KR102514619B1 - System for controlling network access based on routing range and method thereof - Google Patents

Abstract

A node according to an embodiment disclosed in the present invention comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory operably coupled to the processor and storing a connection control application and a connection application, wherein the memory can store commands configured to cause the node, when executed by the processor, to: identify a network connection request via the connection control application, wherein the network connection request includes a data packet of the connection application and a destination internet protocol (IP) of the data packet; identify whether the destination IP is included in a designated inspection band; perform a network connection process in accordance with the network connection request based on data flow information if the destination IP is included in the designated inspection band; and transmit the data packet if the destination IP is not included in the designated inspection band.

Description

System for controlling network access based on routing band and method therefor

Embodiments disclosed in this document relate to a system and method for controlling network access based on a routing band.

Multiple devices may communicate data over a network. For example, a smartphone may transmit or receive data with a server via the Internet. The network may include a private network such as an intranet as well as a public network such as the Internet.

In order to control indiscriminate access to the network, a technology for limiting access to the network based on a transmission control protocol (TCP)/internet protocol (IP) is applied.

For example, NAC (network access controller) allows an authorized terminal to access the network by receiving an authorized IP address, and when an unauthorized terminal uses an unauthorized IP address, ARP spoofing (address resolution protocol spoofing) ) to block unauthorized terminals. A firewall is a method of determining whether or not to allow data packet transmission based on source IP, destination IP, and port information included in IP header information and a policy. A VPN (virtual private network) is a method of guaranteeing integrity and confidentiality of data packets by using a tunnel to which encryption is applied on the TCP/IP protocol.

However, ARP spoofing puts a load on the network, and recently, a technique to bypass it is being developed. Since the firewall is for controlling the flow of data packets, it may not be directly involved in the process of creating a connection between two nodes. In addition, VPN is weak in managing the flow of data packets after the tunnel is created. In addition, since the above technologies are based on TCP/IP, security of other layers (eg, application layer) among open system interconnection (OSI) layers may be vulnerable.

The structure of performing data flow inspection on all network access attempts occurring in the terminal can fundamentally block access to unauthorized applications and destinations by the controller.

However, as an example, when accessing a web service through a web browser, not only resources (e.g., JavaScript, image files, etc.) referred to by the web service exist within the web page information returned by the web service, but other Since resources referred to by web services also exist, each time a URL accessing a web service or a service request returns a different web page, several to dozens of network access requests occur each time a web page is called. , Accordingly, the web page loading time increases whenever a corresponding network connection request is made.

On the other hand, when accessing a web service existing in the internal network from the outside using a technology such as tunneling, the number of resources referred to by the web page is limited, so such a problem is not serious.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above problems in a network environment.

A node according to an embodiment disclosed in this document includes a communication circuit; a processor in operative connection with the communication circuitry; and a memory operably coupled with the processor, the memory storing a connection control application and a connection application, wherein the memory, when executed by the processor, causes the node to identify a network connection request via the access control application. , The network access request includes a data packet of the connection application and a destination IP (Internet Protocol) of the data packet, identifies whether the destination IP is included in a designated inspection band, and identifies whether the destination IP is included in the designated inspection band. If it is included in the band, perform network access processing according to the network access request based on data flow information, and if the destination IP is not included in the designated check band, instructions for transmitting the data packet can be saved

A method of operating a node according to an embodiment disclosed in this document includes identifying a network access request through the access control application, and the network access request includes a data packet of the access application and a destination IP (Internet Protocol Protocol) of the data packet. ), and identifying whether the destination IP is included in the designated inspection band, and if the destination IP is included in the designated inspection band, network access processing according to the network access request based on data flow information and, when the destination IP is not included in the designated inspection band, transmitting the data packet.

Embodiments of this document can reduce network access time by checking whether a data flow check is necessary for a network access request.

In addition, the embodiments of this document can maintain security while reducing network access time by distinguishing routing bands (or IP bands) requiring data flow inspection.

Embodiments of this document allow network access after being authenticated by the controller when data flow inspection is required, and may allow network access first.

Finally, the embodiments of this document not only attempt a single network access request to respond to single or multiple network access requests, but also perform multiple network access requests based on a queue to improve the performance of network access permission. provides a way to

In addition to this, various effects identified directly or indirectly through this document may be provided.

1 illustrates an architecture within a network environment according to various embodiments.
2 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
3 illustrates control flow information and data flow information according to various embodiments.
4 shows a functional block diagram of a node according to various embodiments.
5 describes an operation of controlling transmission of a data packet according to various embodiments.
6 illustrates an operation of processing and controlling a service request by a network driver according to various embodiments.
7 shows a signal flow diagram for controller connection according to various embodiments.
8 illustrates a signal flow diagram for user authentication according to various embodiments.
9 illustrates a signal flow diagram for network access according to various embodiments.
10 illustrates a flowchart for processing a service request by a gateway according to various embodiments.
11 illustrates a flowchart for receiving a service request processing result of a gateway according to various embodiments.
12 illustrates a signal flow diagram for control flow update according to various embodiments.
13 illustrates a signal flow diagram for control flow cancellation according to various embodiments.
14 illustrates a signal flow diagram for data flow cancellation according to various embodiments.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be understood that this is not intended to limit the present invention to the specific embodiments, and includes various modifications, equivalents, and/or alternatives of the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one item or a plurality of items, unless the context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A, Each of the phrases such as "at least one of B or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by modules, programs, or other components are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations are executed in a different order, omitted, or , or one or more other operations may be added.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.

Methods according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

1 illustrates an architecture within a network environment according to various embodiments.

The nodes 201-1 and 201-2 shown in FIG. 1 may be various types of devices capable of performing data communication. For example, the nodes 201-1 and 201-2 may be portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, VR (virtual reality) devices, or home appliances, but is not limited to the aforementioned devices. For example, nodes 201-1 and 201-2 may include servers or gateways capable of transmitting data packets via applications. Nodes 201-1 and 201-2 may also be referred to as 'electronic devices' or 'terminals'.

The node 201-1 accesses the service servers 205-1 and 205-2 through the Internet, and the node 201-2 accesses the service servers 205-1 and 205-2 through the intranet. this can be assumed.

Nodes 201-1 and 201-2 may store connection applications 211-1 and 211-2 and access control applications 212-1 and 212-2.

Each of the access applications 211-1 and 211-2 transmits data packets to the service servers 205-1 and 205-2 through the gateway 203 under the control of the access control applications 212-1 and 212-2. Or conversely, data packets can be received.

Some of the accessing applications 211-1 and 211-2 are allowed and/or secured applications, such as web browsers or business applications, while others are disallowed programs (e.g., malware, ransomware, and other unacceptable applications). unsecured applications) or insecure malicious programs (applications that have been infected with malware, forged or tampered with). According to embodiments, the access control applications 212-1 and 212-2 identify programs (or access applications) requesting transmission of data packets, and the data packets of disallowed programs are transmitted to the nodes 201-1 and 201. -2) can be prevented from being transmitted to the outside. In addition, according to embodiments, the access control applications 212-1 and 212-2 are not authorized through the secure session 220-1 between the access control applications 212-1 and 212-2 and the gateway 203. Access of the program to the service servers 205-1 and 205-2 may be blocked and the corresponding program may be quarantined.

