KR102491184B1 - Network security system through dedicated browser - Google Patents

Abstract

In a network security system through a dedicated browser according to an embodiment, the dedicated browser receives an access rule from a server and sets an access right according to the access rule of a user when the user accesses a device through the dedicated browser by using the access rule generated by the server. The network security system through the dedicated browser according to an embodiment can block or allow the access of the user without a separate server operation by the browser. In addition, in an embodiment, when the user attempts to access the server (or device) by using the browser, it is possible to control whether to allow or block access to the device or a specific menu of the device through an access rule generated by an administrator. In addition, in an embodiment, the network security system provides a Rule Maker program for collecting and testing URLs needed to generate the access rule to be applied to the device user, stores the access rule generated through a rule maker on the server, and provides the dedicated browser, which can control the user's access by applying the access rules mapped by an operator to the users according to an access policy on the server. In addition, the network security system provides a connection screen with a bookmark function which provides the user with a list of devices permitted to access, allows the user to register and manage the frequently accessed devices of the permitted devices, and provides a list of main menus of the device and a menu name designated as shortcuts when logging in by using a redirection rule collected through the rule maker to conveniently and quickly access to the device.

Description

Network security system through dedicated browser {NETWORK SECURITY SYSTEM THROUGH DEDICATED BROWSER}

The present disclosure relates to a network security system, and more specifically, to a network security system capable of setting access rights to devices through a dedicated browser.

Unless otherwise indicated herein, material described in this section is not prior art to the claims in this application, and inclusion in this section is not an admission that it is prior art.

A browser is an application that not only allows you to view all information of a web server on the Internet, but also helps you search hypertext documents. The browser provides functions such as opening a web page, providing a list of recently visited internet addresses (URLs), remembering and managing frequently visited URLs, and saving and printing web pages. A web browser is a client program that uses HTTP or HTTPS communication protocols to request data from an Internet web server.

Among Internet-related technologies, the web browser is a field in which the speed of technology development is very fast. JAVA, Java Script, Dynamic HTML, VRML, etc. are all technologies related to this field. Since new technologies are developed and applied before technology standards are established, the type of information provided varies from time to time depending on the web browser program. Recently, Google's Chrome, Netscape Communicator, Microsoft's Internet Explorer, and Firefox, an open source browser, which faithfully express multimedia information, are widely used due to the high performance of computers and the enlargement of storage devices.

Network security is an essential element for securing a group network such as a company and preventing unauthorized access or operation. Network security aims to protect network data and infrastructure from external threats. Network security is a set of strategies and process technologies designed to protect a company's network from unauthorized access and damage. Common threats to network data and infrastructure include hackers, malware, and viruses, all of which attempt to access, infiltrate, and modify networks. A top priority in network security is to prevent these threats from invading and propagating through the network by controlling access.

Among the conventional network security methods, multiple lines of defense protect the network at the perimeter and inside the perimeter. Security begins with access control, managing unauthorized users, devices, and data access to the network through policies and controls. A firewall, either hardware or software, is another first line of defense, monitoring and controlling the traffic going in and out of your network, isolating your network from other untrustworthy networks, such as the Internet. Network security also uses intrusion detection and intrusion prevention systems that analyze network traffic to identify and respond to network threats.

1. Korean Patent Registration No. 10-2337184 (2021.12.03) 2. Korean Patent Registration No. 10-2318338 (2021.10.21)

In the network security system through a dedicated browser according to an embodiment, when a user accesses a device (server) through a dedicated browser, the dedicated browser receives an encrypted access rule mapped to the user in advance from the server, Set access rights according to user access rules.

A network security system through a dedicated browser according to an embodiment can block a user without a separate server operation by the browser. In addition, when a user attempts to access a server (or equipment) using a browser, the embodiment determines whether to allow access to the equipment or a specific menu of the equipment through an access rule created and encrypted by the administrator in advance. You can control whether or not to block.

