KR102345261B1 - Network System and Integrated Security Method for User Terminals Connected to the Internal Network and External Network Performed by the Network System - Google Patents

Abstract

The present invention relates to a network system and an integrated security method for a user terminal connected to internal and external networks performed thereby. According to the present invention, an access of a first user terminal to an internal network is permitted by a control server when the first user terminal connected to the internal network corresponds to first internal policy information. Also, when authentication information on a second user terminal connected to an external network is verified as valid by an authentication control unit, a communication channel for the second user terminal is established. In addition, when the second user terminal with the communication channel established by the control server corresponds to second internal policy information, the communication channel of the second user terminal is finally resumed, such that the first user terminal connected to the internal network and the second user terminal connected to the external network can be integrated and managed by the control server. Therefore, security can be improved.

Description

{Network System and Integrated Security Method for User Terminals Connected to the Internal Network and External Network Performed by the Network System}

The present invention relates to a network system and an integrated security method for a user terminal connected to an internal network and an external network performed in the network system, and more particularly, by a control server, a first user terminal connected to the internal network is When the policy information is met, the access to the internal network of the first user terminal is permitted, and when the authentication information of the second user terminal connected to the external network is verified as valid by the authentication control unit, it is transmitted to the second user terminal. to establish a communication channel for the user terminal, and finally to resume the communication channel of the second user terminal when the second user terminal with the communication channel established by the control server conforms to the second internal policy information, A method of integrated security for a network system and a user terminal connected to an internal network and an external network performed in the network system, which enables the control server to manage the first user terminal connected to the first user terminal and the second user terminal connected to the external network will be.

Network-based environments such as online services are gradually expanding, and as non-face-to-face activities increase significantly due to the recent corona virus outbreak, various computing devices, specifically, the internal network of the network system and the external network through the Internet, etc. The introduction of networks for computing devices connected through a network is being made more actively. However, as the introduction of the network system increases, the security problem is also greatly increased. Accordingly, conventional techniques for strengthening the security of the internal network and the external network have been developed.

First, a monitoring server that monitors packets of each terminal is connected to the gateway or hub to which each terminal is connected to the internal network, and the monitoring server monitors packets transmitted from each terminal, A conventional security method has been developed in which a server receiving a packet transmitted from a corresponding terminal ignores packets transmitted from the corresponding terminal. However, in the case of the prior art, there is a problem in that the monitoring server continuously monitors whether a packet transmitted from each terminal is abnormal, so that the load of the monitoring server and the traffic of the corresponding network is increased, and the server that receives the packet Also, there is an additional problem that an unnecessary load on the server may occur because the modulated packet transmitted from the terminal is not fundamentally blocked, but must be ignored after receiving it first.

Next, in the case of a conventional security method for an external network of a network system, various security elements such as a firewall or a virtual private network (VPN) device are used to establish network security. However, as the size of the network increases, security devices must be provided for each component of the network, so there is a problem in that the security cost increases. Since it is possible to communicate with a server that provides A security vulnerability exists. In addition, since VPNs and firewalls are IP-based, additional problems that may be vulnerable to security for other layers may occur.

In addition, in the case of dualizing the security of the internal network and the security of the external network of the network system in this way, in terms of managing the network system, security for the user terminal accessing the internal network and the user terminal accessing the external network Since the security of the network system must be managed through a separate system, there is a problem in that it takes a lot of time and money to manage the network system.

Accordingly, there is a need to develop a new method for improving the conventional problems with respect to the internal network and the external network of the network system, and at the same time, for integrally managing the security of the user terminal accessing the internal network and the external network.

The present invention relates to a network system and an integrated security method for a user terminal connected to an internal network and an external network performed in the network system, and more particularly, by a control server, a first user terminal connected to the internal network is When the policy information is met, the access to the internal network of the first user terminal is permitted, and when the authentication information of the second user terminal connected to the external network is verified as valid by the authentication control unit, it is transmitted to the second user terminal. to establish a communication channel for the user terminal, and finally to resume the communication channel of the second user terminal when the second user terminal with the communication channel established by the control server conforms to the second internal policy information, Provides an integrated security method for a network system and a user terminal connected to an internal network and an external network performed by the network system, which enables the control server to manage the first user terminal connected to the first user terminal and the second user terminal connected to the external network aim to do

In order to solve the above problems, in one embodiment of the present invention, as an integrated security method for a first user terminal connected to an internal network and a second user terminal connected to an external network performed in a network system, the network system comprises: a control server, a blocking server, and an authentication control unit, wherein the control server provides first internal policy information corresponding to a first user terminal connected to the internal network to the first user terminal, and the first user terminal an internal network control step of allowing or blocking, by the blocking server, access to the internal network of the first user terminal based on a determination result according to the first internal policy information received from; By the authentication control unit, the authentication information received from the second user terminal connected to the external network is verified, and when the authentication information is verified as valid, an authentication token is generated and transmitted to the second user terminal, and the second An external network for transmitting routing information for establishing a communication channel for a service application and a service server installed in the second user terminal to the second user terminal based on the routing request information including the authentication token received from the user terminal control step; and, by the control server, in a state in which the established communication channel is stopped by the second user terminal in which the communication channel is established through the external network control step, second internal policy information corresponding to the second user terminal An integrated control step of providing to the second user terminal and resuming the communication channel stopped by the second user terminal based on a determination result according to the second internal policy information received from the second user terminal; to provide an integrated security method.

In an embodiment of the present invention, the authentication information includes identification information of the network system, identification information of the second user terminal, and user information about a user of the second user terminal, wherein the external network control step includes: , it is determined whether the identification information of the second user terminal and the user information included in the received authentication information are included in the database stored in the authentication control unit, and when it is determined that they are included, an authentication token is generated to generate the first 2 It can be provided to the user terminal.

In an embodiment of the present invention, the network system further includes an authentication verification unit, and in the integrated security method, the authentication information transmitted from the second user terminal through the external network control step by the authentication verification unit an authentication verification step of receiving and transmitting the authentication information to the authentication control unit when validated by verifying the identification information of the network system included in the authentication information; and the authentication verification unit receives the routing request information transmitted from the second user terminal through the external network control step, and verifies the identification information of the network system and the authentication token included in the routing request information. and a routing request verification step of transmitting the routing request information to the authentication control unit when verified as valid.

In an embodiment of the present invention, the step of controlling the external network includes the step of providing an external policy, and the step of providing the external policy includes an external policy from the second user terminal that has received the authentication token through the external network control step. receiving request information, and providing external policy information corresponding to the second user terminal to the second user terminal based on the external policy request information, wherein the external network control step includes: When the second user terminal provided with the policy information determines that the second user terminal conforms to the external policy information, the routing request information may be received from the second user terminal.

In an embodiment of the present invention, the network system further includes a distribution server, and the integrated security method includes, by the control server, the second user terminal from the second user terminal in the integrated control step. 2 A redirecting step of controlling the second user terminal to communicate with the distribution server when receiving a determination result determined not to conform to the internal policy information; and by the control server, when the second user terminal communicating with the distribution server through the redirecting step matches the second internal policy information, the communication channel stopped by the second user terminal is resumed It may further include; a communication channel resumption step.

In an embodiment of the present invention, the integrated security method is, by the control server, through the internal network control step, the internal network access is permitted or blocked at least one first user terminal and through the external network control step a status information layer on which status information of one or more second user terminals with established communication channels is displayed; and a policy setting layer that receives settings for the first internal policy information for the first user terminal and the second internal policy information for the second user terminal; The step of providing an interface to the manager terminal may be further included.

In order to solve the above problems, in an embodiment of the present invention, as a network system for performing an integrated security method for a first user terminal connected to an internal network and a second user terminal connected to an external network,

The network system includes a control server, a blocking server, and an authentication control unit, and provides, by the control server, first internal policy information corresponding to a first user terminal connected to the internal network to the first user terminal, an internal network control step of allowing or blocking, by the blocking server, access to the internal network of the first user terminal based on a determination result according to the first internal policy information received from the first user terminal; By the authentication control unit, the authentication information received from the second user terminal connected to the external network is verified, and when the authentication information is verified as valid, an authentication token is generated and transmitted to the second user terminal, and the second An external network for transmitting routing information for establishing a communication channel for a service application and a service server installed in the second user terminal to the second user terminal based on the routing request information including the authentication token received from the user terminal control step; and, by the control server, in a state in which the established communication channel is stopped by the second user terminal in which the communication channel is established through the external network control step, second internal policy information corresponding to the second user terminal An integrated control step of providing to the second user terminal and resuming the communication channel stopped by the second user terminal based on a determination result according to the second internal policy information received from the second user terminal; performing; to provide a network system.

According to an embodiment of the present invention, the control server permits or blocks access to the internal network of the first user terminal according to whether the first user terminal connected to the internal network conforms to the first internal policy information, and the authentication control unit After the communication channel for the second user terminal connected to the external network is established by the It is possible to exert the effect of integrally managing the security of the first user terminal connected to the network and the second user terminal connected to the external network.

According to an embodiment of the present invention, the control server provides a manager interface to the manager terminal, so that the manager can integrate the states of the first user terminal connected to the internal network and the second user terminal connected to the external network through the manager interface. can be confirmed, and the effect of setting policies for the first user terminal and the second user terminal can be exerted.

According to an embodiment of the present invention, since the control server controls each user terminal to communicate with the distribution server when the connection of the first user terminal and the second user terminal installed with the agent application is blocked, each user terminal Through communication with the distribution server, it is possible to exert the effect of allowing access by performing predetermined processes to conform to the policy.

According to an embodiment of the present invention, when the network connection of the first user terminal connected to the gateway of the internal network is to be blocked, the gateway address information set in the first user terminal is changed to the address information of the blocking server. , since it is possible to block in advance that the packet of the first user terminal to be blocked is transmitted to the network through the gateway, it is possible to reduce the load on the server corresponding to the network and the destination of the packet.

According to an embodiment of the present invention, since the first user terminal installed with the agent application can access the internal network when it meets the first internal policy information provided by the control server, various Policies can have the effect of improving the security of access to the internal network.

According to an embodiment of the present invention, the authentication information transmitted from the first user terminal on which the agent application is not installed includes not only the address information of the first user terminal, but also additional information such as packet size information, and the control server Since access to the internal network of the first user terminal is controlled based on the authentication information, it is possible to exert an effect of preventing access to the internal network by a malicious terminal having the same address information.

According to an embodiment of the present invention, when the control server does not permit the first user terminal to access the internal network, the address of the unauthorized first user terminal set in the remaining first user terminals connected to the internal network Since the information is changed to virtual address information, it is possible to exert an effect of improving the security of communication between the first user terminals connected to the internal network.

According to an embodiment of the present invention, since the second user terminal communicates with the authentication verification unit and the authentication control unit to establish a communication channel with the service server after access to the external network is permitted, access is permitted. It is possible to exhibit the effect of fundamentally blocking the access to the service server of the second user terminal until it is done.

According to an embodiment of the present invention, the authentication control unit can establish a communication channel with the service server after confirming the identification information of the second user terminal and the user information about the user of the second user terminal included in the authentication information. Since the authentication token is provided to the second user terminal, not only user information such as ID/PW, but also the second user terminal is checked, so that an unauthorized access to the second user terminal can be blocked.

