KR102600443B1 - System for controlling network access and method of the same - Google Patents

Abstract

According to an embodiment disclosed herein, a gateway includes a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a data packet for a service request from a node. Check whether data flow authentication information corresponding to the data packet exists, and if it is confirmed that valid data flow authentication information exists, forward the data packet to the destination network, and determine if valid data flow authentication information exists. If it is confirmed not to do so, forwarding the data packet to an external server, forwarding the data packet to the external server, and then performing a data flow including the data flow authentication information from the external server according to the authentication result for the node. It may be configured to receive information about.

Description

System for controlling network access and method related thereto {SYSTEM FOR CONTROLLING NETWORK ACCESS AND METHOD OF THE SAME}

Embodiments disclosed in this document relate to a system and method for controlling network access.

Multiple devices can communicate data over a network. For example, a terminal can transmit or receive data to and from a server via the Internet. Networks may include public networks such as the Internet as well as private networks such as intranets.

When controlling a node's network access using tunneling or authentication information included in a data packet, it is possible to prevent unauthorized nodes or unsafe nodes from accessing the destination network in advance.

Conventionally, in order to control a node's network access in the above manner, the gateway existing at the border of the destination network (target service) uses tunneling, which is the minimum access control unit, or authentication information contained in the data packet to determine whether the node is authorized. In order to check, etc., an access control application (network access control application) that generates authentication information must be installed on the node.

If a node attempts to access the target service without the access control application installed, access to the destination network is blocked. From the point of view of the node user, there is no way to know why access to the destination network is blocked. There is a problem.

Additionally, in cases where the access control application cannot be installed (e.g., nodes with an older version of the operating system for which technical support required to install the access control application has ended, low-power IoT with low absolute hardware specifications, and operating systems not supported by the access control application) installed node, etc.), there is a problem in which the node cannot connect to the destination network.

A gateway according to an embodiment disclosed in this document includes a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a data packet for a service request from a node, Check whether data flow authentication information corresponding to the data packet exists, and if it is confirmed that valid data flow authentication information exists, forward the data packet to the destination network, and if the valid data flow authentication information does not exist, forward the data packet to the destination network. If confirmed, the data packet is forwarded to an external server, and after forwarding the data packet to the external server, the data flow including the data flow authentication information is verified from the external server according to the authentication result for the node. Can be configured to receive information.

In addition, the external server according to an embodiment disclosed in this document includes a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor is configured to, when a data packet for a service request is obtained, , Transmits authentication support information to the node with reference to the data packet, obtains a network connection request including a source IP (internet protocol) from the node based on the authentication support information, and includes the network connection request. Based on the information, it is checked whether the node can connect to the destination network, and if it is confirmed that the node can connect, information about the data flow including data flow authentication information can be configured in the gateway.

In addition, the method of operating a gateway according to an embodiment disclosed in this document includes the steps of receiving a data packet for a service request from a node, checking whether data flow authentication information corresponding to the data packet exists, and valid If it is confirmed that data flow authentication information exists, the data packet is forwarded to the destination network, and if it is confirmed that the valid data flow authentication information does not exist, the data packet is forwarded to an external server and then forwarded to the node. It may include receiving information about the data flow including the data flow authentication information from the external server according to the authentication result.

According to embodiments disclosed in this document, a node can access a target service even if the access control application is not installed on the node.

In addition, according to embodiments disclosed in this document, a first access right is granted to the node that installs the access control application, and a second access right is granted to the node that performs the authentication process, so that the node can efficiently access the target service. You can connect.

Additionally, according to embodiments disclosed in this document, unauthorized transmission of data packets to an unauthorized destination network can be prevented.

In addition, according to the embodiments disclosed in this document, the security of the destination network can be improved by recovering the tunnel or data flow when the target application installed on the node is terminated or based on a security event received from the linked system. .

In addition, according to embodiments disclosed in this document, even when data packets received from a plurality of nodes include the same source IP, network connection is independently established for each node based on updated data flow authentication information. You can control it.

In addition, various effects that can be directly or indirectly identified through this document may be provided.

