KR102296664B1 - Server rack system capable of managing remote entrance - Google Patents

Abstract

According to one embodiment, disclosed is a server rack system capable of remote access management, in a server rack system capable of storing a server, which includes: a server rack (200) which can store a plurality of servers; a locking device (202) which is operatively coupled to a door of the server rack (200) to open or close the door of the server rack (200); and an access management system (300) which manages locking and unlocking of the locking device (202).

Description

Server rack system capable of managing remote entrance

The present invention relates to a server rack system capable of remote access management.

A server rack is a structure that can store a plurality of servers. A place such as a data center has tens to hundreds of server racks, and several to tens of servers are located in each server rack.

On the other hand, server administrators have to access each individual server and replace old or broken servers. Furthermore, there is a risk of unauthorized access to the server.

According to an embodiment of the present invention, a server rack system capable of remote access management is provided.

According to another embodiment of the present invention, a server rack system capable of remote access control with enhanced security is provided.

According to one embodiment, in the server rack system that can store the server,

Server rack 200 that can store a plurality of servers; a locking device 202 operatively coupled to the door of the server rack 200 to open or close the door of the server rack 200; and an access management system 300 for managing locking and unlocking of the locking device 202; a server rack system including a can be provided.

According to one or more embodiments, it is possible to manage the entrants for each server rack, it is possible to manage the entrants for each server stored in the server rack. In addition, information such as a phone number for access control may not be leaked to the outside.

1 and 3 are diagrams for explaining a server rack system according to an embodiment of the present invention.
FIG. 2 is a view for explaining the access management system in the embodiment of FIG. 1 .
FIG. 4 is a diagram for explaining the operation of the wireless security unit in the embodiment of FIG. 1 .
5 to 8 are views for explaining the configuration of a locking device according to an embodiment of the present invention.
9 is a view for explaining a wireless care method according to an embodiment of the present invention.
10 is a diagram for explaining a method of estimating a type of a wireless device according to an embodiment of the present invention.

The above objects, other objects, features and advantages of the present invention will be easily understood through the following preferred embodiments in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments described herein and may be embodied in other forms. The embodiments described below are exemplary embodiments provided to sufficiently convey the spirit of the present invention to those skilled in the art.

Definition of Terms

As used herein, the term 'software' refers to a technology that moves hardware in a computer, and the term 'hardware' refers to a tangible device or device (CPU, memory, input device, output device, peripheral device, etc.) constituting the computer. and, the term 'step' means a series of processing or manipulations connected in time series to achieve a predetermined goal, the term 'program' means a set of instructions combined for processing by a computer, and the term 'recording medium' means a program It means a computer-readable recording medium on which a program used for installing, executing, or distributing is recorded.

In this specification, when terms such as first, second, etc. are used to describe components, these components should not be limited by these terms. These terms are only used to distinguish one component from another. The embodiments described and illustrated herein also include complementary embodiments thereof.

As used herein, the singular also includes the plural unless specifically stated otherwise in the phrase. As used herein, the terms 'comprise' and/or 'comprising' do not exclude the presence or addition of one or more other components.

In this specification, 'component A and/or component B' means 'component A', 'component B' or 'component A and component B'.

In the present specification, a 'wireless terminal', a 'device', a 'system', or a 'device' is configured as a computer.

As used herein, 'computer' includes a computer processor and storage device, operating system, firmware, application program, communication unit, and other resources, where the operating system (OS: OPERATING SYSTEM) is other hardware, firmware, or application program (eg, For example, a management program) can be operatively linked. The communication unit means a module composed of software and hardware for transmitting and receiving data with the outside. In addition, the computer processor and the storage device, operating system, application program, firmware, communication unit, peripheral devices, and other resources (including hardware resources and software resources) are operatively connected to each other. On the other hand, the description or drawings for the above-mentioned components are described or shown within the limit for the purpose of the description of the present invention.

In this specification, a reference to component 'A' transmitting information, details, and/or data to component 'B' means that component 'A' transmits directly to component 'B' or component 'A' is used in the meaning including transmission to component 'B' through at least one other component.

As used herein, phrases identical to or similar to the phrases "a lock operatively coupled with a server rack", "a lock coupled with a server rack", "a lock of a server rack" and the phrases "a door of a server rack and operatively engaged locking device”. Also, in this specification, phrases identical to or similar to the phrases "locking device operatively coupled with the server case", "locking device coupled with the server case", "locking device of the server case", and "locking device of the server" are , used to mean “a lock operatively coupled to the door of the server case 204”.

In this specification, a phrase identical to or similar to the phrase "component A and component B is operatively connected" means that the result of the configuration or action of component A affects the configuration or action of component B, or It means that the result of the composition or action of B affects component A.

As used herein, a 'fake device' means a device capable of reading or tampering with data of other wireless devices without permission or illegal.

On the other hand, for easy description of the present invention in the present specification, previously published patent documents are referred to, and all patent documents (registrations and publications) mentioned in this way are incorporated as a part of the present specification.

1 and 3 are diagrams for explaining a server rack system according to an embodiment of the present invention, FIG. 2 is a diagram for explaining an access management system in the embodiment of FIG. 1, and FIG. 4 is a diagram of FIG. It is a view for explaining the operation of the wireless security unit in the embodiment, and Figures 5 to 8 are views for explaining the configuration of the locking device according to an embodiment of the present invention. Hereinafter, with reference to these drawings, simultaneously or partially, the operation of the server rack system and its components according to an embodiment of the present invention will be described in detail.

The server rack system according to an embodiment of the present invention is configured so that only those authorized to access the server can access.

1 to 8 , the server rack system according to an embodiment of the present invention may include a server rack 200 , locking devices 201 , 202 , 205 , and an access management system 300 . . The locking devices 201 , 202 , 205 and the access management system 300 are operatively connected to each other through a communication network. For example, the access management system 300 may manage locking and unlocking of the locking devices 201 , 202 , and 205 through a communication network.

A locking device 202 is operatively coupled to the door of the server rack 200 , and a plurality of servers 203 and 207 are stacked inside the server rack 200 . A door (not shown) of the server rack 200 is opened or closed by a locking device 202 .

The servers 203 and 207 are stored in a server case (not shown in FIG. 1, see FIG. 8), respectively, and locks 201 and 205 are operatively coupled to the door of the server case 204, respectively.

For example, the locking device 201 is operatively coupled to the door of the server 1 203 , and the locking device 205 is also operatively coupled to the door of the server 2 207 . That is, the door (not shown) of the server 1 203 is opened or closed by the locking device 201 , and the door (not shown) of the server 2 207 is opened or closed by the locking device 205 .

Hereinafter, among the locking devices 201 and 205 , the locking device 201 coupled to the door of the first server 203 will be mainly described. As will be described later, the locking device 201 coupled to the server rack 200 and the locking device 201 coupled to the server case may have the same configuration.

The access control system 300 controls the opening and closing of the locking device 201 coupled to the server rack 200 and the locking device 201 coupled to the server 1 (203). The access management system 300 stores and manages each ID of the locking devices and the most recently updated access control phone number in correspondence with each other.

When the occupant U1 calls the access control phone number displayed on the locking device 201, the access control system 300 uses the occupant U1's calling number to the server rack 200 coupled with the locking device 201. ), and the access management system 300 transmits a release signal to the locking device 201 only when the occupant U1 has the right to enter and exit. In addition, the access control system 300 checks whether there is a server with the right to which the occupant U1 can access from among the servers 203 and 207 stored in the server rack 200 , and a server with the accessible right. If there is, it transmits a release signal to the locking device 201 coupled to the server.

For example, the access management system 300 determines whether the visitor U1 has the authority to access the server 1 203 when the visitor U1 wants to access the server 1 203 , and the authority is When it is determined that there is, a lock signal for releasing the locking device 202 coupled to the server rack 200 is transmitted to the locking device 202, and the locking device 201 coupled to the server 1 203 is locked. to the device 201 . The occupant U1 can release the locking device 202 and the locking device 201 by simply calling the access control phone number displayed on the locking device 202 coupled to the server rack 200 .

The access management system 300 stores and manages the smartphone phone number of a person who can access the server rack 200, and servers (eg, server 1 203, server 2 207)... ..) stores and manages the smartphone phone number of the person who can access it.

The access control system 300, for example, when the visitor U1 calls the access control phone number, the visitor U1 accesses the server rack 200 using the caller number of the visitor U1. It is determined whether or not it is possible, and it is determined which server 1 (203) among the servers can be accessed. If the person U1 is a person who can access both the server 1 203 and the server 2 207 , the access management system 300 releases the locking device 202 coupled to the server rack 200 . transmits a release signal to the locking device 202, and transmits a signal for releasing the locking device 201 coupled to the first server 203 to the locking device 201, and the locking device coupled to the second server 207 A signal for releasing 205 is transmitted to the locking device 205 .

On the other hand, the access control system 300 does not send a signal for releasing the locking device 201 coupled to the server 1 203 and a signal for releasing the locking device 205 coupled to the server 2 207 at the same time, It can also be sent sequentially with a predetermined time interval. That is, after transmitting a signal for releasing the locking device 201 to the locking device 201 , a signal for releasing the locking device 205 may be transmitted to the locking device 205 after about 10 seconds. By doing so, the visitor may open only the door of the server that needs to be accessed from among the servers to which he/she has the right to access, and may not access the door of the server that he does not need to access.