According to an embodiment of the present invention, the authentication control unit provides the second internal policy information corresponding to the second user terminal, so that the second user terminal responds to the second internal policy information in the agent application installed on the second user terminal. Since the communication channel with the service server can be resumed when it is determined to be consistent, it is possible to exert the effect of allowing only the second user terminal that meets the policy set by the administrator of the network system to access the network system.

According to an embodiment of the present invention, the routing information provided to the second user terminal by the authentication control unit includes only the address information of the gateway through which communication with the service application of the second user terminal is established and the address information of the service server, so that the second It can have the effect of preventing the user terminal from accessing other components of the network system.

According to an embodiment of the present invention, since the authentication verification unit included in the network system verifies the information received from the second user terminal and transmits the information to the authentication control unit when verified as valid, the load of the authentication control unit is reduced. possible effect can be exerted.

1 schematically illustrates a network system for performing an integrated security method for a first user terminal connected to an internal network and a second user terminal connected to an external network according to an embodiment of the present invention.
2 schematically illustrates detailed steps of an integrated security method performed in a network system according to an embodiment of the present invention.
3 schematically shows detailed steps of an internal network control step performed in a network system according to an embodiment of the present invention.
4 schematically shows components of internal authentication information and access control information in the internal network control step according to an embodiment of the present invention.
5 shows gateway address information set in the first user terminal to which access to the internal network is not permitted and address information of the first user terminal not permitted to access the internal network set in the remaining first user terminals according to an embodiment of the present invention; schematically shown.
6 schematically illustrates components of exception policy information for a first user terminal on which a control server and an agent application are not installed according to an embodiment of the present invention.
7 schematically shows the execution processes of the authentication token providing step included in the external network control step performed in the network system and the authentication verification step performed by the authentication verification unit according to an embodiment of the present invention.
8 schematically illustrates the execution processes of the external policy request information verification step performed by the authentication verification unit and the external policy information providing step included in the external network control step according to an embodiment of the present invention.
9 schematically illustrates external policy information provided to a second user terminal according to an embodiment of the present invention.
10 schematically illustrates the routing information providing step included in the routing request verification step and the external network control step performed by the authentication verification unit according to an embodiment of the present invention.
11 schematically illustrates a process of establishing a communication channel for a service application according to routing information in a second user terminal according to an embodiment of the present invention.
12 schematically illustrates detailed steps of a redirect step and a communication channel resumption step performed by the control server according to an embodiment of the present invention.
13 schematically illustrates a state information layer of a manager interface displayed on a manager terminal according to an embodiment of the present invention.
14 schematically illustrates a policy setting layer of a manager interface displayed on a manager terminal according to an embodiment of the present invention.
15 schematically illustrates an internal configuration of a computing device according to an embodiment of the present invention.

Hereinafter, various embodiments and/or aspects are disclosed with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth to provide a thorough understanding of one or more aspects. However, it will also be recognized by one of ordinary skill in the art that such aspect(s) may be practiced without these specific details. The following description and accompanying drawings set forth in detail certain illustrative aspects of one or more aspects. These aspects are illustrative, however, and some of various methods may be employed in the principles of the various aspects, and the descriptions set forth are intended to include all such aspects and their equivalents.

Further, various aspects and features will be presented by a system that may include a number of devices, components and/or modules, and the like. It is also noted that various systems may include additional apparatuses, components, and/or modules, etc. and/or may not include all of the apparatuses, components, modules, etc. discussed with respect to the drawings. must be understood and recognized.

As used herein, “embodiment”, “example”, “aspect”, “exemplary”, etc. may not be construed as an advantage or advantage in any aspect or design being described over other aspects or designs. . The terms '~part', 'component', 'module', 'system', 'interface', etc. used below generally mean a computer-related entity, for example, hardware, hardware A combination of and software may mean software.

Also, the terms "comprises" and/or "comprising" mean that the feature and/or element is present, but excludes the presence or addition of one or more other features, elements, and/or groups thereof. should be understood as not

Also, terms including an ordinal number, such as first, second, etc., may be used to describe various elements, but the elements are not limited by the terms. The above terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, a first component may be referred to as a second component, and similarly, a second component may also be referred to as a first component. and/or includes a combination of a plurality of related listed items or any of a plurality of related listed items.

In addition, in the embodiments of the present invention, unless otherwise defined, all terms used herein, including technical or scientific terms, are generally understood by those of ordinary skill in the art to which the present invention belongs. have the same meaning as Terms such as those defined in a commonly used dictionary should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in an embodiment of the present invention, an ideal or excessively formal meaning is not interpreted as

1 is a network system (A) for performing an integrated security method for first user terminals 9100 and 9200 connected to an internal network and a second user terminal 9300 connected to an external network according to an embodiment of the present invention. schematically shown.

1, the network system (A) can implement an internal network like a local area network (LAN) through the components included in the network system (A), and the network system ( A) can be connected to an external network such as the Internet. The network system (A) includes a plurality of components to implement an internal network, and the plurality of components include a switch 8000, a gateway 6200, a blocking server 2000, a control server 1000, and distribution. A server 7000 and a service server 5000 may be included. In addition, the network system (A) includes a plurality of components to connect to an external network, and the plurality of components include an authentication verification unit 4000, an authentication control unit 3000, a gateway 6100, and a service server ( 5000) and the control server 1000, and the like.

Meanwhile, the network system (A) may be connected to one or more user terminals through an internal network and an external network, and in an embodiment of the present invention, the user terminals connected to the internal network are connected to the first user terminals 9100 and 9200. Therefore, a user terminal connected to the external network is called a second user terminal 9300 .

In the plurality of components for implementing the internal network, the switch 8000 is connected to one or more first user terminals 9100 and 9200 and the blocking server 2000 to receive a packet received from the gateway 6200. Gateway 6200 by receiving packets transmitted to the first user terminal or blocking server 2000 corresponding to the destination of the packet, or from one or more connected first user terminals 9100 and 9200 or blocking server 2000; The packet may be transmitted to the first user terminals 9100 and 9200 or the blocking server 2000 corresponding to the destination of the packet.

On the other hand, when the first user terminals 9100 and 9200 are connected to the switch 8000, the corresponding first user terminals 9100 and 9200 identify the switch 8000, and also the corresponding first user terminals 9100 and 9200) propagate identification information including its own address information to other components connected to the switch 8000 in a broadcasting manner, and other components use the transmitted identification information to the first user terminal ( 9100 and 9200), and when each of the other components receives the identification information, it transmits identification information including its own address information to the corresponding first user terminals 9100 and 9200, and the first The user terminals 9100 and 9200 may identify other components connected to the switch 8000 based on the received identification information. In this way, the components connected to the switch 8000 can identify other components, and thereafter, data can be transmitted/received to and from other components through the switch 8000 .

As shown in FIG. 1, the components connected to the switch 8000 include one or more user terminals 9100 and 9200 and a blocking server 2000, and in another embodiment of the present invention, as shown in FIG. However, a separate switch may correspond to a component connected to the switch 8000, and the separate switch may also be connected to one or more of the above-described components.

The gateway 6200 relays communication with a local network including the switch 8000 and one or more components connected to the switch 8000 and one or more servers or separate local networks connected to the gateway 6200. . Accordingly, the gateway 6200 may receive data transmitted from a server and transmit it to the switch 8000 , and may transmit data received from the switch 8000 to one or more corresponding servers. Meanwhile, the gateway 6200 may be connected to a plurality of switches, and may transmit corresponding data to a specific switch corresponding to data transmitted from a server.

Meanwhile, although FIG. 1 shows the switch 8000 and the gateway 6200 separately, in another embodiment of the present invention, the gateway 6200 is integrated with the switch 8000, function can be performed. Accordingly, in the following, in order to facilitate the description of the present invention, a plurality of components (a plurality of first user terminals and a blocking server 2000) connected to the switch 8000 shown in FIG. 1 are connected to the gateway 6200. Assume that it is directly connected and explain it.

In addition, the network system (A) of the present invention may include a plurality of gateways, and each gateway may be connected to one or more components to form a local network.

The blocking server 2000 is connected to the gateway 6200 described above, and accesses the gateway 6200 of the first user terminals 9100 and 9200 connected to the gateway 6200 under the control of the control server 1000 to be described later. permit or block Specifically, when the blocking server 2000 blocks access to the gateway 6200 of the specific first user terminal, the blocking server 2000 addresses the gateway 6200 address information identified by the specific first user terminal. By controlling the specific first user terminal to change to information, the data to be transmitted by the specific first user terminal to the gateway 6200 is transmitted to the blocking server 2000 .

The control server 1000 is connected to the gateway 6200 and transmits and receives data for permitting or blocking network access of one or more first user terminals 9100 and 9200 connected to the corresponding gateway 6200, permitting or blocking and transmits the control information to the blocking server 2000 connected to the corresponding gateway 6200 . In addition, the control server 1000 is connected to a gateway 6100 for an external network to be described later, and transmits and receives data for resuming a communication channel for one or more second user terminals 9300 connected to the external network, Data for resumption are transmitted to the gateway 6100 for the external network.

On the other hand, the control server 1000 can communicate with the manager terminal 9400 used by the manager, and the first user terminals 9100 and 9200 and the second to which network access to the manager terminal 9400 is permitted or blocked. It is possible to provide the status of the corresponding network system (A) like the current status of the user terminal 9300, and also the first internal policy information, the second internal policy information, the external policy information and Exception policy information can be received and stored.

The distribution server 7000 is the first user terminal (9100 and 9200) or the second user terminal 9300 when the network access is blocked by the control server 1000 (access to the internal network is blocked, In case the established communication channel is continuously stopped), the first user terminal 9100 and 9200 or the second user terminal 9300 communicates with the corresponding first user terminal 9100 and 9200 or the second user terminal The first user terminal ( 9100 and 9200) or the second user terminal 9300 performs communication in accordance with the corresponding first internal policy information or second internal policy information.

On the other hand, preferably, the first user terminal 9200 communicating with the distribution server 7000 is an agent application 9210 that can determine whether the corresponding first user terminal 9200 matches the first internal policy information. This may correspond to the installed first type of first user terminal 9200, and the second user terminal 9300 that communicates with the distribution server 7000 is also used for the second internal policy information. It is preferable that the agent application 9310 that can determine whether the terminal is compatible is installed. A detailed description thereof will be provided later.

The service server 5000 is connected to the gateways 6100 and 6200, and communicates with a first user terminal 9200 or a second user terminal 9300 in which a service application corresponding to the service server 5000 is installed. carry out That is, the service server 5000 performs communication with the service application installed in the first user terminal 9200 or the second user terminal 9300 to the first user terminal 9200 or the second user terminal 9300. A predetermined service is provided to the user.

On the other hand, in the network system (A) shown in Figure 1, including a single service server 5000, in another embodiment of the present invention, the network system (A) may include a plurality of service servers, the plurality of Each of the service servers may provide a unique service to the user by performing communication with one or more service applications.

