KR102588357B1 - System for controlling network access and method of the same - Google Patents

Abstract

A gateway according to an embodiment disclosed in this document includes a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a service request from a node and responds to the service request. Verify the existence of a data flow that is corresponding and authorized from an external server, check whether the protection information token included in the service request corresponds to the data flow, and if the protection information token corresponds to the data flow, Based on the protection information token, generate protection information to be inserted into the service request, insert the protection information to be inserted into the service request into the service request, and forward the protection information token to the service server. It may consist of identification information processed by the gateway to maintain the flow of information to be protected between the target and the service server.

Description

System for controlling network access and method related thereto {SYSTEM FOR CONTROLLING NETWORK ACCESS AND METHOD OF THE SAME}

Embodiments disclosed in this document relate to a system and method for controlling network access.

Multiple devices can communicate data over a network. For example, a terminal can transmit or receive data to and from a server via the Internet. Networks may include public networks such as the Internet as well as private networks such as intranets.

Based on connectivity control such as logical connection, tunnel, and security session, nodes connected to the gateway connect to the network only when authorized through various authentication, permission, and safety verification procedures. Nodes that are not authorized through various checks are connected to the network. Because access was not granted, unspecified targets of network border technology using existing IP-based filtering technology were always able to connect.

Nodes form a mutual trust relationship between the gateway and the controller, and can access services connected to the gateway through the granted connection, but service servers (e.g. Web Server, Web Application Server, etc.) that exist in Layer 7 (Application Layer) Since it can still only identify the source IP address of Layer 3 (Network Layer), there may be problems in identifying detailed information about whether the target is authorized and which target is accessing it.

To solve the above problem, the service server performs a separate authentication procedure (e.g., user ID and password input-based authentication or Multi Factor Authentication, OAuth authentication, etc.) to identify the user and generate unique identification information to By inserting it into the protocol, methods such as maintaining mutual authentication between the node and the service and identifying the target are used based on the identification information inserted during the subsequent service request.

However, this authentication method based on inserting identification information between nodes and services exposes identification information in the communication section of the two communication targets, and in particular, nodes that have blind spots that cannot be controlled by the IP network stack (OSI 7 Layer) are vulnerable to malware. If an infected or intentional hijacker steals the identification information received from the service and requests the service by inserting the stolen identification information into another node, the service can be used by receiving authentication and related permissions from the hijacked node. This can exist.

To solve the above vulnerabilities, the service uses random tokens rather than fixed identification information, but as theft and attack methods are still becoming more sophisticated, the same vulnerabilities may occur with identification information using random tokens.

Various embodiments disclosed in this document are intended to provide a system and method for solving the above-described problems in a network environment.

A gateway according to an embodiment disclosed in this document includes a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a service request from a node and responds to the service request. Confirm the existence of a data flow that is corresponding and authorized from the external server, check whether the protection information token included in the service request corresponds to the data flow, and if the protection information token corresponds to the data flow, the data flow Based on this, generate protection information that corresponds to the protection information token and be inserted into the service request, and insert the protection information to be inserted into the service request into the service request and forward it to the service server, wherein the protection information token is configured to: It may consist of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server.

A server according to an embodiment disclosed in this document includes a communication circuit, a memory for storing a database, and a processor operatively connected to the memory and the communication circuit, wherein the processor receives a network connection request from a node. The network connection request includes identification information of the destination network of the node, and whether the node can access the destination network is checked based on the database. If access is possible, the node is checked based on the database. To connect to the destination network, the node determines the connection method of the node, whether to perform a logical connection authentication-based connection or an authorized channel or session-based connection, and selects a logical connection, channel, or session between the gateway and the node. Configured to check whether at least one can be created, to generate a data flow for the node to connect to the destination network, and to transmit the data flow to the gateway and the node, wherein the data flow includes authentication information and the When the gateway returns a service request result to the node, among the protection information that the gateway must remove and return, it includes protection information that must be updated in the data flow and information related to the creation of a protection information token to be generated by the gateway, and the protection information token may consist of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server.

A method of operating a gateway according to an embodiment disclosed in this document includes receiving a service request from a node, confirming the existence of a data flow corresponding to the service request and authorized from the external server, and included in the service request. An operation of checking whether the protected information token corresponds to the data flow, and if the protected information token corresponds to the data flow, generating protected information that corresponds to the protected information token and is inserted into the service request based on the data flow. An operation of inserting protection information to be inserted into the service request into the service request and forwarding it to the service server, wherein the protection information token is used as a gateway to maintain the flow of information to be protected between the authorized target and the service server. It may consist of identification information processed by .

According to the embodiments disclosed in this document, there is no identification information given by the service in the service request and return information received or transmitted by the node, so there is no information to steal, so network access can be controlled so that session hijacking is impossible. .

In addition, according to the embodiments disclosed in this document, node information identified and authenticated through a control flow (flow of control data packets) connected between the node and the controller, and the controller and the gateway, and the connection between the node and the gateway through the controller. By identifying and matching the granted connection and data flow (flow of data packets between nodes and services) information and inserting the identification and authentication information or protection information of nodes that the service can recognize at the gateway and transmitting them to the service. The service can provide a way to identify a node by querying the controller for the received identification information without a separate node and authentication process.

According to the embodiments disclosed in this document, if the information returned by the service to the node includes important identification and authentication and other information, the corresponding information is removed from the gateway and transmitted to the node, so that the actual identification and authentication information exists only in the gateway and service sections that exist in the section where the node communicates with the service, and since the corresponding information does not exist in the node and gateway section, vulnerabilities in network access can be resolved.

In addition, according to the embodiments disclosed in this document, important information that should not be transmitted to the node is removed through the connection structure between the node, controller, and gateway, and related information is managed (and storage, insertion, etc.), thereby enabling logical separation between the node and the gateway, and between the gateway and the service server.

In addition, according to embodiments disclosed in this document, the controller stores pre-identified information (e.g., user and node, application identification information) and protected information (e.g., node type, compliance information, etc.) The information (e.g. Access Token, etc.) identified or issued by performing authentication from a certification authority is inserted and transmitted to the service at the gateway that responds to the node's service request. The service then receives the inserted information without interconnecting a separate controller. Instead of performing authentication and authorization processing based on its own or through linking with a third-party certification authority, the above information is deleted and transmitted when the service request returns and passes through the gateway, so the node It can provide a state in which important information cannot be acquired or manipulated.

In addition, according to the embodiments disclosed in this document, the gateway is a commonly used node within an area identified by the domain or IP address and port information of the node and service server identified at the time of return after the node requests service to the service server. Authentication and protection information is stored, authentication and protection information is deleted and transmitted to the node, and when the node makes a service request to the corresponding service server, it responds to the identified domain or IP address, port information, and node identification information. By inserting and transmitting the stored information, the service server can provide a network connection method that does not expose authentication and important information to nodes in the same service environment as before.

In addition, according to the embodiments disclosed in this document, when information that needs to be protected is processed only in the continuous flow of a specific function of the service (e.g., adding to shopping cart -> entering shipping information -> payment -> completion step) During the processing process, the service adds, updates, and removes important information. In this case, when processing information subject to protection based on service classification, a vast amount of information is managed by the gateway and unnecessary information is transmitted to the service. problems can be prevented.

In addition, according to the embodiments disclosed in this document, the gateway grants unique and temporarily usable identification information to the node to manage protected information processed in the continuous flow between the node and the service server, and protects the identification information. Target information can be managed separately from information subject to protection that must be managed in common.

In addition, according to the embodiments disclosed in this document, redirection-based authentication and transaction processing included in authentication technologies or payment protocols such as SSO (Single Sign On), SAML (Security Assertion Markup Language), OAuth, etc. In this case, even when transmission and exchange of identification information occurs between two different domains, the protected information that occurs in a continuous flow is processed based on the assigned identification information to provide more detailed authentication and important information between different domains. It can be protected.

In addition, various effects that can be directly or indirectly identified through this document may be provided.

Figure 1 shows an environment including multiple networks.
Figure 2 shows an architecture within a network environment according to various embodiments.
3 is a functional block diagram showing a database stored in a controller according to various embodiments.
Figure 4 shows a functional block diagram of a node according to various embodiments.
Figure 5 shows an example of a structure for inserting protection information of an authorized target when forwarding service request information according to various embodiments.
Figure 6 shows a signal flow diagram for controller connection according to various embodiments.
7 shows a signal flow diagram for user authentication according to various embodiments.
Figure 8 shows a signal flow diagram for network access according to various embodiments.
Figure 9 shows a signal flow diagram for processing a service request according to various embodiments.
Figure 10 shows an operation flowchart for processing service request results according to various embodiments.
Figure 11 shows a signal flow diagram for control flow update according to various embodiments.
Figure 12 shows a signal flow diagram for network connection release according to various embodiments.
Figure 13 shows a signal flow diagram for terminating application execution according to various embodiments.
FIG. 14 shows a flowchart explaining a gateway operation method according to various embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS Various embodiments of the present invention are described below with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, but should be understood to include various modifications, equivalents, and/or alternatives to the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one or plural items, unless the relevant context clearly indicates otherwise. In this document, “A or B”, “at least one of A and B”, “at least one of A or B”, “A, B or C”, “at least one of A, B and C” and “A, Each of phrases such as “at least one of B, or C” may include any one of the items listed together in the corresponding phrase, or any possible combination thereof. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish one component from another, and to refer to that component in other respects (e.g., importance or order) is not limited. One (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.” When mentioned, it means that any of the components can be connected to the other components directly (e.g. wired), wirelessly, or through a third component.