For example, before the connection applications 211-1 and 211-2 according to the embodiments communicate with the service servers 205-1 and 205-2, the access control applications 212-1 and 212-2 are controllers From 202, whether or not access is possible is checked, and if access is possible, authentication with the gateway 203 may be performed through a data packet authenticated by the controller 202. When authentication is complete, the access control applications 212-1 and 212-2 may create a secure session 220-1 with the gateway 203.

According to various embodiments, the nodes 201-1 and 201-2 are access control applications for managing network access of the access applications 211-1 and 211-2 stored in the nodes 201-1 and 201-2. (212-1, 212-2) and a network driver (not shown). For example, when an access event for the service server 205-1 or 205-2 of the access application 211-1 or 211-2 stored in the node 201-1 or 201-2 occurs, the access control application 212-1 and 212-2 may determine whether the target applications 211-1 and 211-2 are accessible. If the access applications 211-1 and 211-2 are accessible, the access control applications 212-1 and 212-2 may transmit data packets to the gateway 203 over the secure session 220-1. The access control applications 212-1 and 212-2 may control transmission of data packets within the nodes 201-1 and 201-2 through a kernel including an operating system and a network driver.

The access control applications 212-1 and 212-2 may create a channel with the gateway 203 to access the service servers 205-1 and 205-2. Through the channel created between the nodes 201-1 and 201-2 and the gateway 203, the access control applications 212-1 and 212-2 control unauthorized access applications 211-1 and 211-2. Transmission of data packets to disallowed destinations may be prevented, and only allowed data packets may be transmitted to the service servers 205-1 and 205-2.

The controller 202 can be, for example, a server (or cloud server, or intranet). The controller 202 manages data transmission between the nodes 201-1 and 201-2, the gateway 203, and the service servers 205-1 and 205-2 to ensure reliable data transmission within the network environment. can For example, the controller 202 allows network access of authorized nodes 201-1 and 201-2 (or access control applications 212-1 and 212-2) through policy information or blacklist information. can do.

In addition, the controller 202 mediates the creation of the secure session 220-1 between the access control application 212-1 and the gateway 203, or the security events collected from the node 201-1 or the gateway 203. Accordingly, the secure session 220-1 may be removed. The access control application 212-1 can communicate with the service servers 205-1 and 205-2 only through the secure session 220-1 authorized by the controller 202, and the authorized secure session 220-1. If 1) does not exist, network access of the node 201-1 and the access control application 212-1 may be blocked.

In one embodiment, the connection application 211-1 may communicate with the service servers 205-1 and 205-2 through the secure session 220-1 authorized by the controller 202, and the authorized security If the session 220-1 does not exist, the network access of the access application 211-2 is blocked from the access control application 212-2, the controller 202 or the gateway 203, or a state in which safety is not guaranteed. Network access is permitted at , and the controller 202 may provide functions suitable for the corresponding security level to the node 201-2. According to one embodiment, the controller 202 may perform various operations associated with network access of the node 201-1 or access control applications 212-1 and 212-2 (eg, registration, authorization, authentication, renewal, termination). In order to perform the connection control application 212-1 and control data packets may be transmitted and received. A flow through which the control data packet is transmitted (eg, 230) may be referred to as a 'control flow'.

The controller 230 performs network access and channel control of the access control applications 212-1 and 212-2, and receives information when the access control applications 212-1 and 212-2 are terminated or from an interlocked security system. According to a security event, the channel between the nodes 201-1 and 201-2 and the gateway 203 is immediately recovered, thereby maintaining a secure network state at all times.

The gateway 203 may be located at a boundary of a network to which the nodes 201-1 and 201-2 belong or a boundary of a network to which the service servers 205-1 and 205-2 belong. According to one embodiment, the gateway 203 may be connected to the controller 202 based on a cloud. The gateway 203 may forward only authorized data packets among data packets received from the access control applications 212-1 and 212-2 to the service servers 205-1 and 205-2. A flow in which data packets are transmitted between the access control applications 212-1 and 212-2 and the gateway 203 (eg, 240-1 and 240-2) may be referred to as a 'data flow'. .

Data flows can be created not only on a node or IP basis, but also on a more granular basis (e.g., on an application basis). The gateway 203 performs authentication of the access control applications 212-1 and 212-2 before creating a secure session 220-1 between the access control applications 212-1 and 212-2 and the gateway 203, and , Indiscriminate network access by forwarding only the data packets transmitted through the secure session 220-1 among the data packets transmitted from the access control applications 212-1 and 212-2 to the service servers 205-1 and 205-2 can be blocked in advance.

2 is a functional block diagram illustrating a database stored in the controller 202 according to various embodiments, and FIG. 3 illustrates control flow information 340 and data flow information 350 among information included in the database.

Referring to FIG. 2 , the controller 202 may store databases 311 to 319 for controlling network access and data transmission in a memory 330 . Although FIG. 2 shows only the memory 330, the controller 202 may include external electronic devices (eg, nodes 201-1 and 201-2 in FIG. 1, gateway 203, or service servers 205-1 and 205-1). 2)) further includes a communication circuit (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, the processor 410 of FIG. 4 ) for controlling the overall operation of the controller 202 for performing communication with the can do. An administrator connects to the controller 202 and configures a connection-oriented policy for controlling access between the access control applications 212-1 and 212-2, the gateway 203, and the service servers 205-1 and 205-2. Since it can be configured, it is possible to control network access more precisely and safely than managing sessions at the service side.

The access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access. For example, the controller 202 receives a network access request from the access control applications 212-1 and 212-2, the network identified based on the policy of the access policy database 311 (eg, node 201-1, networks to which 201-2) belongs), nodes, users (e.g., users of nodes 201-1 and 201-2), and/or applications (e.g., connections included in nodes 201-1 and 201-2). The applications 211-1 and 211-2 may determine whether access to the service servers 205-1 and 205-2 is possible. In one embodiment, the controller 202 may create a whitelist of access applications 211-1 and 211-2 accessible to specific services (eg, IP and port) based on the access policy database 311. .

The channel policy database 312 is a set of information (authentication information, encryption algorithm, tunnel If there is a channel connected in advance through another gateway between the endpoint IP (Tunnel End Point IP, etc.) and the access route, a series of information for using it (IP assigned to nodes 201-1 and 201-2) information collection and alternative processing, etc.).

The routing band policy database 313 may include information for identifying networks to which the nodes 201-1 and 201-2 are dependent, transport protocol and IP band information for performing network connectivity checks in the identified networks. there is. In addition, the routing band policy database 313 may include information such as permission of access after authentication or information on whether to authenticate after permission of access and blocking method. Here, the network to which the nodes 201-1 and 201-2 depend is the location of the node resolved through the IP of the node 201-1 and 201-2 identified by the controller 202 or the node 201-201-2. 1, 201-2), the location or network and boundary information of the nodes 201-1 and 201-2 interpreted through the IP transmitted, the header information inserted by the gateway 203 included in the control data packet, and the node ( It can be identified through GPS information transmitted by 201-1 and 201-2), network and boundary selection information by user selection, and the like. Hereinafter, an IP band may also be referred to as a 'band'.

The blacklist policy database 314 includes targets identified through analysis of risk, occurrence cycle, and/or behavior of security events among security events periodically collected by nodes 201-1 and 201-2 or gateway 203 ( Example: a blacklist registration policy for blocking access of at least one of a node identifier (ID), an IP address, a media access control (MAC) address, or a user ID) may be included.