The first user terminals 9100 and 9200 may be connected to the gateway 6200 to communicate with the gateway 6200 and other components connected to the gateway 6200 . Meanwhile, in the present invention, the first user terminals 9100 and 9200 may be divided into two types. The first type of first user terminal 9200 determines whether the first type of first user terminal 9200 conforms to the first internal policy information according to the first internal policy information provided from the control server 1000 . It corresponds to the first user terminal 9200 in which the agent application 9210 that can be determined is installed. In addition, the first type of first user terminal 9200 may install or remove any application, such as a desktop PC, a smartphone, or a notebook computer, according to a user's input or the first user terminal 9200 itself. The second type of first user terminal 9100 may correspond to the first user terminal 9100 in which the agent application cannot be installed. For example, the first user terminal 9100 of the second type corresponds to the first user terminal 9100 that cannot additionally install or delete any application, such as an agent application, such as a printer, scanner, or multifunction device, The second type of first user terminal 9100 may correspond to a first user terminal performing only a specific function or service.

Meanwhile, in the plurality of components included in the network system (A) for connecting to the external network, the authentication verification unit 4000 and the authentication control unit 3000 communicate with the second user terminal 9300 . to verify the second user terminal 9300, and when the second user terminal 9300 is verified normally, the second user terminal 9300 is connected to the network system A, specifically the service Control to establish a communication channel with the server (5000). That is, the authentication verification unit 4000 and the authentication control unit 3000 allow the second user terminal 9300 to establish a communication channel for exchanging service data with the network system A so that the second user It serves to control the terminal 9300 .

The gateway 6100 serves to relay communication between the second user terminal 9300 and the service server 5000 . The gateway 6100 is connected to the service server 5000 and transmits the data of the second user terminal 9300 to the service server 5000 corresponding to the data according to the data received from the second user terminal 9300. can provide In addition, the gateway 6100 is not exposed when the second user terminal 9300 attempts to access the network system A for the first time through an external network, and the second user terminal 9300 uses the authentication verification unit 4000 ) and when a communication channel with the service server 5000 is established through the authentication control unit 3000 , the second user terminal 9300 transmits data for communicating with the service server 5000 to the gateway 6100 . can do.

Meanwhile, in another embodiment of the present invention, the network system A may include a plurality of gateways 6100 and 6200, and each of the plurality of gateways 6100 and 6200 is a first user terminal 9100 connected to an internal network. and 9200) or the second user terminal 9300 connected to an external network and the service server 5000 may relay communication.

In addition, the network system (A) shown in FIG. 1 has a gateway 6200 relaying the first user terminals 9100 and 9200 connected to the internal network and a gateway relaying the second user terminal 9300 connected to the external network. Although each of 6100 is included, in another embodiment of the present invention, the network system A includes a single gateway, the first user terminals 9100 and 9200 connected to the internal network and the external network to which the gateway is connected. All of the second user terminals 9300 connected to may be relayed.

Meanwhile, the second user terminal 9300 includes an agent application 9310 and one or more service applications 9320 .

The agent application 9310 derives information for requesting permission to access the service server 5000 of the second user terminal 9300 from the authentication verification unit 4000 and the authentication control unit 3000, or It can be determined whether the corresponding second user terminal 9300 conforms to the policy information according to the policy information generated by the control unit 3000 or the control server 1000, and an operating system installed in the second user terminal 9300; OS) so that a communication channel between the service application 9320 and the service server 5000 installed in the second user terminal 9300 can be established. On the other hand, the agent application 9310 may be installed in the second user terminal 9300 through the distribution server 7000 included in the network system (A).

In addition, in an embodiment of the present invention, the agent application 9310 installed in the second user terminal 9300 communicates with the authentication control unit 3000 to provide external policy information to the second user terminal 9300. The second user terminal determines whether this is consistent with the second internal policy information provided by performing communication with the authentication control unit communication module 9311 and the control server 1000 capable of establishing a communication channel according to the determination result. It may include a control server communication module 9312 capable of determining whether 9300 matches, and resuming an established communication channel according to the determination result. Meanwhile, the control server communication module 9312 may correspond to the agent application 9210 installed in the first user terminal 9200 described above.

In another embodiment of the present invention, the agent application 9310 including the authentication control unit communication module 9311 and the control server communication module 9312 is not installed in the second user terminal 9300, but the authentication control unit communication module ( 9311) and the control server communication module 9312 may each be installed in the second user terminal 9300 as separate applications.

The network system (A) of the present invention may communicate with the second user terminal 9300 connected to an external network through two channels. Specifically, when the second user terminal 9300 first accesses the network system A through the agent application 9310, specifically, the authentication control unit communication module 9311, the second user terminal 9300 is authenticated. A communication channel for the second user terminal 9300 to access the service server 5000 through a channel (shown by a dotted line in FIG. 1) for performing communication with the verification unit 4000 (indicated by a solid line in FIG. 1) It is possible to perform a series of communication to establish And when the second user terminal 9300 establishes a communication channel, the agent application 9310 of the second user terminal 9300, specifically, the communication channel established in the control server communication module 9312 is stopped, The control server communication module 9312 may perform a series of communication for resuming a communication channel through the integrated control step performed by the control server 1000, and when the communication channel is resumed, the second user terminal The service application 9320 and the service server 5000 installed in the 9300 may perform a series of communication for providing a service to the user through the communication channel.

That is, the control server 1000 permits or blocks the access of the first user terminals 9100 and 9200 connected to the internal network, and the second user terminal 9300 connected to the external network communicates with the authentication control unit 3000 through the communication channel. By controlling whether to use the communication channel after this is established, the control server 1000 can manage the security of the first user terminals 9100 and 9200 and the second user terminal 9300 in an integrated manner.

2 schematically shows detailed steps of the integrated security method performed by the network system (A) according to an embodiment of the present invention.

As shown in FIG. 2, as an integrated security method for a first user terminal 9200 connected to an internal network and a second user terminal 9300 connected to an external network performed by the network system (A), the network system ( A) includes a control server 1000, a blocking server 2000, and an authentication control unit 3000, and by the control server 1000, a first corresponding to a first user terminal 9200 connected to the internal network. Internal policy information is provided to the first user terminal 9200, and based on a determination result according to the first internal policy information received from the first user terminal 9200, the blocking server 2000 causes the second 1 An internal network control step of allowing or blocking access to the internal network of the user terminal 9200; When the authentication information received from the second user terminal 9300 connected to the external network is verified by the authentication control unit 3000 and the authentication information is validated, an authentication token is generated and the second user terminal ( 9300) and establish a communication channel for the service application and service server installed in the second user terminal 9300 based on the routing request information including the authentication token received from the second user terminal 9300 an external network control step of transmitting routing information to the second user terminal 9300; and in a state in which the communication channel established by the second user terminal 9300 in which the communication channel is established through the external network control step is stopped by the control server 1000, the second user terminal 9300 provides second internal policy information corresponding to It may include; an integrated control step of resuming the communication channel stopped by (9300).

Specifically, the control server 1000 performs the internal network control step to obtain the first internal policy information corresponding to the first user terminal 9200, specifically, the first type of first user terminal 9200. transmit (S10). In step S10, the first internal policy information may be transmitted to the first user terminal 9200 through the gateway 6200 to which the first user terminal 9200 is connected. Meanwhile, the first user terminal 9200 determines whether the first user terminal 9200 matches the received first internal policy information (S11), preferably installed in the first user terminal 9200 Step S11 may be performed in the agent application.

On the other hand, the control server 1000 receives the determination result on the first internal policy information from the first user terminal 9200 (S12), and according to the determination result, the inside of the first user terminal 9200 Deriving access control information for controlling to permit or block network access (S13), and transmit the access control information to the blocking server 2000 connected to the same gateway 6200 as the first user terminal 9200 (S14) do.

The blocking server 2000 receiving the access control information performs control (S15) for permitting or blocking access to the internal network of the first user terminal 9200 according to the access control information. Specifically, in step S15, when it is desired to allow access to the internal network of the first user terminal 9200, data can be transmitted using the gateway address information set in the first user terminal 9200, and the first user When it is desired to block the access of the terminal 9200 to the internal network, the control is performed to change the gateway address information set in the first user terminal 9200 to predetermined address information.

As such, the internal network control step may permit or block access of the first user terminal 9200 connected to the internal network, and a detailed description of the internal network control step will be described later with reference to FIGS. 3 to 6 .

The external network control step performed by the authentication control unit 3000 receives authentication information from the second user terminal 9300 connected to the external network (S16). Specifically, when the user of the second user terminal 9300 executes the agent application 9310 installed in the second user terminal 9300, more specifically, the authentication control unit communication module 9311, the authentication control unit communication The module 9311 generates authentication information and transmits it to the authentication control unit 3000 .

The authentication control unit 3000 that has received the authentication information verifies the authentication information by determining whether the authentication information corresponds to the authentication information stored in the authentication control unit 3000 (S17), and verifies that the authentication information is valid In one case, an authentication token that enables the second user terminal 9300 to establish a communication channel is generated (S18), and the authentication token is transmitted to the second user terminal 9300 (S19). Meanwhile, when the authentication information is not verified as valid in the authentication control unit 3000 , the received authentication information may be discarded, and information indicating that the authentication information is not verified may be transmitted to the second user terminal 9300 .

On the other hand, the second user terminal 9300 derives routing request information for establishing a communication channel when receiving the authentication token (S20), and the authentication control unit 3000 receives the authentication token from the second user terminal 9300. Routing request information is received (S21). Specifically, routing request information including the authentication token received from the authentication control unit communication module 9311 of the second user terminal 9300 may be derived ( S20 ) and transmitted to the authentication control unit 3000 .

The authentication control unit 3000 derives routing information for establishing a communication channel between the second user terminal 9300 and the service server 5000 based on the received routing request information (S22), and the second user terminal ( 9300) to transmit the routing information (S23). Specifically, the authentication control unit 3000 determines the authentication token included in the routing request information, verifies the validity of the routing request information, and derives routing information when it is verified as valid (S22), and the routing information is Corresponding to the address information of the gateway in the service application 9320 of the second user terminal 9300, including address information of the gateway and the address information of the service server for performing communication with the second user terminal 9300 Through the gateway, communication can be performed to the service server corresponding to the address information of the service server.

In this way, the external network control step enables the second user terminal 9300 and the service server 5000 connected to the external network to establish a communication channel for communication, and specifically, the second user terminal 9300 When the communication channel established through the integrated control step performed by the control server 1000 can be used, the communication with the service server 5000 cannot be immediately performed by performing the external network control step. Communication can be performed by resuming the channel.

Meanwhile, a detailed description of the external network control step will be described later with reference to FIGS. 7 to 11 .

Specifically, the agent application 9310 of the second user terminal 9300, more specifically, the control server communication module 9312 stops using the communication channel established through the external network control step (S24), Thereafter, the integrated control step performed by the control server 1000 transmits second internal policy information to the second user terminal 9300 (S25). To this end, the control server 1000 transmits the second internal policy information to the second user terminal 9300 through a gateway 6100 connected to an external network, or through a separate communication channel to the second user terminal ( 9300), the second internal policy information may be transmitted.

The agent application 9310 of the second user terminal 9300 that has received the second internal policy information, specifically, the control server communication module 9312, includes the second user terminal 9300 in the second internal policy information. It is determined whether it matches (S26), and the control server 1000 receives the determination result from the second user terminal 9300 (S27).