Each component (eg, module or program) described in this document may include singular or plural entities. According to various embodiments, one or more of the corresponding components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (eg, modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each component of the plurality of components in the same or similar manner as those performed by the corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations may be executed in a different order, or omitted. Alternatively, one or more other operations may be added.

The term “module” used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be an integral part or the smallest unit of the part or part thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (e.g., a program or application) including one or more instructions stored in a storage medium (e.g., memory) that can be read by a machine. For example, the processor of the device may call at least one instruction among one or more instructions stored from a storage medium and execute it. This allows the device to be operated to perform at least one function according to the at least one instruction called. The one or more instructions may include code generated by a compiler or code that can be executed by an interpreter. A storage medium that can be read by a device may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain signals (e.g. electromagnetic waves), and this term refers to cases where data is semi-permanently stored in the storage medium. There is no distinction between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided and included in a computer program product. Computer program products are commodities and can be traded between sellers and buyers. A computer program product may be distributed in the form of a machine-readable storage medium (e.g. compact disc read only memory (CD-ROM)) or through an application store or between two user devices (e.g. smartphones). It may be distributed in person or online (e.g., downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be at least temporarily stored or temporarily created in a machine-readable storage medium, such as the memory of a manufacturer's server, an application store server, or a relay server.

Figure 1 shows an environment including multiple networks.

Referring to FIG. 1, the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101. In FIG. 1 and the embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances and is not limited to the above-mentioned devices. For example, source node 101 may include a server or communication device capable of transmitting data packets through an application. The source node 101 may also be referred to as an ‘electronic device’ or a ‘terminal’. Meanwhile, the destination node 102 may include the same or similar device as the above-described source node 101. As another example, the destination node 102 may be substantially the same as the destination network.

The source node 101 may attempt to access the second network 20 and transmit data to the destination node 102 included in the second network 20. The source node 101 may transmit data to the destination node 102 through the communication device 103. According to an embodiment, the communication device 103 may be a component included in the source node 101.

If the connection of the source node 101 to the first network 10 is approved, the source node 101 can communicate with all servers included in the first network 10, and therefore the source node 101 is malicious. ) may be exposed to program attacks. For example, the source node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browsers 110a and business applications 110b. ) It is possible to receive data from untrusted or unsecured applications, such as the business application 110d.

The source node 101 infected by a malicious program may attempt to connect to the second network 20 and/or transmit data. If the second network 20 is formed based on IP, such as a VPN, it may be difficult for the second network 20 to individually monitor a plurality of devices included in the second network 20, and application at the OSI layer may be difficult. Security at the layer or transport layer may be vulnerable. Additionally, if the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be transmitted to another electronic device (e.g., the destination node 102) within the second network 20. You can.

Figure 2 shows an architecture within a network environment according to various embodiments.

Referring to FIG. 2, the nodes may include a first node 201 and a second node 207. For example, the first node 201 may be a node on which the access control application 211 is installed, and the second node 207 may be a node on which the access control application is not installed. Below, the first node 201 is described as node 201.

Node 201 may be various types of devices capable of performing data communication. As another example, the node 201 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances and is not limited to the above-mentioned devices. For example, node 201 may include a server or gateway that can transmit data packets through an application. Node 201 may also be referred to as an ‘electronic device’ or a ‘terminal’.

The node 201 may store the first target application 212, the second target application 213, and the access control application 211. The target application 212 is under the control of the access control application 211 and can transmit data packets to the destination network 205 through the gateway 203 or, conversely, receive data packets. Some of the first target applications 212 and second target applications 213 may be trusted and/or secure applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs. , The network access system according to embodiments can block access of unauthorized programs (applications) to the destination network 205 and isolate the programs through network access control of the access control application 211. For example, before the target application 212 according to embodiments communicates with the destination network 205, the connection control application 211 may check whether connection is possible from the controller 202. If connection is possible, the connection control application 211 can control data packet transmission of the first target application 212 and the second target application 213. That is, in order for the first target application 212 and the second target application 213 to access the network, they must use the access control application 211, and the access control application 211 must be authorized by the controller 202. The control application 211 may transmit data packets of the first target application 212 and the second target application 213 based on a data flow based on the policy of the controller 202. According to the embodiment, the network connection of the first target application 212 may be controlled by creating a channel or session between the gateways 203, and the network connection of the second target application 213 may be controlled through a logical connection. there is.

According to the embodiment, the second node 207 is a node in which the access control application is not installed, and network access can be controlled through the gateway 203.

Controller 202 may be, for example, a server (or cloud server). The controller 202 can manage data transmission between the node 201, the gateway 203, and the destination network 205 to ensure reliable data transmission within the network environment. For example, the controller 202 may allow the authorized node 201 (or the access control application 211) to access the network through policy information or blacklist information. The controller 202 may provide information to create a channel between the node 201 and the gateway 203. Accordingly, the access control application 211 of the node 201 can prevent unauthorized applications from transmitting data packets for unauthorized purposes, and only allow data packets through the gateway 203 and the created channel. A structure can be provided that can be transmitted to this destination network (205).

According to an embodiment, the controller 202 may communicate with the authentication server 207 to perform additional authentication. For example, when an authentication request is received, the controller 202 may check with the authentication server 207 whether to perform additional authentication, and if additional authentication is performed, request authentication from the authentication server 207 to Information can be received. According to the embodiment, the authentication server 207 may include at least one of authentication-related technologies such as OAuth, SAML, LDAP, and Active Directory.

According to an embodiment, network access of the first target application 212 and the second target application 213 may be blocked from the access control application 211, the controller 202, or the gateway 203. According to one embodiment, the controller 202 is a connection control application (e.g., registration, approval, authentication, renewal, termination) to perform various operations associated with the network connection of the node 201 or the access control application 211. 211) and control data packets can be transmitted and received. The flow through which control data packets are transmitted (e.g., 220) may be referred to as a 'control flow'. According to the embodiment, the controller 202 can maintain a secure network state at all times by immediately reclaiming the channel according to a security event received from the interlocking system (e.g., node 201, gateway 203, or destination network 205). there is.

The gateway 203 may be located at the border of the network to which the node 201 belongs or the border of the network to which the destination network 205 belongs. According to one embodiment, the gateway 203 may be connected to the controller 202 on a cloud basis. According to the embodiment, the flow in which data packets are transmitted between the access control application 211 and the gateway 203 may be referred to as a 'data flow'. Data flows can be created at a node or IP level, as well as at more granular units (e.g. applications).

According to various embodiments, connectivity control technology allows only authorized entities, such as logical connections, channels, and sessions, to connect to the gateway. Existing IP (Internet Protocol) that can block access to the Internet (e.g., Internet, etc.) that requires control, can control access to the service only by authorized targets, and allows unspecified targets to connect at all times by identifying authorized targets. Problems in communication and identifying communication targets based on IP addresses can be improved.

In the case of service protocols based on existing IP communications (e.g. HTTP, FTP, etc.), the service identifies the authorized target, performs additional authentication, or additionally identifies important information of the communication target, and maintains that information by requesting service and By recording the return information in the header (e.g., session, cookie, etc. in the case of HTTP) or body (e.g., information for maintaining POST parameters, parameter information included in URI, etc.), the information is stored in the communication section between nodes or nodes and services. It is always exposed.

Therefore, the network access control technology according to the embodiments disclosed in this document starts from the gateway 203 that exists as a boundary between the node 201 to which the connectivity control technology is applied and the destination network 205. Since the area between the gateway 203 and the gateway 203 is an unreliable or unsafe section (e.g., a section where attacks such as Credential Stuffing, Session Hijacking, Man In The Middle Attack, etc. inevitably occur), node identification information and important information do not exist. It can be set to a minimized section, and the section between the gateway 203 and the destination network 205 is a trusted section (e.g., there are various vulnerabilities that can occur in an unreliable or unsafe section due to the intervention of a third party) It can be logically separated into (non-existent or minimized) sections.

That is, starting from the logically separated boundary, the gateway 203 processes service requests and request returns while preventing or minimizing attacks and vulnerable information that may occur between the node 201 and the gateway 203 section. It is possible to provide a structure that allows the identification information and important information of the node 201 to exist only in the section between the gateway 203 and the destination network 205, thereby eliminating the vulnerabilities inherent in the service protocol based on existing IP communication. It can be resolved and processed so that services included in the destination network can always communicate with safe and reliable authorized targets.