In addition, in the embodiment, a rule maker program for collection and testing of URLs necessary to create access rules to be applied to equipment users is provided, and access rules created through the rule maker are stored in the server. In addition, in the embodiment, a dedicated browser capable of controlling a user's access is provided by applying an access rule mapped to the user according to the administrator's access policy in the server.

The network security system through a dedicated browser according to the embodiment allows the user to register and manage a list of devices allowed to access and a specific device among devices allowed to access, so that the user can conveniently and quickly access the device Favorites tree It provides an access screen with the (Tree) function, and provides an access guide that shows the restricted or allowed menu list when accessing the site and the blocking status on a dedicated browser when blocking.

A network security system using a dedicated browser according to an embodiment provides functions for equipment registration management, user registration management, access rule generation and management, access status and history management, access statistics management, rule maker and browser management functions.

The network security system through a dedicated browser according to the embodiment generates an access rule including a block or allow rule according to an administrator's setting for equipment accessed through a network including the Internet and an intranet, encrypts and transmits it to the dedicated browser server; and a dedicated browser that receives the encrypted access rule and compares the user's device access request with the device access rule to determine the user's access authority.

Server in an embodiment; a user and equipment management module for creating a device group by registering a device to which an access rule is to be applied, and creating a user group by registering a user;

a rule and policy management module for generating access rules to be applied for each device group through a rule maker, mapping the generated access rules to user groups, and managing access policies; An access management module that monitors a page currently accessed by a user, temporarily blocks access when necessary, and manages access history; A statistics management module that creates access statistics graphs for each device and user; A service development module for generating access guide information that informs the user of a list of restricted or permitted menus and a blocked state when access is allowed to access a device in the list; and a rule maker and browser management module providing a dedicated browser to which blocking rules or permitting rules are applied and a rule maker generating access rules; A user access screen management module that provides a list of devices that are allowed to access to the user and a favorites tree that allows users to access devices conveniently and quickly by registering and managing frequently accessed devices among the devices that are allowed. can be configured to include

The above-described network security system through a dedicated browser makes it possible to easily create and apply access policies, thereby conveniently creating rules for restricting or permitting access and applying and canceling access policies. In addition, the convenience of creating access rules is improved by providing a rule maker program for collecting and testing URLs of menus to be restricted or permitted.

In addition, in the embodiment, when a user accesses a device, access rules created by an administrator are applied and executed through a dedicated browser, so URLs with restricted access can be fundamentally blocked in the embodiment. In addition, URL generated when a user clicks a restricted access menu is not sent to the corresponding device, and the connection is blocked to prevent unnecessary traffic generation.

In addition, it provides a user access screen showing a list of devices that allow users to access and a favorites tree that allows users to access devices conveniently and quickly by registering and managing frequently accessed devices among the devices that are allowed. In addition, by providing an access guide on a dedicated browser to show a list of menus to which access is restricted or allowed, inconvenience and rejection due to access restriction can be minimized.

In addition, in the embodiment, by providing a real-time access blocking function, when a user's access needs to be blocked by the administrator's judgment, it can be immediately blocked, and the blocked user's access can be immediately allowed, enabling emergency response.

In addition, in the embodiment, the administrator can conveniently change the access policy applied to the user, and through the easy change of the access policy, the change in the access authority of a specific user can be flexibly processed according to the request of the corresponding user and the approval of the administrator. .

In addition, user convenience is improved by providing a dashboard that can intuitively determine the access policy operation status and the access status of users and devices.

The effects of the present invention are not limited to the above effects, and should be understood to include all effects that can be inferred from the detailed description of the present invention or the configuration of the invention described in the claims.