1 shows an architecture within a network environment according to various embodiments.
2 is a functional block diagram illustrating a database stored in a control server according to various embodiments.
Figure 3 shows a functional block diagram of a gateway according to various embodiments.
4A and 4B illustrate an operation for controlling transmission of data packets according to various embodiments.
Figure 5 is a diagram for explaining the operation of a gateway when a node without an access control application is installed attempts to access a service server.
Figures 6 to 10 are diagrams for explaining operations related to nodes on which an access control application is not installed.
FIG. 11 is a diagram illustrating data packets according to various embodiments related to authentication information required for creating a logical connection.
Figures 12 to 16 are diagrams for explaining operations related to a node on which an access control application is installed.
Figure 17 is a diagram for explaining the protocol inspection process.
Figure 18 is a diagram to explain the process of a gateway processing a service request.
Figure 19 is a diagram for explaining the structure of service request information in which a data flow header is inserted.
In relation to the description of the drawings, identical or similar reference numerals may be used for identical or similar components.

Hereinafter, various embodiments of the present invention are described with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, and should be understood to include various modifications, equivalents, and/or alternatives to the embodiments of the present invention.

In this document, the singular form of a noun corresponding to an item may include one or plural items, unless the relevant context clearly indicates otherwise. In this document: “A or B”, “at least one of A and B”, “at least one of A or B”, “A, B or C”, “at least one of A, B and C” and “A, Each of phrases such as “at least one of B, or C” may include any one of the items listed together in the corresponding phrase, or any possible combination thereof. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish one component from another, and to refer to that component in other respects (e.g., importance or order) is not limited. One (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.” When mentioned, it means that any of the components can be connected to the other components directly (e.g. wired), wirelessly, or through a third component.

Each component (eg, module or program) described in this document may include singular or plural entities. According to various embodiments, one or more of the corresponding components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (eg, modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each component of the plurality of components in the same or similar manner as those performed by the corresponding component of the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations may be executed in a different order, omitted, or , or one or more other operations may be added.

As used in this document, the term "module", or "part" may include a unit implemented in hardware, software, or firmware, and may include terms such as logic, logic block, component, or circuit. Can be used interchangeably. A module may be an integrated part or a minimum unit of the parts or a part thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document may be implemented as software (e.g., a program or application) including one or more instructions stored in a storage medium (e.g., memory) that can be read by a machine. For example, the processor of the device may call at least one instruction among one or more instructions stored from a storage medium and execute it. This allows the device to be operated to perform at least one function according to the at least one instruction called. The one or more instructions may include code generated by a compiler or code that can be executed by an interpreter. A storage medium that can be read by a device may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not contain signals (e.g. electromagnetic waves), and this term refers to cases where data is semi-permanently stored in the storage medium. There is no distinction between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided and included in a computer program product. Computer program products are commodities and can be traded between sellers and buyers. A computer program product may be distributed in the form of a machine-readable storage medium (e.g. compact disc read only memory (CD-ROM)) or through an application store or between two user devices (e.g. smartphones). It may be distributed in person or online (e.g., downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be at least temporarily stored or temporarily created in a machine-readable storage medium, such as the memory of a manufacturer's server, an application store server, or a relay server.

1 shows an architecture within a network environment according to various embodiments.

Referring to FIG. 1, nodes 103_1 and 103_2 may be various types of devices capable of performing data communication. For another example, the nodes 103_1 and 103_2 may be connected to portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, and virtual reality (VR) devices. ) may include devices, or home appliances, and is not limited to the above-mentioned devices. Nodes 103_1 and 103_2 may also be referred to as ‘electronic devices’ or ‘terminals.’

Gateway 101 may be connected to nodes 103_1 and 103_2. For example, the gateway 101 provides the nodes 103_1 and 103_2 with a structure in which communication is possible only when a data flow authorized by the control server 102 exists, so that the nodes 103_1 and 103_2 can connect to the service servers 105_1 and 103_2. It can support access to 105_2). Additionally, the gateway 101 may provide the nodes 103_1 and 103_2 with a structure in which communication cannot be performed if a data flow does not exist.