According to various embodiments, the node 201 may include a connection control application 211 and a network driver (not shown) for managing network connections of target applications 212 and 213 stored in the node 201. . For example, when a connection event to the destination network 205 of the target applications 212 and 213 included in the node 201 occurs, the connection control application 211 determines whether the target applications 212 and 213 can be connected. can be decided. If the target applications 212 and 213 are accessible, the connection control application 211 may transmit a data packet to the gateway 203. The access control application 211 can control the transmission of data packets within the node 201 through a kernel including an operating system and a network driver.

According to embodiments, destination network 205 may also be referred to as a service server.

3 is a functional block diagram showing a database stored in a controller according to various embodiments. Although FIG. 3 shows only the memory 330, the controller includes a communication circuit for performing communication with an external electronic device (e.g., the communication circuit 430 in FIG. 4) and a processor for controlling the overall operation of the controller (e.g., FIG. It may further include 4 processors 410).

The administrator can access the controller 202 and set a connection-oriented policy to control the connection between the access control application 211 and the destination network 205, so network access is more detailed and safer than managing sessions at the service level. can be controlled.

The connection policy database 311 may include information about networks and/or services to which an identified network, node, or application can access. For example, when the access control application 211 requests network access, the controller 202 identifies the network (e.g., the network to which the node 201 belongs), the node, It may be determined whether a user (e.g., a user of node 201) and/or an application (e.g., target application 212 included in node 201) can access the destination network 205. In the embodiment, Accordingly, the controller 202 may create a whitelist of target applications 212 that can be accessed through a specific service (eg, IP and port) based on the access policy database 311.

The channel and session policy database 312 contains information about a gateway (e.g., gateway 203 in FIG. 2) that exists between a service server (e.g., destination network 205 in FIG. 2) on a connection path according to a policy. may include. According to an embodiment, the channel and session policy database 312 contains a set of information for creating a channel between the node 201 and the gateway 203 (e.g., authentication and a set of information for creating tunneling), the node 201 ) and a series of information for authenticating the logical connection between the gateway 203 (e.g., authentication information generation and inspection method and series of information according to the protocol), and creating a session between the node 201 and the gateway 203. A set of information (e.g., a certificate and a set of information for creating a secure session) or a method for removing a session if it is not an authorized session when an own session is created between the node 201 and the gateway 203. It can include at least one of them. That is, the channel and session policy database 312 may check whether the node 201 or a communication target is authorized and include a series of information and policies required for connectivity control.

The blacklist policy database 313 is a target (e.g., node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID). Additionally, the blacklist policy database 313 can be used as information to determine the risk level of an application according to the application inspection results and whether to temporarily or permanently isolate it depending on the risk level.

The blacklist database 314 may include a list of targets blocked by the blacklist policy database 313. For example, if the identification information of the node 201 requesting network access is included in the blacklist database 314, the controller 202 may isolate the node 201 by rejecting the network access request.

The control flow table 315 is an example of a session table for managing the flow (eg, control flow) of control data packets generated between the node 201 and the controller 202. When successfully connecting to the controller 202, control flow information may be generated by the controller 202. The control flow information may include at least one of control flow identification information, an IP address identified when connecting to and authenticating the controller, a node ID, or a user ID. For example, when connection to the destination network 205 is requested from the node 201, the controller 202 can retrieve control flow information through the control flow identification information received from the node 201, and the retrieved control flow Whether the node 201 can connect to the destination network 205 by mapping at least one of the IP address, node ID, or user ID included in the information to the connection policy database 311, data flow for data packet transmission You can determine (decide) whether to create it or not.

According to one embodiment, a control flow may have an expiration time. The node 201 must update the expiration time of the control flow, and if the expiration time is not updated within a certain period of time, the control flow (or control flow information) may be removed. Additionally, if it is determined that immediate connection blocking is necessary according to security events collected from the node 201, the controller 202 may remove the control flow according to the node 201's connection termination request. When the control flow is removed, the previously created data flow is also removed, so the connection to the node 201 may be blocked.

The data flow table 316 is a table for managing the flow (eg, data flow) in which detailed data packets are transmitted between the node 201, the gateway 203, and the destination network 205. Data flows can be created by TCP sessions, applications, or more granular units. The data flow table 316 can manage dependent data flows using a data flow ID for identifying the data flow and a control flow ID assigned to the transmitting subject.

According to an embodiment, the data flow table 316 contains each processing information (e.g. : logical connection authentication information or session creation or confirmation information), connectivity control information to identify the gateway 203 as an authorized node 201 (e.g., whether logical connection authentication-based access, authorized channel or session-based access, and Information to identify this, status information), channel and session information, and data packets of the authorized target based on this, and information on the authorized target to determine whether to forward based on the destination IP, service port, and service domain information of the service request. , may include status information including whether the corresponding data flow is valid.

According to an embodiment, the data flow table 316 may include authentication information. For example, the data flow table 316 contains information related to whether additional authentication must be performed for the node 201 to access the service, information previously set by the service provider, and authorization to be inserted through the gateway 203. It may include information that cannot be identified through general service protocols, such as the node's operating system and device type, user identification information, security compliance compliance information, and a series of information received from the authentication server. For example, the protected information of an authorized target is determined by checking whether it is an authorized target and inserting a series of information previously identified by the controller, whether to insert it into the header or into the body. Information that determines whether to insert) may be included. For example, protection information of authorized subjects may be generated based on the service policy database 317, and information related to whether additional authentication must be performed to access the service may be generated based on the authentication policy database 319. It can be.

According to the embodiment, when the service server returns a service request result to the node 201, the data flow table 316 stores protection information to be removed and returned from the gateway 203, and protection information to be removed and returned from the gateway 203 ( Whether to update or store in the data flow of 203), if a service request exists in the node 201, which of the protection information was stored or updated in the data flow among the protection information removed from the gateway 203 when the service result is returned Protected information to be reinserted, when connecting to a service, check whether authentication is required through the gateway 203 and redirect to the authentication server, or when the service server redirects a service request to the authentication server, between two mutually different domains identified during the authentication process. It may further include protection information to be shared or protected, protection information token generation method, and algorithm information. According to an embodiment, protection information may be generated based on the service policy database 317.

According to an embodiment, the protection information token may consist of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server.

The data flow table 316 can be managed based on control flow ID.

According to the embodiment, the data flow table 316 may be stored equally in the node 201 and the gateway 203.

The service policy database 317 contains destination IP and port information, service domain information, protocol information (e.g. HTTP, FTP, IoT-specific protocols), and service providers that the connection target can access through the proxy according to the connection policy 311. This pre-set information may include protection information of an authorized target to be inserted through the gateway 203. According to an embodiment, the protection information of the authorized target may include information that cannot be identified through general service protocols, such as the node's operating system and device type, user identification information, security compliance compliance information, and a series of information received from the authentication server. You can. For example, the protected information of an authorized target is determined by checking whether it is an authorized target and inserting a series of information previously identified by the controller, whether to insert it into the header or into the body. It may further include information that determines whether to insert.

According to the embodiment, when the service server returns a service request result to the node 201, the service policy database 317 stores protection information to be removed and returned from the gateway 203, and protection information to be removed and returned from the gateway 203 ( 203) may include whether it needs to be updated or stored in the data flow. In addition, when a service request exists from the node 201, the service policy database 317 determines which of the protection information that was stored or updated in the data flow among the protection information removed from the gateway 203 when the service result is returned must be reinserted. Protected information, when accessing a service, checks whether authentication is required through the gateway 203 and redirects to the authentication server, or when the service server redirects a service request to the authentication server, it is shared or protected between two mutually different domains identified during the authentication process. It may further include protection information to be provided, protection information token generation method, and algorithm information. According to an embodiment, the protection information token may consist of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server.

The channel and session table 318 may be a table for managing channels or sessions created between the node 201, the access control application 211, or the target applications 212 and 213 and the gateway 203. For example, when a channel or session is created between the node 201, the access control application 211 or the target application 212, 213 and the gateway 203, information related to the created channel or session is stored in the channel and session table ( 318). For another example, when a channel or session between the node 201, the access control application 211 or the target application 212, 213 and the gateway 203 is removed, information related to the removed channel or session is stored in the channel and session table. It can be updated at (318).

The authentication policy database 319 uses the connection policy 311 to identify the node, identify the user, or identify the target identified at the time of service access to an authentication server other than the controller 202 (e.g., OAuth, SAML, LDAP, Active Directory, etc.). (certification-related technologies, etc.) may include information to determine whether additional authentication needs to be performed. According to an embodiment, the authentication policy database 319 may include a series of information such as an authentication server and authentication method when additional authentication must be performed.

Figure 4 shows a functional block diagram of a node according to various embodiments.

Referring to FIG. 4 , a node may include a processor 410, memory 420, and communication circuit 430. According to one embodiment, the node may further include a display 440 to interface with the user.