1 is a diagram showing the configuration of a network security system according to an embodiment
2 is a diagram showing the configuration of a server 100 according to an embodiment
3 is a diagram showing a data processing configuration of a rule maker and browser management module 150 according to an embodiment;
4 is a diagram showing a data processing configuration of the connection management module 170 according to an embodiment
5 is a diagram showing a data processing configuration of a user and equipment management module 140 according to an embodiment
6A is a diagram showing a data processing configuration of a rule and policy management module 120 according to an embodiment;
6B is a diagram showing the configuration of a user access screen management module 180 according to an embodiment
7 is a diagram showing a data processing configuration of a statistics management module 160 according to an embodiment
8 is a diagram showing a data processing block of a dedicated web browser according to an embodiment;
9A is a diagram showing a data processing configuration of a rule processing module 260 according to an embodiment;
9B is a diagram showing a data processing configuration of a rulemaker according to an embodiment;
9C is a diagram showing a data processing configuration of a rule creation and registration module according to an embodiment;
10 is a diagram showing a signal flow of a secure network system through a dedicated browser according to an embodiment

Advantages and features of the present invention, and methods for achieving them, will become clear with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, and only the present embodiments make the disclosure of the present invention complete, and common knowledge in the art to which the present invention belongs It is provided to fully inform the holder of the scope of the invention, and the present invention is only defined by the scope of the claims. Like reference numerals designate like elements throughout the specification.

In describing the embodiments of the present invention, if it is determined that a detailed description of a known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description will be omitted. In addition, terms to be described below are terms defined in consideration of functions in the embodiments of the present invention, which may vary according to the intention or custom of a user or operator. Therefore, the definition should be made based on the contents throughout this specification.

1 is a diagram showing the configuration of a network security system according to an embodiment.

Referring to FIG. 1 , a network security system according to an embodiment may include a server 100, a dedicated browser 200, and a management target device 300. The server 100 according to the embodiment creates access rules for the dedicated browser 200 and the managed device 300, monitors users, and blocks access in real time. Here, the management target device 300 may include various servers and devices that can be accessed through a web browser, a website server, and the like.

In an embodiment, the server 100 creates an access rule including a block or allow rule according to a manager's setting for equipment accessed through a network including the Internet and an intranet. Dedicated browser 200, which is executed when a user attempts to access a device on the user access screen provided with a list of allowed devices and a favorite function, receives an encrypted access rule from the server 100, and receives the user's device access request and device access request. The user's access authority is determined by comparing access rules. For example, the network security system shown in FIG. 1 may be implemented in the form of a program such as an application or an agent and loaded into a medium capable of reading the corresponding program. When implemented by being divided into a plurality of programs, each program may be loaded on different media. For example, some of the functions may be installed in a terminal outputting a dedicated browser, and the remaining functions may be installed in the server 100 . "

In addition, in the embodiment, when an attempt is made to access a device using a dedicated browser, whether to allow or block access to the device or a specific menu of the device can be controlled by a pre-generated access rule. In addition, in the embodiment, a rule maker program for collecting and blocking URLs necessary to create equipment access rules to be applied to users is provided, and a dedicated device capable of controlling user access by applying the generated access rules Provides a browser (teloneBrower). In addition, in the embodiment, there is a list of devices that are allowed to access and a favorites function, and an access screen for users to request a change in access authority is provided, and a list of restricted or allowed menus (URLs) when accessing the site is displayed as an access guide (Access Guide). Guide) is provided to the user to minimize inconvenience and reluctance due to access restrictions.

2 is a diagram showing a configuration of a server 100 according to an embodiment.

Referring to FIG. 2, the server 100 according to the embodiment includes a database 110, a rule and policy management module 120, a service development module 130, a user and device management module 140, a rule maker and browser management module. 150, a statistics management module 160, an access management module 170, and a user access screen management module 180. The term 'module' used in this specification should be interpreted as including software, hardware, or a combination thereof, depending on the context in which the term is used. For example, the software may be machine language, firmware, embedded code, and application software. As another example, the hardware may be a circuit, processor, computer, integrated circuit, integrated circuit core, sensor, micro-electro-mechanical system (MEMS), passive device, or combination thereof.

The user and device management module 140 registers devices to which device registration management access rules are applied, and creates and manages device groups. Also, the user and equipment management module 140 registers users to create user groups.

The rule and policy management module 120 creates access rules to be applied for each device group, maps the created access rules to user groups, registers and manages the access policies, and encrypts the access rules with a dedicated browser when a user accesses the device according to the mapping policy and send it In addition, in the embodiment, category information including a menu name and a page name is registered and managed for detailed analysis of the user's access propensity.

