KR102514618B1 - System for controlling network access based on controller and method of the same - Google Patents

Abstract

In accordance with one embodiment of the present disclosure, a node includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor, and storing a database, a target application, and a connection control application. The memory can store instructions which, when executed by the processor, cause the node to: make a network connection request of the target application to an external server through the connection control application, wherein the network connection request includes identification information of the target application and destination network identification information; receive a data flow from the external server, wherein the data flow includes certificate information corresponding to the destination network identification information; and process a data packet of the target application based on the certificate information. Therefore, the present invention is capable of effectively preventing a DDoS attack by reducing service requests from unauthenticated subjects.

Description

System for controlling controller-based network access and method therefor

Embodiments disclosed in this document relate to a system and method for controlling a controller-based network connection.

Multiple devices may communicate data over a network. For example, the terminal may transmit or receive data with a server through the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

The terminal performs communication with the server by utilizing IP (Internet Protocol)-based TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and controls the connection between the source IP and destination IP authorized in TCP or UDP technology. Firewall technology may be used. In the case of such IP communication, since data packets are transmitted in plain text, there is a problem in that a third party can easily view important information of the data packet using sniffing technology such as tapping equipment or rouge WiFi. To solve this problem, VPN (Virtual Private Network) technology and tunneling technology for encrypting data packets between the terminal and the server are used.

As attacks such as key loggers, etc. are installed on a user's terminal to leak authentication information for access to a specific service and an attack by substituting an arbitrary password, personal information leakage and theft of services that are always connected to the Internet are occurring. .

Some services provide Multi Factor Authentication (MFA) to solve the above security problems, but in order to provide enhanced authentication methods for all services, a lot of money must be invested in modifying existing services. In particular, as various MFA technologies are scattered, it may be difficult to support all authentication methods preferred by users.

In addition, since the service is always connected to the Internet, that is, it is already sending and receiving data packets at the stage of general authentication (based on user ID and password input) or MFA, it prevents the attack itself by substituting a random password. There is no way to do it. That is, if a continuous attack on a specific ID occurs, it may be inconvenient from the user's point of view because only functions requiring authentication may be provided through additional authentication.

The above problems can be applied not only to Internet-connected services but also to unit systems used by companies. In this case, the unit system can be accessed, and authentication in the unit system can be more vulnerable to security because even the weaker security authentication system and minimum authentication standards are not observed than the above popular services.

In addition, as services diversify, users prefer technologies (e.g., OAuth, etc.) that enable integrated authentication for each service through one authentication information, but the current integrated authentication technology is HTTP in an insecure terminal and network environment. Since protocol-based technologies such as SSO (Single Sign On) are used, authenticating each service while being authenticated to the service for integrated authentication in a terminal and network environment that is practically insecure is a chain of authentication and personal information A more dangerous problem can arise in terms of deodorization.

Also, in a popularized service connected to the Internet, relaying all connections of each service through a gateway may cause operational and cost problems.

In addition, since only authenticated objects are accessed, and information that can be identified in each service corresponding to a service request is limited to source IP information, a problem in which it is impossible to identify which user and terminal has accessed may occur.

In addition, a proxy may not inspect or manipulate service processing request information for traffic that bypasses a secure session such as SSL/TLS between a terminal and a service server.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a database, a target application, and an access control application. and the memory, when executed by the processor, the node performs a network access request of the target application to an external server through the access control application, and the network access request includes identification information of the target application and a destination network including identification information, receiving a data flow from the external server, wherein the data flow includes certificate information corresponding to the destination network identification information, and processing data packets of the target application based on the certificate information , can store commands.

A node according to another embodiment disclosed herein includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor to store a database, a target application, and an access control application. and the memory, when executed by the processor, causes the node to receive tunneling creation information from an external server through the access control application, and performs tunneling with a gateway corresponding to the tunneling creation information based on the tunneling creation information. and transmits proxy information and tunneling information set in the node to the external server, and if the proxy information and tunneling information do not correspond, receiving proxy server configuration information and proxy server configuration information from the external server, Commands for configuring a proxy based on the received proxy server setting information and the proxy server setting information may be stored.

A server according to an embodiment disclosed herein includes communication circuitry, a memory for storing a database, and a processor operatively connected to the communication circuitry and the memory, wherein the processor controls access control applications of nodes from a network An access request is received, the network access request includes identification information of a target application of the node, identification information of a destination network of the target application, an access policy included in the database, identification information of the target application, and the identification information of the target application. Based on the identification information of the destination network, it is checked whether access is possible, whether a data flow corresponding to the identification information of the destination network exists, and if the data flow does not exist, the domain policy included in the database is checked. Based on this, check domain information corresponding to the identification information of the destination network, check whether certificate information corresponding to the domain information exists, create a data flow including the domain information and the certificate information, and generate the It may be configured to transmit the data flow to the node and gateway.

A gateway according to an embodiment disclosed in this document includes a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a service processing request from a node and processes the service. Checking the existence of a data flow corresponding to the request, and if the data flow exists, inspecting the domain information included in the service processing request based on whether or not the domain information is included in the data flow, and based on the inspection result The service processing request may be forwarded or a service processing request failure result may be returned, and the service processing request failure result may be returned if the data flow does not exist.

A method of operating an access control application installed in a node according to an embodiment disclosed in this document includes performing a network access request of a target application to an external server, and the network access request includes identification information of the target application and destination network identification information. and receiving a data flow from the external server, the data flow including certificate information corresponding to the destination network identification information, and processing a data packet of the target application based on the certificate information. can include

A method of operating a server according to an embodiment disclosed in this document includes an operation of receiving a network access request from an access control application of a node, the network access request includes identification information of a target application of the node, and information of a destination network of the target application. An operation of including identification information and checking whether access is possible based on an access policy included in a database, identification information of the target application, and identification information of the destination network, data flow corresponding to the identification information of the destination network Operation of checking whether the data flow exists, operation of checking domain information corresponding to identification information of the destination network based on the domain policy included in the database, if the data flow does not exist, certificate information corresponding to the domain information It may include an operation of checking the existence of , an operation of generating a data flow including the domain information and the certificate information, and an operation of transmitting the generated data flow to the node and gateway.

A method of operating a gateway according to an embodiment disclosed in this document includes an operation of receiving a service processing request from a node, an operation of confirming the existence of a data flow corresponding to the service processing request, and, if the data flow exists, the data Based on whether domain information is included in the flow, domain information included in the service processing request is checked, and based on the inspection result, the service processing request is forwarded or a service processing request failure result is returned, or the data flow If does not exist, an operation of returning a failure result of the service processing request may be included.

According to the embodiments disclosed in this document, it is possible to provide a technology for safely accessing a service using an existing application access control technology, identifying and authenticating a connection target in the service, and easily applying it to a popularized service. Integrated authentication technology can be provided.

In addition, according to the embodiments disclosed in this document, by providing a method by which only an authenticated target can access a service server through an access control application and a gateway, a service request including an unnecessary service request transmitted from an unauthorized target or an attacking behavior is provided. By fundamentally blocking, DDoS (Distributed Denial of Service Attack) attacks can be effectively prevented by guaranteeing safe network access at all times between the authenticated target and the service server, and at the same time reducing service requests from unauthorized targets.

In addition, according to the embodiments disclosed in this document, among service requests passing through the gateway, service requests including service attack behavior information may be filtered in advance, and it is possible to check whether a target has performed the corresponding attack behavior, At the same time, continuous DDoS attack behavior can be blocked by isolating the network access of the attacker.