Continuing to refer to FIG. 1 , it is assumed that a person authorized to access the server 2 207 (eg, person 1) calls the access control phone number displayed on the lock device 202 . The access management system 300 may know whether the visitor 1 calls the access control phone number, and may also know the caller number of the visitor 1. The access management system 300 determines whether or not the visitor 1 has the right to access the server rack 200 using the caller number of the visitor 1 and the right to access any server 1 203 stored in the server rack 200 . It can be known that there is

The access control system 300 allocates and manages an access control phone number for each lock device coupled to the server rack, and periodically changes it. The access management system 300 allocates the access control phone numbers to each lock device so that they do not overlap and are different from each other.

According to this embodiment, the access control phone number assigned to the locking device 202 coupled to the server rack 200 is for access control assigned to the locking device (not shown) coupled to another server rack (not shown). different from the phone number. Accordingly, the access management system 300 can know which server rack 200 is coupled to the locking device 201 when a call is received from the first person. On the other hand, the access control system 300 may change the authority to access the server rack 200 and the server 1 (203) according to a predetermined standard. For example, it is possible to give permission to different people for each server rack, to give permission to different people for servers stored in a server rack, or to allow the same person to have different access rights over time.

Referring to FIG. 1 , it is assumed that visitor 2 calls the access control phone number 070-582-6593 displayed on the locking device 202 . When the access control system 300 receives a call from visitor 2, the access control phone number 070-582-6593 is assigned to which server rack lock device is checked. If it is assigned to the server rack 200, any server among the server 1 203, server 2 207, ... located (stored) in the server rack 200 using the caller number of person 2 Check if 1 (203) can be accessed. If there is no check result, the access control system 300 may transmit a warning message (warning that an unauthorized person is trying to access the server rack 200) to the smart phone of the manager (not shown) of the access control system 300 .

1 and 7, the server rack 200 has a tubular structure with an empty interior so that a plurality of servers can be stacked and stored. The server rack 200 is provided with a door so that only authorized persons can access the inside of the server rack 200, and only when the door is opened, it will be possible to access the server in the inside of the door rack.

According to this embodiment, the locking device 202 is coupled to the door of the server rack 200, and the door is opened only when the locking device 202 is released.

In the present invention, there is one feature in that the door of the server rack 200 is remotely opened and closed by the locking device 201 according to the present invention, and with respect to the physical structure of the server rack 200, the conventional server The one in the rack can be used as it is. Therefore, the physical configuration of the server rack 200 in the present invention can be used that of a conventionally known server rack. For example, the technical configuration disclosed in Korea Patent Registration No. 2022005390000 (2021.01.04) (improved server rack and server using the same), the technical configuration disclosed in Korea Patent Registration No. 2021311130000 (2020.07.01) (space-saving server rack) Configuration, the technical configuration disclosed in Korean Patent Registration No. 2019811300000 (2019.05.16) (server rack with server interval adjustment function) can be used as the server rack 200 of the present invention. That is, it is possible to operatively couple the locking device 201 according to the present invention to the door of the server rack disclosed in these patent documents (so that the door is opened or closed by the locking device 201). The technical contents disclosed in these prior server rack patents are all incorporated as a part of this specification.

Referring to Figure 1, Figure 7, and Figure 8, the server rack 200 according to the present invention, the servers may be respectively stacked and positioned, each of those servers is built in the server case 204 shown in Figure 8 It is stacked on the server rack 200 in the form of a.

Assuming that the server 1 203 is built in the server case 204, in order to access the server 1 203 built in the server case 204, the doors OP1 and OP2 of the server case 204 must be opened. and the doors OP1 and OP2 of the server case 204 can be opened only when the locking device 201 is released.

When the locking device 201 is released, the doors OP1 and OP2 of the server case 204 are opened so that the doors OP1 and OP2 of the server case 204 and the locking device 201 are operatively connected.

In the present invention, there is one feature in that the doors OP1 and OP2 of the server case 204 are remotely opened and closed by the locking device 201 according to the present invention, and the physical As for the structure, a conventional server case can be used as it is. As shown in FIG. 8, the server case 204 may have a configuration with an empty interior as a rectangular tubular shape in which the server 1 203 can be embedded. For example, the configuration disclosed in Korean Patent Registration 2018140850000 (2017.12.26) (Computer case for server rack), Korean Patent Publication 2020050207866 (2005.11.16) (Case for blade server with panel I/O mounted on the side) It can be utilized in the server case 204 of the present invention. For example, a door is installed on one side of the computer case or server case disclosed in these patent documents, and the locking device 201 according to the present invention is operatively coupled to the door (the door by the locking device 201 ) can be opened or closed). The method of physically coupling the door and the locking device 201 is known in the prior art, for example, the technical configuration disclosed in Korean Patent Publication 2020200002021 (2020.05.21) (door lock locking device) or Korean Patent No. 2004898320000 (2019.08.09) The technical configuration disclosed in (Direction change push-pull door lock) can be utilized.

1, 5, and 6 , the locking device may include a communication unit 202a, a microcomputer 202b, a display unit 202c, a power source 202e, and a mechanism unit 202d. Such a locking device may be used as the locking device 202 coupled to the door of the server rack 200 or the locking devices 201 and 203 for opening or closing the door of the server case 204 . The functions of the locking device 202 operatively coupled to the door of the server rack 200 and the locking device 201 operatively coupled to the door of the server case 204 are the same.

According to one embodiment, the function, structure, and shape of the locking device 202 operatively coupled to the door of the server rack 200 and the locking device 201 coupled to the door of the server case 204 are completely different from each other. may be the same. Alternatively, the functions of the locking device 202 operatively coupled to the door of the server rack 200 and the locking device 201 operatively coupled to the door of the server case 204 are configured to be identical to each other, Depending on the size or shape of the door of the server rack 200 and the door of the server case 204, the lock 202 coupled to the door of the server rack 200 and the door of the server case 204 are operatively coupled to each other. The physical size or shape of the locking device 201 may be different from each other. In the following, the locking device 202 coupled to the server rack 200 and the locking device 201 coupled to the server case 204 are not differentiated between the locking devices 201 and 202 as long as there is no real difference between them. to explain without.

5 and 6, the communication unit 202a is configured to communicate with the access management system 300 through the in-house wired/wireless communication network and communication network. That is, the communication unit 202a is configured to receive the unlock signal, the lock signal, and the access control phone number of the lock device 202 from the access control system 300 .

When the communication unit 202a receives the access control phone number, the access control phone number is displayed in a form that a person can visually see by the display unit 202c.

The display unit 202c may display text so that a person can visually see the phone number for access control.

When the communication unit 202a receives the access control phone number, the access control phone number is displayed on the display unit 202c. 6 exemplarily shows that the display unit 202c displays a phone number for access control.

The mechanism part 202d means all parts necessary for locking or unlocking. That is, the mechanism unit 202d is configured to physically lock or open the door of the server rack 200 . The mechanism unit is a technical configuration disclosed in conventionally known patent documents, for example, Korean Patent Registration No. 2018147190000 (2017.12.27) (Digital door lock remote control system and method using a mobile terminal), Korean Patent Registration No. 2012421220000 (2013.03.05) Technical configuration disclosed in (Method for remotely controlling a door lock device using a smartphone and a door lock device therefor), the technical configuration disclosed in Korean Publication No. 2020050087624 (Aug. 31, 2005) (Remote door lock release method in a wireless communication terminal), and Korean Patent Registration No. 2015387360000 (2015.07.16) (a door lock device and a technical configuration disclosed in a remote control monitoring door lock system having the same, a technical configuration disclosed in Korean Patent Publication 2020200002021 (2020.05.21) (door lock locking device 201)), or The technical configuration disclosed in Korean Patent Registration 2004898320000 (2019.08.09) (direction change push-pull door lock) can be used.

The power source 202e supplies power required for each component of the locking device 202 . The power source 202e is configured to supply power to each component from a portable battery (not shown), or receives power from an external wire to supply power to each component of the locking device 202 . can be

The microprocessor 202b refers to a microprocessor computer, and is configured to include a central processing unit (CPU), a memory, a ROM, an input/output device, and circuits for the operation of each of these components.

The microcomputer 202b, when the communication unit 202a receives data such as a release signal, a lock signal, and/or a phone number for access control, performs a corresponding operation. For example, when the communication unit 202a receives the release signal, the microcomputer 202b controls the mechanism unit 202d to open the door, and when the communication unit 202a receives the lock signal, the microcomputer 202d The mechanism part 202d is controlled to put the door into a closed state. In addition, when the communication unit 202a receives the access control phone number, the microcomputer 202d controls the display unit 202c to display the access control phone number on the display unit 202c.

The access control system 300 transmits the access control phone number to the locking device 202 , but periodically changes the access control phone number arbitrarily, and transmits the changed access control phone number to the locking device 202 . do. Dozens to hundreds or more of phone numbers for access control to be assigned to the locking device 202 are prepared in advance, and the access control system 300 arbitrarily selects any one of the phone numbers for access control prepared in advance. is selected and assigned to the locking device 202 . For reference, phone numbers for access control prepared in advance for assignment to the locking device 202 are stored and managed in a DB storage device 303 to be described later.

When the locking device 202 receives a new access control phone number from the access control system 300 , as exemplarily shown in FIG. 6 , the locking device 202 displays it on the display unit 202c. When a person who wants to access the server rack 200 makes a call to the access control phone number displayed on the display unit 202c, the access control system 300 checks whether the person has the right to access the server rack 200 or not. After checking, if it is determined that there is an authority, a release signal is transmitted to the locking device 202 .