Also, in an embodiment, the rule and policy management module 120 changes the access policy applied to the corresponding user for a specific period according to the manager's permission change when a request for a change of access authority is generated by a specific user.

In an embodiment, the rule and policy management module 120 may change authority by temporarily changing a user group to which a specific user belongs.

The access management module 170 monitors the page currently accessed by the user, temporarily blocks the access if necessary, and manages the access history.

The statistics management module 160 generates a graph of access statistics for each device and user. In addition, a report is generated by analyzing the user's access tendency in detail by category information including menu names and page names.

The service development module 130 creates access guide information that informs the user of a restricted or permitted access menu list and a blocked state when access is blocked, when trying to access a device in the access-allowed list. In the embodiment, a list of menus to which access is restricted or allowed is provided to the user through access guide information, so that inconvenience and rejection due to restriction or permission of access can be reduced. In addition, the service development module 130 according to the embodiment provides a dashboard capable of intuitively determining the access policy operation status and the access status of users and devices.

In addition, the user access screen management module 180 provides the user with a list of devices allowed to access, allows the user to register and manage frequently accessed devices among the devices allowed, and designates the main menu list of the device and a shortcut when logging in. Provides a connection screen with a favorites function that enables convenient and quick access to equipment by providing menu names.

In addition, the user access screen management module 180 provides a permission change request screen through which the user can request to change his or her access permission for a specific period of time.

3 is a diagram showing a data processing configuration of the rule maker and browser management module 150 according to an embodiment. Referring to FIG. 3 , the rule maker and browser management module 150 according to the embodiment may include a rule maker and browser version management unit 151 and a rule maker and browser download management unit 152 . The version management unit of rule maker and browser manages versions of rule maker and browser.

In addition, the rule maker and browser download management unit 152 according to the embodiment provides a rule maker program. URLs to be restricted or allowed are collected through the rule maker according to the embodiment, and access restriction rules and rules to be allowed are created using the collected URLs. In addition, it provides an environment to test whether access is blocked or allowed by the created rule. In addition, the rule maker and browser download management unit 156 according to the embodiment provides a dedicated browser for access. An access-only browser is a dedicated browser used when a user accesses a device, and the access restriction rules and permission rules created by the administrator are applied and executed. In the embodiment, access-restricted URLs are fundamentally blocked. For example, when a user clicks a URL with restricted access, the generated URL is not sent to the corresponding device, and the connection is blocked to prevent unnecessary traffic from occurring.

In addition, the rule maker and download management unit 152 downloads and installs the rule maker or dedicated browser on the user's PC or terminal when the manager and the user access the equipment (server) for the first time through the connection screen, and the version of the rule maker or dedicated browser In case of change, a new rule maker or dedicated browser is registered and managed to be downloaded and installed on the user's PC or terminal.

4 is a diagram showing a data processing configuration of the connection management module 170 according to an embodiment. 4, the access management module 170 according to the embodiment includes a connection status management unit 171, a message progress display unit 173, a connection history management unit 175, a blocking status management unit 177, a blocking history management unit ( 179) may be configured. The access management module 170 according to the embodiment performs connection status and history management. In the embodiment, the page currently accessed by the user is monitored, access can be temporarily blocked if necessary, and access history can be managed.

The access status management unit 171 manages the status of web access, including whether web access is permitted, progressed, or blocked, and the message progress display unit 173 displays a web access or blocking progress message. The access history management unit 175 manages access and blocking records of web pages, the blocking status management unit 177 manages the blocking status of web pages, and the blocking history management unit 179 manages the blocking history of web pages.

In addition, the access management module 170 according to the embodiment provides a real-time access blocking function. Through this, when a user's access needs to be blocked by the operator's judgment, it can be immediately blocked, and the blocked user's access is allowed immediately to enable emergency response.

The access management module 170 according to the embodiment performs a series of data processing necessary for access management through data stored in the access status database, the access history database, the blocking status database, and the blocking history database.