The blacklist database 318 may include a list of objects blocked by the blacklist policy database 314 . For example, the controller 202 rejects the network access request when the identification information of the node 201-1 or 201-2 requesting network access is included in the blacklist database 318, thereby blocking the node 201-1 or 201 -2) can be isolated.

The control flow table 315 is an example of a session table for managing a flow of control data packets generated between the connection control applications 212-1 and 212-2 and the controller 202 (ie, control flow).

For example, referring to FIG. 3 , when the access control applications 212-1 and 212-2 successfully access the controller 202, control flow information 340 and control flow ID 342 (or 'control flow Also referred to as 'identification information') may be generated by the controller 202 . The control flow information 340 may include identification information 344 indicating at least one of an IP identified during controller access and authentication, a node, an application, or an object additionally identified through association with a service server. For example, when a network access request from the access control application 212 is received, the controller 202 converts the control flow ID and identification information included in the access request to the control flow ID 342 and control flow ID 342 included in the control flow information 340. By mapping with the identification information 344, access control applications 212-1 and 212-2 can connect to the service servers 205-1 and 205-2 and secure sessions 220-1 with the gateway 203 It is possible to determine whether or not to create a data flow for creation. State information 346 may indicate various states such as creation, authentication, renewal, termination, and the like of the control flow.

The routing band information 345 may include information on whether to check a corresponding network connection according to the set transmission protocol and destination IP band. In addition, the routing band information 345 may include information on whether or not to allow network access without a separate inspection in the case of an unconfigured destination IP band. Finally, the routing band information 345 is information for processing network access through methods such as permitting access after authentication or authentication and blocking method after allowing access as a method for inspecting network access when network access is inspected. can include Here, the node 201, such as a network driver (not shown) included in the network access control applications 212-1 and 212-2 and the access control applications 212-1 and 212-2, determines whether to check the network connection. -1, 201-2) may be determined when an application included in the network accesses or data packet transmission occurs.

According to an embodiment, since the control flow has an expiration time, the nodes 201-1 and 201-2 must update the expiration time of the control flow based on the time information 348. If not updated, the control flow (or control flow information 340) may be removed. In addition, immediate access is blocked according to security events collected from nodes 201-1 and 201-2, access control applications 212-1 and 212-2, other security applications (not shown), or gateways 203. The controller 202 may remove the control flow if it is determined that it is necessary or if a connection termination request is received from them. When the control flow is removed, the associated data flow is also removed, and the gateway 203 connects the access control applications 212-1 and 212-2 or the service servers 205-1 and 205 of the access applications 211-1 and 211-2. Access to -2) can be blocked.

The data flow table 316 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between the nodes 201 - 1 and 201 - 2 and the gateway 203 .

The data flow table 316 includes data flow information for managing applications and gateways 203 of the source nodes 201-1 and 201-2 and channels and sessions of the destination service servers 205-1 and 205-2 ( 350) may be included.

The data flow information 350 may be generated in units of secure sessions, applications, or more granular units. The data flow table 316 may include an application ID, destination IP address, and/or service port for identifying whether a data packet transmitted from a source is an authorized data packet.

Referring to FIG. 3 , data flow information 350 may include a data flow ID 351 and a control flow ID 352 when the data flow is dependent on the control flow. In addition, the data flow information 350 is the source IP and destination IP of the data packet, and the service port information of the gateway 203 existing between the application and the minimum identification unit of the application and the service servers 205-1 and 205-2. It may include authorization target information 354 for determining whether or not the data packet can connect to the network based on , and/or state information 356 indicating whether the data flow is in a usable and valid state. The data flow information 350 may include authentication expiration time information required when the corresponding data flow is periodically authenticated.

The channel table 317 may include a dedicated channel IP allocated to the node 201-1 or 201-2 and channel creation information.

4 shows a functional block diagram of node 201 according to various embodiments. At least some of the configurations shown in FIG. 4 may be applied to the controller 202, gateway 203, or service servers 205-1 and 205-2.

Referring to FIG. 4 , a node 201 may include a processor 410 , a memory 420 , and a communication circuit 430 . According to one embodiment, node 201 may further include a display 440 to provide a user interface.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include a single processor core or may include a plurality of processor cores. For example, the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core. According to embodiments, the processor 410 may further include an internal or external cache memory. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or part of processor 410 is electrically or operatively (eg, memory 420, communication circuitry 430, or display 440) in node 201 (e.g., memory 420). It can be operatively coupled with or connected to. The processor 410 may receive commands from other components, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver. The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). can include The nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like. The memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.

According to one embodiment, the memory 420 may store the connection applications 211-1 and 211-2 and the access control applications 212-1 and 212-2 of FIG. The access control applications 212 - 1 and 212 - 2 may perform network access and security session 220 - 1 creation with the gateway 203 and control flow creation and update functions with the controller 202 . To this end, the access control applications 212-1 and 212-2 may include one or more security modules. In one embodiment, the memory 420 may store the control flow information 340 and data flow information 350 of FIG. 3 .

In one embodiment, the connection applications 211 - 1 and 211 - 2 may include one or more security modules to create a secure session 220 - 1 with the gateway 203 .

The communication circuit 430 establishes a wired or wireless communication connection between the nodes 201-1 and 201-2 and an external electronic device (eg, the controller 202 or the gateway 203), and performs communication through the established connection. can support According to one embodiment, the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)). ) communication circuit, or power line communication circuit), and using a corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network, a long-distance communication such as the Internet, or a computer network It may communicate with an external electronic device through a network. The various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.

The display 440 may output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integral touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

5 describes an operation of controlling transmission of a data packet according to various embodiments.

Referring to FIG. 5 , the access control application 212 detects a request for network access to the service server 205 from the access application 211 included in the node 201, and the node 201 or the access control application 212 ) can determine whether or not the controller 202 is in a connected state. When the node 201 or the access control application 212 is not connected to the controller 202, the access control application 212 may block transmission of data packets in a kernel or network driver included in an operating system. Through the access control application 212, the node 201 may block access of malicious applications in advance in an application layer among seven layers of open system interconnection (OSI).

In one embodiment, the access control application 212 is not connected to the controller 202, the access control application 212 has not been authenticated by the gateway 203, or the access control application 212 is not connected. If a secure session is not created between the gateways 203, data packets transmitted from the access control application 212 are blocked by the gateway 203, and the access control application 212 may request access to the controller 202. only Depending on the embodiment, even if the access control application 212 is not authenticated by the gateway 203, a data packet transmitted from the access control application 212 may not be blocked by the gateway 203.

According to another embodiment, if the access control application 212 is not installed on the node 201 or if a malicious application bypasses control of the access control application 212, unauthorized data packets may be transmitted from the node 201. there is. In this case, since the gateway 203 present at the boundary of the network blocks data packets that are received as an unauthorized secure session and data packets that do not have a data flow, the data packets transmitted from the node 201 (e.g., TCP session data packets for generation) may not reach the service server 205 . In other words, node 201 can be isolated from service server 205 .

6 illustrates an operation of processing and controlling a service request by the network driver 610 according to various embodiments.

Referring to FIG. 6 , application A and application B may each request transmission of a data packet.

The network driver 610 may be configured to perform a data flow routing bandwidth check in a designated IP band (611). The network driver 610 may determine whether to check the data flow routing bandwidth based on the destination IP of the data packet and determine whether to transmit the data packet based on the check result. Here, the exemplified inspection bands may be 10.10.1.1/24 (ie, 10.10.1.0 to 10.10.1.255) and 192.168.2.1/24 (ie, 192.168.2.0 to 192.168.2.255).