The locking device 202 according to the present invention is a locking device known in the prior art in that it has a configuration and action to periodically receive an access control phone number from the access control system 300 and display it through the display unit 202c. is differentiated from That is, in the locking device 202 according to the present invention, except for the configuration for displaying the access control phone number periodically received from the access control system 300, the rest of the configuration is a conventionally known locking device (for example, the Refer to the published patent documents) can be utilized as it is.

For example, the technical configuration disclosed in Korea Patent Registration No. 2018147190000 (2017.12.27) (Digital door lock remote control system and method using a mobile terminal), Korean Patent Registration No. 2012421220000 (2013.03.05) (Remotely using a smartphone The technical configuration disclosed in the method for controlling a door lock device and the door lock device thereof), the technical configuration disclosed in Korean Publication No. 2020050087624 (Aug. 31, 2005) (remote door lock release method in a wireless communication terminal), and Korean Patent Registration No. 2015387360000 (2015.07. 16) (At least one or more of the technical configurations disclosed in the door lock device and the remote control monitoring door lock system having the same may be utilized.

The access control system 300 according to an embodiment of the present invention allocates a phone number for access control to each lock device differently, and manages access periodically (for example, daily, weekly, or monthly) even with the same lock device. Change and assign the phone number for use. Accordingly, when the prospective person makes a call to the access control phone number displayed on the locking device 202 , the access management system 300 can know whether the prospective person tries to access the locking device 202 . According to the present embodiment, different access control phone numbers are assigned to a plurality of locking devices, and by periodically changing such access control phone numbers, the prospective person must be in a position close to the locking device 202 . You have to go and call the access control phone number displayed on the locking device 201 .

Since the access control phone number displayed on the locking device 202 can be known only by seeing the locking device 202 with their own eyes, a person who wants to release the locking device 202 cannot visually see the locking device 202. It should be positioned to the extent that there is (that is, to the extent that the text displayed on the display unit 202c provided in the locking device 202 can be visually recognized).

This is to prevent a case in which a person present at a location far from the locking device 202 releases the locking device 202 . That is, even if an authorized person is not in a position close to the locking device 202 (meaning a position where the access control phone number displayed on the display unit 202c of the locking device 202 can be visually seen), the lock This is to ensure that the device 201 cannot be released.

Figure 3 is a view for explaining the operation of the server rack system.

Hereinafter, the locking device 202 will be described as an example.

1, 2, and 3 together, the access management system 300 stores and manages (deletes, adds, and corrects) the authority DB in the DB storage device 303 . The authority DB is information about the person who has the authority to access the server rack 200 (or the access control phone number assigned to the locking device 202), the server rack 200 (for example, name , smartphone phone number), and information (eg, name, smartphone phone number).

For example, the authority DB can correspond to the ID of the locking device 202 and the most recently updated phone number for access control, and can enter and exit the server rack 200 operatively coupled to the locking device 202 . It is data in which the ID of the locking device 202 is correlated with the phone number of at least one or more persons who have permission. The access control server 301 stores and manages the ID of the locking device 202 and the most recently updated phone number for access control in the authorization DB, and the access control server 301 is used for access control. When a call comes in from a phone number, the authority DB is searched to check whether the caller's number has the authority to access the server rack 200 operatively coupled to the locking device 202, and the caller's caller number is included in the permission DB, transmits a release signal to the locking device 202 .

The person with the authority has the authority to access only the server rack 200, or may have the authority to access all or some of the servers located in the server rack 200 and the server rack 200. <Table 1> below shows an example of the authority DB.

Access control phone number Server Rack ID visitor's phone number Server ID
070-582-6593 R1 010-9104-6594. 010-6743-5594
010-6904-2230 R1S1
010-9104-6594
R1S2
070-582-6594 R2 010-9104-6594. 010-6743-5594
010-6904-2230 R2S1
010-9104-6594. 010-6743-5594
010-6904-2230 R2S2
010-9104-6594 R2S3
070-582-6595 R3 010-9104-6594 R3S1
010-6743-5594
010-6904-2230 R3S2

The access control system 300 stores and manages the authority DB as shown in <Table 1> in the DB storage device 303, and a lock device 202 is coupled to the door of the server rack R1, and the server rack R2 ), a locking device (not shown) is coupled to the door of the server rack (R3), a locking device (not shown) is also coupled to the door of the server rack (R3), and the server (R1S1) and the server (R1S2) are stored in the server rack (R1). It is assumed that the locking device 201 is coupled to the door of the server R1S1 and the locking device 205 is coupled to the door of the server R1S2. In addition, visitor 1's phone number is 010-9104-6594, visitor 1 accesses the server (R1S1) of the server rack (R1), visitor 2's phone number is 010-9194-6666, and visitor 2 accesses the server rack ( Assume that the server (R2S1) of R2) is accessed.

On the assumptions described above, the operation of the server rack system will be described with reference to FIGS. 1, 2, and 3 .

The access control system 300 includes a locking device 202 coupled to the server rack R1, a locking device coupled to the server rack R2 (not shown), and a locking device coupled to the server rack R3 (not shown). ) to periodically update and transmit the access control phone number. The most recently updated access control phone number is stored and managed in the authorization DB. Referring to <Table 1>, the access control phone number most recently transmitted by the access control system 300 is a lock 202 coupled to the server rack R1, and a lock coupled to the server rack R2. '070-582-6593', '070-582-6594', and '070-582-6595' are transmitted to the device (not shown), and a lock (not shown) coupled to the server rack (R3), respectively. it can be seen that Hereinafter, the locking device 202 will be described first.

The locking device 202 displays the most recently updated access control phone number '070-582-6593'. When visitor 1 calls the access control phone number '070-582-6593' displayed on the locking device 202 with his/her smartphone, the access control system 300 returns the access control phone number '070-582-6593' ' and the caller number '010-9104-6594' of visitor 1.

The access control system 300 can know the server rack (R1) to which the access control phone number '070-582-6593' is assigned with reference to <Table 1> stored in the DB storage device 303, and the server rack ( Among the servers R1S1 and R1S2 of R1), it is possible to know which server is authorized to access. Referring to <Table 1>, it can be seen that visitor 1 has the right to access all of the servers R1S1 and R1S2 of the server rack R1.

The access management system 300 checks whether the access control phone number '070-582-6593' and the access control number '070-582-6593' called by the visitor 1 and the caller number of the visitor 1 are recorded in the authority DB, so that the servers of the server rack (R1) ( It can be seen that there is a right to access R1S1, R1S2).

The access control system 300 transmits a signal for unlocking the locking device 202 of the server rack R1, the locking device 201 of the server R1S1, and the locking device 205 of the server R1S2 to the locking device 202. , the locking device 201, and the locking device 205, respectively. Here, when transmitting the release signal, the signal for releasing the locking device 202 of the server rack R1 is first transmitted, the signal for releasing the locking device 201 is transmitted secondly, and finally the locking device 205 is transmitted. A signal that is released may be transmitted. Alternatively, these signals may be transmitted simultaneously.

When the locking device 202 receives a release signal from the access control system 300 , the door of the server rack R1 is in a state in which it can be opened, and the locking device 201 also receives a release signal from the access management system 300 . Upon reception, the door of the case of the server R1S1 is in a state that can be opened, and when the locking device 205 also receives a release signal from the access control system 300, the door of the case of the server R1S2 can be opened. be in a state of being Here, the 'state in which the door can be opened' and the 'state in which the door can be opened' refer to a state in which the door can be opened by hand. The locking device 202 is closed again if the door is left without opening it by hand for a predetermined period of time in a 'state in which the door can be opened'.

The locking device 201 and the locking device 205 are also closed again when the door is left without opening it by hand for a predetermined period of time in a 'state in which the door can be opened'. Therefore, if the entrant 1 needs to access only the server R1S1, when the locking device 202 is released, the door of the server rack R1 is opened, and only the door of the server R1S1 to which the locking device 201 is coupled. just open it The locking device 205 remains in an open state for a certain period of time, and then returns to a closed state when the door of the server R1S2 is not opened.

Referring to FIG. 3 , a description will now be given of a case in which a person who does not have access rights calls an access control phone number.

The locking device 202 displays the most recently updated access control phone number '070-582-6593'. When the visitor 2 calls the access control phone number '070-582-6593' displayed on the locking device 202 with his/her smartphone, the access control system 300 returns the access control phone number '070-582-6593' ' and the caller number '010-9194-6666' of visitor 2.

The access control system 300 can know the server rack (R1) to which the access control phone number '070-582-6593' is assigned with reference to <Table 1>, and the servers R1S1 of the server rack R1, R1S2), you can find out which server you have the right to access. Referring to <Table 1>, it can be seen that with respect to all of the servers (R1S1, R1S2) of the server rack (R1), the entrant 2 has no right to access. Accordingly, the access management system 300 may transmit a notification to the effect that 'there is no authority' to the caller number '010-9194-6666' of the visitor 2. In addition, the access control system 300, the smart phone of the manager of the access control system 300, may also transmit a message to the effect that an unauthorized person is trying to access the server rack (R1).

FIG. 4 is a diagram for explaining the operation of the wireless security unit in the embodiment of FIG. 1 .