On the other hand, in another embodiment of the present invention, the first internal policy information and the second internal policy information may be determined according to the type and user information of the corresponding first user terminal 9200 and the second user terminal 9300 . Also, the first internal policy information and the second internal policy information may be the same.

The control server 1000 controls (S28) the communication channel to resume use or stop using the communication channel that has been established after being established according to the received determination result. Specifically, when the determination result is that the second user terminal 9300 does not conform to the second internal policy information, the second user terminal ( 9300), and when the determination result is that the second user terminal 9300 conforms to the second internal policy information, the second user terminal 9300 can be controlled to resume the stopped communication channel. .

In this way, the control server 1000 controls the access of the first user terminal 9200 connected to the internal network through the internal network control step, and the second user terminal 9300 with the communication channel established through the integrated control step. By controlling access, security for all user terminals connected to the internal network and external network can be managed in an integrated way.

3 schematically shows detailed steps of an internal network control step performed by the network system A according to an embodiment of the present invention.

As shown in FIG. 3 , in the internal network control step, the first type of first user terminal 9200 connected to the gateway 6200 by the control server 1000 and installed with the agent application 9210 installed. provides the first internal policy information corresponding to the first type of the first user terminal 9200 to the first type of the first user terminal 9200 derived from the agent application 9210 is the first a policy determination result receiving step of receiving a determination result as to whether or not it conforms to the internal policy information; It is connected to the gateway 6200 and requests internal authentication information to the first user terminal 9100 of the second type in which the agent application 9210 is not installed, and the first user terminal 9100 of the second type is not installed. ) an internal authentication information verification step of verifying the internal authentication information received from; and the first type of first user terminal 9200 and the second type according to the determination result received through the policy determination result receiving step and the verification result for the internal authentication information in the internal authentication information verification step. Access control information derivation step of deriving access control information for controlling access to the internal network for each of the first user terminals 9100 and providing it to the blocking server 2000; including, the blocking server 2000, Connection to the gateway 6200 for each of the first type of first user terminal 9200 and the second type of first user terminal 9100 based on the access control information received through the access control information derivation step A connection control step of controlling the ; can be performed.

Specifically, the control server 1000 performs the policy determination result receiving step to provide a first internal policy corresponding to the first user terminal 9200 of the first type to the first user terminal 9200 of the first type. The information is transmitted (S30 and S31) to the first user terminal 9200 of the first type through the gateway 6200, and the agent application 9210 installed in the first user terminal 9200 of the first type is It is determined whether the first type of first user terminal 9200 matches the received first internal policy information.

More specifically, the first internal policy information includes one or more policies, such as whether the firewall is set on the first user terminal, whether or not the operating system system of the first user terminal is updated, and the agent application 9210 is the It may be determined whether the type 1 first user terminal 9200 follows each policy. Accordingly, the agent application 9210 is given the right to access the operating system (OS) installed in the first type of first user terminal 9200 in order to determine whether the policy conforms. can

Thereafter, in the policy determination result receiving step, a determination result of whether the first type of first user terminal 9200 conforms to the first internal policy information is received from the agent application 9210 through the gateway 6200. (S33 and S34).

In another embodiment of the present invention, the step of receiving the policy determination result is performed when the first type of first user terminal 9200 accesses the gateway 6200 for the first time, or accesses the gateway 6200. Afterwards, it may be periodically performed according to a preset period.

On the other hand, the control server 1000 performs an internal authentication information verification step for the first user terminal 9100 of the second type in which the agent application 9210 is not installed, and the first user terminal of the second type ( 9100) receives internal authentication information. Specifically, in the internal authentication information verification step, the internal authentication information is requested (S35 and S36) from the first user terminal 9100 of the second type through the gateway 6200, and the second type first The user terminal 9100 derives internal authentication information according to the received request for internal authentication information (S37).

Thereafter, the internal authentication information verification step receives the internal authentication information derived from the first user terminal 9100 of the second type through the gateway 6200 (S39), and verifies the received internal authentication information (S39). S40). More specifically, the internal authentication information verification step verifies whether the received internal authentication information is included in the exception policy information stored in the control server 1000, which will be described in detail later.

The control server 1000, which has received the determination result for the first internal policy information and verified the internal authentication information, performs the access control information derivation step and transmits the determination result by the first type of first user Deriving access control information for allowing or blocking access to a network (internal network) for each of the terminal 9200 and the second type of first user terminal 9100 that has transmitted the internal authentication information (S41), and the The access control information is transmitted to the blocking server 2000 through the gateway 6200 (S42 and S43).

More specifically, in the step of deriving access control information, the determination result derived from the agent application 9210 of the first type of first user terminal 9200 is the first type of the first user terminal 9200 of the first When it is determined that the internal policy information is satisfied, third control information for controlling to allow access to the internal network of the first type of first user terminal 9200 is included in the access control information, and on the contrary, the first type When the determination result derived from the agent application 9210 of the first user terminal 9200 of the first type determines that the first user terminal 9200 of the first type does not conform to the first internal policy information, the first type Fourth control information for controlling to block access to the internal network of the first user terminal 9200 may be included in the access control information.

In addition, in the access control information derivation step, when the internal authentication information derived from the second type first user terminal 9100 is verified as valid, the internal network of the second type first user terminal 9100 The first control information for controlling to allow access is included in the access control information, and, conversely, when the internal authentication information derived from the first user terminal 9100 of the second type is verified as invalid, the second Second control information for controlling to block access to the internal network of the two types of the first user terminal 9100 may be included in the access control information.

In another embodiment of the present invention, the access control information derived in the access control information derivation step includes one or more control information for controlling access to the internal network of each of the one or more user terminals to be permitted or blocked, and according to the type of the user terminal The control information may correspond to the third control information or the fourth control information, or may correspond to the first control information or the second control information.

The blocking server 2000 receiving the access control information from the control server 1000 performs the access control step, and controls to allow or block access to the internal network for each user terminal.

More specifically, in the access control step, when the first control information for the second type of first user terminal 9100 is included in the access control information, the second type of first user terminal 9100 control to permit access to the internal network of ) to block access to the internal network.

Similarly, in the access control step, when the third control information for the first type of first user terminal 9200 is included in the access control information, the inside of the first type of first user terminal 9200 is Control to allow network access, and when the access control information includes fourth control information for the first type of first user terminal 9200, the first type of first user terminal 9200 Control to block access to the internal network.

In one embodiment of the present invention, the access control step controls the address information of the gateway 6200 set in the first user terminal not to be changed when permitting the internal network access of the first user terminal, When the network access of the user terminal is blocked, the control is performed so that the address information of the gateway 6200 set in the first user terminal is changed to the address information of the blocking server 2000 . Accordingly, since data to be transmitted from the first user terminal controlled to be changed to the address information of the blocking server 2000 to the gateway 6200 is transmitted to the blocking server 2000 by detour, the blocked first user terminal It can have the effect of fundamentally blocking the data of

In another embodiment of the present invention, when the access to the gateway 6200 of the first user terminal is permitted or blocked by the blocking server 2000, the control server 1000 is 1 Receive status information on permission or block access of a user terminal, and transmit it to the manager terminal so that an administrator using the manager terminal can easily recognize the status of permission or block access of the first user terminal may be

4 schematically shows components of internal authentication information and access control information in the internal network control step according to an embodiment of the present invention.

As shown in FIG. 4 , the internal authentication information verification step requests the first user terminal 9100 of the second type for internal authentication information including address information of the first user terminal, and the second type It can be verified whether the address information included in the internal authentication information received from the first user terminal 9100 of is stored in the control server 1000 .

Specifically, as shown in (A) of Figure 4, the internal authentication information verification step in requesting the internal authentication information to the first user terminal 9100 of the second type, the first user terminal of the second type Requests internal authentication information including address information of 9100, and the second type of first user terminal 9100 derives internal authentication information including its own address information according to the request, and the control server 1000 ) to send

More specifically, the address information of the user terminal includes the IP address and the MAC address of the user terminal, and the internal authentication information verification step includes not only the address information of the user terminal, but also the installed operating system system information of the user terminal, and information on the connected network. Requests internal authentication information including name information, connected port information, and packet size information transmitted from the user terminal to the network. Accordingly, the first user terminal 9100 of the second type derives internal authentication information including respective pieces of information according to a request and transmits it to the control server 1000 .

Accordingly, the internal authentication information verification step verifies the internal authentication information by determining whether each information included in the internal authentication information is included in the exception policy information stored in the control server 1000 . As such, requesting that the internal authentication information includes not only the address information of the user terminal but also various information is simply verifying the address information. Since network access is permitted in the Therefore, in order to improve this problem, the internal authentication information verification step requests internal authentication information including various information including address information from the first user terminal 9100 of the second type.

On the other hand, as shown in (B) of FIG. 4, the access control information derived in the access control information derivation step is based on the type of the first user terminals 9100 and 9200 to allow or block network (internal network) access. It includes different control information according to the Specifically, the access control information derived based on the internal authentication information in the access control information derivation step includes first control information when it is intended to allow the network access of the first user terminal 9100 of the second type, The second type of control information is included in the case of blocking network access of the first user terminal 9100 of the second type.

In addition, the access control information derived based on the determination result derived from the agent application 9210 installed in the first type of first user terminal 9200 in the access control information derivation step is the first type of first user terminal ( 9200) includes third control information when it is intended to allow network access, and includes fourth control information when it is desired to block network access of the first type of first user terminal 9200.

On the other hand, the access control information derived based on the internal authentication information and the determination result in the access control information derivation step is the first control information or the second type of the first user terminal 9100 corresponding to the internal authentication information. The second control information may be included, and third control information or fourth control information for the first type of first user terminal 9200 corresponding to the determination result may be further included.

5 is a view of the gateway 6200 address information set in the first user terminal to which access to the internal network is not permitted according to an embodiment of the present invention and the first user terminal to which access to the internal network set in the remaining first user terminals is not permitted according to an embodiment of the present invention. Address information is schematically shown.

The access control information includes first control information and the second type of first user terminal ( 9100), and the access control step includes a second control information corresponding to the second control information when the second control information is included in the access control information. With respect to the first type of user terminal 9100 , the address information of the gateway 6200 set in the first user terminal of the second type may be controlled to be changed to the address information of the blocking server 2000 .

Meanwhile, in FIG. 5(A), only changing the address information of the gateway 6200 in order to block access to the network (internal network) of the first type of first user terminal is illustrated, but the access control step is performed in the second type In the case of blocking access to the network (internal network) of the first user terminal 9100 of

Specifically, when the first user terminal #1 of the first type shown on the left side of FIG. 5A is first connected to the gateway, IP254 and MAC254, which are address information of the gateway, are identified through a broadcasting method. Meanwhile, the identified address information of the gateway may be stored in an Address Resolution Protocol (ARP) cache table of the first user terminal #1 of the first type.

In addition, even in the case where network access of the first type of first user terminal #1 is previously controlled to be permitted according to the access control information on the first type of first user terminal #1, in FIG. As shown, address information of a gateway 6200 may be stored in the first user terminal #1 of the first type.

On the other hand, fourth control information for controlling to block the network access of the first user terminal #1 of the first type to the access control information derived based on the determination result transmitted from the first user terminal #1 of the first type When is included, the address information of the gateway 6200 stored by the access control step performed by the blocking server 2000 of the first type of first user terminal #1 is shown in FIG. 5(A). may be changed as indicated.