In addition, according to the embodiments disclosed in this document, due to the nature of HTTP, which is one of the representative service applications, session information that is not valid because it is not possible to know when the network connection of the terminal is terminated if the network connection to the terminal is not always maintained. and can prevent vulnerabilities from Session Hijacking attacks using this session information.

In addition, according to the embodiments disclosed in this document, the service server can remove invalid session information by releasing the data flow at the time of network connection termination, and by blocking service requests using invalid session information, A more secure network service may be provided.

According to the embodiments disclosed in this document, by controlling authentication through a network access control application, a unified service access and authentication structure can be provided without the need to apply a separate strong authentication method to each service.

According to embodiments disclosed in this document, a communication structure in which a proxy server requests service request information again from a service server after a security session or a general session is removed between a terminal and a proxy server may be provided.

According to the embodiments disclosed in this document, a connection based on domain information is provided between a terminal and a proxy through a private DNS (Domain Name System), and a service processing request is sent to a service server based on domain information set in the proxy server. A proxy can inspect or manipulate service processing request information even for traffic that bypasses a session by providing a forwarding network structure.

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 shows an environment including a plurality of networks.
2 illustrates an architecture within a network environment according to various embodiments.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
4 shows a functional block diagram of a node in accordance with various embodiments.
5A and 5B illustrate an operation of controlling transmission of a data packet according to various embodiments.
6 illustrates an example operation of a gateway according to various embodiments.
7 shows a signal flow diagram for setting a domain policy according to various embodiments.
8 shows a signal flow diagram for controller connection according to various embodiments.
9 illustrates a signal flow diagram for user authentication according to various embodiments.
10 shows a signal flow diagram for network access according to various embodiments.
11 illustrates an operational flow diagram for processing a service request at a gateway according to various embodiments.
12 shows a signal flow diagram for control flow update according to various embodiments.
13 illustrates a signal flow diagram for disconnection according to various embodiments.
14 illustrates a signal flow diagram for termination of application execution according to various embodiments.
15 is a flowchart illustrating a method of operating an access control application installed in a node according to various embodiments.
16 is a flowchart illustrating a method of operating a server according to various embodiments.
17 is a flowchart of a method of operating a gateway according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, but to cover various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, the actions performed by a module, program, or other component are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the actions are executed in a different order, or omitted. or one or more other actions may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 shows an environment including a plurality of networks.

Referring to FIG. 1 , the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101 . In FIG. 1 and embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices. For example, source node 101 may include a server or gateway capable of transmitting data packets through an application. The source node 101 may also be referred to as 'electronic device' or 'terminal'. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101 . For another example, the destination node 102 can be substantially the same as the destination network.

The source node 101 may attempt access to the second network 20 and transmit data to the destination node 102 included in the second network 20 . The source node 101 may transmit data to the destination node 102 via the gateway 103 .

If access to the first network 10 of the starting node 101 is approved, since the starting node 101 can communicate with all servers included in the first network 10, the starting node 101 is malicious. ) can be exposed from program attacks. For example, the origin node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browser 110a and business application 110b. ) may receive data of an untrusted or unsecured application such as the business application 110d.

The starting node 101 infected by the malicious program may attempt access to the second network 20 and/or data transmission. When the second network 20 is formed based on IP, such as VPN, it may be difficult to individually monitor a plurality of devices included in the second network 20, and application in the OSI layer Security at the layer or transport layer may be vulnerable. In addition, if the source node 101 includes a malicious application after the tunnel has already been created, the data of the malicious application will be delivered to other electronic devices (eg, the destination node 102) within the second network 20. can

2 illustrates an architecture within a network environment according to various embodiments.

Referring to FIG. 2 , nodes 201 and 206 may be various types of devices capable of performing data communication. For example, nodes 201 and 206 may include an authenticating node 201 and a non-certifying node 206 . For another example, the nodes 201 and 206 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, and a virtual reality (VR) device. ) device, or a home appliance, but is not limited to the aforementioned devices. For example, nodes 201 and 206 may include servers or gateways capable of transmitting data packets through applications. Nodes 201 and 206 may also be referred to as 'electronic devices' or 'terminals'.

The authentication node 201 may store a first target application 212 and an access control application 211 . The first target application 212 may transmit a data packet to the service server 205 through the gateway 203 under the control of the access control application 211 or, conversely, may receive a data packet. Some of the first target applications 212 may be trusted and/or secured applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs, thus network access according to embodiments. The system may block access to the service server 205 of an unauthorized program (application) through network access control of the access control application 211 and isolate the corresponding program. For example, before the first target application 212 according to embodiments communicates with the service server 205 , the access control application 211 may check whether access is available from the controller 202 . If access is possible, the access control application 211 may control data packet transmission of the first target application 212 . That is, in order for the first target application 212 to access the network, it must go through the access control application 211, and the access control application 211 must be authorized from the controller 202. A data packet of the target application 212 may be transmitted based on a data flow based on a policy of the controller 202 .

The unauthenticated node 206 may store the second target application 216 . For example, the unauthenticated node 206 may be a node that does not have an access control application installed. According to an embodiment, the second target application 216 may access the service server 205 in a state in which safety is not guaranteed. In this case, the service server 205 may provide the second target application 216 with only functions suitable for the corresponding security level.

The controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within the network environment by managing data transmission between the authentication node 201, the gateway 203, and the service server 205. For example, the controller 202 may allow the network access of the authorized authentication node 201 (or access control application 211) through policy information or blacklist information. The controller 202 may provide information enabling tunneling between the authentication node 201 and the gateway 203 to be created. Thus, the access control application 211 of the authentication node 201 can prevent disallowed applications from sending data packets for disallowed purposes, and allowed data packets through gateway 203 and created tunneling. Only this can provide a structure that can be transmitted to the service server 205.

According to the embodiment, network access of the first target application 212 may be blocked from the access control application 211 , the controller 202 , or the gateway 203 . According to one embodiment, the controller 202 is an access control application to perform various operations associated with network access of the authentication node 201 or access control application 211 (eg, registration, authorization, authentication, renewal, termination). 211 and control data packets can be transmitted and received. A flow through which the control data packet is transmitted (eg, 220) may be referred to as a 'control flow'. According to the embodiment, the controller 202 immediately retrieves tunneling and sessions according to security events received from the interworking system (eg, authentication node 201, gateway 203, or service server 205), thereby providing a secure network state at all times. can keep

The gateway 203 may be located at the boundary of the network to which the authentication node 201 belongs or the boundary of the network to which the service server 205 belongs. According to one embodiment, the gateway 203 may be connected to the controller 202 based on a cloud. According to the embodiment, the gateway 203 may relay communication with the service server 205 through a proxy for data packets received through authorized tunneling, and the service server 205 receives a service request from an authenticated subject. It is possible to provide a structure that allows processing. According to the embodiment, a flow in which data packets are transmitted between the access control application 211 and the gateway 203 may be referred to as a 'data flow'. Data flows can be created in granular units (eg applications) as well as nodes or IP units.

According to an embodiment, the gateway 203 may include a DNS server for processing domain information.

According to an embodiment, the gateway 203 may include modules for inspecting 5Tuples, TCP and UDP data packets, and modules for processing tunneling and secure session data packets. For example, the gateway 203 may check whether all data packets passing through the gateway 203 are data packets transmitted from an authorized target (eg, an authorized target from the controller 202).