5 is a diagram showing a data processing configuration of the user and equipment management module 140 according to an embodiment. Referring to FIG. 5 , the user and equipment management module 140 according to the embodiment may include a user management unit 141, a user group management unit 143, an equipment management unit 145, and an equipment group management unit 147. there is. The user management unit 141 manages user information, and the user group management unit 143 manages created user group information. The equipment management unit 145 manages equipment information, and the equipment group management unit 147 manages generated equipment group information. The user and equipment management server 140 according to the embodiment processes a series of data required for user and equipment management through data stored in a user management database, equipment management database, account management database, user group management database, and equipment group management database. carry out The user and device management module 140 according to the embodiment performs device registration management of the security system through a web browser. In the embodiment, devices to which access rules are applied are registered, and device groups are created and managed. The user and equipment management server 140 according to the embodiment performs user registration management. In the embodiment, users are registered, and user groups are created and managed.

6A is a diagram illustrating a data processing configuration of the rule and policy management module 120 according to an embodiment. Referring to FIG. 6A, the rule and policy management module 120 according to the embodiment includes a rule management unit 121, a policy management unit 123, a rule encryption and rule transmission unit 124, and an authority change management unit 125. can be configured. The rule management unit 121 manages rules created for each user and device group, the policy management unit 123 manages security policies created for each user and device group, and the rule encryption and rule transmission unit 124 manages the established policies. According to the user’s dedicated browser, the access rule is encrypted and transmitted, and the permission change management unit 125 requests a specific user to change his or her access permission, the access policy applied to the user for a specific period of time according to the administrator’s approval of the permission change can be changed. To this end, the authority change management unit 125 provides an approver screen for approval of authority change and a function of processing authority change.

The rule and policy management module 120 according to the embodiment performs rule and policy management through data stored in a rule management database, policy management database, equipment management database, URL management database, user group management database, and equipment group management database. Perform a series of necessary data processing. The rule and policy management module 120 according to the embodiment creates access rules, manages access policies, and encrypts access rules and transmits them to dedicated browsers.

The rule and policy management module 120 according to the embodiment performs equipment group classification and rule creation. In the embodiment, since devices with the same URL scheme must be put in the same group, an access rule can be created by designating a representative device among devices in one group. In the embodiment, the created access rule is equally applied to all devices in the corresponding group. In addition, the same device can be included in different groups, and devices with different URL schemes can be put in the same device group as devices to which the same access rule is applied for each device group by setting different access rules for each device. In addition, the rule and policy management module 120 according to the embodiment may perform an access blocking priority policy. For example, only a URL page designated by an access rule may be blocked from access, and access to all other pages may be permitted. In addition, in the embodiment, a permission priority policy may be performed.

In addition, the rule and policy management module 120 according to the embodiment may perform an automatic blocking policy. In the embodiment, when a user's group is changed, the user is automatically logged out, and when the policy applied to the user group is temporarily suspended, the related user can close the browser being accessed. In addition, in the embodiment, an easy access policy can be created and applied. can In the embodiment, it is possible to conveniently apply an access policy by creating a rule for limiting or permitting access. In the embodiment, an access rule to be applied for each device group may be created, and the created access rule may be mapped to a user group and managed. In addition, it registers and manages category information including menu names and page names for detailed analysis of user access tendencies.

In addition, the rule and policy management module 120 according to the embodiment may perform real-time rule change. For example, a rule applied to a user's browser may be changed in real time. Specifically, when the administrator pauses the currently applied policy, the currently running browser is immediately stopped, and when the administrator maps the user with a rule that reflects the new blocking policy, the user accesses the website (system/equipment) with the browser to which the new rule is applied. will be able to do

6B is a diagram showing the configuration of a user access screen management module 180 according to an embodiment. Referring to FIG. 6B, the user access screen management module 180 according to the embodiment includes an equipment list management unit 181, a recent access list management unit 182, a favorites tree management unit 183, and a permission change application management unit 184. can be configured including