According to the embodiment, the gateway 101 receives a data packet for connection to the destination network from a node, checks whether data flow authentication information corresponding to the data packet exists, and determines whether valid data flow authentication information exists. If confirmed, the node's service request can be supported by forwarding the data packet to the destination network. If it is determined that valid data flow authentication information does not exist, the data packet can be forwarded to an external server (e.g., authentication server 104) to support authentication of the node. Additionally, information about the data flow including data flow authentication information can be received from an external server according to the authentication result for the node.

According to the embodiment, if it is confirmed that a data flow does not exist, the gateway 101 checks whether the data packet is a data packet of an authenticable protocol, and if the data packet is confirmed to be a data packet of an authenticable protocol, the gateway 101 determines whether the data packet is a data packet of an authenticable protocol. The data packet is sent to the authentication server 104 by performing a network address translation (NAT) process that converts the destination IP and destination port of the packet to an external server IP and external server port corresponding to the external server (e.g., authentication server 104). It can be forwarded to .

According to the embodiment, when the access control application is installed, the gateway 101 receives a tunnel creation request for creating a tunnel from the node 103_1, and creates a tunnel with the node 103_1 based on the tunnel creation request, You can communicate with nodes through a tunnel.

Additionally, the service servers 105_1 and 105_2 may be various types of devices capable of performing data communication. For another example, the service servers 105_1 and 105_2 may support portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, and VR (virtual devices). reality) device, or home appliance device, and is not limited to the above-mentioned devices. Service servers (105_1, 105_2) may also be referred to as ‘electronic devices’ or ‘terminals.’

The nodes 103_1 and 103_2 may transmit data packets to the service servers 105_1 and 105_2 or receive data packets from the service servers 105_1 and 105_2. Some of the target applications included in nodes 103_1 and 103_2 may be trusted and/or secure applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs. The network access control system according to can block unauthorized programs (applications) from accessing the service servers (105_1, 105_2) and isolate the programs (for example, blacklist registration).

The control server 102 can ensure reliable data transmission within a network environment by managing data transmission between the gateway 101 and the service servers 105_1 and 105_2. For example, the control server 102 may allow an authorized access control application to access the network through policy information or blacklist information. The control server 102 may provide authentication information to perform authentication between the gateway 101 and the service servers 105_1 and 105_2. Accordingly, the access control application can prevent unauthorized nodes from transmitting data packets to unauthorized destinations.

According to embodiments, a node's network access may be blocked by an access control application, control server 102 or gateway 101. According to one embodiment, the control server 102 transmits and receives control data packets to the gateway 101 to perform various operations (e.g., registration, approval, authentication, renewal, termination) associated with the network connection of the gateway 101. can do. The flow through which control data packets are transmitted may be referred to as ‘control flow’. According to the embodiment, the control server 102 can always maintain a secure network state by immediately reclaiming the tunnel according to a security event received from a linked system (e.g., gateway), or by immediately reclaiming the tunnel when the target application is terminated. . Additionally, the above structure can be applied substantially in the same way to the relationship between the access control application and the control server 102.

According to embodiments, control server 102 may communicate with authentication server 104. For reference, Figure 1 shows a case where the control server 102 and the authentication server 104 are separated, but the present invention is not limited to this, and the control server 102 and the authentication server 104 are integrated into one. It may be composed of a server (eg, an external server).

Figure 2 is a functional block diagram illustrating a database stored in the control server 102 according to various embodiments. Although FIG. 2 shows only a memory, the control server 102 may further include a communication circuit for communicating with an external electronic device and a processor for controlling the overall operation of the control server 102.

The administrator can connect to the control server 102 and set connection-oriented policies to control access between the access control application, gateway 101, and service server, so network access is more detailed and safer than managing sessions at the service level. can be controlled.

The access policy database 211 includes at least some of the information for identification of the node (node unique identification information, user information corresponding to the node, information on services that the target application of the node can access, etc.) and authentication (certificate, etc.) can do. For example, when a network connection request is obtained from a target application controlled by a connection control application, the control server 102 configures the node, target application, and /Or it may be determined whether the user can connect to the destination (eg, service server or gateway 101). In addition, even when the access control application is not installed, when a network connection request is obtained from the target application, the control server 102 detects the node identified at the time of the network connection request based on the policy of the connection policy database 211, the target application. And/or it may be determined whether the user can connect to the destination (eg, service server or gateway).