According to the embodiment, the gateway 203 transfers data packets received through a tunnel such as authorized tunneling or session to a service server through a proxy included in the gateway 203 (eg, the proxy server module 233 of FIG. 6). Service processing with (205) can be relayed. For example, the gateway 203 may provide a mechanism for the service server 205 to process a service request received from an authenticated subject, and the service server 205 may be a non-authenticated node (not the gateway 203). 206) may provide a separated network structure capable of handling service requests. Therefore, the above network processing structure can solve the problem of the structure in which the service server 205 must process the service through the gateway 203.

According to various embodiments, the authentication node 201 may include a connection control application 211 and a network driver (not shown) for managing the network connection of the first target application 212 stored in the authentication node 201 . can For example, when an access event to the service server 205 of the first target application 212 included in the authentication node 201 occurs, the access control application 211 allows the first target application 212 to access. can decide whether If the first target application 212 is accessible, the access control application 211 may transmit a data packet to the gateway 203 . The access control application 211 may control transmission of data packets through a kernel including an operating system and a network driver within the authentication node 201 .

3 is a functional block diagram illustrating a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for communicating with an external electronic device (eg, the communication circuit 430 of FIG. 4) and a processor for controlling the overall operation of the controller (eg, FIG. Four processors 410) may be further included.

Hereinafter, node 201 may include authentication node 201 of FIG. 2 . For example, the unauthenticated node 206 of FIG. 2 may not have network access controlled by the controller 202 because the access control application is not installed thereon.

Since the administrator can connect to the controller 202 and set connection-oriented policies to control access between the access control application 211 and the service server 205, network access is more detailed and secure than session management at the service level. can control.

The access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access. For example, the controller 202, when requesting network access from the access control application 211, identifies a network based on a policy of the access policy database 311 (eg, a network to which the node 201 belongs), a node, A user (eg, a user of the node 201) and/or an application (eg, a target application 212 included in the node 201) may determine whether access to the service server 205 is possible. In , the controller 202 may create a whitelist of target applications 212 accessible to a specific service (eg, IP and port) based on the access policy database 311 .

The tunnel policy database 312 is a gateway (eg, gateway 203 of FIG. 2) and a proxy existing between service servers (eg, service server 205 of FIG. 2) on a connection path according to policies. (eg, the proxy server module 233 of FIG. 6) information may be included. For example, the tunnel policy database 312 includes a series of information (authentication information, encryption algorithm, tunnel end point, etc.) necessary for creating a tunnel with the gateway 203 and tunneling connected in advance through another gateway between the access routes. If so, it can include a series of information for use (such as collection of IP information allocated to nodes and whether or not to process alternatives).

The blacklist policy database 313 is a target (e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID) may indicate a blacklist registration policy for blocking access.

The blacklist database 314 may include a list of objects blocked by the blacklist policy database 313 . For example, the controller 202 may isolate the node 201 by rejecting the network access request when identification information of the node 201 requesting network access is included in the blacklist database 314 .

The control flow table 315 is an example of a session table for managing a flow (eg, control flow) of control data packets generated between the node 201 and the controller 202 . When accessing the controller 202 is successful, control flow information may be generated by the controller 202 . The control flow information may include at least one of control flow identification information, an IP address identified during access to and authentication of a controller, a node ID, and a user ID. For example, when access to the service server 205 is requested from the node 201, the controller 202 may search for control flow information through control flow identification information received from the node 201, and the searched control flow Whether the node 201 can access the service server 205 by mapping at least one of the IP address, node ID, or user ID included in the information to the access policy database 311, data flow for data packet transmission It can be judged (determined) whether it is created or not.

According to one embodiment, a control flow may have an expiration time. The node 201 needs to update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate disconnection is necessary according to the security event collected from the node 201 , the controller 202 may remove the control flow according to the connection termination request of the node 201 . When the control flow is removed, the connection of the node 201 may be blocked because the previously generated data flow is also removed.

The data flow table 316 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between the node 201 and the gateway 203 and the service server 205 . Data flows can be created in TCP sessions, applications, or more granular units. The data flow table 316 may include data flow information for tunneling and session management of the application (eg, the first target application 212) of the node 201, the gateway 203, and the service server 205. there is. The data flow table 316 may include an application ID, destination IP address, and/or service port for identifying whether a data packet transmitted from a source is an authorized data packet. The data flow table 316 may be managed based on control flow IDs. In addition, the data flow table 316 may include state information including whether or not the data flow is valid and authorized destination information for determining whether data packets are forwarded based on source IP, destination IP, and port information of the data packet. can According to an embodiment, the data flow table 316 may further include information indicating whether tunneling or a session is created between the application and the gateway 203 . According to an embodiment, when accessing the service server 205 through a proxy, the data flow table 316 may include domain information for access to the service server 205 and certificate information for domain authentication.

According to an embodiment, the data flow table 316 may be equally stored in the node 201 , the gateway 203 , or the service server 205 .

The tunnel table 317 may include a list of tunnels created between the node 201 and the gateway 203.

The domain policy database 318 transmits a service processing request with the service server 205 through a proxy included in the gateway 203 existing between the network boundaries of the service server 205 or a separately separated proxy on an access path according to a policy. When a terminal attempts access to a domain address for relaying, information necessary to pass through the proxy (domain address resolution information, DNS server information to be allocated on the route, domain information set in the proxy, certificate required when accessing the domain, etc. ) may be included.

The proxy policy database 319 may include proxy information existing between service servers 205 on an access path according to policies.

4 shows a functional block diagram of a node in accordance with various embodiments.

Referring to FIG. 4 , a node may include a processor 410 , a memory 420 , and a communication circuit 430 . According to one embodiment, the node may further include a display 440 to interface with a user. According to an embodiment, the node may include the authenticated node 201 and non-certified node 206 of FIG. 2 .

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like.

The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to one embodiment, the memory 420 may store the first target application 212 and the access control application 211 of FIG. 2 . Also, the memory 420 may store the second target application 216 of FIG. 2 . The access control application 211 may perform control flow creation and update functions with the controller 202 . To this end, the access control application 211 may include one or more security modules.

According to an embodiment, the memory 420 may store some of the information included in the memory of the controller (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the data flow table 316 described in FIG. 3 .

The communication circuit 430 establishes a wired or wireless communication connection between the node and an external electronic device (eg, the controller 202, gateway 203 or service server 205 of FIG. 2) and performs communication through the established connection. can support According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

A server (eg, controller) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

A gateway (eg, the gateway 203 of FIG. 2 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410, memory 420, and communication circuit 430 included in the gateway may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

5A and 5B illustrate an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 5A , the access control application 211 detects a request for network access to the service server 205 from the first target application 212 included in the authentication node 201, and the authentication node 201 or the connection It is possible to determine whether the control application 211 is connected to the controller 202 . If the authentication node 201 or the access control application 211 is not connected to the controller 202, the access control application 211 may block transmission of data packets in a kernel or network driver including an operating system. can Through the access control application 211, the authentication node 201 may block access of malicious applications in advance in the application layer of the OSI layer.

According to the embodiment, when the access control application 211 is not connected to the controller 202 or when a data packet to be transmitted is a data packet to be transmitted based on a tunnel but a corresponding tunnel does not exist, Data packets transmitted from the control application 211 are blocked by the gateway 203 and the access control application 211 can only request access to the controller 202 .

According to the embodiment, if the access control application 211 is not installed on the authentication node 201 or if a malicious application bypasses the control of the access control application 211, unauthorized data packets will be transmitted from the authentication node 201. can In this case, since the gateway 203 existing at the border of the network blocks data packets for which the corresponding tunnel does not exist, the data packets transmitted from the authentication node 201 (eg, data packets for TCP session creation) are sent to the service server. (205) may not be reached. In other words, the authentication node 201 can be isolated from the service server 205.