The processor 410 can control the overall operation of the node. In various embodiments, the processor 410 may include one processor core (single core) or may include a plurality of processor cores. For example, the processor 410 may include multi-core, such as dual-core, quad-core, or hexa-core. Depending on embodiments, the processor 410 may further include a cache memory located internally or externally. Depending on embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or a portion of processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). It can be (coupled with) or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process messages, data, commands, or signals received from the memory 420, the communication circuit 430, or the display 440. Processor 410 may generate new messages, data, instructions, or signals based on received messages, data, instructions, or signals. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420, communication circuit 430, or display 440.

The processor 410 can process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals to the memory 420 in order to execute or control a program.

The memory 420 may store commands for controlling nodes, control command codes, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

Memory 420 may include one or more of volatile memory or non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). It can be included. Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc.

The memory 420 uses non-volatile media such as a hard disk drive (HDD), solid state disk (SSD), embedded multi media card (eMMC), and universal flash storage (UFS). More may be included.

According to one embodiment, the memory 420 may store the target applications 212 and 213 and the access control application 211 of FIG. 2 . The connection control application 211 may perform control flow creation and update functions with the controller 202. To this end, the access control application 211 may include one or more security modules.

According to one embodiment, the memory 420 may store some of the information included in the controller's memory (eg, memory 330 in FIG. 3). For example, memory 420 may store data flow table 316 described in FIG. 3 .

Communication circuitry 430 establishes a wired or wireless communication connection between a node and an external electronic device (e.g., controller 202, gateway 203, or destination network 205 of Figure 2) and performs communication over the established connection. can support. According to one embodiment, the communication circuit 430 may be a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (e.g., a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit, a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a long-distance communication such as a cellular network, the Internet, or a computer network It can communicate with external electronic devices through a network. The various types of communication circuits 430 described above may be implemented as one chip or may be implemented as separate chips.

The display 440 can output content, data, or signals. In various embodiments, the display 440 may display image data processed by the processor 410. Depending on embodiments, the display 440 may be configured with an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving touch input, etc. When the display 440 is configured as a touch screen, a plurality of touch sensors may be placed above the display 440 or below the display 440.

A server (eg, controller) according to one embodiment may include a processor 410, memory 420, and communication circuit 430. The processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

A gateway (eg, gateway 203 in FIG. 2) according to an embodiment may include a processor 410, a memory 420, and a communication circuit 430. The processor 410, memory 420, and communication circuit 430 included in the gateway may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.

Figure 5 shows an example of a structure for inserting protection information of an authorized target when forwarding service request information according to various embodiments.

Referring to FIG. 5, HTTP-based service request information 505 may include an HTTP header 510 and an HTTP body 530.

According to the embodiment, the HTTP header 510 may include the HTTP header 515 added by the gateway, and the HTTP header 515 added by the gateway 203 includes the data flow header 520 and the authorized target. Protected information 525 may be included. That is, the gateway 203 adds the data flow header 520 and the protection information 525 of the authorized target to the HTTP header 510 so that the service server existing in the destination network 205 can use the HTTP header 510. It is possible to identify whether the request is from an authorized target.

According to the embodiment, the HTTP body 530 may include an HTTP body 535 added by the gateway 203, and the HTTP body 535 added by the gateway 203 includes protection information 540 of the authorized target. may include. That is, the gateway 203 may insert or add the protection information 540 of the authorized target to the HTTP body 530.

According to an embodiment, the gateway 203 detects the authorized object's protected information (e.g., the node's operating system and device type, user identification information) based on the token information (e.g., the authorized object's protected information token 560). , information that cannot be identified through general service protocols, such as security compliance compliance information and a series of information received from the authentication server. For example, the protected information of an authorized target is determined by checking whether it is an authorized target and inserting a series of information previously identified by the controller, whether to insert it into the header or into the body. Information to determine whether to insert, protection information to be removed and returned from the gateway 203 when the service server returns a service request result to the node 201, protection information to be removed and returned to the data of the gateway 203 Whether it needs to be updated or stored in the flow, if a service request exists at the node 201, and when the service result is returned, which of the protection information removed from the gateway 203 should be reinserted among the protection information stored or updated in the data flow When accessing information and services, whether authentication is required is checked through the gateway 203 and redirected to the authentication server, or when the service server redirects a service request to the authentication server, information that needs to be shared or protected between two mutually different domains identified during the authentication process. Inserts a series of information that can be identified and processed by the service server into parts appropriate for the service protocol (e.g., header and body area for HTTP) according to the protection information, protection information token generation method, and algorithm information and retransmits it to the service server. It can perform the role of returning the service server's response value to the service request to the node.

According to an embodiment, the protection information token may consist of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server.

According to the embodiment, if the service request result (reverse direction) received after forwarding the service request information includes the protection information of the authorized target as described above, the node 201 receives the information. Unnecessary protection information is removed so that the node 201 can re-insert and transmit the removed protection information in the gateway 203 when requesting a service. After updating and storing the data flow of the gateway 203 to correspond to the issued token information so that the result return can be continuously processed in a continuous series of flows, token information is inserted and the service request result is forwarded to the service server. It is possible to protect important information to be maintained with the node 201.

That is, the gateway 203 according to the embodiments disclosed in this document controls the node 201 so that it cannot transmit or receive protected information of an authorized target, thereby providing service to an unauthorized target from the gateway 203 or the service server. Can be configured to block requests.

Additionally, the HTTP-based service request information 545 transmitted from the node 201 may include an HTTP header 550. The gateway 203 may check whether the protection information token 560 of the authorized target exists in the HTTP header 555 added by the gateway included in the HTTP header 550. When receiving a service request by an authorized connectivity control element, the proxy included in the gateway 203 identifies the connection target and the service requested by the connection target through the data flow table, and identifies the authorized target in the service request information. With the protected information token, it can be confirmed whether the same information as the protected information token of the authorized target included in the data flow exists. That is, the gateway 203 can identify the data flow based on the protection information token of the authorized target, identify protection information corresponding to the protection information token, and then insert the protection information when forwarding the service request to the service server. You can forward it.

Figure 6 shows a signal flow diagram for controller connection according to various embodiments.

Since the node 201 needs to be authorized by the controller 202 to connect to or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, thereby establishing the node ( 201), you can try to connect to the controller. According to the embodiment, the node 201 may be substantially the same as the node 201 of FIG. 2 on which the access control application 211 is installed.

Referring to FIG. 6, node 201 can detect a controller connection event. For example, when the access control application 211 is installed and executed within the node 201, the node 201 may detect that a connection to the controller 202 is requested.

In operation 605, node 201 may request controller connection to controller 202. For example, the access control application 211 may transmit identification information of the access control application 211 to the controller 202.

In operation 610, the controller 202 may identify whether the object requesting controller connection (e.g., the access control application 211 or the node 201) can be connected. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the connection policy database 311 or determines whether the node 201, the network to which the node 201 belongs, and/or the connection It is possible to check whether the object requesting controller access can be connected based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314.

If connection is possible, in operation 615, the controller 202 allows the identified node 201 to authenticate through an authentication server 207 (e.g., authentication-related technology such as OAuth, SAML, LDAP, Active Directory, etc.) other than the controller 202. Whether additional authentication is performed can be checked based on the authentication policy 319. According to an embodiment, if there is no need to perform additional authentication, the controller 202 may perform operation 625. According to the embodiment, when additional authentication needs to be performed, the controller 202 may request authentication from the authentication server 207 based on the identified information and information set in the authentication policy 319 and receive the authentication result. (Action 620). According to the embodiment, when receiving an authentication inaccessibility result from the authentication server 207, the controller 202 may transmit connection inability information to the node 201 (operation 635).

When authentication completion information is received from the authentication server 207, the controller 202 uses authentication-related information received from the authentication server 207 (e.g., the service verifies the authentication information of the node through the authentication server and provides related authorization information). A set of information to confirm the authentication-related information of the node, such as an authentication token for receiving or receiving protected information) can be stored.

If authentication is complete or no additional authentication is required, in operation 625, the controller 202 may create a control flow between the node 201 (or access control application 211) and the controller 202. In this case, the controller 202 generates control flow identification information in the form of a random number and stores the identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 211 in the control flow table ( 315). The information stored in the control flow table 315 may be used for user authentication of the node 201, update of information of the node 201, confirmation of policy for network connection of the node 201, and/or validation.

In operation 630, the controller 202 based on the access policy database 311 and the channel policy database 312 corresponding to the identified information (e.g., node 201, source network information to which node 201 belongs). You can create whitelist information of accessible applications. According to the embodiment, the controller 202 provides destination network information to which the current connection requesting node 201 can basically connect based on the identified information, the connection policy database 311, and the channel and session policy database 312. You can check if it exists. In one embodiment, the controller 202 may transmit the application white list to the connection control application 211 in operation 635.