An operation of the wireless security unit of the access management system 300 will be described with reference to FIGS. 1 to 4 as well.

1 to 4 , an access management system 300 according to an embodiment of the present invention includes an access management server 301 , a DB storage device 303 , an IP-PBX 305 , and a wireless security unit ( 100) is included. Here, the DB storage device 303 may store the authority DB. Since the authority DB has been described above, it will be omitted here.

The access control server 301, the DB storage device 303, the IP-PBX 305, and the wireless security unit 100 can communicate wirelessly with each other through the in-house wired and wireless communication network N3, and for example, It may be a wireless communication technology such as Wi-Fi or Bluetooth. PSTN (N4) means a telephone communication network, and as technology develops, the range of PSTN (N4) is gradually narrowing. Although the PSTN (N4) is illustrated in this embodiment, an outgoing signal by the smart phone of the visitor 1 can be transmitted to the IP-PBX 305 without going through the PSTN (N4).

The VoIP provider 401 collectively refers to software and hardware for voice communication and delivery of a multimedia session through an Internet Protocol (IP) network such as the Internet. On the other hand, the router 308 is a device included in the network layer in the OSI layer 7, and after finding the best route it knows It is a device that sends packets to other networks.

The access control server 301 controls the opening and closing of the locking device 201 of the server rack 200 and the locking device 201 of the server 1 203 . The access management server 301 stores and manages each ID of the locking devices and the most recently updated access control phone number in the DB storage device 303 in correspondence with each other. When the visitor calls the access control phone number, the IP-PBX 305 can know the calling number of the visitor. The IP-PBX 305 transmits to the access management server 301 the access control phone number called by the visitor and the calling number of the visitor.

The access management server 301 checks whether the caller's calling number has the authority to access the server rack 200 combined with the locking device 202, and locks only when the accessor has the authority to enter and exit. Send a release signal to device 202 . In addition, the access control server 301 checks whether there is a server with the right to access among the servers stored in the server rack 200, and the server with the right to access (for example, server 1 ( 203)), transmits a release signal to the locking device 201 coupled to the case of the server 1 (203).

For example, the access control server 301 determines whether or not the person has authority when the person accesses the server 1 203, and if it is determined that the person has authority, the locking device 202 of the server rack 200 ) is transmitted to the locking device 202 , and a signal for unlocking the locking device 201 of the server 1 203 is transmitted to the locking device 201 . The visitor can release the locking device 202 and the locking device 201 by simply calling the phone number for access control displayed on the locking device 202 coupled to the server rack 200 .

The access control server 301 stores and manages the smartphone phone number of a person who can access the server rack 200 in the DB storage device 303, and servers (eg, server 1 203, server 2 (207)....) is managed by storing the smartphone phone number of the person who can access the DB storage device (303). The access control server 301 determines whether or not an access person can access the server rack 200 using the access control phone number provided from the IP-PBX 305 and the person's calling number, Determines which server can be accessed.

If the visitor is a person who can access both the server 1 203 and the server 2 207 , the access control server 301 locks the unlock signal for releasing the lock device 202 of the server rack 200 . It transmits to the device 202, a signal for unlocking the locking device 201 of the server 1 203 is transmitted to the locking device 201, and a signal for unlocking the locking device 205 of the server 2 207 is locked. to the device 205 . On the other hand, the access control server 301 does not send a signal for releasing the lock device 201 of the server 1 203 and a signal for releasing the lock device 205 of the server 2 207 at the same time, and You can also send them sequentially. That is, after transmitting a signal for releasing the locking device 201 , a signal for releasing the locking device 205 may be transmitted about 10 seconds later.

Now, it is assumed that a person (entrant 1) authorized to access only the server 2 207 calls the access control phone number displayed on the lock device 202 . When the visitor 1 calls the access control phone number, the outgoing signal of the visitor 1 is transmitted to the IP-PBX 305 via the PSTN (N4), the VoIP provider 401 and the router 308.

As described above, the IP-PBX 305 can know the access control phone number that the visitor 1 called and the caller number of the visitor 1, and the access control phone number and the visitor 1 caller number are the access control server 301 is sent. The access management server 301 uses the caller number of the visitor 1 to know whether the visitor 1 has the right to access the server rack 200 and which servers stored in the server rack 200 can be accessed. .

The access control server 301 allocates and manages a phone number for access control to the locking device 202 and periodically changes it. That is, one access control phone number is assigned to each server rack 200 , and such an access control phone number is periodically changed. Therefore, when the access control server 301 receives a call from visitor 1, it can know which server rack the locking device is coupled to.

Assume that visitor 2 calls the access control phone number 070-582-6593 displayed on the locking device 202 . When an outgoing signal arrives from visitor 2, the IP-PBX 305 can know the access control phone number 070-582-6593 and visitor 2's calling number, and the IP-PBX 305 has access control phone number 070- 582-6593 and the caller number of person 2 are provided to the access management server 301 . The access control server 301 checks to which server rack lock device the access control phone number 070-582-6593 is assigned. If it is assigned to the server rack 200, which server from among the server 1 203, server 2 207, ... stored in the server rack 200 using the caller number of the visitor 2 check if you can As a result of the check, if there is no authority to access any server, the access control server 301 sends a warning message to the smart phone of the manager (not shown) of the access control system 300 (warning that an unauthorized person is trying to access the server rack 200 ) ) can be transmitted.

The wireless security unit 100 detects a wireless signal of a wireless device attempting to gain unauthorized access to the access control server 301, the DB storage 303, and/or the IP-PBX 305 through the in-house wired/wireless communication network (N3). and determine whether the detected wireless device is a fake device. The wireless device to be detected by the wireless security unit 100 is any and all wired devices and wireless devices connected to the in-house wired and wireless communication network N3.

The wireless security unit 100 may perform a type estimation operation for estimating the type of the wireless device, and an operation for determining whether the wireless device is a fake device by attacking the wireless device with a weakness according to the type of the wireless device. .

The type estimation operation is an operation of estimating the type of the wireless device according to the results of the port scanning operation and the protocol scanning operation, the port scanning operation is an operation of finding an open port of the wireless device, and the protocol scanning operation is a result of the port scanning operation This is the operation to find the protocol used in the open port found by .

The protocol scanning operation includes the operation of checking the type of the open port, the operation of creating a packet for checking the protocol according to the type of the open port and transmitting it to the wireless device having the open port, and the operation from the wireless device It is an operation to check whether a response to the protocol confirmation packet is received.

Here, the response includes at least one of banner information and service information of a wireless device having an open port, and the banner information or service information includes information indicating the type of the wireless device.

The type estimation operation includes a first estimating operation of estimating the type of service from the protocol found as a result of performing the protocol scanning operation, a second estimating operation of estimating the type of service from information indicating the type of the wireless device, and the first estimation When the operation of comparing the type of service estimated by the operation and the type of service estimated by the second estimation operation is different from each other, the open port is determined from information indicating the type of the wireless device. An operation of estimating the type of a wireless device with

The wireless security unit 100 may be installed within a distance where wireless communication is possible using an in-house wired/wireless communication network. Here, the distance at which wireless communication is possible using the internal wired/wireless communication network N3 may mean a distance at which wireless communication is possible with the access control server 301 , the DB storage device 303 , and the IP-PBX 305 . Preferably, the wireless security unit 100 is connected to the in-house wired/wireless communication network (N) by wire, and is connected to the access control server 301 and the DB storage device 303 through the in-house wired/wireless communication network (N). A wireless signal of the wireless device may be detected, and it may be determined whether the detected wireless device is a fake device.

Specifically, the wireless security unit 100 performs a type estimation operation for estimating the type of the wireless device, and an operation for determining whether the wireless device is a fake device by attacking the wireless device with a weakness according to the type of the wireless device.

Here, the type estimation operation is an operation of estimating the type of the wireless device according to the results of the port scanning operation and the protocol scanning operation.

The port scanning operation is an operation of finding an open port of the wireless device, and the protocol scanning operation is an operation of finding a protocol used in an open port found as a result of the port scanning operation.

The protocol scanning operation includes an operation of confirming the type of an open port, an operation of creating a protocol confirmation packet according to the type of the open port and transmitting the packet to a wireless device having an open port, and the wireless device It is an operation to check whether a response to the protocol confirmation packet is received from the Here, the response includes at least one of banner information and service information of a wireless device having an open port, and the banner information or service information includes information indicating the type of the wireless device.

The type estimation operation includes a first estimating operation of estimating the type of service from the protocol found as a result of performing the protocol scanning operation, a second estimating operation of estimating the type of service from information indicating the type of the wireless device, and the first estimating operation A wireless device having an open port from information indicating a wireless device type when the operation of comparing the type of service estimated by , and the type of service estimated by the second estimation operation is different from the result of the comparison An operation of estimating the type of

In Fig. 4, for the purpose of explanation of the present system, arbitrary wireless devices 15: 15a, 15b, 15c, 15d are additionally shown.

The wireless security unit 100 may detect a dangerous device capable of hacking the access management system 300 described with reference to FIG. 2 (hereinafter, 'fake device') and block communication. Hereinafter, the operation of the wireless security unit 100 will be described in more detail.

The wireless security unit 100 may monitor short-range wireless communication of the wireless devices 15: 15a, 15b, 15c, and 15d (hereinafter, referred to as '15' when there is no practical benefit of distinction).

For example, the wireless device 15 may communicate according to a short-range wireless communication technology standard such as Bluetooth or Wi-Fi.