Referring to FIG. 5B, in the case of an unauthorized node 206 in which an access control application is not installed, the second target application 216 may provide a structure capable of always accessing the service server 205 through an existing network path. there is. For example, the service server 205 provides a separate network structure capable of processing a service request for an unauthorized node 206 rather than the gateway 203 so that the service server 205 must pass through the gateway 203. It can solve the problem of the inline structure incurring cost because the service must be processed.

6 illustrates an example operation of a gateway according to various embodiments.

Referring to FIG. 6 , a gateway 203 according to an embodiment disclosed in this document may include a DNS server module 213 , a tunneling module 223 and a proxy server module 233 . According to an embodiment, the gateway 203 does not have to include all of the DNS server module 213, the tunneling module 223 and the proxy server module 233, but the DNS server module 213, the tunneling module 223 and the proxy server module 213. At least one of the server modules 233 may be included.

The node 201 may request interpretation of domain information in order to access the service server 205, and a proxy existing within the tunneling section through the DNS server module 213 included in the gateway 203 or an external DNS server. It is possible to prevent the node 201 from directly accessing the service server 205 existing in the public IP band by receiving IP information capable of accessing the server. For example, DNS server module 213 may process domain resolution requests from node 201 .

In addition, the node 201 can access the proxy server module 233 with previously authorized tunnel and domain authentication information through data flow access control, and the controller 202 is included in the gateway 203 and the gateway 203 Data flow information may be transmitted to the proxy server module 233 or an external proxy server so that only authorized objects may access the service server 205 .

Node 201 may make a domain resolution request to gateway 203 . For example, node 201 may request a connection to pribit.com.

The gateway 203 may resolve the domain information of pribit.com through the DNS server module 213, deliver the resolved public IP information 211.1.1.1 to the proxy server module 233, and the node 201 ), private IP information (192.168.1.10) that can access the proxy server module 233 can be set and transmitted.

Tunneling module 223 may create tunneling with node 201 . For example, the tunneling module 223 may examine a data packet received through tunneling. For example, the tunneling module 223 may check whether a received data packet is received through a corresponding authorized tunnel. According to an embodiment, the tunneling module 223 may check whether a data packet is received through an authorized tunnel including a tunnel or a session, not only whether or not it is received through an authorized tunnel.

The node 201 may request access to the service server 205 based on private IP information (192.168.1.10) through pre-generated tunneling. The proxy server module 233 may be configured to process a service processing request transmitted from the node 201 based on private IP information (192.168.1.10) to public IP information (211.1.1.1).

That is, the proxy server module 233 checks the domain information included in the received service request information and the domain information included in the data flow, and transmits the service processing request information to the service server 205 only for objects accessed through the authorized data flow. By retransmitting, the proxy server module 233 performs access control of the service server based on the data flow information, and at the same time processes the service request passing through the proxy server module 233 and inspects or manipulates the processing request result returned by the service server in detail. We can provide you with a way to do it.

Through the above network structure, the gateway 203 identifies authenticated nodes, users, applications, etc. that could not be controlled by various access control technologies using conventional proxy servers, and can access the service server 205 for each target. Detailed control is possible and at the same time, when the target releases the connection, the corresponding data flow is removed from the proxy server module 233, so that the non-authentication target can be blocked from accessing the service server 205 through the proxy server module 233. there is.

7 shows a signal flow diagram for setting a domain policy according to various embodiments.

The node 201 may request access to all services of the node 201 to a proxy or request access to only some services to a proxy in order to control access to a public service (eg, SaaS service, etc.). For example, when inducing access to some services through a proxy, the controller 202 configures the domain of the DNS server to treat the public IP of the public domain as the proxy IP existing in the tunneling band, and the IP address of the DNS server during tunneling. It may be necessary to assign a control method that allocates and forwards the domain to a public IP after resolving the domain in the proxy server.

Referring to FIG. 7 , in operation 605, the controller 202 may set a domain policy. For example, an administrator may set a domain policy through a dedicated console or UI (User Interface), and transmit each setting information to the gateway 203 to set each server and module included in the gateway (operation 610). . In addition, if the DNS server and the proxy server are not included in the gateway 203 and are separated, the controller 202 may process related settings by transmitting them to each server.

In operation 615, the DNS server of the gateway 203 may configure the domain and IP. For example, the DNS server may set a domain for service access and IP information to be returned when the node 201 queries the corresponding domain.

In operation 620, when the node 201 establishes tunneling, the gateway 203 may set a DNS server IP to be queried during communication as a tunneling section. For example, the tunneling module of the gateway 203 may set the DNS server IP.

In operation 625, the proxy server of the gateway 203 may set information for processing a service request transmitted as private IP information as public IP information.

8 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to access or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, thereby 201) can try to connect to the controller. According to an embodiment, node 201 may be substantially the same as authentication node 201 of FIG. 2 in which access control application 211 is installed.

Referring to FIG. 8 , node 201 may detect a controller connection event. For example, when the connection control application 211 is installed and executed within the node 201, the node 201 may detect that a connection to the controller 202 is requested.

At operation 705 , node 201 may request controller connection from controller 202 . For example, the access control application 211 may transmit identification information of the access control application 211 to the controller 202 . Additionally, the access control application 211 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.

In operation 710, the controller 202 may identify whether or not the controller connection request (eg, the access control application 211 or the node 201) is accessible. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or the connection. Based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314 , it is possible to check whether the controller connection requesting object is accessible.

If the connection is possible, at operation 715 the controller 202 may create a control flow between the node 201 (or the connection control application 211 ) and the controller 202 . In this case, the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 211 into a control flow table ( 315) can be stored. Information stored in the control flow table 315 may be used for user authentication of the node 201 , information update of the node 201 , policy check for network access of the node 201 , and/or validation.

In operation 720, the controller 202 connects from the access policy database 311 and the tunnel policy database 312 corresponding to the identified information (eg, the node 201 and source network information to which the node 201 belongs). Whitelist information of possible applications can be created. Depending on the embodiment, the controller 202 determines whether there is destination network information to which the node 201 requesting the current access can basically connect based on the identified information, the access policy database 311, and the tunnel policy database 312. You can check. In one embodiment, the controller 202 may send the application white list to the connection control application 211 at operation 725 .

In addition, if access is possible, the controller 202 may list tunneling types and gateways to which the node 201 can connect. For example, the controller 202 includes the type of node 201 included in the control flow in order for the node 201 to access the destination network, location information, environment, network information including the node 201, and the controller ( Tunneling that the node 201 can connect to based on at least one of identification information (eg, IP information) of the node 201 identified through 202 and identification information of the node 201 identified by the node 201 Types and gateways can be listed. For another example, the controller 202 provides information on the type of node 201 included in the control flow, location information, environment, network information including the node 201, and controller 201 in order for the node 201 to access the destination network. The node 201 can connect based on a combination of two or more of identification information (eg, IP information) of the node 201 identified through (202) and identification information of the node 201 identified in the node 201 Tunneling types and gateways can be listed.

The controller 202 can check the status of the listed gateways, and can identify a tunneling and gateway 203 optimized for the node 201 from among the listed gateways. For example, controller 202 can identify tunneling and gateway 203 as one. According to the embodiment, when tunneling and gateway 203 accessible to node 201 exist, controller 202 generates tunneling such as gateway 203 and tunneling authentication information for node 201 to create tunneling. Information may be transmitted to node 201 (act 725).