For example, since the destination IP (192.168.1.100) of the data packet of application A is not included in the set inspection band, the network driver 610 can transmit the data packet of application A without inspecting the data flow routing bandwidth (621). . For another example, since the destination IP (10.10.1.100) of the application B's data packet is included in the set inspection band, the network driver 610 may transmit the application B's data packet after performing the data flow inspection (615). Yes (625).

As described with reference to FIG. 6, when the access applications 211-1 and 211-2 access the network with the destination IP, the network driver 610 included in the access control applications 212-1 and 212-2 or the network The part that controls network access control, such as a module, checks whether the destination IP exists in the routing band based on the data flow routing band set by the controller 202, and allows network access if it does not exist in the routing band, In the case of a destination IP existing in a routing band, by performing data flow inspection, it is possible to efficiently perform network connection inspection because all network connections generated by the nodes 201-1 and 201-2 and the operating system are not inspected.

7 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to access the network, the access control application 212 of the node 201 requests the controller 202 to create a control flow so that the node 201 You can try to connect to the controller of

Referring to FIG. 7 , at operation 705 , node 201 (or connection control application 212 ) may detect a controller connection event. For example, when connection control application 212 is installed and/or executed within node 201, node 201 may detect that a connection to controller 202 is being requested.

At operation 710 , node 201 (or connection control application 212 ) may request controller 202 to connect to the controller. For example, the connection control application 212 can transmit identification information of the connection control application 212 to the controller 202 . Additionally, the access control application 212 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.

In operation 715 , the controller 202 may identify whether or not the controller access request of the controller access request (eg, the access control application 212 and the node 201 ) is possible. According to one embodiment, the controller 202 controls whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or access control. Based on at least one of whether the identification information of the application 212 is included in the blacklist database 314 , it is possible to determine whether the controller access of the object requesting the controller access is possible.

If the controller connection of the target that requested the controller connection is possible, the controller 202 generates a control flow (or control flow information 340) between the node 201 (or the access control application 212) and the controller 202 can do. In this case, the controller 202 generates the control flow identification information 342 in the form of a random number, and controls the identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 212 It can be stored in the flow table 315. Information (e.g., control flow information 340) stored in the control flow table 315 is used for user authentication of the node 201, information update of the node 201, policy check for network access of the node 201, and/or Or it can be used for validation.

At operation 720, the controller 202 may check the access policy and channel policy. The controller 202 may check an access policy corresponding to information identified in the access policy database 311 (eg, node 201 and source network information to which the node 201 belongs). The controller 202 may generate whitelist information of accessible applications based on the checked access policy. The controller 202 may check the channel policy through the IP of the node 201 identified in the channel policy database 312 . The controller 202 may check whether destination network information to which the connection-requested node 201 can be basically connected exists. If the controller connection of the target that requested the controller connection is possible, the controller 202 provides information necessary for the node 201 to access the destination network (eg, the type of node 201 included in the control flow, location information, environment, and Source network information including the node 201), channel types to which the node 201 can be connected, and information of the gateway 203 may be listed. The controller 202 may identify one channel and one gateway optimized for the node 201 from among the listed gateways by checking the status (eg, throughput, failure) of the listed gateways 203 . Here, the type of channel to which the node 201 can be connected and the information of the gateway 203 are assigned to the IP of the node 201 identified through the controller 202 and the IP of the node 201 identified by the node 201. based on which it can be identified.

Controller 202 can identify routing bandwidth information in routing bandwidth policy 313 . Here, the controller 202 includes the location or network and boundary information of the node 201 interpreted through the IP of the node 201 identified by the controller 202 or the IP transmitted by the node 201, and the control data packet. The network to which the node 201 is subordinated according to information such as header information inserted by the included gateway, GPS information transmitted by the node 201, network and boundary selection information selected by the user, and the network identified by the channel. , and routing band information for the network identified in the routing band policy 313 can be identified.

In other embodiments, the controller 202 may not perform operation 720. For example, if access to the controller of the target requesting access is not possible, the controller 202 may not perform operation 720 .

At operation 725 , the controller 202 may transmit a response to the controller connection request to the node 201 .

In one embodiment, the controller 202 may transmit the control flow information 340 including the control flow identification information 342 to the node 201 in response to the controller connection request. In one embodiment, the controller 202 may transmit the white list generated through the execution of operation 720 to the connection control application 212 . Depending on the embodiment, if the target for which access to the controller is requested is unavailable or included in the blacklist, the controller 202 may notify controller access failure in response to the controller access request without generating a control flow.

When there are channels and gateways accessible to the node 201, the controller 202 transmits information for the node 201 to create a channel (eg, a series of information such as gateway and channel authentication) to the node 201. can transmit According to an embodiment, when the node 201 accesses through a pre-connected channel between a gateway existing in the source network to which the node 201 belongs and a gateway existing at the boundary of the destination network (ie, the node 201 and the gateway) 203), or when access is made between the terminal and the destination network boundary through other channel technologies, the controller 202 may not transmit separate channel creation information to the node 201. there is.

Controller 202 may transmit routing bandwidth information to node 201 . For example, the controller 202 may transmit control flow information 340 to which the identified routing band information is added after identifying routing band information in the routing band policy 313 to the node 201 .

In one embodiment, node 201 may process the resulting value according to the received response. For example, the connection control application 212 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user. When the controller connection is completed, the network access request of the node 201 to the service server 205 may be controlled by the controller 202 .

Depending on the embodiment, the controller 202 may determine that the node 201 is inaccessible. For example, when controller access unavailability information is received, the node 201 may output a user interface screen indicating that controller access is unavailable to the user. For example, the user interface screen may include a user interface indicating that access to the node 201 is blocked and guiding isolation release through an administrator (eg, the controller 202).

In one embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may further perform operations 730 to 750. Depending on the embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may perform all or part of operations 730 to 770.

At operation 730, the access control application 212 may determine whether channel creation is necessary. For example, when the controller 202 transmits information for creating a channel (eg, a series of information such as gateway and channel authentication), the access control application 212 may determine that channel creation is necessary. For another example, if the controller 202 does not transmit separate channel creation information to the node 201, the access control application 212 may determine that channel creation is not necessary.

At operation 735 , access control application 212 may request gateway 203 to create a channel. When it is determined that channel creation is necessary, the access control application 212 may request the gateway 203 to create a channel. For example, the access control application 212 may transmit a channel creation request including a series of channel creation information (eg, gateway and channel authentication) received from the controller 202 to the gateway 203 .

In operation 740, the gateway 203 may create a channel based on a series of information (eg, gateway and channel authentication) for channel creation. At operation 745 , the gateway 203 may transmit a response including a channel creation result to the access control application 212 . The channel creation result may include channel dedicated IP allocated to the node 201 and corresponding channel creation information.

At operation 750, the access control application 212 may perform a check of the application. When it is determined that channel creation is not necessary, or when a response including a channel creation result is received from the gateway 203, the access control application 212 may perform application inspection. For example, when the white list is received from the controller 202 , the access control application 212 may check whether applications included in the white list are installed in the node 201 . In the case of applications included in the white list among the applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (eg whether or not the application is forged or tampered with, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

At operation 755 , the access control application 212 may send the application's test results to the controller 202 .