The wireless device 15 may be a non-authorized device in the system 200 or a legitimate device that is authorized. The wireless security unit may select an unauthorized device ('fake device') from the wireless device 15 .

The wireless device 15 may be a device such as a smart phone or a laptop capable of wireless communication, but is not limited thereto.

The wireless security unit 100 may perform a type estimation operation and a fake device selection and blocking operation.

As will be described later, the wireless security unit 100 may detect wireless signals output by the wireless device 15 . Here, the wireless signal may be, for example, a signal output for Bluetooth communication or a signal output for Wi-Fi communication. The wireless security unit 100 may select one or more devices as a target device from among the detected devices according to a predetermined criterion. Here, the predetermined criterion may be signal strength.

As will be described later, a diagnostic module (not shown) included in the wireless security unit 100 may, for example, estimate the type of the target device 15 and determine whether the target device 15 is a fake device. can

In this embodiment, the number of wireless devices 15 is shown as four each, but this number is exemplary and may be less or more. Hereinafter, assuming that the wireless device 15 is a target device, a type estimation operation, a fake device selection operation, and a blocking operation will be sequentially described.

The type estimation operation is an operation for estimating the type of the target device 15 .

In the present embodiment, the diagnosis module (not shown) may perform a port scanning operation, a protocol scanning operation, and a type estimation operation.

The port scanning operation is to find an open port of the target device 15 . That is, the port scanning operation is an operation of checking which ports are open for each of the target device 15a, the target device 15b, the target device 15c, and the target device 15d.

The port scanning operation may be performed, for example, by techniques called full scanning (FULL SCNNING) or stealth scanning (STEALTH SCANNING). Pool scanning is a technology that establishes a complete TCP session and checks open ports. Stealth scanning is a type of half scan technology, and when a packet for port confirmation is sent and a response to the packet for port confirmation comes, the port that responded is open, and if there is no response, the port is closed. judge to be Stealth scanning may be, for example, FIN, NULL, or XMASH.

A port is a logical unit that identifies a network service or a specific process, and a protocol using a port is, for example, a transport layer protocol. Examples of transport layer protocols may be Transmission Control Protocol (TCP) and User Datagram Protocol (UDT). Ports are identified by a number, and these numbers are called port numbers. For example, a port number is used with an IP address.

Port numbers can be classified into three types, for example.

If the port number belongs to 0 ~ 2023, it is a well-known port, if the port number belongs to 2024 ~ 49151, it is a registered port, and if the port number is 49152 ~ 65535 If it belongs to , it is a dynamic port. On the other hand, for representative examples of well-known ports, No. 20: FTP (data), No. 21: FTP (control), No. 22: SSH, No. 23: Telnet, No. 53: DNS, No. 80: World Wide Web HTTP, 119: NNTP, 443: TLS/SSL HTTP. Those skilled in the art to which the present invention pertains (hereinafter, referred to as 'those skilled in the art') will readily recognize that these port numbers and types of ports are exemplary.

For the purpose of the description of the present invention, the open port of the target device 15a is port 80, the off port of the target device 15b is port 23, and the open port of the target device 15c is port 5555, and , it is assumed that the open port of the target device 15d is port 5559.

The port scanning operation is an operation of finding an open port of the target device 15 . For example, the diagnostic module (not shown) performs a port scanning operation. The open port of the target device 15a is port 80, the off port of the target device 15b is port 23, and the target device 15c It finds out that the open port of is port 5555, and the open port of the target device 15d is port number 5559.

The protocol scanning operation is an operation to know the type of protocol used in the open port. Here, the open port is found by the port scanning operation. For example, the diagnostic module (not shown) finds out what protocol is used in port 80, which is an open port of the target device 15a.

In addition, the diagnostic module (not shown) is used in the protocol used in port 23 of the target device 15b, the protocol used in port 5555 of the target device 15c, and port 5559 of the target device 15d. Find out what each protocol is.

The protocol scanning operation performed by the diagnostic module (not shown) includes the operation of checking the type of the open port, the operation of creating a packet to be sent to the open port according to the type of the open port (hereinafter, 'protocol confirmation packet'); and transmitting a protocol confirmation packet to the wireless device having the open port, and confirming whether a response is received from the wireless device that has transmitted the protocol confirmation packet.

The packet for protocol confirmation may be, for example, a script.

The operation of confirming the type of the open port is an operation of confirming the type of the open port found by the port scanning operation. For example, the operation of determining the type of the open port is an operation of determining whether the open port corresponds to one of a well-known port, a registered port, or a dynamic port. am. In order to perform the operation of checking the type of the open port, data (eg, <Table 1>) in which the type of port is classified according to the port number (hereinafter, 'port type data') must be prepared in advance. Such 'port type data' may be stored and managed by the wireless security unit.

According to an embodiment, the diagnosis module (not shown) may know the type of the open port by referring to 'port type data'. For example, in the diagnostic module (not shown), port 80 of the target device 15a and port 23 of the target device 15b are well-known ports, and port 5555 of the target device 15c is It can be seen that the port and port 5559 of the target device 15d are dynamic ports.

The diagnostic module (not shown) performs an operation of creating a protocol confirmation packet suitable for the type of open port.

For example, since port 80 of the target device 15a is a well-known port using the World Wide Web HTTP protocol, a packet for protocol confirmation is created using the Web HTTP protocol to 15a). If there is a response from the target device 15a to the packet for checking the protocol written using the web HTTP protocol, the diagnosis module (not shown) determines that port 80 of the target device 15a uses the web HTTP protocol.

On the other hand, if there is no response from the target device 15a to the packet for checking the protocol written using the web HTTP protocol, the diagnostic module (not shown) determines that port 80 of the target device 15a does not use the web HTTP protocol. do. In this case, the diagnostic module (not shown) uses a protocol other than the World Wide Web HTTP protocol to create a protocol confirmation packet and then transmits it to the target device 15a.

If there is a response from the target device 15a to the protocol confirmation packet written in a protocol other than the web HTTP protocol, the diagnostic module (not shown) determines that port 80 of the target device 15a uses the other protocol. . If there is no response from the target device 15a to the protocol confirmation packet written in the protocol other than the web HTTP protocol, the diagnostic module (not shown) determines that port 80 of the target device 15a uses the other protocol. decide not to Thereafter, the target device 15a creates and transmits a protocol confirmation packet using another protocol until a response is received from the target device 15a. The diagnostic module (not shown) finds out the type of protocol actually used in each open port of the target device 15 by the above-described method.

The diagnosis module (not shown) estimates each type of the target device 15 by using at least one result of the port scanning operation and the protocol scanning operation. A type estimation operation is performed.

According to an embodiment, the type estimation operation performed by the diagnostic module (not shown) includes the operation of estimating the type of service from the type of the protocol found as a result of performing the protocol scan operation, and the estimated type of service. and estimating the type of the wireless device from the type of service.

The operation of estimating the type of service from the type of protocol is based on the experience that a protocol mainly used for each service is generally determined. For example, the RTSP, RTP, or RTCP protocol mainly supports streaming services. That is, when data defining services mainly supported for each protocol (hereinafter, 'protocol-service mapping data' is prepared, the diagnostic module (not shown) uses 'protocol-service mapping data' Service type can be estimated 'protocol-service mapping data' can be stored and managed by the wireless security unit.

The operation of estimating the type of the target device 15 from the type of service is also based on the experience that a service mainly used for each type of wireless device is generally determined. For example, the RTSP, RTP, or RTCP protocol mainly supports streaming services, which are provided by wireless devices such as, for example, IP TVs. That is, when data defining the types of wireless devices mainly provided for each service (hereinafter, 'service-type mapping data' is prepared, the diagnostic module (not shown) uses the 'service-type mapping data' to provide a service The type of the wireless device can be estimated from the type of 'service-type mapping data' can be stored and managed by the wireless security unit.

Meanwhile, the response to the protocol confirmation packet may include at least one of banner information and service information of the target device 15 .

Banner information included in the response to the protocol confirmation packet typically includes data indicating what kind of operating system used in the target device 15 . The diagnosis module (not shown) may know the type of service or estimate the type of the target device 15 if the type of the operating system is known.

Examples of the operating system used in the target device 15 include Tizen, Brillo, Fuchsia, or LiteOS. Here, Tizen is an open source mobile operating system that supports portable devices such as mobile phones, and wireless devices such as TVs and refrigerators, and Brillo is an Android-based embedded operating system announced by Google, and Puke Fuchsia is an operating system being developed by Google to support embedded systems, PCs, smartphones, and wireless devices. LiteOS is an operating system developed by Huawei for wireless devices, such as smart homes, wearable devices, or It is an operating system for supporting various wireless devices such as smart cars.

Service information included in the response to the protocol confirmation packet typically includes data indicating the type of the target device. For example, the service information may include data such as 'My iPhone', and this data is information directly indicating the type of the target device. According to an embodiment, the type estimation operation performed by the diagnosis module (not shown) includes at least one of banner information and service information of a target device, and the aforementioned port scanning information. The result of at least one of the execution result of the operation and the execution result of the protocol scanning operation is used.

For example, the type estimation operation performed by the diagnostic module (not shown) includes a first estimation operation, a second estimation operation, a comparison operation, and a type determination operation.

The first estimating operation is an operation of estimating the type of service from the type of protocol obtained by the protocol scanning operation. For an exemplary description of the first estimating operation, refer to the description referring to the RTSP, RTP, or RTCP protocol.