Specifically, as the access control step is performed, the address information of the gateway 6200 stored in the first type of first user terminal #1, which is controlled to block access to the network, is changed to the address information of the blocking server 2000. . In the diagram on the right side of FIG. 5A , the address information of the gateway 6200 is changed to IP101 and MAC101 corresponding to the address information of the blocking server 2000 .

In this way, the address information of the gateway 6200 stored in the first user terminal from which access to the network is blocked is changed to the address information of the blocking server 2000, and thereafter, the A packet is transmitted to the blocking server 1000 according to the changed address information, and the blocking server 1000 drops the received packet or, when receiving the packet, the first user terminal and the distribution server ( 7000) to perform communication.

On the other hand, in the access control step, when the second control information is included in the access control information, for the remaining first user terminals except for the first user terminal of the second type corresponding to the second control information It is possible to control the address information of the first user terminal of the second type corresponding to the second control information set in the remaining first user terminals to be changed to virtual address information.

Specifically, in FIG. 5B , as the network (internal network) access of the first type of first user terminal 9200 is blocked, the first type of user terminals 9200 set in the remaining first user terminals Although only the case where the address information is changed, the access control step is performed in the second type first user terminal set in the remaining first user terminals as the network (internal network) access of the second type first user terminal is blocked. address information may be changed.

Specifically, the access control step includes not only controlling to change the address information of the gateway 6200 stored in the first user terminal to block access to the network, but also controlling the gateway 6200 except for the first user terminal. Control may also be performed on one or more remaining first user terminals connected to , based on the access control information.

More specifically, each of the first user terminals identifies one or more first user terminals that are already connected to the gateway 6200 through a broadcasting method when accessing the gateway 6200, and each of the one or more Address information of the user terminal can be stored in the ARP cache table. That is, as shown on the left side of FIG. 5B , as described in FIG. 5A , network access is provided to the first type of first user terminal #2 corresponding to the remaining first user terminal. IP2 and MAC2 corresponding to the address information of the first user terminal #1 of the first type controlled to be blocked are stored.

Thereafter, in the access control step, the gateway address information for the first type of first user terminal #1 is changed to the address information of the blocking server, and the first type of first information stored in one or more remaining first user terminals The address information of the user terminal #1 is changed to predetermined address information. In the right diagram of FIG. 5B, the address information of the first user terminal #1 of the first type stored in the first user terminal #2 of the first type corresponding to the remaining first user terminals is the blocking server (2000). As illustrated as being changed to the address information of It may be information.

As such, in the access control step, the address information of the first user terminal to be blocked stored in the remaining first user terminals except for the first user terminal to block access to the network is changed to predetermined address information, and the remaining By preventing communication between the first user terminal and the first user terminal to be blocked, the effect of protecting the remaining first user terminals may be exhibited.

In addition, the one or more remaining first user terminals described above correspond to one or more remaining first user terminals except for the first user terminals controlled to block access to the network through the access control step, but in another embodiment of the present invention The first user terminals whose network access is already blocked may not be included in the one or more remaining first user terminals.

6 schematically shows components of the exception policy information 1520 for the control server 1000 and the first user terminal on which the agent application is not installed according to an embodiment of the present invention.

6A schematically shows components included in the control server 1000 . The control server 1000, the policy determination result receiving unit 1100 for performing the policy determination result receiving step for the first type of first user terminal, the internal authentication information verification step for the second type of first user terminal Access control information for controlling the access to the network (internal network) of the corresponding first user terminal according to the information derived through the internal authentication information verification unit 1200, the policy determination result receiving step, and the internal authentication information verification step to be performed An access control information derivation unit 1300 that performs an access control information derivation step for deriving a include Each step is omitted as described above.

Meanwhile, the control server 1000 further includes a DB 1500 , and the DB 1500 includes policy information 1510 and exception policy information 1520 .

The policy information 1510 is provided to the agent application installed in the first type of first user terminal to determine whether the first type of first user terminal is compatible with the first internal policy information, authentication installed in the second user terminal External policy information provided to the control unit communication module 9311 to determine whether the second user terminal conforms and provided to the control server communication module 9312 installed in the second user terminal to determine whether the second user terminal conforms and second internal policy information.

The policy information 1510 may include one or more policies, the policy information 1510 may be input by an administrator on the administrator terminal 9400, and the control server 1000 may include the administrator terminal 9400. It may receive the policy information 1510 input from the , and store it in the DB 1500 .

The policy information 1510 may be different depending on the state or type of the first type of first user terminal and/or the user who uses the first type of first user terminal, and similarly, the state or type of the second user terminal It may be different depending on the type and/or the user who uses the second user terminal. For example, the first internal policy information may be different depending on whether the first type of first user terminal is a mobile terminal or a desktop terminal, and the network authority of the user who uses the first type of first user terminal; For example, when the network is a network operated within a company, the first internal policy information may be different according to a user's rank and department. Accordingly, the DB 1500 of the control server 1000 may store a plurality of policy information 1510 according to the state or type of the user terminal and/or the user.

The exception policy information 1520 corresponds to information for verifying the internal authentication information received from the first user terminal of the second type in the internal authentication information verification step. That is, the internal authentication information verification step may verify whether the received internal authentication information matches the exception policy information 1520 .

The exception policy information 1520 includes IP address information and MAC address information included in address information about the user terminal, name information of the user terminal in the network, information about the operating system of the user terminal, access port information, and It further includes information on the size of the packet transmitted from the user terminal. The exception policy information 1520 may also be input by an administrator on the manager terminal 9400, and the control server 1000 receives the exception policy information 1520 input from the manager terminal 9400 and receives the DB ( 1500) can be stored.

In the DB 1500 of the control server 1000 , exception policy information 1520 corresponding to a kind of standard for allowing an administrator to access a network may be stored for each one or more second type first user terminals. On the other hand, in requesting internal authentication information from the first user terminal of the second type in the internal authentication information verification step, internal authentication information including a plurality of pieces of information included in the exception policy information 1520 is requested, and the In the internal authentication information verification step, when the internal authentication information transmitted from the first user terminal of the second type corresponds to the exception policy information 1520 stored in the DB 1500 of the control server 1000, the internal authentication information verifies that it is valid.

In this way, the internal authentication information verification step does not verify only the address information of the first user terminal of the second type, but additionally verifies one or more pieces of information that can be provided by the first user terminal of the second type. In the case where the first user terminal is controlled to be able to access the network, it is possible to prevent other user terminals having the same address information as the first user terminal of the second type from indiscriminately accessing the network. can exert

7 schematically illustrates the steps of providing an authentication token included in the external network control step performed in the network system and performing the authentication verification step performed by the authentication verification unit 4000 according to an embodiment of the present invention.

As shown in FIG. 7 , the network system includes an authentication verification unit 4000 and an authentication control unit 3000 , and by the authentication verification unit 4000 , the second user terminal in which the agent application 9310 is installed. An authentication verification step of verifying the authentication information received from (9300) and transmitting the validated authentication information to the authentication control unit (3000); and the external network control step performed by the authentication control unit 3000 includes an authentication token providing step of generating an authentication token based on the authentication information received through the authentication verification step and providing the authentication token to the second user terminal 9300; Including, wherein the authentication information includes the identification information of the network system, the identification information of the second user terminal 9300, and user information about the user of the second user terminal 9300, the authentication verification step verifies the identification information of the network system included in the authentication information, and transmits the authentication information to the authentication control unit 3000 when verified as valid, and the authentication token providing step is from the authentication verification step It is determined whether the identification information of the second user terminal 9300 and the user information included in the received authentication information are included in the database stored in the network system, and when it is determined that they are included, an authentication token is generated and the It may be provided to the second user terminal 9300 .

Specifically, the user executes the agent application 9310 installed in the second user terminal 9300, the user inputs user information through the agent application 9310, and the second user terminal 9300 is the user's User information input may be received (S50). Meanwhile, the user information may correspond to one of various pieces of information that can identify a user who uses the second user terminal 9300 . For example, the user information may correspond to ID/PW information or may correspond to user-specific biometric information such as fingerprint information.

More specifically, as the user executes the authentication control unit communication module 9311 included in the agent application 9310 installed in the second user terminal 9300, the user information can be input through the authentication control unit communication module 9311. have.

On the other hand, the agent application 9310 derives authentication information including the received user information (S51). Specifically, the authentication information includes identification information of the network system, identification information of the second user terminal 9300, and the user information.

The identification information of the network system may correspond to identification information on a network implemented inside the network system. For example, when the network system implements a network within a company, the identification information of the network system may correspond to identification information for the corresponding company, such as an ID for the corresponding company. The identification information of the second user terminal 9300 may correspond to unique information for identifying the second user terminal 9300 used by the user, and the identification information of the second user terminal 9300 is the corresponding second It may correspond to unique information about the second user terminal 9300, such as a MAC address (Media Access Control Address) of the user terminal 9300 or a Unique Device Identifier (UDID) provided by iOS. Meanwhile, the identification information of the network system and the identification information of the second user terminal 9300 may be pre-stored in the memory of the second user terminal 9300 .

Meanwhile, the authentication information is generated in the form of packet data including a header and a body, the header includes identification information of the network system, and the body includes identification information of the second user terminal 9300 and the user information may include In this way, the agent application 9310 transmits the generated authentication information to the authentication verification unit 4000 (S52).

The authentication verification unit 4000 verifies the authentication information received from the second user terminal 9300 by performing the authentication verification step (S53). Specifically, in the authentication verification step, it is verified whether the identification information of the network system included in the header of the authentication information matches the identification information of the network system including the authentication verification unit 4000 ( S53 ). The authentication verification unit 4000 may store identification information of a network system including itself in order to verify the received authentication information.

On the other hand, if the authentication information received in the authentication verification step is verified as valid, the authentication information is transmitted to the authentication control unit 3000 (S54), and if the authentication information is not verified as valid, that is, the When the identification information of the network system included in the authentication information does not match the identification information of the network system including the authentication verification unit 4000, the received authentication information is dropped, or the second authentication information is transmitted The verification result of the authentication information may be transmitted to the agent application 9310 of the user terminal 9300 .

On the other hand, the authentication control unit 3000 performs the authentication token providing step to verify the body of the authentication information received from the authentication verification unit 4000 (S55), and according to the verification result, the second user terminal 9300 An authentication token capable of establishing communication between the service application and the service server may be generated (S56).

Specifically, the step of providing the authentication token verifies the identification information and user information of the second user terminal 9300 included in the body of the received authentication information. To this end, the authentication token providing step determines whether the identification information of the second user terminal 9300 and the user information are stored in the authentication control unit 3000 or a database included in the network system. In an embodiment of the present invention, identification information and user information of the second user terminal 9300 stored in the database may be received through the above-described manager terminal. In another embodiment of the present invention, as the user of the second user terminal 9300 performs a procedure such as user registration through the agent application 9310, the identification information of the second user terminal 9300 and The user information may be automatically stored.