The controller 202 may check whether the application is valid based on the check result. If the application is valid, the controller 202 checks the gateway 203 where the node 201 is located in the access policy and service policy for the node 201 to allow the node 201 to access the network, and then operates 760 can be performed.

In operation 760, the controller 202 registers the dedicated channel IP allocated to the node 201 and corresponding channel creation information in the channel table 317 when the channel creation is completed according to the result of the channel creation process, and the node 201 The transmitted series of information may be updated to the identified control flow information 340 .

The node 201 may generate a data flow (or data flow information 350) based on source IP, destination IP, and service port information so that the node 201 can control network access processing without a network access request procedure.

At operation 765 , the controller 202 may transmit a response to the connection control application 212 transmission of the connection application check result. For example, controller 202 can send data flow information 350 to connection control application 212 .

When receiving the updated data flow information 350 from the controller 202 , the node 201 may update the data flow information 350 stored in the node 201 . When network connection release information is received from the controller 202 , the connection application 211 may be terminated or all network access of the connection application 211 may be blocked.

Also, at operation 770 , the controller 202 may transmit the data flow information 350 to the gateway 203 .

8 illustrates a signal flow diagram for user authentication according to various embodiments. Operations shown in FIG. 8 may be implemented after the signal flow diagram of FIG. 6 , for example.

In order for the node 201 to receive detailed access rights to the destination network, the access control application 212 of the node 201 may authenticate the user of the node 201 from the controller 202 .

Referring to FIG. 8 , in operation 805 , node 201 may receive an input for user authentication. An input for user authentication may be, for example, a user input for inputting a user ID and password. For another example, the input for user authentication may be a user input (eg, biometric information) for stronger authentication.

For example, when the access control application 212 is executed, the node 201 may display a user interface screen for receiving information necessary for controller access. The user interface screen may include an input window for inputting controller access information (eg, IP or domain), an input window for inputting a user ID, and/or an input window for inputting a password. After information is input into the input windows, the node 201 may detect a controller connection event by receiving an input to a button for user authentication. For example, if controller access information, user ID, and password are input, the node 201 may receive an input for a button for accessing the controller as a user. As another example, when only the controller access information is input and the user ID and password are not input, the node 201 may receive an input for a button for accessing the controller as a guest.

At operation 810 , node 201 may request user authentication from controller 202 . For example, the access control application 212 may transmit input information for user authentication to the controller 202 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 212 may transmit input information for user authentication together with control flow identification information.

At operation 815 , controller 202 may authenticate the user based on the information received from node 201 . For example, the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (eg, the access policy database 311 of FIG. 2 ). ) or the blacklist database 318), it is possible to determine whether the user is accessible according to the access policy and whether the user is included in the blacklist.

When the user is authenticated, the controller 202 checks the control flow information 340 in the control flow table 315 based on the control flow identification information transmitted by the node 201, and in the checked control flow information 340 User identification information (e.g. user ID) can be added. The added user identification information can be used for the authenticated user's controller access or network access.

In operation 820, the controller 202 performs an access policy corresponding to the information identified in the access policy database 311 and the channel policy database 312 (eg, node 201, source network information to which the node 201 belongs), and You can check the channel policy.

The controller 202 may generate white list information of accessible applications based on the access policy checked in the access policy database 311 . The controller 202 may return a connection completion state as a connection result, a control flow ID for identifying a control flow, and a generated application whitelist when requesting user authentication from the node 201 and continuously updating node information.

The controller 202 may check the channel policy through the IP of the node 201 identified in the channel policy database 312 . Based on the checked channel policy, the controller 202 may check whether destination network information to which the node 201 requesting access can be basically connected exists. If the controller connection of the target that requested the controller connection is possible, the controller 202 provides information necessary for the node 201 to access the destination network (eg, the type of node 201 included in the control flow, location information, environment, and Source network information including the node 201), channel types to which the node 201 can be connected, and information of the gateway 203 may be listed. The controller 202 may identify one channel and one gateway optimized for the node 201 from among the listed gateways by checking the status (eg, throughput, failure) of the listed gateways 203 . Here, the type of channel to which the node 201 can be connected and the information of the gateway 203 are assigned to the IP of the node 201 identified through the controller 202 and the IP of the node 201 identified by the node 201. based on which it can be identified.

Controller 202 can identify routing bandwidth information in routing bandwidth policy 313 . Here, the controller 202 includes the location or network and boundary information of the node 201 interpreted through the IP of the node 201 identified by the controller 202 or the IP transmitted by the node 201, and the control data packet. The network to which the node 201 is subordinated according to information such as header information inserted by the included gateway, GPS information transmitted by the node 201, network and boundary selection information selected by the user, and the network identified by the channel. , and routing band information for the network identified in the routing band policy 313 can be identified.

In other embodiments, the controller 202 may not perform operation 820. For example, if it is not possible to access the controller of the object requesting access, the controller 202 may not perform operation 820 .

At operation 825 , controller 202 may transmit a response to the user authentication request to node 201 . In one embodiment, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In one embodiment, the controller 202 may transmit the white list generated through the execution of operation 820 to the connection control application 212 . Depending on the embodiment, if the object for which access to the controller is requested is unavailable or is included in the blacklist, the controller 202 may notify the controller 202 of inability to access the controller in response to the user authentication request.

When there are channels and gateways accessible to the node 201, the controller 202 transmits information for the node 201 to create a channel (eg, a series of information such as gateway and channel authentication) to the node 201. can transmit According to an embodiment, when the node 201 accesses through a pre-connected channel between a gateway existing in the source network to which the node 201 belongs and a gateway existing at the boundary of the destination network (ie, the node 201 and the gateway) 203), or when access is made between the terminal and the destination network boundary through other channel technologies, the controller 202 may not transmit separate channel creation information to the node 201. there is.

Controller 202 may transmit routing bandwidth information to node 201 . For example, the controller 202 may transmit control flow information 340 to which the identified routing band information is added after identifying routing band information in the routing band policy 313 to the node 201 .

In one embodiment, node 201 may process the resulting value for user authentication. For example, the node 201 may output a user interface screen indicating completion of user authentication to the user through a display.

According to another embodiment, the controller 202 may determine that user authentication is impossible. For example, if the user's identification information is included in the blacklist database, the controller 202 may determine that user authentication is impossible. In this case, in operation 825, the controller 202 may transmit information indicating that user authentication is impossible to the node 201, and the node 201 may output a user interface screen indicating that user authentication has failed through the display. can For example, node 201 may display a user interface screen via access control application 212 . The user interface screen may include a user interface indicating that access to the node 201 is blocked and guiding isolation release through an administrator (eg, the controller 202).

In one embodiment, the connection control application 212 of the node 201, the controller 202, and the gateway 203 may further perform operations 830 to 850. Depending on the embodiment, the access control application 212 of the node 201, the controller 202, and the gateway 203 may perform all or part of operations 830 to 870.

At operation 830, the access control application 212 may determine whether channel creation is necessary. For example, when the controller 202 transmits information for creating a channel (eg, a series of information such as gateway and channel authentication), the access control application 212 may determine that channel creation is necessary. For another example, if the controller 202 does not transmit separate channel creation information to the node 201, the access control application 212 may determine that channel creation is not necessary.