If connectivity is available, the controller 202 can list the channel types and gateways to which the node 201 can be connected. For example, in order for the node 201 to connect to the destination network, the controller 202 may use the type, location information, environment, and network information of the node 201 included in the control flow, and the controller ( The node 201 is based on at least one or a combination of two or more of the identification information (e.g., IP information) of the node 201 identified through 202) and the identification information of the node 201 identified through the node 201. You can list the channel types and gateways that can be connected.

The controller 202 can check the status (e.g., throughput, failure status) of the listed gateways, and identify the channel and gateway 203 optimized for the node 201 among the listed gateways. For example, the controller 202 may identify one channel and one gateway 203. According to the embodiment, when there is a channel and a gateway 203 accessible to the node 201, the controller 202 creates a channel such as a gateway 203 and channel authentication information for the node 201 to create a channel. Information may be transmitted to node 201 (act 635). According to an embodiment, a channel may include at least one of a tunnel and a session.

According to the embodiment, a channel is not created between the node 201 and the gateway 203, but through a pre-connected channel existing at the border of the gateway 203 and the destination network existing in the network to which the node 201 belongs. In the case of a connection structure or a connection between the node 201 and the destination network boundary through a different channel technology, the controller 202 may not transmit channel creation information to the node 201.

In operation 635, the controller 202 may transmit control flow identification information to the node 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller connection is unconnectable or included in the blacklist, the controller 202 may transmit unconnection information in operation 635 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list created by performing operation 630 to the access control application 211.

When channel creation is required (e.g., when channel creation information is received from the controller 202), the access control application 211 generates information for channel creation received from the controller 202 (e.g., gateway (e.g., gateway) in operation 640. 203) and a series of information required for channel creation, such as channel authentication information, can request the gateway 203 to create a channel. The gateway 203 may create a channel in response to a channel creation request from the node 201. According to the embodiment, when channel creation is determined to be unnecessary by the controller 202 (e.g., when channel creation information is not received from the controller 202, or when channel creation unnecessary information is received from the controller 202) etc.) The access control application 211 may perform operation 645 without performing operation 640.

When a channel is created through operation 640, the access control application 211 checks whether the channel creation completion information and the dedicated IP set according to the channel creation exist, and transmits the channel creation completion information and the dedicated IP information to the controller 202. (action 650).

At operation 645, the access control application 211 may perform a check on the application. For example, the access control application 211 may perform a check on applications based on a white list of accessible applications received from the controller 202. According to the embodiment, the access control application 211 may check whether the application exists (installed) in the node 201 based on accessible application information.

In operation 650, the access control application 211 may transmit the test result to the controller 202. For example, the access control application 211 may transmit channel creation completion information and assigned channel identification information (IP information) to the controller 202. For another example, the access control application 211 may transmit a confirmation result of whether the application is installed to the controller 202 based on the application white list.

At operation 655, controller 202 may perform data flow processing. For example, when the channel creation completion information is received, the controller 202 stores the channel dedicated IP information assigned to the node 201 and the channel creation completion information in a channel and session table (e.g., the channel and session table of FIG. 3). 318)), and the information transmitted from the node 201 can be updated in the control flow corresponding to the node 201.

The controller 202 sets the connection policy (e.g., the access policy 311 in FIG. 3) and the gateway 203 where the node 201 is located in the service policy 317 to allow the node 201 connected to the network to access the network. You can check. Additionally, the controller 202 may generate a data flow including a destination IP, service port information, and service domain information so that the node 201 can control service processing requests without performing a network connection request procedure. According to an embodiment, the data flow includes connectivity control information to identify the gateway 203 as an authorized node 201 (e.g., whether a logical connection authentication-based connection, an authorized channel, or session-based connection, and information for identifying this). , status information), information related to whether the node 201 needs to perform additional authentication to access the service, and protection information of the authorized target to be inserted through the gateway 203 as information set in advance by the service provider ( Example: Information that cannot be identified through general service protocols, such as the node's operating system and device type, user identification information, security compliance compliance information, and a series of information received from the authentication server) may be included. For example, the protected information of an authorized target is determined by checking whether it is an authorized target and inserting a series of information previously identified by the controller, whether to insert it into the header or into the body. Information to determine whether to insert, protection information to be removed and returned from the gateway 203 when the service server returns a service request result to the node 201, protection information to be removed and returned to the data of the gateway 203 Whether it needs to be updated or stored in the flow, if a service request exists at the node 201, and when the service result is returned, which of the protection information removed from the gateway 203 should be reinserted among the protection information stored or updated in the data flow When accessing information and services, whether authentication is required is checked through the gateway 203 and redirected to the authentication server, or when the service server redirects a service request to the authentication server, information that needs to be shared or protected between two mutually different domains identified during the authentication process. It may include protection information, protection information token generation method, and algorithm information. In this case, the controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 of the node 201 (operations 660 and 665).

In operation 670, the access control application 211 may process a result value according to the received response. For example, the connection control application 211 may store the received control flow identification information and display a user interface screen to the user indicating that the controller connection is complete. Once the controller connection is completed, the network connection request for the destination network of the node 201 can be controlled by the controller 202.

According to another embodiment, controller 202 may determine that node 201 is unreachable. For example, if the identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may not generate a control flow in operation 625 and may transmit a response indicating that the controller connection is not possible in operation 635. Additionally, in this case, operations 640 to 665 may not be performed. Depending on the embodiment, if a retry of controller connection is required, the connection control application 211 may perform operation 605 again.

In addition, the access control application 211 can update the data flow of the node 201 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that Afterwards, when a data packet transmission request is detected, the access control application 211 may process the data packet to be transmitted based on the received data flow.

According to the embodiment, when the connection control application 211 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

7 shows a signal flow diagram for user authentication according to various embodiments.

In order for the node 201 to be granted detailed access rights to the destination network, the access control application 211 of the node 201 may receive authentication for the user of the node 201 from the controller 202. According to the embodiment, the node 201 may be substantially the same as the node 201 of FIG. 2 on which the access control application 211 is installed.

Referring to FIG. 7, node 201 may receive input for user authentication. The input for user authentication may be, for example, a user input of entering a user ID and password. For another example, the input for user authentication may be a user input for stronger authentication (e.g., biometric information). In this case, in operation 705, the access control application 211 of the node 201 may request user authentication from the controller 202. If a control flow between the node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication along with control flow identification information.

At operation 710, controller 202 may authenticate the user based on information received from node 201. For example, the controller 202 may store the user ID, password, and/or enhanced authentication information contained in the received information and a database contained in the memory of the controller 202 (e.g., the access policy database of FIG. 3). Based on (311) or the blacklist database (314), it can be determined whether the user can access according to the access policy and whether the user is included in the blacklist.

Once the user is authenticated, at operation 715, the controller 202 authenticates the identified node 201 via an authentication server 207 (e.g., authentication-related technology such as OAuth, SAML, LDAP, Active Directory, etc.) other than the controller 202. Whether additional authentication is performed can be checked based on the authentication policy 319. According to an embodiment, if there is no need to perform additional authentication, the controller 202 may perform operation 725. According to the embodiment, when additional authentication needs to be performed, the controller 202 may request authentication from the authentication server 207 based on the identified information and information set in the authentication policy 319 and receive the authentication result. (Action 720). According to an embodiment, when receiving an authentication inability result from the authentication server 207, the controller 202 may transmit connection inability information to the node 201 (operation 735).

When authentication completion information is received from the authentication server 207, the controller 202 uses authentication-related information received from the authentication server 207 (e.g., the service verifies the authentication information of the node through the authentication server and provides related authorization information). A set of information to confirm the authentication-related information of the node, such as an authentication token for receiving or receiving protected information) can be stored.

When authentication is completed or additional authentication is not required, in operation 725, the controller 202 may add the user's identification information (e.g., user ID) to the identification information of the control flow. The added user identification information can be used to connect the authenticated user to the controller or network.

In operation 730, the controller 202 accesses the access policy database 311 and the channel policy database 312 corresponding to the identified information (e.g., node 201, source network information to which node 201 belongs). Whitelist information of possible applications can be created. According to the embodiment, the controller 202 determines whether there is destination network information to which the current connection requesting node 201 can basically connect based on the identified information, the connection policy database 311, and the channel policy database 312. You can check it. In one embodiment, the controller 202 may transmit the application white list to the connection control application 211 in operation 735.

If connectivity is available, the controller 202 can list the channel types and gateways to which the node 201 can be connected. For example, in order for the node 201 to connect to the destination network, the controller 202 uses the type, location information, environment, and network information containing the node 201 included in the control flow, and the controller ( The node 201 is based on at least one or a combination of two or more of the identification information (e.g., IP information) of the node 201 identified through 202) and the identification information of the node 201 identified through the node 201. You can list the channel types and gateways that can be connected.