The equipment list management unit 181 shows a list of devices for which access is allowed to the user, the recent access list management unit 182 shows the recently accessed equipment list in the latest order, and the favorite tree management unit 183 allows the user to access frequently Directly register the desired equipment on the favorites tree, use the redirection rule created by the rule maker to provide a menu name that can be directly accessed when logging in to the equipment, and also allow the user to change the menu designated as a shortcut when logging in to the equipment The number of clicks to go to the desired menu can be drastically reduced so that the user can access the equipment quickly. In addition, the permission change request management unit 184 provides a permission change request screen through which the user can request to change their access permission for a specific period of time.

7 is a diagram showing a data processing configuration of the statistics management module 160 according to an embodiment. Referring to FIG. 7 , the statistics management module 160 according to the embodiment may include a device statistics management unit 161, a user statistics management unit 163, and a dashboard management unit 165. The device statistics management unit 161 manages statistics for allowing or blocking access to webpages for each device, and the user statistics management unit 163 manages statistics for accessing or blocking webpages for each user. In addition, a report is generated by analyzing the user's access tendency in detail by category information including menu names and page names. The statistics management module 160 generates a graph of access statistics for each device and user.

The dashboard management unit 165 manages statistical information output to the dashboard. In addition, the policy deletion history management unit 166 manages the restoration of the history of policy deletion by the administrator, and the user history management unit 167 registers history such as server log-in/out, equipment registration, user registration, etc., excluding the user's access history, and manage

The statistics management module 160 according to the embodiment uses data stored in the dashboard database, access history database, equipment management database, statistics management database, user group management database, equipment group management database, policy deletion database, and user history database. It performs a series of data processing required for statistics management.

8 is a diagram illustrating a data processing block of a dedicated browser according to an embodiment.

8, the browser 200 according to the embodiment includes a dedicated web browser engine 210, a Jsp/Html processing module 220, an event processing module 230, a main form configuration module 240, and a message transmission module. 250, a rule processing module 260, and an access guide module 270. The web browser engine 210 converts web pages of HTML documents and other resources into interactive visual representations on the user's device. The Jsp/Html processing module 220 inserts Java code into HTML to dynamically generate a web page in a web server and deliver it to a web browser engine. 9A is a diagram showing a data processing configuration of the rule processing module 260 according to an embodiment. The rule processing module 260 according to the embodiment decrypts the access rule sent from the server, compares it with the URL selected by the user, and blocks or permits the access rule reception processing unit 261, and collects URLs selected by the user when access is allowed URL message collection unit 262, URL message processing unit 263 that processes the collected URLs to send them to the main form guide unit 264, main form guide unit 264 that draws the URL page form, and the URL selected by the user. It may be configured to include a URL message transmission unit 265 that is sent to the message transmission module 250.

9B is a diagram showing a data processing configuration of a rulemaker according to an embodiment.

Referring to FIG. 9B, the rule maker according to the embodiment includes a dedicated browser 10, a URL collection and analysis module 20, a rule test module 30, a rule creation and registration module 40, an upload module 50, It can be configured to include an import and export module (60). The dedicated browser 10 receives the encrypted access rule and compares the user's device access request with the device access rule to determine the user's access authority.

Specifically, the dedicated browser 10 connects the device selected by the administrator in the server, displays the web page, and then, when the administrator clicks the menu and button to be blocked or allowed, the generated URL is sent to the URL collection and analysis module 20. send. In addition, for access rule testing, access rules are received from the rule test module 30, a blocked or permitted menu list is provided through an access guide, and the received access rule is applied to allow the administrator to test the access rule. let it do

The URL collection and analysis module 20 collects access and blocked URL data from dedicated browsers and analyzes the collected URL data. The rule test module 30 sends the generated access rule or blocking rule to the dedicated browser 10 to test whether the access rule or blocking rule is applied. The rule creation and registration module 40 creates an access rule to be applied for each device group based on the URL analysis result. In the embodiment, the rule creation and registration module 40 checks whether or not the access rule generated through the rule test module 30 is applied after generating the access rule including the block rule and the allow rule, and collects the URL according to the check result can be analyzed to create access blocking rules and allowing rules according to URL characteristics and access policies. The upload module 50 uploads the collected URL list to the server. The import and export module 60 may import and export previously collected URL list files.