On the other hand, the authentication token providing step verifies the authentication information (S55), generates an authentication token (S56) when the corresponding authentication information is verified as valid, and uses the generated authentication token through the authentication verification unit 4000 The agent application 9310 is transmitted to the second user terminal 9300 installed (S57 and S58). The authentication token generated through the authentication token providing step means that the second user terminal 9300 is authenticated, and thereafter, when the second user terminal 9300 transmits data to the authentication verification unit 4000, the authentication token is transmitted, and the authentication verification unit 4000 provides the corresponding data to the authentication control unit 3000 by confirming the authentication token.

In addition, the authentication verification unit 4000 that has received the authentication token may store the authentication token, and then verify the authentication token included in the data received from the agent application 9310, and the second user terminal ( 9300) In addition, when the received authentication token is stored (S59), and then data is transmitted to the authentication verification unit 4000, the authentication token stored in the data may be included.

In this way, the authentication verification unit 4000 verifies the validity of data to be transmitted from the second user terminal 9300 to the authentication control unit 3000, and provides only the data verified as valid to the authentication control unit 3000, The security of the authentication control unit 3000 may be improved, and the load of the authentication control unit 3000 may be reduced.

On the other hand, as the second user terminal 9300 receives the authentication token generated in the authentication token providing step, it can be determined that the authentication information is normally verified in the agent application 9310 of the second user terminal 9300. , in another embodiment of the present invention, in the step of providing the authentication token, authentication result information indicating that verification of the authentication information has been normally performed together with the authentication token may be provided to the second user terminal 9300 .

FIG. 8 schematically illustrates the execution processes of the external policy information providing step included in the external policy request information verification step and the external network control step performed by the authentication verification unit 4000 according to an embodiment of the present invention.

As shown in FIG. 8 , after the authentication token providing step is performed by the authentication verification unit 4000 , the identification information of the network system and the authentication token are included from the second user terminal 9300 . receives the external policy request information, verifies the identification information of the network system and the authentication token included in the external policy request information, and when verified as valid, the external policy request information to the authentication control unit 3000 Transmitting external policy request information verification step; And the external network control step performed by the authentication control unit 3000 is based on the external policy request information received through the external policy request information verification step, the second user terminal 9300 and the second user terminal ( 9300), an external policy information providing step of providing the external policy information to the second user terminal 9300 by deriving the external policy information corresponding to the user.

Specifically, the second user terminal 9300 provided with the authentication token immediately transmits routing information for establishing a communication channel of a service application installed in the second user terminal 9300 and a service server included in the network system. It can be transmitted to the authentication verification unit 4000, but preferably, the authentication control unit communication module 9311 of the agent application 9310 checks whether the second user terminal 9300 is in a state capable of accessing the service server. Transmits external policy request information for determining to the authentication verification unit 4000, the authentication verification unit 4000 and the authentication control unit 3000 through the external policy request information verification step and the external policy information providing step External policy information corresponding to the second user terminal 9300 is derived and provided to the second user terminal 9300 .

To this end, the agent application 9310, specifically the authentication control unit communication module 9311, after receiving the authentication token, generates external policy request information including the authentication token (S60), and transmits the external policy request information to the It transmits to the authentication verification unit 4000 (S61). Meanwhile, the external policy request information may be generated in the form of packet data including a header and a body, the header may include identification information of a network system, and the body may include the authentication token.

Meanwhile, the authentication verification unit 4000 verifies the external policy request information received from the second user terminal 9300 by performing the external policy request information verification step (S62). Specifically, the external policy request information verification step verifies whether the identification information of the network system included in the header of the external policy request information matches the identification information of the network system including the authentication verification unit 4000, and It is verified whether the authentication token included in the body of the external policy request information corresponds to the authentication token generated by the authentication control unit 3000 included in the network system (S62).

Next, when the external policy request information received in the external policy request information verification step is verified as valid, the external policy request information verification step transmits the external policy request information to the authentication control unit 3000 (S63), If the external policy request information is not verified as valid, the received external policy request information is dropped, or the external policy request information is sent to the agent application 9310 of the second user terminal 9300 that has transmitted the external policy request information. Verification results for the requested information can be transmitted.

Meanwhile, the authentication control unit 3000 derives external policy information corresponding to the external policy request information received from the authentication verification unit 4000 by performing the external policy information providing step (S64). Specifically, the external policy information providing step derives external policy information corresponding to the external policy request information from among one or more external policy information stored in a database included in the network system (S64). To this end, the administrator may input one or more external policy information according to the type and/or user type of the second user terminal 9300 through the administrator terminal, and the network system may input one or more external policy information input by the administrator. can be stored in the database.

In another embodiment of the present invention, the type of the second user terminal 9300 may correspond to the type of the second user terminal 9300 such as a desktop, a smart phone, and a tablet PC, and the type of the user is the network system. In the case of operating in this company, it may correspond to the user's rank and/or department.

Then, in the step of providing the external policy information, the derived external policy information is transmitted (S65 and S66) to the second user terminal 9300 in which the agent application 9310 is installed through the authentication verification unit 4000 (S65 and S66). The agent application 9310 determines the state of the second user terminal 9300 according to the received external policy information (S67), and when it is determined that it matches the external policy information, the authentication verification unit 4000 is requested for routing information for establishing communication between the service application of the second user terminal 9300 and the service server.

Meanwhile, the external policy information and the second internal policy information are the same in that they are provided to the second user terminal 9300, but include one or more policies included in the external policy information and the second internal policy information. One or more policies may be different. Specifically, the external policy information includes policies that the second user terminal 9300 must be verified essential in connecting the second user terminal 9300 to a network system through an external network, and the second internal policy information may include policies for verifying the security elements of the second user terminal 9300 in performing communication with the actual service server after the communication channel is established. For example, the security element may correspond to a policy regarding whether to set a screen saver of the second user terminal 9300 and policies regarding whether to set a login password of the second user terminal 9300 .

9 schematically illustrates external policy information provided to the second user terminal 9300 according to an embodiment of the present invention.

As shown in FIG. 9 , the external policy information includes one or more policies, and in the routing request verification step, the agent application of the second user terminal 9300 receiving the external policy information through the external policy information providing step When it is determined in 9310 that the corresponding second user terminal 9300 conforms to the external policy information, the routing request information may be received from the second user terminal 9300 .

Specifically, as shown in FIG. 9 , the external policy information includes one or more policies, and the external policy information may include different policies depending on the type of the second user terminal 9300 and/or the type of the user. , the external policy information can be set by an administrator.

The external policy information may correspond to information for confirming the state of the second user terminal 9300 when the second user terminal 9300 establishes a communication channel with the network system, specifically, the service server 5000. have. For example, the external policy information includes a policy on whether one or more vaccine software is installed on the second user terminal 9300, a policy on whether or not a firewall is set on the second user terminal 9300, and a policy on whether or not a firewall is set in the second user terminal 9300. ) policy on whether the operating system is updated to the latest version, a policy on whether one or more software included in the blacklist is installed in the second user terminal 9300, and one or more software included in the whitelist in the second user terminal 9300 It can include policies on whether to install or not.

On the other hand, the agent application 9310, specifically the authentication control unit communication module 9311, the second user terminal 9300 in which the agent application 9310 is installed based on the external policy information provided from the authentication control unit 3000 is It may be determined whether or not it conforms to one or more policies included in the external policy information. To this end, the agent application 9310 may be given an authority to access the inside of the operating system of the second user terminal 9300 .

Accordingly, when it is determined that the second user terminal 9300 matches the external policy information provided by the agent application 9310, the agent application 9310 is installed in the second user terminal 9300. The service application 9320 and routing information for establishing communication with the service server 5000 corresponding to the service application 9320 may be requested from the authentication verification unit 4000 .

On the other hand, when it is determined that the agent application 9310 does not match the external policy information provided by the second user terminal 9300, the agent application 9310 checks the routing information with the authentication verification unit ( 4000) is not requested. In addition, the agent application 9310 additionally displays on the corresponding second user terminal 9300 that it does not conform to the external policy information, or performs communication with the distribution server included in the network system to obtain the external policy information. The second user terminal 9300 by performing an operation such as installing one or more software for conformance to the second user terminal 9300 or removing the software included in the blacklist installed in the second user terminal 9300 It is also possible to perform a series of processes to conform to the provided external policy information.

As such, in an embodiment of the present invention, the network system is routing for establishing a communication channel between the service application 9320 and the service server 5000 immediately when the second user terminal 9300 is provided with the authentication token. Rather than providing information, the second user terminal 9300 and external policy information corresponding to the user are provided to the authentication control unit communication module 9311 of the agent application 9310, and the authentication control unit communication module of the agent application 9310 Since the second user terminal 9300 can request routing information only when it is determined that the second user terminal 9300 conforms to the external policy information in (9311), the second user terminal 9300 including elements that threaten security is a service server It is possible to exert the effect of preventing communication with (5000) in advance.

On the other hand, in another embodiment of the present invention, the process of determining whether the second user terminal 9300 in the agent application 9310 conforms to the external policy information according to the external policy information is routed in the agent application 9310 In addition to being performed to request information, the above process may be performed even after communication channels of the service application 9320 and the service server 5000 are established according to routing information, and the second user terminal 9300 is When it is determined that the external policy information does not match, the established communication channel may be disconnected.

10 schematically shows a routing information providing step included in the routing request verification step and the external network control step performed by the authentication verification unit 4000 according to an embodiment of the present invention.

As shown in FIG. 10 , the authentication verification unit 4000 includes a service application 9320 and a service installed in the second user terminal 9300 received from the second user terminal 9300 provided with the authentication token. Performs a routing request verification step of verifying routing request information for requesting routing for establishing a communication channel of the server 5000, and transmitting the verified routing request information to the authentication control unit 3000, the authentication control unit The external network control step performed by (3000) includes routing information for establishing a communication channel between the service application 9320 and the service server 5000 based on the routing request information received through the routing request verification step. and providing routing information derived and provided to the second user terminal 9300, wherein the routing request information includes identification information of the network system and the authentication token, and the routing request verification step includes: The identification information of the network system and the authentication token included in the routing request information are verified, and when verified as valid, the routing request information is transmitted to the authentication control unit 3000, and the routing information providing step includes: Routing information including address information of the service server 5000 and address information of a gateway relaying communication between the service application 9320 and the service server 5000 based on the routing request information received through the request verification step can be derived to provide the routing information to the second user terminal 9300 .

Specifically, as described above, when the agent application 9310 determines that the second user terminal 9300 conforms to the external policy information in the authentication control unit communication module 9311, the second user Generates routing request information requesting routing information for establishing communication between the service application 9320 installed in the terminal 9300 and the corresponding service server 5000 (S70), and the authentication verification unit for the routing request information It transmits to (4000) (S71). Meanwhile, the routing request information may be generated in the form of packet data including a header and a body, the header may include identification information of a network system, and the body may include the authentication token.

On the other hand, the authentication verification unit 4000 verifies the routing request information received from the second user terminal 9300 by performing the routing request verification step (S72). Specifically, the routing request verification step verifies whether the identification information of the network system included in the header of the routing request information matches the identification information of the network system including the authentication verification unit 4000, and the routing It is verified whether the authentication token included in the body of the request information corresponds to the authentication token generated by the authentication control unit 3000 included in the network system (S72).