According to the embodiment, it is not a structure in which tunneling is created between the node 201 and the gateway 203, but through pre-connected tunneling that exists at the boundary between the gateway 203 present in the network to which the node 201 belongs and the destination network. In the case of an access structure or in the case of access through another tunneling technology between the node 201 and the destination network boundary, the controller 202 may not transmit tunneling creation information to the node 201 .

In operation 725 , the controller 202 may transmit control flow identification information to the node 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller access is unavailable or is included in the blacklist, the controller 202 may transmit access unavailability information in operation 725 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list generated through the execution of operation 720 to the connection control application 211 .

In operation 730, the access control application 211, when tunneling creation is required (eg, when tunneling creation information is received from the controller 202), information for tunneling creation received from the controller 202 (eg, gateway 203 ) and a series of information necessary for tunneling creation, such as tunneling authentication information), the gateway 203 may be requested to create tunneling. The gateway 203 may create tunneling in response to the request of node 201 to create tunneling. According to the embodiment, when it is determined that tunneling creation is unnecessary by the controller 202 (eg, when tunneling creation information is not received from the controller 202, or when tunneling creation unnecessary information is received from the controller 202). etc.) the access control application 211 may not perform operation 730 .

At operation 735, the connection control application of node 201 may process the tunneling creation result. For example, when the node 201 completes tunnel creation with the gateway 203, a designated DNS server may be allocated during tunneling.

According to an embodiment, the access control application 211 may perform a check on the application. For example, the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 . The access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.

At operation 740, the connection control application 211 may transmit node 201 information. For example, the access control application 211 may transmit tunneling creation completion information, certificate and proxy setting information set in the node 201 , and assigned tunneling identification information (IP information) to the controller 202 . According to an embodiment, the access control application 211 may transmit the application check result to the controller 202 . For example, the access control application 211 may transmit information about existing applications and results of validation to the controller 202 .

At operation 745, the controller 202 may check the proxy policy (eg, proxy policy database 319 of FIG. 3) and the domain policy (eg, domain policy database 318 of FIG. 3). For example, the controller 202, when tunneling creation is completed based on the tunneling creation completion information received from the access control application 211, transmits the tunneling IP assigned to the node 201 and the corresponding tunneling creation information to a tunneling table (eg : Can be registered in the tunneling table 317 of FIG. 3), and information received from the node 201 can be updated in the control flow.

In addition, the controller 202 may identify a proxy server existing in the tunneling section of the gateway 203 to which the node 201 has access in the proxy policy, and set a proxy in the node 201 to proxy all service requests. You can check whether it will be processed or not.

According to the embodiment, when a proxy server needs to be set, the controller 202 may check whether the proxy server information received from the node 201 exists, and based on the received proxy server information and the proxy policy 319, the controller 202 needs to set the proxy server information. You can compare proxy server information. For example, when the received proxy server information and the proxy server information to be set are the same, the controller 202 may determine that proxy setting of the node 201 is completed. For another example, if the received proxy server information is different from the proxy server information to be set, or if the received proxy server information does not exist, the controller 202 determines whether a proxy is set, proxy server identification information (eg, IP information) and port information to node 201 (act 755).

In addition, the controller 202 can check whether a service server that the node 201 can access exists based on the access policy 311 and the domain policy, and can check domain information and certificate information for accessing the corresponding service server. there is. For example, when there is domain information and certificate information for accessing the service server, the controller 202 compares the certificate information received from the node 201 to determine an additional certificate or renewal certificate to be set in the node 201. Existence can be confirmed, and if certificate setting is required, certificate information can be returned to the node 201 (operation 755).

In addition, the controller 202 may check whether the application is valid based on the received application information, and if it is a valid application, the access policy and the tunnel policy to allow access of the node 201 connected to the network. Check the gateway 203 where 201 is located, and create data flow information based on the source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure. .

The controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 (operations 750 and 755).

In operation 760, the access control application 211 may process the resulting value according to the received response. For example, the connection control application 211 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user. When the controller connection is completed, the request for network connection of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that node 201 is unreachable. For example, if identification information of the node 201 and/or a network to which the node 201 belongs is included in a blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may transmit a response indicating that access to the controller is impossible in operation 725 without generating a control flow in operation 715 . Also, in this case, operations 730 to 755 may not be performed. Depending on the embodiment, if a controller connection needs to be retried, the connection control application 211 may perform operation 705 again.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed. Afterwards, when a data packet transmission request is detected, the access control application 211 may process the data packet to be transmitted based on the received data flow.

According to an embodiment, the access control application 211 may perform proxy setting and certificate setting, respectively, when proxy setting information or certificate information received from the controller 202 exists.

9 illustrates a signal flow diagram for user authentication according to various embodiments.

In order for the node 201 to be granted detailed access rights to the destination network, the access control application 211 of the node 201 may authenticate the user of the node 201 from the controller 202 . According to an embodiment, node 201 may be substantially the same as authentication node 201 of FIG. 2 in which access control application 211 is installed.

Referring to FIG. 9 , node 201 may receive an input for user authentication. An input for user authentication may be, for example, a user input for inputting a user ID and password. For another example, the input for user authentication may be a user input (eg, biometric information) for stronger authentication. In this case, the access control application 211 of the node 201 may request user authentication from the controller 202 in operation 805 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication together with control flow identification information.

At operation 810 , controller 202 may authenticate the user based on the information received from node 201 . For example, the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (e.g., the access policy database of FIG. 3). 311 or the blacklist database 314), it is possible to determine whether the user can access according to the access policy and whether the user is included in the blacklist.

If the user is authenticated, in operation 815, the controller 202 may add user identification information (eg, user ID) to identification information of the control flow. The added user identification information can be used for the authenticated user's controller access or network access.

In operation 820, the controller 202 connects from the access policy database 311 and the tunnel policy database 312 corresponding to the identified information (eg, the node 201 and source network information to which the node 201 belongs). Whitelist information of possible applications can be created. Depending on the embodiment, the controller 202 determines whether there is destination network information to which the node 201 requesting the current access can basically connect based on the identified information, the access policy database 311, and the tunnel policy database 312. You can check. In one embodiment, the controller 202 may send the application white list to the connection control application 211 in operation 825 .

In addition, if access is possible, the controller 202 may list tunneling types and gateways to which the node 201 can connect. For example, the controller 202 includes the type of node 201 included in the control flow in order for the node 201 to access the destination network, location information, environment, network information including the node 201, and the controller ( Tunneling that the node 201 can connect to based on at least one of identification information (eg, IP information) of the node 201 identified through 202 and identification information of the node 201 identified by the node 201 Types and gateways can be listed. For another example, the controller 202 provides information on the type of node 201 included in the control flow, location information, environment, network information including the node 201, and controller 201 in order for the node 201 to access the destination network. The node 201 can connect based on a combination of two or more of identification information (eg, IP information) of the node 201 identified through (202) and identification information of the node 201 identified in the node 201 Tunneling types and gateways can be listed.

The controller 202 can check the status of the listed gateways, and can identify a tunneling and gateway 203 optimized for the node 201 from among the listed gateways. For example, controller 202 can identify tunneling and gateway 203 as one. According to the embodiment, when tunneling and gateway 203 accessible to node 201 exist, controller 202 generates tunneling such as gateway 203 and tunneling authentication information for node 201 to create tunneling. Information may be transmitted to node 201 (act 825).