The controller 202 can check the status (e.g., throughput, failure status) of the listed gateways, and identify the channel and gateway 203 optimized for the node 201 among the listed gateways. For example, the controller 202 may identify one channel and one gateway 203. According to the embodiment, when there is a channel and a gateway 203 accessible to the node 201, the controller 202 creates a channel such as a gateway 203 and channel authentication information for the node 201 to create a channel. Information may be transmitted to node 201 (act 735). According to an embodiment, a channel may include at least one of a tunnel and a session.

According to the embodiment, a channel is not created between the node 201 and the gateway 203, but through a pre-connected channel existing at the border of the gateway 203 and the destination network existing in the network to which the node 201 belongs. In the case of a connection structure or a connection between the node 201 and the destination network boundary through a different channel technology, the controller 202 may not transmit channel creation information to the node 201.

In operation 735, the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In one embodiment, the controller 202 may transmit the application white list created through operation 730 to the access control application 211.

When channel creation is required (e.g., when channel creation information is received from the controller 202), the access control application 211 generates information for channel creation received from the controller 202 (e.g., gateway (e.g., gateway) in operation 740. 203) and a series of information required for channel creation, such as channel authentication information, can request the gateway 203 to create a channel. The gateway 203 may create a channel in response to a channel creation request from the node 201. According to the embodiment, when channel creation is determined to be unnecessary by the controller 202 (e.g., when channel creation information is not received from the controller 202, or when channel creation unnecessary information is received from the controller 202) etc.) The access control application 211 may perform operation 745 without performing operation 740.

When a channel is created through operation 740, the access control application 211 may check whether channel creation completion information and a dedicated IP set according to channel creation exist. The access control application 211 may transmit channel creation completion information and dedicated IP information to the controller 202 (operation 750).

At operation 745, the access control application 211 may perform a check on the application. For example, the access control application 211 may perform a check on applications based on a white list of accessible applications received from the controller 202. The access control application 211 can check whether the application exists (installed) on the node 201 based on accessible application information.

In operation 750, the access control application 211 may transmit the test result to the controller 202. For example, the access control application 211 may transmit channel creation completion information and assigned channel identification information (IP information) to the controller 202. For another example, the access control application 211 may transmit a confirmation result of whether the application is installed to the controller 202 based on the application white list.

At operation 755, controller 202 may perform data flow processing. For example, when the channel creation completion information is received, the controller 202 stores the channel dedicated IP information assigned to the node 201 and the channel creation completion information in a channel and session table (e.g., the channel and session table of FIG. 3). 318)), and the information transmitted from the node 201 can be updated in the control flow corresponding to the node 201.

The controller 202 sets the connection policy (e.g., the access policy 311 in FIG. 3) and the gateway 203 where the node 201 is located in the service policy 317 to allow the node 201 connected to the network to access the network. You can check. Additionally, the controller 202 may generate a data flow including a destination IP, service port information, and service domain information so that the node 201 can control service processing requests without performing a network connection request procedure. According to an embodiment, the data flow includes connectivity control information to identify the gateway 203 as an authorized node 201 (e.g., whether a logical connection authentication-based connection, an authorized channel, or session-based connection, and information for identifying this). , status information), information related to whether the node 201 needs to perform additional authentication to access the service, and protection information of the authorized target to be inserted through the gateway 203 as information set in advance by the service provider ( Example: Information that cannot be identified through general service protocols, such as the node's operating system and device type, user identification information, security compliance compliance information, and a series of information received from the authentication server) may be included. For example, the protected information of an authorized target is determined by checking whether it is an authorized target and inserting a series of information previously identified by the controller, whether to insert it into the header or into the body. Information to determine whether to insert, protection information to be removed and returned from the gateway 203 when the service server returns a service request result to the node 201, protection information to be removed and returned to the data of the gateway 203 Whether it needs to be updated or stored in the flow, if a service request exists at the node 201, and when the service result is returned, which of the protection information removed from the gateway 203 should be reinserted among the protection information stored or updated in the data flow When accessing information and services, whether authentication is required is checked through the gateway 203 and redirected to the authentication server, or when the service server redirects a service request to the authentication server, information that needs to be shared or protected between two mutually different domains identified during the authentication process. It may include protection information, protection information token generation method, and algorithm information. In this case, the controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 of the node 201 (operations 760 and 765).

In operation 770, the access control application 211 may process a result value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen to the user indicating that user authentication is complete. Once user authentication is completed, the node 201's network connection request to the destination network may be controlled by the controller 202.

According to another embodiment, the controller 202 may determine that user authentication of node 201 is not possible. For example, if the identification information of node 201 and/or the network to which node 201 belongs is included in the blacklist database, the controller 202 may determine that node 201 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect the user identification information in operation 725 and may transmit a response indicating that controller access is not possible in operation 735. Additionally, in this case, operations 740 to 765 may not be performed.

In addition, the access control application 211 can update the data flow of the node 201 when a data flow received from the controller 202 exists and transmit data packets based on a pre-allowed data flow when connecting to the network. Data flow can be managed so that

According to the embodiment, when the connection control application 211 receives network connection release information from the controller 202, it may terminate the application or block all network connections of the application.

Figure 8 shows a signal flow diagram for network access according to various embodiments.

After the node 201 is authorized by the controller 202, the node 201 controls the network access of other applications stored in the node 201 through the access control application 211 of the node 201, thereby controlling the network access of other applications stored in the node 201. Transmission can be guaranteed. According to the embodiment, the node 201 may be substantially the same as the node 201 of FIG. 2 on which the access control application 211 is installed.

Referring to FIG. 8, in operation 805, the connection control application 211 may detect a network connection event of another application (eg, the target application 212 in FIG. 2) stored in the node 201.

In operation 810, the access control application 211 may confirm the existence of a data flow corresponding to the identification information of the application requesting network access, destination network identification information, and port information. Depending on the embodiment, if a data flow exists but is not valid, the access control application 211 may drop the data packet. According to another embodiment, when a data flow exists, the access control application 211 may transmit data packets based on the data flow. According to an embodiment, the access control application 211 of the node 201 may perform a network connection request in operation 815 without performing operation 810.

When the data flow needs to be updated, such as when the data flow does not exist or when the authentication time has expired and needs to be updated, in operation 815, the access control application 211 may request network access from the controller 202. For example, a network connection request may include control flow identification information, target application identification information, destination network identification information, and port information.

In operation 820, the controller 202 collects the connection request identification information (e.g., identification information of the destination network) from the connection policy corresponding to the identified information (e.g., node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible. According to an embodiment, the controller 202 may check whether the target application can connect to the gateway 203 or the destination network 205. Depending on the embodiment, if network connection is not possible, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 (operation 845).

If access is possible, the controller 202 is a connectivity control element for the authorized node 201 or target application to access the network based on the channel and session policy 312. Logical connection authentication-based access, authorized channel Alternatively, you can check whether session-based connection exists.

According to an embodiment, when performing connectivity control based on logical connection authentication, the controller 202 may perform a procedure for creating a data flow including information for logical connection authentication.

According to the embodiment, when connectivity control is performed based on a channel, the controller 202 may check whether a channel is created between the node 201 and the gateway 203. For example, if a channel is not created, the controller 202 may transmit a non-accessible result to the node 201. For another example, when a channel has been created, the controller 202 may perform a procedure to create a data flow.

According to an embodiment, when performing connectivity control based on a session, the controller 202 may perform a procedure for creating a data flow including information for session creation.

If connection is possible, in operation 825, the controller 202 determines whether the identified node 201 is authenticated by an authentication server 207 other than the controller 202, such as OAuth, SAML, LDAP, Active Directory, etc. It is possible to check whether additional authentication is performed through (related technology) based on the authentication policy (319). According to an embodiment, if there is no need to perform additional authentication, the controller 202 may perform operation 835. According to the embodiment, when additional authentication needs to be performed, the controller 202 may request authentication from the authentication server 207 based on the identified information and information set in the authentication policy 319 and receive the authentication result. (Operation 830). According to the embodiment, when receiving an authentication inability result from the authentication server 207, the controller 202 may transmit connection inability information to the node 201 (operation 845).

When authentication completion information is received from the authentication server 207, the controller 202 uses authentication-related information received from the authentication server 207 (e.g., the service verifies the authentication information of the node through the authentication server and provides related authorization information). A set of information to confirm the authentication-related information of the node, such as an authentication token for receiving or receiving protected information) can be stored.

If authentication is completed or additional authentication is not required, in operation 835, the controller 202 may check whether a valid data flow exists corresponding to the information (destination identification information, port information) requested for connection by the node 201. .

According to an embodiment, if a valid data flow exists, the controller 202 may perform operations 840 and 845 without creating a data flow.

According to an embodiment, when a valid data flow does not exist, the controller 202 may create a data flow including a source IP, a destination IP, service port information, and service domain information.