The second estimating operation is an operation of estimating the type of service by using at least one of banner information and service information of the target device 15 . Exemplary descriptions of the second estimated motion include the description part referring to Tizen, Brillo, Fuchsia, or LiteOS and the description referring to My iPhone. Please refer to the section

The comparison operation is an operation of comparing the type of service estimated by the first estimating operation with the type of service estimated by the second estimating operation.

In the type determining operation, when the type of service estimated by the first estimating operation and the type of service estimated by the second estimating operation are different from each other, the target device 15 from the type of service estimated by the second estimating operation determines the type of , and when the type of service estimated by the first estimating operation and the service type estimated by the second estimating operation are the same, the type of service estimated by the first estimating operation or the second estimating operation This is an operation of estimating the types of target devices 15 from .

On the other hand, when there is no banner information and service information of the target device 15 or there is no data for estimating the type of service in the banner information and service information, the type estimation operation (Type Assumption) is , including a first estimating operation and a type determining operation. That is, the type estimation operation may be performed only with the first estimating operation and the type determining operation without performing the second estimating operation and the comparing operation.

The fake device selection operation is an operation of selecting a fake device from among the target devices 15 .

In this embodiment, the diagnostic module (not shown) determines whether each of the target devices 15 is a fake device. For example, the diagnostic module (not shown) determines whether the target device 15a is a fake device among the target devices 15 , and determines whether the target device 15b is a fake device, and the target device It is possible to determine whether the device is a fake device with respect to ( 15c ), and whether it is a fake device with respect to the target device 15d . Here, the order is exemplary, and a person (hereinafter, 'person of ordinary skill in the art') engaged in the technical field to which the present invention belongs will be able to determine the order according to the situation when implementing the present invention.

The diagnosis module (not shown) attacks a vulnerability according to the type of the target device to be determined whether it is a fake device, and the diagnosis module (not shown) determines whether the attack on the target device is successful or not, It is determined whether the target device is a fake device.

Typically, a wireless device's vulnerability means a weakness that an attacker uses to lower the device's information assurance. In Wikipedia (https://en.wikipedia.org/wiki/Vulnerability), the vulnerability is defined as “Vulnerability　refers to the inability (of a system or a unit) to withstand the effects of a hostile environment”. In the specification, it will be used as defined in such Wikipedia.

For example, when the target device 15a is a 'target device', the diagnosis module (not shown) determines whether the target device 15a is a fake device according to whether the attack on the vulnerability of the target device 15a succeeds. can determine whether That is, the diagnostic module (not shown) determines that the target device 15a is not a fake device if the attack on the vulnerability of the target device 15a is successful, and the attack on the vulnerability of the target device 15a succeeds. If not, it is determined that the target device 15a is a fake device.

The diagnosis module (not shown) selects a vulnerability according to each type of the target device 15 , attacks each of the target devices 15 using the selected vulnerability, and based on the result of the attack, the target device 15 ), a fake device can be selected.

A diagnosis module (not shown) according to another embodiment of the present invention estimates each type of the target device 15 , attacks a vulnerability corresponding to each estimated type, and based on the attack result, the target device A fake device can be determined from among (15).

In the above-described embodiments, the diagnostic module (not shown) may generate a vulnerability attack message according to the type of the target device 15 by referring to data corresponding to the vulnerability by type ('vulnerability data by type'). . The vulnerability data for each type may be stored and managed by a storage device (to be described later) provided in the wireless security unit. Alternatively, the vulnerability data for each type may be stored and managed in an external storage device (not shown) that is communicatively connected so that the wireless security unit can access it.

In the above-described embodiments, the operation of selecting a vulnerability according to the type of the target device 15 may be an operation of finding a vulnerability corresponding to the type of the target device by referring to the vulnerability data for each type.

In the above-described embodiments, the diagnostic module (not shown) may generate a vulnerability attack message according to the type of the target device 15 by referring to data corresponding to the vulnerability by type ('vulnerability data by type'). . The vulnerability data for each type may be stored and managed by a storage device (to be described later) provided in the wireless security unit. Alternatively, the vulnerability data for each type may be stored and managed in an external storage device (not shown) that is communicatively connected so that the wireless security unit can access it.

In the above-described embodiments, the operation of selecting a vulnerability according to the type of the target device 15 may be an operation of finding a vulnerability corresponding to the type of the target device by referring to the vulnerability data for each type.

In the above-described embodiments, the operation of attacking the vulnerability of the target device 15 may be, for example, the operation of the diagnosis module (not shown) transmitting a message for attacking the vulnerability to the target device.

In the above-described embodiments, the diagnosis module (not shown) determines that the target device is not a fake device when the target device responds to the vulnerability attack, and when the target device does not respond to the vulnerability attack, It may be determined that the target device is a fake device.

Hereinafter, vulnerabilities of wireless devices and messages for attacking vulnerabilities will be described by way of example.

For example, the target device may be a router having the following types of vulnerabilities.

. Vulnerability: An unauthorized attacker could access the URL "/category_view.php" with the HTTP GET method

. Vulnerability attack message: GET/category_view.php

As another example, the target device may be a router having the following types of vulnerabilities.

ㆍVulnerability: An unauthorized attacker could access the URL "/mydlink/get_TriggeredEventHistory.asp" with HTTP GET method

. Exploit message: GET/mydlink/get_TriggeredEventHistory.asp

As another example, the target device may be a router having the following types of vulnerabilities.

. Vulnerability: An unauthorized attacker may access the URL "/router_info.xml?section=wps" with the HTTP GET method to obtain information such as the PIN and MAC address of the target device.

. Vulnerability attack message: GET/router_info.xml?section=wps

As another example, the target device may be a router having the following types of vulnerabilities.

. Vulnerability: When an unauthorized attacker accesses the "/wpsacts.php" URL with the HTTP POST method, it may be possible to insert script statements into the data.

. Vulnerability attack message: GET//wpsacts.php

As another example, the target device may be a DVR having the following types of vulnerabilities.

. Vulnerability: A vulnerability where a backdoor exists for the default / tluafed account.

. Vulnerability attack message: POST/Login. htm

As another example, the target device may be a DVR having the following types of vulnerabilities.

. Vulnerability: When an unauthorized user accesses the URL "/device.rsp?opt=user&cmd=list" using the HTTP GET method, the administrator account is exposed in plain text.

ㆍ Vulnerability attack message: GET/device.rsp?opt=user&cmd=list

According to embodiments of the present invention, even if the target device has the same type of function, if the vulnerability is different, the target device is treated as a different type. For example, the routers described above have different vulnerabilities, and thus are distinguished into different types of target devices. In addition, when the above-described digital video recorders (DVRs) have different vulnerabilities, they are also classified as different types of target devices. For another example, if the target device has the same manufacturer and the same type of device has different firmware, it is treated as a different type.

According to an embodiment of the present invention, the 'vulnerability data for each type' may be data corresponding to a vulnerability for each type of the target device. When the vulnerability data for each type is stored and managed, the diagnostic module (not shown) attacks the vulnerability of the target device by referring to the vulnerability data for each type.

Alternatively, the 'vulnerability data by type' may be data corresponding to a 'vulnerability attack message' for each type of target device.

According to another embodiment of the present invention, vulnerability data for each type may not be prepared in advance. In this embodiment, the diagnosis module (not shown) may directly generate a message for vulnerability attack corresponding to the type of the target device (eg, when the vulnerability attack unit is configured to directly generate a message for attack for each type) .

The blocking operation is an operation of blocking communication of the fake device.

The blocking operation is an operation of blocking communication of the fake device by performing a DDoS attack on the fake device.

For example, the diagnostic module (not shown) transmits a large amount of messages to the fake device, and the fake device that has received the large number of messages is unable to communicate with other devices in response to the message. As such, the diagnostic module (not shown) may block communication of a target device having a vulnerability.

For example, assuming that the wireless device 15a is a fake device, the diagnostic module (not shown) blocks communication of the Bluetooth device by performing a DDoS attack on the fake device 15a. That is, the diagnosis module (not shown) transmits a large amount of messages to the fake device 15a, so that the fake device 15a that has received the large amount of messages cannot communicate with other Bluetooth devices in response to the message. As such, the diagnostic module (not shown) may block communication only with the fake device 15a.

Hereinafter, an exemplary configuration of the wireless security unit 100 according to an embodiment of the present invention will be described.

The wireless security unit of the present invention includes a port scanning unit, a protocol scanning unit, a type estimation unit, a determination unit, an operating system, a communication unit, a vulnerability attack unit, a computer processor, a peripheral device, a storage device, and a memory, and these components (not shown) cities) are operatively connected to each other. Meanwhile, the port scanning unit, the protocol scanning unit, the type estimating unit, the determining unit, and the vulnerability attack unit will be collectively referred to as a diagnosis module (not shown), and such a diagnosis module (not shown) is a program executed under the control of the computer processor. can be composed of Programs such as an operating system or a diagnostic module (not shown) are loaded into a memory and executed under the control of a computer processor, and may be operatively connected to other programs or hardware.

The diagnosis module (not shown) may perform the above-described type estimation operation, fake device selection operation, and blocking operation. Specifically, the port scanning unit may perform a port scanning operation, the protocol scanning unit may perform a protocol scanning operation, the type estimator may estimate a device type, and the determination unit may perform a fake device selection operation and a blocking operation. Please refer to the above-mentioned part for each of these operations.