According to the embodiment, it is not a structure in which tunneling is created between the node 201 and the gateway 203, but through pre-connected tunneling that exists at the boundary between the gateway 203 present in the network to which the node 201 belongs and the destination network. In the case of an access structure or in the case of access through another tunneling technology between the node 201 and the destination network boundary, the controller 202 may not transmit tunneling creation information to the node 201 .

In operation 825, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In addition, the controller 202 may transmit accessible application information to the access control application 211 .

In operation 830, the access control application 211, when tunneling creation is required (eg, when tunneling creation information is received from the controller 202), information for tunneling creation received from the controller 202 (eg, gateway 203 ) and a series of information necessary for tunneling creation, such as tunneling authentication information), the gateway 203 may be requested to create tunneling. The gateway 203 may create tunneling in response to the request of node 201 to create tunneling. According to the embodiment, when it is determined that tunneling creation is unnecessary by the controller 202 (eg, when tunneling creation information is not received from the controller 202, or when tunneling creation unnecessary information is received from the controller 202). etc.) The access control application 211 may not perform operation 830.

At operation 835, the connection control application of node 201 may process the tunneling creation result. For example, when the node 201 completes tunnel creation with the gateway 203, a designated DNS server may be allocated during tunneling.

According to an embodiment, the access control application 211 may perform a check on the application. For example, the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 . The access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.

At operation 840, the connection control application 211 may transmit node 201 information. For example, the access control application 211 may transmit tunneling creation completion information, certificate and proxy setting information set in the node 201 , and assigned tunneling identification information (IP information) to the controller 202 . According to an embodiment, the access control application 211 may transmit the application check result to the controller 202 . For example, the access control application 211 may transmit information about existing applications and results of validation to the controller 202 .

At operation 845, the controller 202 may check the proxy policy (eg, proxy policy database 319 of FIG. 3) and the domain policy (eg, domain policy database 318 of FIG. 3). For example, the controller 202, when tunneling creation is completed based on the tunneling creation completion information received from the access control application 211, transmits the tunneling IP assigned to the node 201 and the corresponding tunneling creation information to a tunneling table (eg : Can be registered in the tunneling table 317 of FIG. 3), and information received from the node 201 can be updated in the control flow.

In addition, the controller 202 may identify a proxy server existing in the tunneling section of the gateway 203 to which the node 201 has access in the proxy policy, and set a proxy in the node 201 to proxy all service requests. You can check whether it will be processed or not.

According to the embodiment, when a proxy server needs to be set, the controller 202 may check whether the proxy server information received from the node 201 exists, and based on the received proxy server information and the proxy policy 319, the controller 202 needs to set the proxy server information. You can compare proxy server information. For example, when the received proxy server information and the proxy server information to be set are the same, the controller 202 may determine that proxy setting of the node 201 is completed. For another example, if the received proxy server information is different from the proxy server information to be set, or if the received proxy server information does not exist, the controller 202 determines whether or not a proxy is set, proxy server identification information (eg, IP information) and port information to node 201 (act 855).

In addition, the controller 202 can check whether a service server that the node 201 can access exists based on the access policy 311 and the domain policy, and can check domain information and certificate information for accessing the corresponding service server. there is. For example, when there is domain information and certificate information for accessing the service server, the controller 202 compares the certificate information received from the node 201 to determine an additional certificate or renewal certificate to be set in the node 201. Existence may be confirmed, and if certificate setting is required, certificate information may be returned to the node 201 (operation 855).

In addition, the controller 202 may check whether the application is valid based on the received application information, and if it is a valid application, the access policy and the tunnel policy to allow access of the node 201 connected to the network. Check the gateway 203 where 201 is located, and create data flow information based on the source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure. .

The controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 (operations 850 and 855).

In operation 860, the access control application 211 may process the resulting value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen indicating completion of user authentication to the user. When user authentication is complete, the request for network access of the node 201 to the destination network may be controlled by the controller 202 .

According to another embodiment, controller 202 may determine that user authentication of node 201 is not possible. For example, if identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database, the controller 202 may determine that the node 201 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect user identification information in operation 815 and may transmit a response indicating that access to the controller is impossible in operation 825 . Also, in this case, operations 830 to 855 may not be performed.

In addition, the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.

According to an embodiment, the access control application 211 may perform proxy setting and certificate setting, respectively, when proxy setting information or certificate information received from the controller 202 exists.

10 shows a signal flow diagram for network access according to various embodiments.

After node 201 is authorized by controller 202, node 201 controls the network access of other applications stored in node 201 through node 201's access control application 211 to provide trusted data. delivery can be guaranteed. According to an embodiment, node 201 may be substantially the same as authentication node 201 of FIG. 2 in which access control application 211 is installed.

In operation 905 , the connection control application 211 may detect a network connection event of another application stored in the node 201 (eg, the first target application 212 of FIG. 2 ).

In operation 910, the access control application 211 may check the existence of a data flow corresponding to identification information of the application requesting network access, destination network identification information, and port information. Depending on the embodiment, if a data flow exists but is not valid, the access control application 211 may drop the data packet. According to another embodiment, if a data flow exists, the access control application 211 may transmit a data packet based on the data flow. According to the embodiment, the access control application 211 of the node 201 may perform a network access request in operation 915 without performing operation 910 .

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time expires and renewal is required, in operation 915, the access control application 211 may request the controller 202 to access the network. For example, the network access request may include control flow identification information, destination network identification information, and port information.

In operation 920, the controller 202 determines the access requested identification information (eg, destination network identification information) in the access policy corresponding to the identified information (eg, node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible can be checked. According to an embodiment, the controller 202 may check whether the target application can access the gateway 203 or the service server 205 . Depending on the embodiment, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 when network access is impossible (operation 935).

If accessible, the controller 202 may check whether tunneling between the node 201 and the gateway 203 has been created and domain information based on the tunnel table and the domain policy in operation 925 . For example, if tunneling has not been created, the controller 202 may send a connection failure result to the access control application (operation 935).

When tunneling is created, the controller 202 may check whether a valid data flow corresponding to identification information and port information of the destination network exists in the data flow table. According to the embodiment, if a valid data flow exists in the data flow table, the controller 202 may transmit the corresponding data flow to the gateway 203 and the access control application 211 (operations 930 and 935).

According to an embodiment, when there is no valid data flow, the controller 202 may check a list of domains mapped with destination network identification information requested for network access based on a domain policy. When the domain list exists, the controller 202 may check whether certificate information for accessing each domain information exists. Depending on the embodiment, when a certificate for access to the corresponding domain information is required, it may be confirmed whether a certificate is set in the node 201 based on control flow information of the node 201 of the controller 202 .

The controller 202 may generate data flow information based on identification information of the node 201 , identification information of the destination network, and port information so as to allow access of the application requesting the connection of the node 201 . In this case, the controller 202 may add domain information to the data flow if the domain list exists, and may add certificate information to the data flow if certificate setting is required. The controller 202 may transmit the generated data flow to the node 201 and the gateway 203 (operations 930 and 935). Depending on embodiments, operation 935 may not be performed when the generated data flow does not exist.

At operation 940 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, when the connection control application 211 receives a network connection failure result from the controller 202, it may drop a data packet to be transmitted by the target application. For another example, when a data flow is received from the controller 202, the access control application 211 may transmit a data packet based on the received data flow.

According to the embodiment, the access control application 211 may set a certificate based on certificate information included in the received data flow when the network access request is successful and certificate setting is required, and may transmit a data packet after the certificate is set. .