According to an embodiment, the data flow includes connectivity control information to identify the gateway 203 as an authorized node 201 (e.g., whether a logical connection authentication-based connection, an authorized channel, or session-based connection, and information for identifying this). , status information), information related to whether the node 201 needs to perform additional authentication to access the service, and protection information of the authorized target to be inserted through the gateway 203 as information set in advance by the service provider ( Example: Information that cannot be identified through general service protocols, such as the node's operating system and device type, user identification information, security compliance compliance information, and a series of information received from the authentication server) may be included. For example, the protected information of an authorized target is determined by checking whether it is an authorized target and inserting a series of information previously identified by the controller, whether to insert it into the header or into the body. Information to determine whether to insert, protection information to be removed and returned from the gateway 203 when the service server returns a service request result to the node 201, protection information to be removed and returned to the data of the gateway 203 Whether it needs to be updated or stored in the flow, if a service request exists at the node 201, and when the service result is returned, which of the protection information removed from the gateway 203 should be reinserted among the protection information stored or updated in the data flow When accessing information and services, whether authentication is required is checked through the gateway 203 and redirected to the authentication server, or when the service server redirects a service request to the authentication server, information that needs to be shared or protected between two mutually different domains identified during the authentication process. It may include protection information, protection information token generation method, and algorithm information. In this case, the controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 of the node 201 (operations 840 and 845).

In operation 850, the access control application 211 of the node 201 may process the result of the response received from the controller 202. For example, when the connection control application 211 receives a network connection unavailable result from the controller 202, the connection control application 211 may drop the data packet that the target application wants to transmit. As another example, when a data flow is received from the controller 202, the access control application 211 may transmit data packets based on the received data flow. In this case, the access control application 211 may update the existing data flow with the received data flow.

Figure 9 shows a signal flow diagram for processing a service request according to various embodiments.

When a service request is received from an authorized target, the gateway 203 inserts and forwards information related to the authorized target to determine whether the service request is received from an authorized target on the service server existing in the destination network 205. You can perform network access control to check.

At operation 905, a proxy included in gateway 203 may receive a service request.

In operation 910, the gateway 203 collects the destination IP and port information included in the received IP header and the destination IP and port information or service domain information included in the service request, and the connectivity control type and identification information of the service request (e.g., You can check whether a data flow exists corresponding to (identification by logical connection, identification by channel, identification by certificate). According to the embodiment, the gateway 203 may check whether a data flow corresponding to the service domain information of the received service request exists.

According to an embodiment, when a data flow does not exist, or when a data flow exists but is invalid (e.g., access by unauthorized connectivity control type and identification information, or access by authorized connectivity control type and identification information, but the access is not valid), In case of impossible destination IP and port information or service domain information), the gateway 203 may reject the service request (operation 925).

According to an embodiment, if a data flow exists but authentication is required, the gateway 203 may redirect to the authentication server 207 based on authentication information included in the data flow, in operation 930.

According to an embodiment, if a data flow exists and authentication is not required, gateway 203 may perform operation 915.

At operation 915, the gateway 203 may check whether a protected information token is present in the service request and, if so, whether the protected information token is included in the protected information of the corresponding data flow.

According to an embodiment, when the protected information token is included in the protected information of the data flow, the gateway 203 sends the protected information of the authorized target discovered based on the protected information token (e.g., the service server requests a service to the node 201). When returning a result, the protection information to be removed and returned from the gateway 203, whether the protection information to be removed and returned should be updated or stored in the data flow of the gateway 203, and whether a service request exists in the node 201. In this case, when the service result is returned, among the protection information removed from the gateway 203, among the protection information stored or updated in the data flow, the protection information to be reinserted is checked and whether authentication is required through the gateway 203 when accessing the service. When redirecting to a server or when a service server redirects a service request to an authentication server, the service request information is redirected according to the protection information to be shared or protected between two mutually different domains identified during the authentication process, protection information token generation method, and algorithm information). Protected information that can be identified and processed by the service server can be inserted into parts appropriate for the protocol (e.g., header and body areas for HTTP).

According to an embodiment, the gateway 203 may generate authentication information based on the authentication information generation algorithm and protection information included in the authentication information of the data flow. According to the embodiment, the gateway 203 may encrypt the authentication information with an encryption algorithm and an encryption key included in the authentication information, and provides a data flow header combining the encrypted authentication information and data flow identification information according to the service protocol standard. Can be inserted into request information.

According to the embodiment, the gateway 203 is information set in advance by the service provider, and protects information of the authorized target to be inserted through the gateway 203 (e.g., node's operating system and device type, user identification information, security compliance compliance). It may include information that cannot be identified through general service protocols, such as information or a series of information received from an authentication server. For example, the protected information of an authorized target is determined by checking whether it is an authorized target and inserting a series of information previously identified by the controller, whether to insert it into the header or into the body. Information that determines whether to insert) may be inserted into the header and body of the service request information according to the service protocol standard and the service request may be transmitted (operation 920).

In operation 920, the gateway 203 may forward a service request containing authentication information and protection information to the service server.

According to the embodiment, when returning a service request result to the node 201, the gateway 203 checks the protection information updated in the data flow among the protection information removed and returned by the gateway, and updates the protection information in the data flow. The service request may be transmitted by inserting into the service request (operation 920).

That is, the gateway 203 according to an embodiment disclosed in this document protects the protection information related to the node 201 by updating it in the data flow existing in the gateway 203, and transmits the protection information to the service server to secure the node ( A structure can be provided that identifies the node 201 as an authorized target and processes the service. If there is a service request again from the node 201, the updated protection information is reinserted into the data flow and sent to the service server. By forwarding, it is possible to provide a network environment that allows the node 201 to receive services from the service server without transmitting protection information to the node 201.

Figure 10 shows an operation flowchart for processing service request results according to various embodiments.

When the service request result is received, the gateway 203 secures the network connection of the node 201 by removing the protection information and forwarding it to the node 201 so that the protection information inserted in the service request is not returned to the node 201. It can be controlled safely.

In operation 1005, a proxy included in the gateway 203 may receive a service request result.

In operation 1010, the gateway 203 may check whether a protection information token exists in the service request result, and if the protection information token exists, may check whether the protection information token is included in the protection information of the corresponding data flow. According to an embodiment, the protection information token may consist of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server.

According to an embodiment, when the protected information token is included in the protected information of the data flow, the gateway 203 identifies information that needs to be stored and updated in the data flow among the protected information of the authorized target discovered based on the protected information token. and the protection information of the authorized target of the data flow can be updated and stored. According to the embodiment, the gateway 203 is the result of redirection to the authentication server for information for storage and update, or when the information is protected information to be shared and protected between two different domains, the authorized target included in the associated data flow Protected information can also be updated and stored.

According to an embodiment, if a protected information token does not exist in the service request result, the gateway 203 may generate a new protected information token. Additionally, the gateway 203 can identify information that needs to be stored and updated in the data flow among the protection information of the authorized target based on the data flow, and update and store the protected information of the authorized target of the data flow. According to the embodiment, the gateway 203 is the result of redirection to the authentication server for information for storage and update, or when the information is protected information to be shared and protected between two different domains, the authorized target included in the associated data flow Protected information can also be updated and stored.

According to an embodiment, when generating a new protected information token, the gateway 203 may generate the protected information token based on a protected information token generation method and algorithm included in the data flow.

At operation 1015, the gateway 203 may remove the protected information token from the service request result so that the authorized node 201 cannot reuse a previously used token. In this case, if a new token is generated, the gateway 203 may insert the generated token into the service request result (operation 1020). As another example, the gateway 203 may generate an updated token based on the protection information token generation method and algorithm of the data flow and insert it into the service request result (operation 1020). According to an embodiment, the updated token may be a token used to identify protected information to be inserted into the service request at the gateway 203 when the node 201 performs the service request again.

Additionally, in operation 1015, if the data flow header information and the authorized target's protection information inserted at the time of the service request exist in the service request result information, the gateway 203 removes the data flow header information and the authorized target's protection information. can do.

In operation 1025, the gateway 203 may forward a service request result in which an updated (or generated) protection information token is inserted to the node 201.

Figure 11 shows a signal flow diagram for control flow update according to various embodiments.

Referring to FIG. 11, in operation 1105, the access control application 211 may detect a control flow update event.

In operation 1110, the access control application 211 may request a control flow update from the controller 202 based on control flow identification information.

In operation 1115, the controller 202 may check whether a control flow exists in a control flow table (e.g., control flow table 315 of FIG. 3) based on the received control flow identification information. Depending on the embodiment, when a control flow does not exist (e.g., when the connection is disconnected by another security system, when the connection is disconnected due to its own risk detection, etc.), the controller 202 determines that the connection of the node 201 is valid. Since this is not done, a connection failure result can be transmitted to the access control application 211 (operation 1120).

If a control flow exists, the controller 202 can check the data flow corresponding to the control flow.

According to the embodiment, the controller 202 may update the update time included in the control flow and search for data flow information corresponding to the control flow.

According to an embodiment, the controller 202 may return the corresponding data flow information when re-authentication must be performed among the data flows or when there is a data flow that is no longer accessible (operation 1120).