At operation 835 , access control application 212 may request gateway 203 to create a channel. When it is determined that channel creation is necessary, the access control application 212 may request the gateway 203 to create a channel. For example, the access control application 212 may transmit a channel creation request including a series of channel creation information (eg, gateway and channel authentication) received from the controller 202 to the gateway 203 .

In operation 840, the gateway 203 may create a channel based on a series of information (eg, gateway and channel authentication) for channel creation. In operation 845, the gateway 203 may transmit a response including a channel creation result to the access control application 212. The channel creation result may include channel dedicated IP allocated to the node 201 and corresponding channel creation information.

At operation 850, the access control application 212 may perform a check of the application. When it is determined that channel creation is not necessary, or when a response including a channel creation result is received from the gateway 203, the access control application 212 may perform application inspection. For example, when the white list is received from the controller 202 , the access control application 212 may check whether applications included in the white list are installed in the node 201 . In the case of applications included in the white list among the applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (eg whether or not the application is forged or tampered with, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked.

At operation 855 , the access control application 212 may send the application's test result to the controller 202 .

The controller 202 may verify whether the application is valid based on the inspection result. If the application is valid, the controller 202 checks the gateway 203 where the node 201 is located in the access policy and service policy for the node 201 to allow the node 201 to access the network, and then operates 860 can be performed.

In operation 860, the controller 202 registers the dedicated channel IP allocated to the node 201 and corresponding channel creation information in the channel table 317 when the channel creation is completed according to the result of the channel creation process, and the node 201 The transmitted series of information may be updated to the identified control flow information 340 . The node 201 may generate a data flow based on source IP, destination IP, and service port information so that the node 201 can control network access processing without a network access request procedure.

At operation 865 , the controller 202 may transmit a response to the transmission of the application check result of the connection control application 212 . For example, controller 202 can send data flow information 350 to connection control application 212 .

When receiving the updated data flow information 350 from the controller 202 , the node 201 may update the data flow information 350 stored in the node 201 . When network connection release information is received from the controller 202 , the connection application 211 may be terminated or all network access of the connection application 211 may be blocked.

Also, at operation 870 , the controller 202 may transmit the data flow information 350 to the gateway 203 .

9 shows a signal flow diagram for network access according to various embodiments, and operations shown in FIG. 9 may be implemented after the signal flow diagram of FIG. 7 or 8 , for example. The operations of FIG. 9 may be performed by node 201 , connection application 211 of node 201 , or network driver.

Referring to FIG. 9 , in operation 910 , node 201 may detect a network connection event of connection application 211 . For example, node 201 may detect, via access control application 212, that a connection application is attempting to connect to a destination network.

At operation 920 , node 201 may check a routing bandwidth based on routing bandwidth information 345 of control flow information 340 . In one embodiment, the connection control application 212 identifies the destination IP for communication with the destination network when a network connection event is detected, and the identified destination based on the routing band information 345 of the control flow information 340 It can be checked whether the IP exists in the routing bandwidth for checking the data flow.

At operation 930, node 201 may determine whether the identified destination IP is included in the routing band.

As a result of the determination in operation 930, when the identified destination IP is not included in the routing bandwidth for examining the data flow, the node 201 may perform operation 980. As a result of the determination in operation 930, when the identified destination IP is included in the routing bandwidth for examining the data flow, the node 201 may perform operation 940.

At operation 940, node 201 may check the data flow. For example, the access control application 212 may check whether a data flow corresponding to identification information, destination IP and/or port information of the connection application exists. When the data flow is confirmed in operation 940 , the node 201 may perform operation 950 .

At operation 950, node 201 may determine whether pre-transmission data flow inspection is required. For example, the node 201 may check whether the data flow inspection method for the destination IP allows inspection after data packet transmission in the routing bandwidth information 345 .

As a result of the determination in operation 950, if data flow inspection before transmission is required, the node 201 may perform operation 960. If the data flow is not checked in operation 940 and as a result of the determination in operation 950, it is necessary to check the data flow before transmission, the node 201 may perform operation 960.

As a result of the determination in operation 950, if the data flow check before transmission is not required, the node 201 may perform operation 970.

At operation 960, node 201 may perform data flow based network access processing. Operations according to data flow-based network access processing may be described below with reference to FIG. 11 .

At operation 970, node 201 may transmit a network connection requested data packet. Depending on the embodiment, the node 201 generates a data flow for temporarily allowing data packet transmission, allows data packets to be received until a network access request result is received, and transmits the network access requested data packet and request network access.

At operation 975, node 201 may perform queue-based network access processing. For example, the node 201 performs a network access request whenever a network access request is required, or after storing network access request information in a queue to reduce the load according to the network access request with the controller 202, When time elapses or a certain number of network access request information is accumulated, network access requests may be processed in batches. To process one or more network connection requests, access control application 212 may perform validation procedures according to validation policies. For example, the access control application 212 checks the integrity and safety of the access control application 212 and the access application according to the validation policy (eg, falsification or tampering of the application, code signing inspection, fingerprint inspection) And, according to the access policy received from the controller 202, it is possible to check whether access to the destination IP and port of the connection application installed in the node 201 is possible.

The access control application 212 includes a control flow ID 342 for identifying a control flow generated with the controller 202 before a network access event, application identification information (eg, identification information 344), and information about a server to be accessed. A network access request may be transmitted to the controller 202 based on one or more pieces of network access information including destination IP and port information. Operations according to queue-based network access processing may be described below with reference to FIG. 10 .

At operation 980, connection control application 212 may transmit the data packet. According to an embodiment, operation 990 may be performed. For example, when allowing network access that is not included in the routing band according to the setting of the routing band information 345, the access control application 212 provides identification information of the access application, destination IP, port information, and access time information. It can record network access information including.

FIG. 10 is a flowchart for processing a service request by a gateway according to various embodiments, and operations shown in FIG. 10 may be implemented after operation 975 of FIG. 9 , for example.

Referring to FIG. 10 , in operation 1005, node 201 may confirm a queue-based network connection request. The node 201 stores the network access request information in the queue to reduce the load caused by the network access request with the controller 202, and when a certain amount of time elapses or a certain number of network access request information accumulates in the queue, the queue-based It can be confirmed that a network access request is required.

At operation 1010 , connection control application 212 may request a network connection from controller 202 . In this case, the access control application 212 may transmit connection application identification information and identification information (eg, destination IP and service port) of the service server 205 to the controller 202 together with identification information of the control flow. The node 201 processes the network access request information stored in the queue for a certain period of time or a certain number of network access request information into one network access request, and grants the controller 202 a network connection based on the one network access request. can request

At operation 1015, the controller 202 may ascertain the connection policy and channel policy associated with the connection application in response to the request received from the access control application 212. The controller 202 may check whether the access application satisfies the access policy of the access policy database 311 . For example, the controller 202 includes identification information (eg, node, connection application, user, source network information) of a target (eg, node, access application) requesting network access and requested target (eg, service server 205 ). )) is included in the access policy database 311 and whether or not access to the service server of the target requesting network access is possible.

If the connection application cannot access the network, the controller 202 may transmit information indicating that access is unavailable to the node 201 in operation 1020 . In this case, the connection control application 212 may output a user interface screen indicating that connection is impossible through the display.

If the connection application can access the network, the controller 202 can check whether a channel has been created in the channel table to access the corresponding network. If the channel is not created, or if a channel must be created in order to access the corresponding service according to the channel policy, the controller 202 may transmit information indicating that access is impossible to the node 201 in operation 1020. .