The port scanning unit performs the aforementioned port scanning operation. The port scanning unit writes a port confirmation packet, transmits the port confirmation packet to the wireless device 15 through the communication unit, checks whether a response to the port confirmation packet is received, and checks the open port in the wireless device 15 . decide

The protocol scanning unit performs the protocol scanning operation described above. The protocol scanning unit prepares a protocol confirmation packet, transmits the protocol confirmation packet to the wireless device 15 through the communication unit, checks whether a response to the protocol confirmation packet is received, and the protocol actually used in the open port. to decide

The vulnerability attack unit transmits the vulnerability attack message to the target device through the communication unit, and the judgment unit checks whether there is a response to the vulnerability attack message, and if there is a response, the target device is not a fake device, and if there is no response, it is a fake device .

The operating system is software that not only manages hardware but also provides a hardware abstraction platform and common system services to execute application software, and the storage device and memory include a recording medium providing a space for storing and executing programs, respectively. A computer processor is a central processing unit (CPU), and such a central processing unit is a control unit of a computer that controls a computer system and executes a program operation, or a chip in which the function is embedded.

A memory and/or a storage device may provide a space in which a program is stored or executed, and may also store data necessary for the operation of the present invention, such as protocol-service mapping data or service-type mapping data.

The memory and/or storage device may also temporarily and/or permanently store various data. For example, the memory and/or the storage device may store messages for exploiting vulnerabilities.

The type estimator performs the above-described type estimation operation.

According to an embodiment, the type estimator includes at least one of banner information and service information of the wireless device 15, and an operation result of at least one of an operation result of the port scanning unit and an operation result of the protocol scanning unit. use the

According to another embodiment, at least one result of the operation result of the port scanning unit and the operation result of the protocol scanning unit is used. Since detailed descriptions of these embodiments have been described above, they will be omitted.

According to an embodiment, a type estimation result of the type estimator is stored in the memory device and/or the memory. The type estimation result is data corresponding to a type for each wireless device 15 . Meanwhile, vulnerability data for each type may also be stored in the memory device and/or memory. Vulnerability data by type (data corresponding to vulnerabilities by type) is used to find the vulnerability of the target device type.

The vulnerability attack unit may refer to the vulnerability data for each type, find a vulnerability corresponding to the type of the target device, and generate a message for attacking the vulnerability. Thereafter, the vulnerability attack message is transmitted to the target device through the communication unit. After checking whether there is a response to the vulnerability attack message, the determination unit determines that the target device is not a fake device if there is a response, and determines that the target device is not a fake device if there is no response.

All or at least a part of the port scanning unit may be configured as a program. The part composed of the program is loaded into the memory and performs a port scanning operation under the control of the computer processor. Other components, for example, the protocol scanning unit and the type estimating unit may be configured in the same manner as the port scanning unit to perform their own operations. Meanwhile, since detailed descriptions of the port scanning operation, the protocol scanning operation, and the type estimation operation have been described above, they will be omitted herein.

9 is a view for explaining a wireless care method according to an embodiment of the present invention. The wireless care method according to an embodiment of the present invention is for discriminating a fake device from among wireless devices (also referred to as 'target devices') close to the access control system 300 . For example, the components included in the access management system 300 using the wireless security unit 100, for example, the access management server 301, the DB storage device 303, and/or the IP-PBX (305) ) to determine access by unauthorized wireless devices.

Referring to FIG. 9 , a wireless care method according to an embodiment of the present invention includes estimating a type of a target device (S100); selecting a vulnerability according to the type of the target device (S300); attacking the vulnerability selected in step S300 (S400); and determining whether the target device is a fake device according to whether the attack on the target device is successful ( S500 ).

The wireless care method according to an embodiment of the present invention may further include a step (S200) of storing and managing vulnerability data for each wireless device type that corresponds to a vulnerability for each wireless device type (S200).

The above-described step of selecting the vulnerability ( S300 ) includes an operation of finding a vulnerability corresponding to the type of the target device with reference to the vulnerability data for each wireless device type.

The above-described step of attacking the target device (S400) may be a step of generating a vulnerability attack message for attacking the vulnerability selected in the step (S300) of selecting a vulnerability according to the type of the target device and transmitting the message to the target device.

In the step S500 of determining whether the above-described target device is a fake device, when the target device responds to the vulnerability attack message, it is determined that the target device is not a fake device, and the target device responds to the vulnerability attack message. If there is no response, it may be a step of determining that the target device is a fake device.

Hereinafter, it is assumed that the wireless care method according to an embodiment of the present invention is applied to the wireless security unit 100 described with reference to FIGS. 2 and 4 .

For the step of estimating the type of the target device ( S100 ), refer to the contents described with reference to FIG. 10 .

The step of storing and managing vulnerability data by type ( S200 ) is a step in which the wireless security unit 100 stores and manages the result of the step ( S100 ) of estimating the type of the target device in a recording medium.

The step of selecting a vulnerability ( S300 ) is a step in which the wireless security unit 100 selects a vulnerability according to the type of the target device. For example, the vulnerability attacker may select a vulnerability according to the type of the target device estimated by the type estimator. To this end, vulnerability data for each type is stored in the memory device, and the vulnerability attack unit may select a vulnerability corresponding to the type of the target device by referring to the vulnerability data for each type.

The step of attacking the target device ( S400 ) is a step in which the wireless security unit 100 attacks the vulnerability of the target device. For example, the vulnerability attack unit sends a vulnerability attack message to the target device. The vulnerability attack message is generated based on the vulnerability data selected according to the type of the target device. The vulnerability attack unit can directly generate a message for exploiting the vulnerability.

In the step of determining whether the target device is a fake device (S500), for example, the determination unit of the wireless security unit 100 determines that the target device is not a fake device when the target device responds to the vulnerability attack message. and, when the target device does not respond to the vulnerability attack message, it may be determined that the target device is a fake device.

As described above, the method of determining whether the target device described with reference to FIG. 9 is a fake device may be implemented by, for example, a computer program.

For example, according to an embodiment of the present invention, the method comprising: attacking a vulnerability of a target device, which is a target device for determining whether it is a fake device; and judging whether the target device is a fake device according to whether the attack on the vulnerability of the target device succeeds. A recordable medium is provided.

In another example, estimating the type of the target device (S100); selecting a vulnerability according to the type of the target device to be determined whether it is a fake device (S300); attacking the vulnerability selected in step S300 (S400); And according to whether the attack on the target device is successful, the program for executing the wireless care method comprising the step (S500) of determining whether the target device is a fake device to the wireless security unit 100 is read by a computer A recordable medium is provided.

10 is a diagram for explaining a method of estimating a type of a wireless device according to an embodiment of the present invention.

Referring to FIG. 10 , the method for estimating the type of a wireless device according to an embodiment of the present invention includes a port scanning step (S110) of finding an open port of a target device, a port scanning step ( Based on the results of the protocol scanning step (S120), the above-described scanning steps (S110, S120) to find the protocol used in the open port found as a result of the port scanning step (S110) Thus, it may include a Type Assumption step (S130) of estimating the type of the target device.

Hereinafter, it is assumed that the method of estimating the type of a wireless device according to an embodiment of the present invention is applied to the above-described wireless security unit 100, and a method of estimating the type of a wireless device according to an embodiment of the present invention is described below. to explain

The port scanning step ( S110 ) is to find an open port of the wireless device 15 . That is, the port scanning step S110 is a step of performing the port scanning operation described with reference to FIG. 9 .

Also in this embodiment, for the purpose of explanation of the present invention, the open port of the wireless device 15a is port 80, the off port of the wireless device 15b is port 23, and the open port of the wireless device 15c is is port 5555, and it is assumed that the open port of the wireless device 15d is port 5559

The port scanning step ( S110 ) is to find an open port of the wireless device 15 . For example, as a result of performing the port scanning step S110 , the open port of the wireless device 15a is port 80, the off port of the wireless device 15b is port 23, and the open port of the wireless device 15c is port 5555, and the open port of the wireless device 15d is found to be port 5559.

The protocol scanning step S120 is a step for knowing the type of protocol actually used in the open port. That is, the protocol scanning step S120 is a step of performing the protocol scanning operation described with reference to FIG. 9_Delete. On the other hand, the open port is obtained as a result of the port scanning step (S110).

For example, in the protocol scanning step S120 , an operation of finding out the type of protocol used in port 80, which is an open port of the wireless device 15a, is performed. In addition, in the protocol scanning step (S120), the protocol used in port 23 of the wireless device 15b, the protocol used in port 5555 of the wireless device 15c, and port 5559 of the wireless device 5d are used It performs the operation of finding out what protocol to use. As such, the protocol scanning step S120 is a step of finding out the types of protocols actually used for all open ports of the wireless device 15 .

The protocol scanning step (S120) includes the steps of checking the type of the open port, creating a packet for protocol confirmation, transmitting the packet for protocol confirmation to the target device having the open port, and transmitting the packet for protocol confirmation and checking whether a response exists from a target device. On the other hand, the step of checking the type of the open port is a step of performing the above-described operation of checking the type of the open port, and the step of writing the packet for checking the protocol is performing the operation of writing the packet for checking the protocol. and the step of checking whether a response is received from the target device is a step of performing an operation of checking whether a response is received from the above-described target device. Therefore, a more detailed description of these steps will be omitted.