9C is a diagram showing a data processing configuration of a rule creation and registration module according to an embodiment.

Referring to FIG. 9C, the rule creation and registration module 40 according to the embodiment includes a rule registration unit 41, a blocking rule generation unit 42, an allow rule generation unit 43, a redirection rule generation unit 44, a reference It may include a rule generator 45, an element rule generator 46, and an insight rule generator 47.

The rule registration unit 41 registers an access rule to be applied for each device group based on the URL analysis result. The blocking rule generator 42 generates a blocking rule among access rules, and the allow rule generator 43 generates an allow rule among access rules. When access to a specific page (URL) is attempted, the redirection rule generation unit 44 allows access to another page specified in the specific page, designates a menu to be directly accessed when the user logs in through the connection screen, and allows the user to Register the main menu so that the go menu can be changed, and create a redirection rule that handles application. The reference rule generation unit 45 creates a reference rule to provide a specific page as read-only when a specific page is accessed. The element rule generation unit 46 may extract an HTML script of an area selected by an administrator from a web page, and the corresponding HTML script may include a plurality of elements. Here, an element is a unit of information displayed on a web page, and a control class is inserted into the element to create an element rule that makes the corresponding menu and button invisible. The insight rule generation unit 47 creates an insight rule to register and manage category information including a menu name or page name together with a blocking rule and an allowing rule for detailed analysis of a user's access tendency.

10 is a diagram showing a signal flow of a network security system through a dedicated browser according to an embodiment.

Referring to FIG. 10, a network security system using a dedicated browser according to an embodiment may include a server, a client pc or terminal, and a target site. In the embodiment, the server may include a web server and an API program, the client PC or terminal may include a security program (Telone) and a dedicated browser (teloneBrower), and the target site may include a web server can be configured. In step S10, an equipment URL is selected from the user access screen. In step S20, the web server of the server runs an application program, and in step S30, the web server calls a security program (Telone) installed in the client PC or terminal. In step S40, the security program (Telone) calls a browser dedicated to the security program (TelOneBrowser). In step S50, the browser dedicated to the security program (TelOneBrowser) requests a blocking or allowing URL rule to the server. In step S60, the API program of the server transfers the blocked or allowed URL rule to the security program browser (TelOneBrowser). In step S65, the target site compares the blocked or allowed URL rule received from the server with the URL selected by the user, and if the URL is the same, the access is blocked or allowed.

In step S70, the URL visited by the user is encrypted in the browser (TelOneBrowser) for the security program of the client PC or terminal and transmitted to the server. In step S80, URL information received from the server is stored. In step S90, browser termination information is transferred from the security program browser (TelOneBrowser) of the client PC or terminal to the API program of the server. In step S100, the information received from the web server of the server is decoded and stored as a connection history database.

The above-described network security system through a dedicated browser makes it possible to easily create and apply access policies, thereby conveniently creating rules for restricting or permitting access and applying and canceling access policies. In addition, convenience is improved by providing a rule maker program for collecting and testing URLs of menus to be restricted or permitted. In addition, in the embodiment, when a user accesses a device, an access restriction or permission rule created by an administrator is received and executed through a dedicated browser, thereby blocking access-restricted URLs in the embodiment. In addition, URL generated when a user clicks a restricted access menu is not sent to the corresponding device, and the connection is blocked to prevent unnecessary traffic generation. In addition, by providing an access guide to the user and showing a list of menus to which access is restricted or allowed, inconvenience and rejection due to access restriction can be minimized. In addition, in the embodiment, by providing a real-time access blocking function, when a user's access needs to be blocked by the administrator's judgment, it can be immediately blocked, and the blocked user's access can be immediately allowed, enabling emergency response. In addition, it provides a dashboard that can intuitively judge the access policy operation status and the access status of users and devices to improve the administrator's convenience.