Subsequently, if the routing request information received in the routing request verification step is verified as valid, the routing request verification step transmits the routing request information to the authentication control unit 3000 (S73), and if the routing request information is If it is not verified as valid, the received routing request information is dropped, or the verification result for the routing request information can be transmitted to the agent application 9310 of the second user terminal 9300 that has transmitted the routing request information. have.

On the other hand, the authentication control unit 3000 performs the routing information providing step, based on the routing request information received from the authentication verification unit 4000, the service application 9320 and the service server installed in the second user terminal 9300 ( 5000) derives routing information for establishing communication (S74). Specifically, the routing information derived in the routing information providing step includes address information of the service server 5000 to establish communication and a gateway relaying communication between the service server 5000 and the service application 9320 to establish communication. address information may be included.

Next, in the routing information providing step, the derived routing information is transmitted (S75 and S76) to the second user terminal 9300 in which the agent application 9310 is installed through the authentication verification unit 4000 (S75 and S76). On the other hand, the agent application 9310, specifically, the authentication control unit communication module 9311, based on the received routing information, a service application 9320 via a gateway corresponding to the address information of the gateway included in the routing information and A path (routing) for establishing a communication channel of the service server 5000 may be set ( S77 ).

11 schematically illustrates a process of establishing a communication channel for a service application 9320 according to routing information in the second user terminal 9300 according to an embodiment of the present invention.

11, the routing information provided to the second user terminal 9300 through the routing information providing step is an operating system installed in the second user terminal 9300 in the agent application 9310 System) 9330 may control a kernel of the operating system 9330 so that the service application 9320 and the service server 5000 perform communication through the gateway.

Specifically, the authentication control unit communication module 9311 of the agent application 9310 is included in the operating system 9330 installed in the second user terminal 9300 based on the routing information provided through the routing information providing step. By controlling the kernel, the service application 9320 and the service server 5000 may be routed to perform communication through the gateway.

The kernel may provide various services necessary to perform the service application 9320 and provide networking with other second user terminals 9300 by controlling the hardware of the second user terminal 9300, and accordingly The authentication control unit communication module 9311 of the agent application 9310 may be authorized to control the kernel of the operating system 9330 .

Accordingly, the authentication control unit communication module 9311 of the agent application 9310, the service application 9320 includes the service server 5000 included in the routing information through the gateway corresponding to the address information of the gateway included in the routing information. ), the kernel is controlled to establish communication with the service server 5000 corresponding to the address information.

In this way, the service application 9320 and the service server 5000 can communicate only through the communication channel established according to the routing information, and the service application 9320 is a specific service server ( 5000), unnecessary communication with other components included in the network system can be blocked in advance, so that the security of the network system can be improved.

On the other hand, in another embodiment of the present invention, when a communication channel between the service application 9320 and the service server 5000 is established, the communication channel is encrypted to improve the security of data transmitted and received through the communication channel. and various encryption methods, such as a Transport Layer Security (TLS) protocol, may be used as the encryption method. Also, the section to be encrypted in the communication channel may correspond only to the section between the service application 9320 and the gateway.

As such, the second user terminal 9300 establishes a communication channel through the above-described external network control step, and immediately stops the established communication channel rather than performing communication with the service server 5000 through the communication channel. Thereafter, the control server resumes the stopped communication channel when the second user terminal 9300 meets the second internal policy through the above-described integrated control step.

Meanwhile, in FIG. 12 , a redirection step and a communication channel resumption step performed when the second user terminal 9300 does not conform to the second internal policy through the integrated control step will be described.

12 schematically illustrates detailed steps of a redirect step and a communication channel resumption step performed by the control server 1000 according to an embodiment of the present invention.

12, the network system further includes a distribution server 7000, and the integrated security method is, by the control server 1000, the second user terminal 9300 in the integrated control step. When receiving a determination result determined that the second user terminal 9300 does not conform to the second internal policy information, the second user terminal 9300 controls to communicate with the distribution server 7000 from a redirect step; and when the second user terminal 9300 communicating with the distribution server 7000 through the redirecting step by the control server 1000 matches the second internal policy information, the second user It may further include; a communication channel resumption step of resuming the communication channel stopped by the terminal (9300).

Specifically, it is determined that the second user terminal 9300 does not conform to the second internal policy information in the control server communication module 9312 of the agent application 9310 installed in the second user terminal 9300 (S80) In one case, the second user terminal 9300 transmits the determination result to the control server 1000, and the control server 1000 receives the determination result (S81). On the other hand, as the determination result is determined by the control server communication module 9312 that the second user terminal 9300 does not conform to the second internal policy information, the second user terminal 9300 sets the second internal policy It may correspond to information requesting communication with the distribution server 7000 so as to conform to the information.

The control server 1000 receiving the determination result performs a redirect step to generate redirect information that allows the second user terminal 9300 and the distribution server 7000 to communicate (S82), and the redirection The information is transmitted to the second user terminal 9300 (S83). Specifically, the redirect information includes address information for the distribution server 7000, and the second user terminal 9300 communicates with the distribution server 7000 based on the address information on the distribution server 7000. can be made to perform

On the other hand, the second user terminal 9300 performs communication with the distribution server 7000 based on the received redirect information (S84), and the distribution server 7000 allows the second user terminal 9300 to A series of communication processes may be performed to install a specific application to comply with the second internal policy information, to delete an installed specific application, or to change an element set in the second user terminal 9300 .

Next, after the agent application 9310 installed in the second user terminal 9300 performs a series of communication processes with the distribution server 7000, the control server communication module 9312 is again the second user terminal 9300 ) determines whether or not the second internal policy information conforms to the second internal policy information (S85), transmits the determination result to the control server 1000, and the control server 1000 receives the determination result (S86).

On the other hand, the control server 1000 controls (S87) the agent application 9310 of the second user terminal 9300 to resume the stopped communication channel when the determination result is that the determination result matches the communication channel Perform the restart phase. On the other hand, when the determination result does not match the determination result, the control server 1000 may perform the redirecting step again.

13 schematically illustrates a state information layer of a manager interface displayed on a manager terminal 9400 according to an embodiment of the present invention.

As shown in FIG. 13 , in the integrated security method, one or more first user terminals and the external network control to which the internal network access is permitted or blocked through the internal network control step by the control server 1000 Interface providing to the manager terminal 9400 communicating with the control server 1000 a manager interface including a status information layer on which status information of one or more second user terminals for which a communication channel has been established through the steps is displayed It may include further steps.

Specifically, the control server 1000 provides a manager interface to the manager terminal 9400 through the interface providing step, and the manager interface may include a plurality of layers.

13A illustrates a layer in which the resource usage status of the control server 1000 is displayed. As shown in (A) of FIG. 13, information on the processor (CPU) usage rate and memory usage rate of the control server 1000 is displayed on the corresponding layer, and the blocking server, the authentication verification unit and the authentication control unit status is displayed, and the overall security status of the network system can be displayed.

13(B) shows the status information of one or more first user terminals blocked or permitted to access the internal network by the control server 1000 and one or more second user terminals blocked or permitted to use the established communication channel. It includes a state information layer on which state information is displayed.

Address information of one or more first and second user terminals, manufacturer information, first access time information, last activity date and time information, information on whether an agent application is installed, etc. may be displayed in the state information layer, as shown in FIG. As shown in (B), the state information layer may additionally display state information about one or more gateways, one or more switches, etc. included in the network system as well as the first and second user terminals.

13(C) shows the status of one or more applications installed in one or more first user terminals blocked or allowed access to the internal network and one or more second user terminals blocked or permitted to use an established communication channel. Show the layers. In the layer, information on a user terminal that has installed the corresponding application for each of the one or more applications is displayed, copyright holder information of the corresponding application, information on commercial availability, usage information, user information authorized to use the application, and the corresponding application User information for which the use of is not authorized, information on whether the use of the corresponding application can be restricted, information on whether the corresponding application can be deleted, and the like may be displayed.

Meanwhile, in the layer, applications that can be used without purchasing a separate license, such as freeware, and applications that can be purchased by purchasing a license may be displayed in different colors according to the information on whether or not commercial use is available to visually distinguish them.

14 schematically illustrates a policy setting layer of the manager interface displayed on the manager terminal 9400 according to an embodiment of the present invention.

14, in the integrated security method, by the control server 1000, the first internal policy information for the first user terminal and the second internal policy information for the second user terminal The method may further include an interface providing step of providing a manager interface including a policy setting layer for receiving settings to the manager terminal 9400 that communicates with the control server 1000 .

Specifically, the control server 1000 provides a manager interface to the manager terminal 9400 through the interface providing step, and the manager interface may include a plurality of layers.

14A shows a layer in which policy information (first internal policy information, second internal policy information, and external policy information) provided for each connected first and second user terminals of the network system is displayed. . In the layer shown in FIG. 14A , policies according to user information of the first user terminal and user information of the second user terminal are displayed. Specifically, when the network system is a system operated by a company, as shown in FIG. 14A , the user information may correspond to a department of the corresponding company or a position in the corresponding department.

In another embodiment of the present invention, in the layer, a policy according to the type of the first user terminal and the second user terminal may be displayed instead of displaying the policy according to the user information, and according to the type of the user information and the user terminal, the policy may be displayed. A policy may be displayed.

In addition, the layer displays the date information on which the administrator registered the corresponding policy information and the date information on which the registered policy information is modified, and the operation status of the first user terminal and the second user terminal according to the policy information can be displayed. have.

14 (B) to (D) schematically show one embodiment of a policy setting layer. As shown in (B) to (D) of FIG. 14 , the policy setting layer includes a policy name input area in which a name for the corresponding policy information can be input.

Also, as shown in (B) of FIG. 14 , the policy setting layer includes a user security policy setting area that can receive security policies that can be set by the user. Through the user security policy setting area, you can set a policy on whether the user boots the user terminal or sets a password to use the operating system of the user terminal, can be set.

Meanwhile, as shown in (C) of FIG. 14 , the policy setting layer includes a usage restriction setting area that can receive policies on whether to use hardware elements of the user terminal. Through the use restriction setting area, a policy can be set to enable the use of hardware elements of the corresponding user terminal, a policy can be set not to use (block), or a policy can be set to monitor the usage status while being used.

Finally, as shown in FIG. 14D , the policy setting layer includes an inspection item setting area that can receive policies for inspecting whether specific information is stored in the user terminal. Through the inspection item setting area, it is possible to set a policy to inspect whether specific information such as a resident registration number, e-mail address, mobile phone number, etc. is stored in the corresponding user terminal.

In this way, since the policy setting layer allows the administrator to receive various policies for the user terminal, it is possible to exert the effect of variously configuring the policy information used to access the network system.

15 schematically illustrates an internal configuration of a computing device according to an embodiment of the present invention.

Components included in the above-described network system shown in FIG. 1 may include components of the computing device 11000 shown in FIG. 15 .

15, the computing device 11000 includes at least one processor 11100, a memory 11200, a peripheral interface 11300, an input/output subsystem ( It may include at least an I/O subsystem) 11400 , a power circuit 11500 , and a communication circuit 11600 . In this case, the computing device 11000 may correspond to a component included in the network system shown in FIG. 1 .

The memory 11200 may include, for example, high-speed random access memory, magnetic disk, SRAM, DRAM, ROM, flash memory, or non-volatile memory. . The memory 11200 may include a software module, an instruction set, or other various data required for the operation of the computing device 11000 .