In the step of checking the type of open port, it is checked whether the open port obtained by the port scanning operation corresponds to a well-known port, a registered port, or a dynamic port. perform the action

According to one embodiment, the step of checking the type of the open port. By referring to the port type data, an operation of finding out the type of the open port obtained by the port scanning operation is performed.

According to an embodiment, the step of creating the protocol confirmation packet includes creating the protocol confirmation packet according to the type of the open port.

For example, in the step of creating a packet for protocol confirmation, port 80 of the wireless device 15a is a well-known port using the World Wide Web HTTP protocol, so the It performs the operation of creating a packet for protocol confirmation.

In addition, in the step of creating the protocol confirmation packet, if there is no response to the protocol confirmation packet created using the web HTTP protocol from the wireless device 15a, port 80 of the wireless device 15a uses the web HTTP protocol It decides not to do so, and uses a protocol other than the World Wide Web HTTP protocol to create a packet for protocol confirmation.

That is, in the step of writing the protocol confirmation packet, in order to find out the type of protocol actually used in the open ports of the wireless device 15, the protocol confirmation packet is created until a response is received as in the above-described operations. .

The step of transmitting the protocol confirmation packet to the wireless device is a step of transmitting the protocol confirmation packet to the target device. The step of transmitting the protocol confirmation packet to the target device includes transmitting the protocol confirmation packet until a response is received from the target device.

The step of checking whether a response exists from the target device that has transmitted the protocol confirmation packet includes monitoring whether a response to the protocol confirmation packet comes from the target device, and when a response comes, the protocol used for the response is transferred from the corresponding open port. Executes an operation that determines that the protocol is actually used.

The type estimating step (S130) is a type of estimating each type of target devices using at least one result of the above-described photo scanning step (S110) and the protocol scanning step (S120). This is a step of performing an estimation operation. That is, the type estimation step S130 is a step for performing the above-described type estimation operation.

According to an embodiment, the step of estimating the type ( S130 ) includes estimating the type of service from the type of protocol found as a result of performing the protocol scanning operation, and estimating the type of the target device from the type of service. do. Here, the step of estimating the type of service from the type of protocol is a step of estimating the type of the service from the type of the protocol described above, and the step of estimating the type of the target device from the type of the service is the above-described service. This is a step of estimating the type of the target device from the type. Therefore, for a detailed description of these steps, please refer to the description of the embodiment of Fig. 1_Delete_Delete and Fig. 9_Delete_Delete.

As described above, the response to the protocol confirmation packet may include at least one of banner information and service information of the target device.

According to an embodiment, the Type Assumption step ( S130 ) includes at least one of banner information and service information of a target device, a result of performing the above-described photo scanning operation, and protocol scanning ( Protocol Scanning), at least one result of the operation results is used.

For example, in the type estimation step S130 , a first estimation operation, a second estimation operation, a comparison operation, and a type determination operation may be performed. For a detailed description of the first estimating operation, the second estimating operation, the comparing operation, and the type determining operation, refer to the description of the embodiment described with reference to FIG. 9 .

As another example, the type estimation operation S130 may perform a port scanning operation, a protocol scanning operation, and a type estimation operation. For a detailed description of the first estimating operation, the second estimating operation, the comparing operation, and the type determining operation, refer to the description of the embodiment described with reference to FIG. 9 .

As described above, the method of estimating the type of the wireless device according to an embodiment of the present invention described with reference to FIG. 10 may be implemented by, for example, a computer program. That is, a computer-readable program for executing all or some steps of each step constituting the method for estimating the type of the wireless device according to the embodiment of the present invention described with reference to FIG. It may be stored in a recording medium. The program for causing the wireless security unit 100 to execute all or some of the steps constituting the method according to the embodiment of the present invention stored in the recording medium as described above may be loaded into the memory under the control of the computer processor and executed.

For example, according to an embodiment of the present invention, a result of performing a port scanning step (S110) and a port scanning step (S110) to find an open port of a target device A type of estimating the type of the target device based on the results of the protocol scanning step (S120) and the above-described scanning steps (S110, S120) to find the protocol used in the open port found with A computer-readable recording medium is provided for causing the wireless security unit 100 to execute a method for estimating the type of the wireless device including the Type Assumption step ( S130 ). For a description of each of these steps, please refer to the description above.

As described above, the method of estimating the type of the wireless device according to an embodiment of the present invention described with reference to FIG. 10 may be implemented by, for example, a computer program. That is, a computer-readable program for executing all or some steps of each step constituting the method for estimating the type of the wireless device according to the embodiment of the present invention described with reference to FIG. It may be stored in a recording medium. The program for causing the wireless security unit 100 to execute all or some of the steps constituting the method according to the embodiment of the present invention stored in the recording medium as described above may be loaded into the memory under the control of the computer processor and executed.

For example, according to an embodiment of the present invention, a result of performing a port scanning step (S110) and a port scanning step (S110) to find an open port of a target device A type of estimating the type of the target device based on the results of the protocol scanning step (S120) and the above-described scanning steps (S110, S120) to find the protocol used in the open port found with A computer-readable recording medium is provided for causing the wireless security unit 100 to execute a method for estimating the type of the wireless device including the Type Assumption step ( S130 ). For a description of each of these steps, please refer to the description above.

As such, a person skilled in the art to which the present invention pertains can make various modifications and variations from the description of the above-described specification. Therefore, the scope of the present invention should not be limited to the described embodiments and should be defined by the claims described below as well as the claims and equivalents.

100: wireless security department
200: server rack
201, 202, 205: lock
203, 207: Server
N2: In-house wired and wireless communication network
N1: network
U1, U2: Smartphone
300: access management system
301: access control server
303: DB storage device
305: IP-PBX

Claims (5)

In the server rack system that can store the server,
Server rack 200 that can store a plurality of servers;
a locking device 202 operatively coupled to the door of the server rack 200 to open or close the door of the server rack 200; and
Includes; access management system 300 for managing locking and unlocking of the locking device 202;
The access control system 300 transmits the access control phone number to the lock device 202, but periodically updates the access control phone number and transmits it to the lock device 202,
The locking device 202 is provided with a display unit for displaying the access control phone number received from the access control system 300,
The access management system 300 stores and manages the ID of the locking device 202 and the most recently updated phone number for access management in correspondence with each other,
When an occupant calls the access control phone number, the access control system 300 allows the entrant to enter and exit the server rack 200 operatively coupled to the locking device 202 using the caller number of the entrant. It is checked whether there is an authority to do so, and a release signal is transmitted to the locking device 202 only when the entrant has the authority to enter and exit,
The locking device 202 opens the door of the server rack 200 when receiving a release signal from the access control system 300,
The access management system 300 is
access management server 301;
DB storage device 303 for storing the authority DB; and
wireless security unit 100; includes,
The access management server 301 is connected to the DB storage device 303 through the in-house wired and wireless communication network (N3),
The authority DB is
The ID of the locking device 202 and the most recently updated phone number for access control correspond to each other, and at least one or more having the authority to enter and exit the server rack 200 operatively coupled to the locking device 202 . The phone number of the person and the ID of the locking device 202 correspond to each other,
The access management server 301 stores and manages the ID of the locking device 202 and the most recently updated access control phone number in the authorization DB by matching them with each other,
The access control server 301, when an entrant receives a call to the access control phone number, searches the authority DB, and the server rack 200 in which the entrant's calling number is operatively coupled to the locking device 202. It is checked whether the person has the authority to enter and exit, and if the caller's number is included in the authority DB, a release signal is transmitted to the locking device 202,
The wireless security unit 100 may detect a wireless signal of a wireless device connected to the in-house wired and wireless communication network N3, and may determine whether the detected wireless device is a fake device,
The wireless security unit 100 performs a type estimation operation for estimating the type of the wireless device, and an operation for determining whether the wireless device is a fake device by attacking the wireless device with a weakness according to the type of the wireless device, ,
The type estimation operation is an operation of estimating the type of the wireless device according to the results of the port scanning operation and the protocol scanning operation,
The port scanning operation is an operation of finding an open port of the wireless device,
The protocol scanning operation is an operation of finding a protocol used in an open port found as a result of the port scanning operation,
The protocol scanning operation is
The operation of confirming the type of the open port, the operation of creating a protocol confirmation packet according to the type of the open port and transmitting the packet to the wireless device having the open port, and from the wireless device It is an operation to check whether a response to the protocol confirmation packet is received,
The operation of determining the type of the open port is to determine whether the open port corresponds to any of a well-known port, a registered port, or a dynamic port. is action,
The response includes at least one of banner information and service information of the wireless device having the open port,
The banner information or the service information includes information indicating the type of wireless device,
The type estimation operation is
A first estimating operation for estimating the type of service from the protocol found as a result of performing the protocol scanning operation, a second estimating operation for estimating the type of service from information indicating the type of the wireless device, and estimating by the first estimating operation The operation of comparing the type of service estimated by the second estimation operation with the type of service estimated by the second estimating operation, and when both of the comparison results are different, from the information indicating the type of the wireless device, the method of the wireless device having the open port Perform an operation to estimate the type,
In the protocol scanning step, if there is no response as a result of checking whether a response to the protocol check packet is received from the wireless device, the protocol check packet returns to another protocol not used for the protocol check packet. Creating a packet for protocol confirmation and performing the operation of transmitting to the wireless device having the open port (Open Port), the server rack system. delete delete delete delete

Images