal system server for data transmission, the L4 switch on the side of the Internet network and the external system server for data transmission, and the strip- The L4 switch and the strip system are connected through the internal system server for the strip connection and the L4 switch for the Internet network side and the external system server for the strip connection,
The data transmission system or the strip connection system is constructed by using two internal system servers and two external system servers and is also connected to the two internal system servers and two external system servers The L4 switch on the network side and the L4 switch on the Internet network side are provided so that data transmission or strip connection can be normally performed even if a failure occurs in the L4 switch failure and the data transmission system section or the strip connection system section A physical network separation system using a diskless solution. The method according to claim 1,
And a network access controller (NAC), wherein the terminal information, which is connected to the network, can be monitored or disconnected or deactivated through the NAC. 3. The method of claim 2,
The NAC includes:
Real-time notification function to users and administrators when blocking access to terminals, blocking function for specific IP address and MAC address, function of assigning IP to visitor or temporary user by setting trial period, automatic retrieval and automatic recovery of IP address not used for a long time And then blocking the network when the corresponding IP is used. The physical network separation system using the diskless solution. delete delete The method according to claim 1,
The data transmission system comprising:
Tampering and malicious code checking during file transmission, blocking the transmission of up / modifying files by analyzing the file header of the transmission file, blocking the transmission of infected files after checking the malicious code of the transmission file, A segment encryption communication function, and a file integrity check function for a transmission / reception at the time of file transmission. The method according to claim 6,
The data transmission system comprising:
Wherein the NON-TCP communication uses its own protocol and analyzes a communication request protocol when a file is transmitted to block out-of-policy communication. delete The method according to claim 1,
The strip connection system comprises:
And a unidirectional communication session is established from an internal system server for strip connection to an external system server for strip connection, thereby preventing a security vulnerability and a hacking threat due to inbound port opening, Separation system. 10. The method of claim 9,
The strip connection system comprises:
Wherein the NON-TCP communication uses its own protocol and analyzes the communication request protocol when the strip is connected, thereby blocking the out-of-policy communication. delete delete

Images