In this case, access to the memory 11200 from other components such as the processor 11100 or the peripheral device interface 11300 may be controlled by the processor 11100 .

Peripheral interface 11300 may couple input and/or output peripherals of computing device 11000 to processor 11100 and memory 11200 . The processor 11100 may execute a software module or an instruction set stored in the memory 11200 to perform various functions for the computing device 11000 and process data.

The input/output subsystem may couple various input/output peripherals to the peripheral interface 11300 . For example, the input/output subsystem may include a controller for coupling a peripheral device such as a monitor or keyboard, mouse, printer, or a touch screen or sensor as required to the peripheral interface 11300 . According to another aspect, input/output peripherals may be coupled to peripheral interface 11300 without going through an input/output subsystem.

The power circuit 11500 may supply power to all or some of the components of the terminal. For example, the power circuit 11500 may include a power management system, one or more power sources such as batteries or alternating current (AC), a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator, or a power source. It may include any other components for creation, management, and distribution.

The communication circuit 11600 may enable communication with another computing device using at least one external port.

Alternatively, as described above, if necessary, the communication circuit 11600 may transmit and receive an RF signal, also known as an electromagnetic signal, including an RF circuit, thereby enabling communication with other computing devices.

This embodiment of FIG. 15 is only an example of the computing device 11000, and the computing device 11000 may omit some components shown in FIG. 15 or further include additional components not shown in FIG. 15, or 2 It may have a configuration or arrangement that combines two or more components. For example, a computing device for a communication terminal in a mobile environment may further include a touch screen or a sensor in addition to the components shown in FIG. 15 , and various communication methods (WiFi, 3G, LTE) are provided in the communication circuit 11600 . , Bluetooth, NFC, Zigbee, etc.) may include a circuit for RF communication. Components that may be included in the computing device 11000 may be implemented as hardware, software, or a combination of both hardware and software including an integrated circuit specialized for one or more signal processing or applications.

Methods according to an embodiment of the present invention may be implemented in the form of program instructions that can be executed through various separate computing devices and recorded in a computer-readable medium. In particular, the program according to the present embodiment may be configured as a PC-based program or an application dedicated to a mobile terminal. The application to which the present invention is applied may be installed in a separate computing device including a user terminal through a file provided by the file distribution system. For example, the file distribution system may include a file transmission unit (not shown) that transmits the file in response to a request from a separate computing device.

The device described above may be implemented as a hardware component, a software component, and/or a combination of the hardware component and the software component. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA). , a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, may be implemented using one or more general purpose or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that can include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

Software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or device, to be interpreted by or to provide instructions or data to the processing device. , or may be permanently or temporarily embody in a transmitted signal wave. The software may be distributed over networked computing devices, and may be stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

According to an embodiment of the present invention, the control server permits or blocks access to the internal network of the first user terminal according to whether the first user terminal connected to the internal network conforms to the first internal policy information, and the authentication control unit After the communication channel for the second user terminal connected to the external network is established by the It is possible to exert the effect of integrally managing the security of the first user terminal connected to the network and the second user terminal connected to the external network.

According to an embodiment of the present invention, the control server provides a manager interface to the manager terminal, so that the manager can integrate the states of the first user terminal connected to the internal network and the second user terminal connected to the external network through the manager interface. can be confirmed, and the effect of setting policies for the first user terminal and the second user terminal can be exerted.

According to an embodiment of the present invention, since the control server controls each user terminal to communicate with the distribution server when the connection of the first user terminal and the second user terminal installed with the agent application is blocked, each user terminal Through communication with the distribution server, it is possible to exert the effect of allowing access by performing predetermined processes to conform to the policy.

According to an embodiment of the present invention, when the network connection of the first user terminal connected to the gateway of the internal network is to be blocked, the gateway address information set in the first user terminal is changed to the address information of the blocking server. , since it is possible to block in advance that the packet of the first user terminal to be blocked is transmitted to the network through the gateway, it is possible to reduce the load on the server corresponding to the network and the destination of the packet.

According to an embodiment of the present invention, since the first user terminal installed with the agent application can access the internal network when it meets the first internal policy information provided by the control server, various Policies can have the effect of improving the security of access to the internal network.

According to an embodiment of the present invention, the authentication information transmitted from the first user terminal on which the agent application is not installed includes not only the address information of the first user terminal, but also additional information such as packet size information, and the control server Since access to the internal network of the first user terminal is controlled based on the authentication information, it is possible to exert an effect of preventing access to the internal network by a malicious terminal having the same address information.

According to an embodiment of the present invention, when the control server does not permit the first user terminal to access the internal network, the address of the unauthorized first user terminal set in the remaining first user terminals connected to the internal network Since the information is changed to virtual address information, it is possible to exert an effect of improving the security of communication between the first user terminals connected to the internal network.

According to an embodiment of the present invention, since the second user terminal communicates with the authentication verification unit and the authentication control unit to establish a communication channel with the service server after access to the external network is permitted, access is permitted. It is possible to exhibit the effect of fundamentally blocking the access to the service server of the second user terminal until it is done.

According to an embodiment of the present invention, the authentication control unit can establish a communication channel with the service server after confirming the identification information of the second user terminal and the user information about the user of the second user terminal included in the authentication information. Since the authentication token is provided to the second user terminal, not only user information such as ID/PW, but also the second user terminal is checked, so that an unauthorized access to the second user terminal can be blocked.

According to an embodiment of the present invention, the authentication control unit provides the second internal policy information corresponding to the second user terminal, so that the second user terminal responds to the second internal policy information in the agent application installed on the second user terminal. Since the communication channel with the service server can be resumed when it is determined to be consistent, it is possible to exert the effect of allowing only the second user terminal that meets the policy set by the administrator of the network system to access the network system.

According to an embodiment of the present invention, the routing information provided to the second user terminal by the authentication control unit includes only the address information of the gateway through which communication with the service application of the second user terminal is established and the address information of the service server, so that the second It can have the effect of preventing the user terminal from accessing other components of the network system.

According to an embodiment of the present invention, since the authentication verification unit included in the network system verifies the information received from the second user terminal and transmits the information to the authentication control unit when verified as valid, the load of the authentication control unit is reduced. possible effect can be exerted.

As described above, although the embodiments have been described with reference to the limited embodiments and drawings, various modifications and variations are possible from the above description by those skilled in the art. For example, the described techniques are performed in an order different from the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (7)

An integrated security method for a first user terminal connected to an internal network and a second user terminal connected to an external network performed in a network system, the method comprising:
The network system includes a control server, a blocking server and an authentication control unit,
By the control server, first internal policy information corresponding to the first user terminal connected to the internal network is provided to the first user terminal, and a determination result according to the first internal policy information is obtained from the first user terminal an internal network control step of receiving, and allowing or blocking, by the blocking server, access to the internal network of the first user terminal based on the determination result;
By the authentication control unit, the authentication information received from the second user terminal connected to the external network is verified, and when the authentication information is verified as valid, an authentication token is generated and transmitted to the second user terminal, and the second An external network for transmitting routing information for establishing a communication channel for a service application and a service server installed in the second user terminal to the second user terminal based on the routing request information including the authentication token received from the user terminal control step; and
By the control server, in a state in which the established communication channel is stopped by the second user terminal in which the communication channel is established through the external network control step, the second internal policy information corresponding to the second user terminal is transmitted to the An integrated control step of providing to a second user terminal and resuming the communication channel stopped by the second user terminal based on a determination result according to the second internal policy information received from the second user terminal; and ,
The network system further comprises a distribution server,
The integrated security method is
When the control server receives, from the second user terminal in the integrated control step, a determination result determined that the second user terminal does not conform to the second internal policy information, the second user terminal distributes the distribution Redirect step of controlling to perform communication with the server; and
By the control server, when the second user terminal, which communicated with the distribution server through the redirecting step, conforms to the second internal policy information, resuming the communication channel stopped by the second user terminal Communication channel resumption step; further comprising, the integrated security method.
The method according to claim 1,
The authentication information is
It includes identification information of the network system, identification information of the second user terminal, and user information about a user of the second user terminal,
The external network control step is
It is determined whether the identification information of the second user terminal and the user information included in the received authentication information are included in the database stored in the authentication control unit, and when it is determined that they are included, an authentication token is generated to generate the second An integrated security method provided to the user terminal.
The method according to claim 1,
The network system further includes an authentication verification unit,
The integrated security method is
When the authentication information transmitted from the second user terminal is received through the external network control step by the authentication verification unit and verified as valid by verifying the identification information of the network system included in the authentication information an authentication verification step of transmitting the authentication information to the authentication control unit; and
By the authentication verification unit, receiving the routing request information transmitted from the second user terminal through the external network control step, and verifying the identification information of the network system and the authentication token included in the routing request information, A routing request verification step of transmitting the routing request information to the authentication control unit when verified as valid; further comprising, an integrated security method.
The method according to claim 1,
The external network control step includes an external policy providing step,
The step of providing the external policy is
Receive external policy request information from the second user terminal that has received the authentication token through the external network control step, and transmit external policy information corresponding to the second user terminal to the second user based on the external policy request information provided to the terminal,
The external network control step is
Receiving the routing request information from the second user terminal when the second user terminal that has received the external policy information through the external policy providing step determines that the second user terminal conforms to the external policy information, Integrated security method.
delete The method according to claim 1,
The integrated security method is
Status information of one or more first user terminals to which access to the internal network is permitted or blocked through the internal network control step by the control server and one or more second user terminals for which a communication channel is established through the external network control step, by the control server a state information layer in which is displayed; and
An administrator performing communication with the control server through an administrator interface including a; The integrated security method further comprising the step of providing an interface to the terminal.
A network system for performing an integrated security method for a first user terminal connected to an internal network and a second user terminal connected to an external network, comprising:
The network system includes a control server, a blocking server and an authentication control unit,
By the control server, first internal policy information corresponding to the first user terminal connected to the internal network is provided to the first user terminal, and a determination result according to the first internal policy information is obtained from the first user terminal an internal network control step of receiving, and allowing or blocking, by the blocking server, access to the internal network of the first user terminal based on the determination result;
By the authentication control unit, the authentication information received from the second user terminal connected to the external network is verified, and when the authentication information is verified as valid, an authentication token is generated and transmitted to the second user terminal, and the second An external network for transmitting routing information for establishing a communication channel for a service application and a service server installed in the second user terminal to the second user terminal based on the routing request information including the authentication token received from the user terminal control step; and
By the control server, in a state in which the established communication channel is stopped by the second user terminal in which the communication channel is established through the external network control step, the second internal policy information corresponding to the second user terminal is transmitted to the An integrated control step of providing to a second user terminal and resuming a communication channel stopped by the second user terminal based on a determination result according to the second internal policy information received from the second user terminal; and ,
The network system further comprises a distribution server,
The network system is
When the control server receives, from the second user terminal in the integrated control step, a determination result determined that the second user terminal does not conform to the second internal policy information, the second user terminal distributes the distribution Redirect step of controlling to perform communication with the server; and
By the control server, when the second user terminal, which communicated with the distribution server through the redirecting step, conforms to the second internal policy information, resuming the communication channel stopped by the second user terminal A network system that further performs a communication channel resumption step.

Images