In addition, it provides users with a list of devices that are allowed to access, allows users to register and manage frequently accessed devices among the devices that are allowed, and uses redirection rules collected through rule makers to display the main menu list of the devices and log-in. Provides a connection screen with a favorites tree function that enables convenient and quick access to equipment by providing menu names designated as shortcuts.

In addition, by allowing the user to change the menu designated as a shortcut when logging in to the device, the user can drastically reduce the number of clicks to go to the desired menu, allowing the user to quickly access the device, providing the user with the convenience of the desired device. This reduces the inconvenience and rejection caused by restrictions on equipment access. In addition, it provides a permission change application screen that allows users to request their access rights to be changed for a specific period of time if necessary, thereby relieving the inconvenience of related tasks due to access restrictions and increasing the flexibility of users' device access tasks.

The disclosed content is only an example, and can be variously modified and implemented by those skilled in the art without departing from the subject matter of the claim claimed in the claims, so the protection scope of the disclosed content is limited to the specific not limited to the examples.

Claims (10)

In the network security system through a dedicated browser,
A server for generating access rules including blocking or permitting rules according to administrator settings for equipment accessed through networks including the Internet and intranet, encrypting them, and transmitting them to a dedicated browser; and
a dedicated browser that receives and decodes the access rule, compares the user's device access request with the device access rule, and determines the user's access authority; and
the server; Is
a user and device management module for creating a device group by registering a device to which an access rule is to be applied, and creating a user group by registering a user;
a rule and policy management module for generating access rules to be applied for each device group, mapping the generated access rules to user groups, and managing access policies that change and apply the mapped access rules in real time;
An access management module that monitors a page currently accessed by a user, temporarily blocks access when necessary, and manages access history;
A statistics management module that creates access statistics graphs for each device and user;
A user access screen management module that creates a favorites tree that provides a user with an access screen and provides a shortcut function to a desired menu when logging in after accessing the equipment;
A service development module that generates access guide information that informs the user of a restricted or permitted menu list and a blocked state when access is allowed, when trying to access a device in the list of permitted access; and
a rule maker and browser management module providing a dedicated browser to which blocking rules or permitting rules are applied; A network security system comprising a.
delete The method of claim 1, further comprising: the rule and policy management module; silver
A network security system characterized by changing access rights by temporarily changing an access policy to which a specific user is mapped.
The method of claim 1, further comprising: the rule and policy management module; silver
A network security system characterized by registering and managing category information including menu names and page names for detailed analysis of user access tendencies.
According to claim 1, wherein the statistics management module; silver
A network security system characterized in that a report is generated by analyzing user access tendencies in detail by category information including menu names and page names.
The method of claim 1, wherein the rule and policy management module
Blocking or allowing rules for each device group are created through the rule maker, and blocking or allowing access policies are created by mapping the created blocking or allowing rules to device groups and user groups.
By including devices with different URL schemes in the same device group, blocking or allowing rules for devices with different URL schemes are created for each device, or the same device is included in different groups to create blocking or allowing rules for each device group. network security system.
According to claim 1,
The rule and policy management module;
A network security system characterized in that it performs automatic blocking policies and compulsory blocking policies for each group, temporarily suspends or reapplies rules applied to user groups, and performs real-time rule changes.
According to claim 1,
The rule maker and browser management module;
A network security system characterized by managing downloads and versions of rule makers and dedicated browsers.
The method of claim 6, wherein the rule maker; Is
A network security system characterized by collecting URLs that restrict access and URLs that allow access, generating blocking or allowing rules, and performing access and blocking tests according to the generated blocking or allowing rules.
The method of claim 6, wherein the rule maker
When access to a specific page (URL) is attempted, a redirection rule for accessing to another page specified in the specific page and a control class are inserted into the element, which is a unit of information displayed on the web page, so that the corresponding menu and A network security system characterized by creating an access rule including an element rule that makes a button invisible and a reference rule that provides read-only access to a specific page when a specific page is accessed.

Images