When a channel is created, or when a channel policy does not require a channel to be created to access a corresponding service, the controller 202 receives information requested by the node 201 (eg, destination IP and service) in the data flow table. port information, etc.), it is possible to check whether a valid data flow exists.

If there is no valid data flow, the controller 202 will create a data flow allowing a destination (eg, connection application) to access the network between the node 201 and the service servers 205-1 and 205-2. can The controller 202 may generate one or more data flow information 350 including source IP, destination IP, service port information, and the like. For example, the controller 202 may generate data flow information 350 corresponding to the number of network connections included in the network access request.

At operation 1020 , the controller 202 may transmit a response to the network connection request of the connection control application 212 to the node 201 . For example, the controller 202 may transmit the data flow information 350 generated through the execution of operation 1015 to the connection control application 212 . Depending on the embodiment, when the connection requesting target cannot be accessed, the controller 202 may notify the network connection failure in response to the network access request. If the network access request fails, the node 201 deletes the data flow created to temporarily allow network access, stores the data flow information 350 received from the controller 202, and then the data flow information 350 ), network access and data packets may be controlled not to be transmitted. If the network access request is successful, the node 201 updates the data flow information 350 generated to temporarily allow network access with the data flow information 350 received from the controller 202, and then data flow information ( 350), it is possible to control network access and data packet transmission.

Also, at operation 1025 , the controller 202 may transmit data flow information 350 to the gateway 203 .

11 illustrates a flowchart for receiving a service request processing result of a gateway according to various embodiments, and operations shown in FIG. 11 may be implemented after operation 960 of FIG. 9 , for example.

Referring to FIG. 11 , in operation 1105, the node 201 may check a data flow based network access request. The node 201 determines that a data flow-based network access request is necessary if the data flow does not exist or if the data flow inspection method in the routing band information including the destination IP requires inspection before data packet transmission. can

In one embodiment, if a data flow exists but is not valid (eg, transmission unavailable state), node 201 may drop (DROP) the data packet. In another embodiment, node 201 may transmit data packets if there is a valid data flow. However, if the data flow does not exist or if the data flow needs to be updated, the node 201 may perform a validation procedure according to the validation policy. Here, the node 201 may check whether an application included in the white list is installed in the node 201 when the white list is received from the controller 202 . In the case of applications included in the white list among the applications installed on the node 201, the access control application 212 checks the integrity and stability of the application (eg whether or not the application is forged or tampered with, code signing inspection, fingerprint inspection) according to the validation policy. at least one of them) can be checked. Node 201 may then perform operation 1110 .

At operation 1110 , node 201 may request a network connection from controller 202 . In this case, the access control application 212 may transmit connection application identification information and identification information (eg, destination IP and service port) of the service server 205 to the controller 202 together with identification information of the control flow.

At operation 1115 , the controller 202 may ascertain the access policy and channel policy associated with the connection application in response to the request received from the access control application 212 . The controller 202 may check whether the access application satisfies the access policy of the access policy database 311 . For example, the controller 202 includes identification information (eg, node, connection application, user, source network information) of a target (eg, node, access application) requesting network access and requested target (eg, service server 205 ). )) is included in the access policy database 311 and whether or not access to the service server of the target requesting network access is possible.

If the connection application cannot access the network, the controller 202 may transmit information indicating that access is unavailable to the node 201 in operation 1120 . In this case, the connection control application 212 may output a user interface screen indicating that connection is impossible through the display.

If the connection application can access the network, the controller 202 can check whether a channel has been created in the channel table to access the corresponding network. If the channel is not created, or if a channel must be created in order to access the corresponding service according to the channel policy, the controller 202 may transmit information indicating that access is not possible to the node 201 in operation 1120. .

When a channel is created, or when a channel policy does not require a channel to be created to access a corresponding service, the controller 202 receives information requested by the node 201 (eg, destination IP and service) in the data flow table. port information, etc.), it is possible to check whether a valid data flow exists.

If there is no valid data flow, the controller 202 will create a data flow allowing a destination (eg, connection application) to access the network between the node 201 and the service servers 205-1 and 205-2. can The controller 202 may generate one or more data flow information 350 including source IP, destination IP, service port information, and the like. For example, the controller 202 may generate data flow information 350 corresponding to the number of network connections included in the network access request.

At operation 1120 , the controller 202 may transmit a response to the network connection request of the connection control application 212 to the node 201 . For example, the controller 202 may transmit the data flow information 350 generated through the execution of operation 1115 to the connection control application 212 . Depending on the embodiment, when the connection requesting target cannot be accessed, the controller 202 may notify the network connection failure in response to the network access request. If the network connection request fails, node 201 may drop the data packet. If the network connection request is successful, the node 201 may transmit a data packet.

Also, at operation 1125 , the controller 202 may transmit data flow information 350 to the gateway 203 .

12 illustrates a signal flow diagram for control flow update according to various embodiments.

Referring to FIG. 12 , in operation 1205, the access control application 212 may request a control flow update.

In one embodiment, the access control application 212 may request a control flow update from the controller 202 to maintain the control flow and data flow. In one embodiment, the access control application 212 may request a control flow update including identification information of the control flow for each specified period.

In one embodiment, the access control application 212, if there is a network access record that is not included in the routing band, may transmit information on the network access record when requesting a control flow update.

At operation 1210, the controller 202 may update (check) the control flow. For example, the controller 202 determines whether the control flow information 340 indicated by the received identification information exists in the control flow table 315, and if the control flow information 340 exists, the data flow information 350 subordinate thereto You can check if exists. When the connection is released by another security system, the update time elapses, or the connection is released due to risk detection, the control flow may not exist. If the control flow does not exist, the controller 202 may return connection unavailable information to the node 201 . If the control flow exists, the controller 202 may update the update time or expiration time of the control flow, and store network connection record information in the control flow if it exists. Also, the controller 202 may search for data flows subordinate to the corresponding control flow. For example, if re-authentication needs to be performed in the searched data flow or there is a data flow to which access is no longer possible, the controller 202 may return corresponding data flow information to the node 201 .

For example, if the update (check) fails, the controller 202 may send connection unavailable information to the node 201 . In this case, the node 201 may terminate the access control application 212 or block the access control application 212 from accessing the network. For another example, if the update (check) succeeds, the controller 202 may update the expiration time of the control flow and the data flow dependent thereon. The controller 202 may transmit updated control flow information and data flow information to the node 201 . In this case, the node 201 may update control flow information 340 and data flow information 350 .

In operation 1215 , the controller 202 may transmit update (check) result information to the connection control application 212 . For example, if the update (check) fails, the controller 202 may transmit unreachable information. For another example, if the update (check) is successful, the controller 202 may transmit the updated control flow information 340 and data flow information 350 subordinate thereto to the access control application 212 . In this case, the node 201 may update control flow information 340 and data flow information 350 .

The access control application 212 may process update (check) result information. If the control flow update result indicates that access is impossible, the access control application 212 may terminate the access application 211 or block all network access of the access application 211 . If the control flow update result indicates normal and there is updated data flow information 350 , the connection control application 212 may update the data flow table 316 in the connection control application 212 .

13 illustrates a signal flow diagram for control flow cancellation according to various embodiments.