In one embodiment, after performing operation 910, the access control application 211 may perform validation on the access application according to the validation policy. For example, the access control application 211 may further perform an integrity and stability test of the access application (forgery or tampering test, code signing test, fingerprint test, etc.). The access control application 211 may perform operation 915 when the validation result is successful.

11 illustrates an operational flow diagram for processing a service request at a gateway according to various embodiments. Depending on the embodiment, the operations shown in FIG. 11 may be performed through the gateway 203 of FIG. 2 .

Referring to FIG. 11 , in operation 1005, the gateway 203 may detect a service processing request event. For example, a service processing request may include one or a plurality of data packets. For another example, the proxy server included in the gateway 203 may detect a service processing request event by receiving a data packet or a service processing request.

In operation 1010, the proxy server of the gateway 203 may check whether a data flow corresponding to the source IP, destination IP, and port information included in the service processing request information exists.

Depending on the embodiment, when a valid data flow does not exist, the gateway 203 may return a service processing request failure result in operation 1025 . For example, the proxy server included in the gateway 203 may return information for forwarding or redirecting a service processing request to a specified path according to a service processing policy or return service request failure information.

Depending on the embodiment, when a valid data flow exists and domain information is not included in the data flow, the gateway 203 may forward the service processing request (operation 1020).

If a valid data flow exists and the domain information is included in the data flow, in operation 1015, the proxy server of the gateway 203 may check the domain information. For example, the proxy server of the gateway 203 may check whether the domain information included in the service request information is included in the domain information in the data flow. According to the embodiment, if the domain information included in the service request information is not included in the domain information in the data flow, since the node 201 cannot access the service server, the proxy server may return a service processing request failure result. may (act 1025).

Depending on the embodiment, when the domain information included in the service request information is included in the domain information in the data flow, the proxy server may forward the service processing request information based on the IP and port of the service server corresponding to the domain information. Yes (act 1020).

12 shows a signal flow diagram for control flow update according to various embodiments.

Referring to FIG. 12 , in operation 1105, the access control application 211 may detect a control flow update event.

In operation 1110, the access control application 211 may request a control flow update from the controller 202 based on the control flow identification information.

In operation 1115, the controller 202 may check whether a control flow exists in a control flow table (eg, the control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when the control flow does not exist (eg, when the connection is disconnected by another security system, when the connection is disconnected by its own risk detection, etc.), the controller 202 determines that the connection of the node 201 is valid. Therefore, a connection failure result may be transmitted to the connection control application 211 (operation 1120).

The controller 202 may update the update time when a control flow exists in the control flow table (eg, the control flow table 315 of FIG. 3 ). In this case, the controller 202 may transmit identification information of the updated control flow to the connection control application 211 (operation 1120).

In one embodiment, the controller 202 is required to perform re-authentication among data flows subordinate to the identified control flow, or if there is a data flow to which access is no longer possible, the controller 202 transmits information about the corresponding data flow to an access control application ( 211) (operation 1120).

At operation 1125 , the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, the access control application 211 may block all network accesses of applications when the control flow update result is impossible. For another example, the access control application 211 may update the data flow when the control flow update result is normal and updated data flow information exists.

13 illustrates a signal flow diagram for disconnection according to various embodiments.

Referring to FIG. 13 , in operation 1205, the node 201 terminates the node 201, terminates the access control application 211, terminates the target application, no longer uses the network connection, and information identified from the interworking system. At least one of connection termination requests may be detected based on . In this case, at operation 1210, node 201 or access control application 211 may request controller 202 to remove the control flow.

In operation 1215, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1220, the controller 202 may remove all data flows dependent on the removed control flow. Thus, node 201 can no longer connect to the destination network based on the removed data flow.

In operation 1225, the controller 202 may request the gateway 203 to remove all data flows dependent on the removed control flow. The gateway 203 may remove the data flow, and thus data packets corresponding to source network, destination network, and port information included in the removed data flow may no longer be transmitted.

14 illustrates a signal flow diagram for termination of application execution according to various embodiments.

Referring to FIG. 14 , in operation 1305, the access control application 211 of the node 201 may check in real time whether or not the running application is terminated, and may detect an application execution end event.

Depending on the embodiment, the access control application 211 may check whether a data flow corresponding to terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.

At operation 1310 , the connection control application 211 may issue a data flow removal request to the controller 202 . For example, the access control application 211 may transmit identification information of a terminated application or identification information of a data flow corresponding to the terminated application to the controller 202 and may perform a data flow removal request.

In operation 1315, the controller 202 may delete the data flow requested to be removed. In addition, the controller 202 may perform a removal request for the removed data flow to the gateway 203 (operation 1320). The gateway 203 may remove the data flow, and thus data packets corresponding to source network, destination network, and port information included in the removed data flow may no longer be transmitted.

15 is a flowchart illustrating a method of operating an access control application installed in a node according to various embodiments. The operations shown in FIG. 15 can be performed through the access control application 211 of FIG. 2 .

Referring to FIG. 15 , in operation 1405, the access control application 211 may request a network access of the target application to an external server. For example, the network access request may include identification information of a target application and identification information of a destination network.

At operation 1410, the access control application 211 may receive a data flow from an external server. For example, the data flow may include domain information and certificate information corresponding to destination network identification information.

In operation 1415, the access control application 211 may process the data packet of the target application based on the domain information and certificate information. For example, when it is necessary to set a certificate based on a data flow, the access control application 211 may set a certificate and transmit a data packet.

16 is a flowchart illustrating a method of operating a server according to various embodiments. The operations shown in FIG. 16 may be performed through the controller 202 of FIG. 2 .

Referring to FIG. 16 , at operation 1505 , the controller 202 may receive a network connection request from a node's access control application.

In operation 1510, the controller 202 may check whether access is possible based on the access policy included in the database, identification information of the target application, and identification information of the destination network.

In operation 1515, the controller 202 may check whether a data flow corresponding to the identification information of the destination network exists.

In operation 1520, if there is no data flow, the controller 202 may check domain information corresponding to the identification information of the destination network based on the domain policy included in the database.

In operation 1525, the controller 202 may check whether certificate information corresponding to the domain information exists.

At operation 1530, the controller 202 may generate a data flow including domain information and certificate information.

At operation 1535, the controller 202 may transmit the generated data flow to the node and gateway.

17 is a flowchart of a method of operating a gateway according to various embodiments. Operations shown in FIG. 17 may be performed through the gateway 203 of FIG. 2 .

Referring to FIG. 17 , in operation 1605, the gateway 203 may receive a service processing request from a node. A service processing request may include one or a plurality of data packets.

In operation 1610, the gateway 203 may check existence of a data flow corresponding to the service processing request. For example, the proxy server of gateway 203 can confirm the existence of a data flow.