In operation 1125, the access control application 211 of the node 201 may process the result of the response received from the controller 202. For example, the access control application 211 may block all network connections of the application when the control flow update result is impossible. For another example, the access control application 211 may update the data flow if the control flow update result is normal and updated data flow information exists.

12 illustrates a signal flow diagram for disconnection according to various embodiments.

Referring to FIG. 12, in operation 1205, the node 201 terminates the node 201, terminates the connection control application 211, terminates the target application, no longer uses the network connection, and collects information identified from the interworking system. Based on , at least one of the connection termination requests can be detected. In this case, in operation 1210, the node 201 or the access control application 211 may request the controller 202 to remove the control flow.

At operation 1215, the controller 202 may remove the identified control flow based on the received control flow identification information.

In operation 1220, the controller 202 may remove all data flows dependent on the removed control flow. Accordingly, node 201 can no longer connect to the destination network based on the removed data flow.

In operation 1225, the controller 202 may request the gateway 203 to remove all data flows dependent on the removed control flow. The gateway 203 may remove the data flow, and thus data packets corresponding to the source network, destination network, and port information included in the removed data flow can no longer be transmitted.

Figure 13 shows a signal flow diagram for terminating application execution according to various embodiments.

Referring to FIG. 13, in operation 1305, the access control application 211 of the node 201 can check in real time whether the running application is terminated and detect an application execution termination event.

Depending on the embodiment, the access control application 211 may check whether a data flow corresponding to the terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.

In operation 1310, the access control application 211 may request the controller 202 to remove a data flow. For example, the access control application 211 may transmit identification information of a terminated application or identification information of a data flow corresponding to the terminated application to the controller 202 and perform a data flow removal request.

At operation 1315, the controller 202 may delete the data flow for which removal has been requested. Additionally, the controller 202 may perform a removal request for the removed data flow to the gateway 203 (operation 1320). The gateway 203 may remove the data flow, and thus data packets corresponding to the source network, destination network, and port information included in the removed data flow can no longer be transmitted.

FIG. 14 shows a flowchart explaining a gateway operation method according to various embodiments. The operations shown in FIG. 14 may be performed through the gateway 203 of FIG. 2.

At operation 1405, gateway 203 may receive a service request from the node.

In operation 1410, the gateway 203 may confirm the existence of a data flow that corresponds to the service request and is authorized from an external server.

In operation 1415, the gateway 203 may check whether the protection information token included in the service request corresponds to the data flow.

In operation 1420, if the protection information token corresponds to the data flow, the gateway 203 may generate protection information corresponding to the protection information token based on the data flow and to be inserted into the service request. According to an embodiment, the protection information token may consist of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server.

In operation 1425, the gateway 203 may insert protection information to be inserted into the service request into the service request and forward it to the service server.

The above description is merely an illustrative explanation of the technical idea disclosed in this document, and those skilled in the art in the technical field to which the embodiments disclosed in this document belong will understand without departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Accordingly, the embodiments disclosed in this document are not intended to limit the technical ideas disclosed in this document, but rather to explain them, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The scope of protection of the technical ideas disclosed in this document shall be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope shall be interpreted as being included in the scope of rights of this document.

Claims (18)

In the gateway,
communication circuit; Memory; and
a processor operatively connected to the communication circuit and the memory, the processor comprising:
Receive service requests from nodes,
Confirm the existence of a data flow that corresponds to the service request and is authorized by an external server,
Verify that the protected information token included in the service request corresponds to the data flow,
If the protection information token corresponds to the data flow, generate protection information corresponding to the protection information token based on the data flow and to be inserted into the service request,
Insert the protection information to be inserted into the service request into the service request and forward it to the service server,
When returning a service request result to the node, remove the protection information token from the service request result, generate a new protection information token, insert it into the service request result, and forward it to the node,
The protected information token consists of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server. The method of claim 1, wherein the processor:
Based on the data flow, when returning a service request result to the node, check the protection information updated in the data flow among the protection information removed and returned by the gateway,
A gateway, configured to further insert updated protection information in the data flow into the service request and forward it to the service server. The method of claim 1, wherein the processor:
If the data flow exists but requires authentication, the gateway is configured to redirect to an authentication server based on authentication information included in the data flow. The method of claim 1, wherein the processor:
Check whether the service request was received through at least one of a tunnel, security session, or logical connection authorized from an external server,
A gateway, configured to determine whether a data flow corresponding to identification information or service domain information of a destination network of the service request exists. The method of claim 1, wherein the processor:
Generate authentication information to be inserted into a service request based on the authentication information included in the data flow,
A gateway, configured to further insert authentication information to be inserted into the service request and information related to the node into the service request and forward it to the service server. According to claim 5,
Information related to the node is:
A gateway comprising at least one of an operating system of the node, a device type of the node, user identification information of the node, security compliance information, or information received from an authentication server. According to claim 5,
Information related to the node is:
A gateway comprising a method of inserting information for confirming whether the node is an authorized target, information identified in relation to the node by the external server, and information related to the node. The method of claim 5, wherein the processor:
A gateway, configured to insert authentication information to be inserted into the service request, protection information to be inserted into the service request, and information related to the node into the header and body of the service request. The method of claim 1, wherein the processor:
Generate authentication information to be inserted into a service request based on the authentication information generation algorithm included in the data flow,
Encrypt the authentication information to be inserted into the service request based on the data flow,
The gateway, configured to insert a data flow header combining encrypted authentication information and identification information of the data flow into the service request. The method of claim 1, wherein the processor:
Receive a service request result from the service server,
Check whether the service request result includes a protected information token,
Check whether the protection information token included in the service request result corresponds to the data flow,
When the protection information token included in the service request result corresponds to the data flow, identify information that needs to be updated in the data flow among the information corresponding to the protection information token included in the service request result and update the data flow,
A gateway configured to forward service request results to the node. 11. The method of claim 10, wherein the processor:
The protective information inserted at the time of the service request is removed from the service request result,
A gateway configured to forward service request results to the node. 11. The method of claim 10, wherein the processor:
If the service request result does not include a protection information token, generate a new protection information token based on the data flow and update it in the data flow,
When returning a service request result to the node based on the data flow, identify protection information that needs to be updated in the data flow among the protection information that the gateway must remove and return, and update the protection information in the data flow,
The protective information inserted at the time of the service request is removed from the service request result,
A gateway configured to forward service request results to the node. The method of claim 11 or 12, wherein the processor:
When returning a service request result to the node based on the data flow, whether the protection information that must be updated in the data flow among the protection information that the gateway must remove and return is protection information that must be shared or protected between different domains. Check and
The gateway, configured to also update protected information included in an associated data flow to the data flow if it is protected information that needs to be shared or protected. On the server,
communication circuit; memory to store the database; and a processor operatively connected to the memory and the communication circuitry; Includes, and the processor,
Receiving a network connection request from a node, the network connection request including identification information of a destination network of the node,
Check whether the node can connect to the destination network based on the database,
If connection is possible, determine the connection method of the node based on the database, whether the node performs a logical connection authentication-based connection or an authorized channel or session-based connection to connect to the destination network,
Check whether at least one of a logical connection, channel, or session can be created between the gateway and the node,
The node creates a data flow to connect to the destination network,
configured to transmit the data flow to the gateway and the node,
The data flow includes authentication information, protection information that must be updated in the data flow among protection information that the gateway must remove and return when the gateway returns a service request result to the node, and information related to the creation of a protection information token to be generated by the gateway. Including,
The protection information token consists of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server,
The protection information token is inserted when forwarding a service request from the gateway to the service server, and is removed and a new protection information token is generated and inserted when forwarding a service request result from the gateway to the node. 15. The method of claim 14, wherein the processor:
Based on the database, check whether to request additional authentication from the authentication server,
If additional authentication request is required, request authentication from the authentication server and receive authentication results and authentication-related information,
Update the data flow corresponding to the data flow identification information based on the authentication-related information,
A server configured to transmit an updated data flow to the gateway. According to claim 15,
The above authentication-related information is:
A server including an authentication token for the service to verify authentication information for a service request of an authenticated target through the authentication server and receive related authorization information or protection information. According to claim 14,
When the data flow returns a service request result to the node, among the protection information that the gateway must remove and return, information related to whether the protection information that must be updated in the data flow is protection information that must be shared or protected between different domains. More including servers. In the method of operating the gateway,
An operation of receiving a service request from a node;
An operation of confirming the existence of a data flow corresponding to the service request and authorized from an external server;
Checking whether the protection information token included in the service request corresponds to the data flow;
If the protection information token corresponds to the data flow, generating protection information corresponding to the protection information token based on the data flow and to be inserted into the service request;
Inserting protection information to be inserted into the service request into the service request and forwarding it to the service server; and
When returning a service request result to the node, removing the protection information token from the service request result, generating a new protection information token, inserting it into the service request result, and forwarding it to the node; Including,
The protection information token is comprised of identification information processed by the gateway to maintain the flow of information to be protected between the authorized target and the service server.