Referring to FIG. 13 , in operation 1305, the node 201 may request the controller 202 to terminate the control flow. For example, the node 201 may request control flow termination when the connection control application 212 is terminated, when the network connection is not used for a specified amount of time, or when a connection termination request is received from another system.

At operation 1310 , controller 202 can remove the control flow corresponding to the identification information received from node 201 . The controller 202 may also remove the data flow dependent on the removed control flow.

At operation 1315 , the controller 202 may request the gateway 203 to remove the data flow.

At operation 1320, gateway 203 may block connection control application 212 from accessing the network by removing the data flow.

Through the operations of FIG. 13 , the gateway 203 periodically performs a data flow update procedure with the controller 202 and returns invalid data flow information 350 according to the termination of the connection application of the node 201 or disconnection from the network. It is received, and an invalid session may be removed by matching with session information stored in the gateway 203. Accordingly, embodiments according to the present disclosure may prevent a target for which authentication is not valid according to a property in which the status of the node 201 is unknown, such as HTTP, in an authenticated state.

14 illustrates a signal flow diagram for data flow cancellation according to various embodiments.

Referring to FIG. 14 , in operation 1405 the access control application 212 may detect termination of the access application 211 . The access control application 212 may monitor in real time whether the connection application 211 running on the node 201 is terminated.

In operation 1410, the access control application 212 may request the controller 202 to terminate the data flow. For example, the access control application 212 may transmit data flow identification information allocated to the terminated connection application 211 or identification information of the access application 211 to the controller 202 to request termination of the data flow. .

At operation 1415 , the controller 202 may remove the data flow based on the data flow identification information received from the node 201 or the identification information of the connection application 211 . The controller 202 may identify and search a control flow based on the received data flow identification information or the identification information of the connection application 211 and may remove a data flow subordinate to the identified and searched control flow.

In operation 1420, the controller 202 requests the gateway 203 to remove the data flow, and in operation 1425, the gateway 203 removes the data flow, thereby providing a service corresponding to the removed data flow of the connection control application 212. Access to the server 205 may be blocked. After that, the connection application 211 can no longer transmit data packets to the destination network.

The above description is only an illustrative example of the technical idea disclosed in this document, and those skilled in the art to which the embodiments disclosed in this document belong will be within the range that does not depart from the essential characteristics of the embodiments disclosed in this document. Many modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are not intended to limit the technical idea disclosed in this document, but to explain, and the scope of the technical idea disclosed in this document is not limited by these embodiments. The scope of protection of technical ideas disclosed in this document should be interpreted according to the scope of claims below, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of this document.

Claims (16)

In node,
communication circuit;
a processor in operative connection with the communication circuitry; and
a memory operably coupled with the processor, wherein the memory stores a connection control application and a connection application, wherein the memory, when executed by the processor, causes the node to:
Identifying a network access request through the access control application, the network access request including a data packet of the access application and a destination IP (Internet Protocol) of the data packet,
Identifying whether the destination IP is included in a designated inspection band based on routing band information received from an external server;
When the destination IP is not included in the designated inspection band, transmit the data packet;
If the destination IP is included in the designated inspection band,
When a data flow corresponding to the network access request exists, transmitting or dropping the data packet based on the data flow;
When the data flow corresponding to the network access request does not exist,
identify a data flow inspection method for the destination IP;
If the data flow inspection method does not require data flow inspection before transmission of the data packet: the data packet is temporarily transmitted until a network access request result is received from the external server, and based on the network access request Requesting network access to the external server to update the data flow received from the external server;
When the data flow inspection method requires inspection of the data flow before transmission of the data packet: requesting a network connection to the external server based on the network connection request, updating the data flow received from the external server, and By transmitting or dropping the data packet based on the updated data flow,
storing instructions for performing network access processing according to the network access request based on data flow information;
The routing band information is determined by the external server as an IP band for the access control application to control transmission of data packets based on data flow. delete The method according to claim 1, wherein the instructions are the node,
If the data flow inspection method does not require inspection of the data packet before transmission of the data packet:
Stores network access requests that occur during a specified time in a queue,
A node that batch-processes network access requests stored in the queue after the specified time elapses. The method according to claim 1, wherein the instructions are the node,
If the data flow inspection method does not require inspection of the data packet before transmission of the data packet:
Stores the specified number of network access requests in a queue,
A node for batch processing the specified number of network access requests after the specified number of network access requests are stored in the queue. delete The method according to claim 1, when the data flow inspection method requires inspection of the data flow prior to transmission of the data packet, the instructions cause the node to:
Check the data flow for the destination IP;
If the data flow is valid, transmit the data packet;
If the data flow is invalid or needs to be updated, validation is performed;
After performing the validation, requesting network access for transmitting the data packet to the external server;
Receiving a response to the network access request from the external server;
A node that, based on the response, causes the data packet to be dropped or forwarded. The method according to claim 1, wherein the designated inspection band is set based on a routing band policy database in the external server,
The designated inspection band indicates an IP band requiring data flow inspection. The method according to claim 1, wherein the instructions are the node,
Requesting an update of a control flow to the external server, and the update request of the control flow includes information about the access record when there is an access record for a network including a destination IP not included in a test band,
A node configured to receive an updated control flow from the external server. In the operation method performed at the node,
Identifying a network access request through an access control application, the network access request including a data packet of the access application and a destination IP (Internet Protocol) of the data packet,
Identifying whether the destination IP is included in a designated inspection band based on routing band information received from an external server;
transmitting the data packet when the destination IP is not included in the designated inspection band; and
If the destination IP is included in the designated inspection band,
When a data flow corresponding to the network access request exists, transmitting or dropping the data packet based on the data flow;
When the data flow corresponding to the network access request does not exist,
identify a data flow inspection method for the destination IP;
If the data flow inspection method does not require data flow inspection before transmission of the data packet: the data packet is temporarily transmitted until a network access request result is received from the external server, and based on the network access request Requesting network access to the external server to update the data flow received from the external server;
When the data flow inspection method requires inspection of the data flow before transmission of the data packet: requesting a network connection to the external server based on the network connection request, updating the data flow received from the external server, and performing network access processing according to the network access request based on data flow information by transmitting or dropping the data packet based on the updated data flow;
The routing band information is determined by the external server as an IP band for the access control application to control transmission of data packets based on data flow. delete The method of claim 9,
If the data flow inspection method does not require inspection of the data packet before transmission of the data packet:
An operation of storing network access requests occurring during a specified time in a queue; and
and processing the network access requests stored in the queue in a batch after the specified time has elapsed. The method of claim 9,
If the data flow inspection method does not require inspection of the data packet before transmission of the data packet:
An operation of storing a specified number of network access requests in a queue; and
and processing the specified number of network access requests in a batch after the specified number of network access requests are stored in the queue. delete The method of claim 9,
Checking the data flow for the destination IP;
Transmitting the data packet if the data flow is valid;
If the data flow is invalid or needs to be updated, performing validation;
After performing the validation, requesting a network connection for transmitting the data packet from the external server;
receiving a response to the network connection request from the external server; and
and dropping or transmitting the data packet based on the response. The method of claim 9,
The designated inspection band is set based on a routing band policy database in the external server,
The designated inspection band indicates an IP band requiring data flow inspection. The method of claim 9,
Requesting the external server to update the control flow, the request for updating the control flow includes information on the access record when there is a record of access to a network including a destination IP not included in the test band, and ,
and receiving an updated control flow from the external server.

Images