In operation 1615, if the data flow exists, the gateway 203 checks the domain information included in the service processing request based on whether the domain information is included in the data flow, and if the check result is successful based on the check result Service processing requests can be forwarded. In addition, the gateway 203 may return a service processing request failure result when the inspection result is failure based on the inspection result. In addition, the gateway 203 may return a service processing request failure result when the data flow does not exist.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the scope of the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (20)

In node,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operably coupled with the processor, wherein the memory stores a database, a target application, and a connection control application, wherein the memory, when executed by the processor, causes the node to:
Performing a network access request of the target application to an external server through the access control application, the network access request including identification information of the target application and destination network identification information;
Receiving a data flow from the external server, wherein the data flow includes certificate information and proxy server information corresponding to the destination network identification information;
Setting a certificate based on the certificate information and setting a proxy server based on the proxy server information;
When the certificate setting and the proxy server setting are completed, the data packet of the target application is transmitted,
Store instructions configured to transmit certificate information or proxy information set in the node through the access control application to the external server;
The certificate information is information about a certificate to be set for authentication with the proxy server in order to access the destination network;
The proxy server information is information determined by the external server to control data packets through a proxy server existing between the node and the destination network. delete The method of claim 1, wherein the instructions are the node,
Receiving tunneling creation information from the external server;
Create tunneling with a gateway corresponding to the tunneling creation information based on the tunneling creation information;
When the tunneling is created, the node is assigned a Domain Name System (DNS) server. The method of claim 1, wherein the instructions are the node,
If the proxy information transmitted to the external server does not correspond to the gateway to which the node is to be connected, receiving proxy server setting status and proxy server setting information from the external server through the access control application;
A node configured to set a proxy based on whether or not the received proxy server is set and the proxy server setting information. The method of claim 1, wherein the instructions are the node,
Performing a domain information analysis request to the node and the gateway through which tunneling is created through the access control application;
receiving a domain analysis result from the gateway, the domain analysis result including IP information;
Request access to the destination network from the gateway based on the IP information;
The IP information is processed as identification information of the destination network in a proxy included in the gateway. The method of claim 1, wherein the instructions are the node,
If there is a policy allowing the node to access the network without requesting a data flow, receive a data flow accessible without request from the external server through the access control application;
A node that transmits the data packet based on a data flow accessible without the request. In node,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operably coupled with the processor, wherein the memory stores a database, a target application, and a connection control application, wherein the memory, when executed by the processor, causes the node to:
Receiving tunneling creation information from an external server through the access control application;
Create tunneling with a gateway corresponding to the tunneling creation information based on the tunneling creation information;
Transmitting proxy information and tunneling information set in the node to the external server;
If the proxy information and the tunneling information do not correspond, receiving proxy server setting information and proxy server setting information from the external server;
A node for storing instructions for setting a proxy based on whether the received proxy server is set and the proxy server setting information. The method of claim 7, wherein the instructions are the node,
Transmitting certificate information set in the node to the external server through the access control application;
If the certificate information does not correspond to the gateway information to which the node is to be accessed, receiving whether or not to set a certificate and certificate setting information from the external server;
A node configured to set a certificate based on whether or not the received certificate is set and the certificate setting information. in the server,
communication circuit;
a memory for storing a database; and
a processor in operative connection with the communication circuitry and the memory, the processor comprising:
Receive a network access request from an access control application of a node, the network access request including identification information of a target application of the node and identification information of a destination network of the target application;
Check whether access is possible based on an access policy included in the database, identification information of the target application, and identification information of the destination network;
Check whether a data flow corresponding to the identification information of the destination network exists;
If the data flow does not exist, check domain information corresponding to identification information of the destination network based on a domain policy included in the database;
Check whether certificate information corresponding to the domain information exists,
configured to generate a data flow including the domain information and the certificate information, and transmit the generated data flow to the node and the gateway;
The server, wherein the certificate information is information about a certificate to be set for the node to access the destination network. The method of claim 9, wherein the processor,
If access is possible, the node checks whether a tunnel has been created in the tunnel table included in the database;
When the tunnel is not created in the node, a connection failure result is transmitted to the node;
If the tunnel is created, the server configured to check whether the data flow exists. The method of claim 9, wherein the processor,
Receiving a connection request including identification information of the node and identification information of the access control application from the access control application;
Based on the identification information of the node and the identification information of the access control application, whether access is possible is checked, and if access is possible, control flow identification information and a white list of accessible applications are generated;
Listing gateways and tunneling types related to the node based on the tunnel policy included in the database;
Selecting a gateway and tunneling based on the status of each of the listed gateways;
The server configured to transmit the control flow identification information and the application whitelist, information of the selected gateway and information for creating the tunneling to the node. The method of claim 9, wherein the processor,
Receiving tunnel creation completion information and proxy setting information from the access control application;
Updating the database based on the tunnel creation completion information;
Identifying a proxy included in a gateway corresponding to the node based on a proxy policy included in the database;
The server configured to return identification information of the proxy and whether or not the proxy is set to the access control application when the proxy and the proxy setting information are different or the proxy setting information does not exist. The method of claim 9, wherein the processor,
Setting a domain policy based on the database,
Transmitting the set domain policy to the gateway;
A server configured to transmit the set domain policy to a Domain Name System (DNS) server or proxy server. in the gateway,
communication circuit;
Memory; and
a processor in operative connection with the communication circuitry and the memory, the processor comprising:
Receive a service processing request from a node;
confirming existence of a data flow corresponding to the service processing request and authorized from an external server, the data flow including domain information;
When domain information included in the data flow includes domain information included in the service processing request, forwarding the service processing request to a service server corresponding to the domain information;
Returning a service processing request failure result when the domain information included in the data flow does not include the domain information included in the service processing request;
Returning the service processing request failure result if the data flow does not exist. The method of claim 14, wherein the processor,
Receive a domain resolution request from the node;
Based on the domain information included in the domain analysis request, a domain analysis result is generated as IP information and returned;
Receiving a destination network access request based on the IP information from the node;
A gateway that permits the node to access the destination network based on the IP information and the domain information. The method of claim 14, wherein the processor,
a DNS server module processing a domain resolution request of the node;
a tunneling module that creates tunneling with the node; and
A gateway comprising a proxy server module that processes domain information by matching it with IP information. 17. The method of claim 16,
The DNS server module receives a domain policy from an external server, sets public IP information corresponding to the domain information based on the domain policy,
When tunneling with the node is created, the tunneling module sets private IP information of the DNS server module to be queried during communication through the tunneling;
wherein the proxy server module is configured to process a service processing request transmitted from the node based on the private IP information as the public IP information. In the operating method of the access control application installed in the node,
performing a network access request of a target application to an external server, the network access request including identification information of the target application and destination network identification information;
receiving a data flow from the external server, the data flow including certificate information and proxy server information corresponding to the destination network identification information;
setting a certificate based on the certificate information;
setting a proxy server based on the proxy server information;
transmitting a data packet of the target application when certificate setting and proxy server setting are completed; and
transmitting certificate information or proxy information set in the node to the external server; including,
The certificate information is information about a certificate to be set for authentication with the proxy server in order to access the destination network;
The proxy server information is information determined by the external server to control data packets through a proxy server existing between the node and the destination network. In the method of operating the server,
receiving a network connection request from an access control application of a node, the network connection request including identification information of a target application of the node and identification information of a destination network of the target application;
checking whether access is possible based on an access policy included in a database, identification information of the target application, and identification information of the destination network;
checking whether a data flow corresponding to the identification information of the destination network exists;
if the data flow does not exist, checking domain information corresponding to identification information of the destination network based on a domain policy included in the database;
checking whether certificate information corresponding to the domain information exists;
generating a data flow including the domain information and the certificate information; and
transmitting the generated data flow to the node and gateway; including,
The method of claim 1 , wherein the certificate information is information about a certificate to be set for the node to access the destination network. In the operation method of the gateway,
receiving a service processing request from a node;
confirming existence of a data flow corresponding to the service processing request, the data flow including domain information;
checking whether domain information included in the data flow includes domain information included in the service processing request; and
When domain information included in the data flow includes domain information included in the service processing request, the service processing request is forwarded to a service server corresponding to the domain information, or
If the domain information included in the data flow does not include the domain information included in the service processing request, a service processing request failure result is returned, or
returning a result of failure of the service processing request if the data flow does not exist; Including, how.

Images