According to the embodiment, the control server 102 uses a method for identifying a connection target and identification information (e.g., a MAC address-based identification method of the node, an identification method based on authentication information transmitted by the node when requesting network access, and the router 201). How to identify the application requesting network access within the network, and accordingly, destination IP and port information included in the IP header, protocol information (e.g. TCP, UDP, etc.), MAC address, application identification information, IP assigned to the node, and received network interface You can check whether connection is possible and create a data flow based on (identification information, etc.).

The tunnel policy database 212 may include a series of information (e.g., authentication information, encryption algorithm, tunnel endpoint IP, etc.) required to create a tunnel to connect to the gateway 101 on the connection path according to the connection policy. You can. If there is a tunnel already connected to another gateway (not shown) on the access path, a series of information for using it (collection of IP information assigned to the node and replacement processing, etc.) may be included. For example, the control server 102 may provide a tunnel and gateway 101 optimized for the node based on a tunnel policy when a node connected to the gateway 101 requests network access.

The authentication policy database 213 determines whether to authenticate network access based on the identification information of the node when connecting to the network of a node connected to the gateway 101 according to the access policy 211, and a series of information related to the authentication method when performing authentication. may include information. In addition, the authentication policy database 213 may include certificate information (e.g., Mutual-TLS) issued in advance to the connection target (e.g., node), and the proxy included in the gateway 101 may provide information to the connection target (e.g., node). , node) may include certificate information (e.g., TLS) to induce a secure session to be created.

The protocol policy database 214 is protocol information that can communicate with the connection target service, and includes protocol identification signature information, protocol version information, protocol header information, and protocol information to identify the protocol information included when transmitting and receiving data packets. can do. In addition, the protocol policy database 214 inspects the data packet to what extent (length) and identifies the protocol, providing information on whether to process it as a normal protocol, information on the timing of a network connection attempt or protocol inspection cycle, and who performs the protocol inspection. It includes a series of information related to network disconnection, control flow release, and isolation in case of non-compliance with the protocol.

The service policy database 215 stores service IP, port information, and protocol information (e.g., a node) that can be accessed through a proxy (e.g., a proxy included in the gateway 101) according to the connection policy 211. : HTTP, FTP, IoT-specific protocols, etc.) may be included. In addition, the service policy database 215 includes whether service request filtering is necessary, service request filtering processing method, filtering information (e.g., personal information, harmful service request information), and prevents unnecessary or dangerous service requests from the proxy in advance. It can contain a series of information for According to the embodiment, when QoS (Quality of Service) for a service request is required, the service policy database 215 sets the number of service requests possible in a certain time unit and sets the number of service requests in the proxy accordingly. may include information.

The control flow table 216 is an example of a session table for managing the flow (eg, control flow) of control data packets generated between the access control application and the control server 102. When successfully connecting to the control server 102, control flow information may be generated by the control server 102. Control flow information may include identification information of the control flow, an IP address identified when connecting to and authenticating the control server 102, node identification information, target application identification information, and information additionally identified through linkage with the service server. You can. For example, when connection to a service server is requested, the control server 102 may search for control flow information through control flow identification information, and may store the identification information included in the searched control flow information in the connection policy database 211. By mapping to , it is possible to determine (determine) whether the node can connect to the service server and whether a data flow for transmitting data packets is created.

According to one embodiment, a control flow may have an expiration time. The access control application must periodically/non-periodically update the expiration time of the control flow, and if the expiration time is not updated within a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate access blocking is necessary according to security events collected from the target application and/or the gateway 101, or when a connection termination request from the target application is obtained, the control server 102 may remove the control flow. You can. When the control flow is removed, the previously created data flow is also removed, so access to the service server through the corresponding gateway 101 may be blocked.

The data flow table 217 is a table for managing the flow (e.g. data flow) in which detailed data packets are transmitted between the node and the gateway 101, and includes the target application of the node, the gateway 101, and the service server. It may contain data flow information for managing tunnels and/or sessions.

Since data flow identification information (e.g., ID) for identifying a data flow and node identification information (e.g., MAC address information) can create one or more logical connections with a service server, the data flow table 217 is a control It can be managed based on flow ID.

According to the embodiment, the data flow table 217 is an application and the minimum identification unit of the application, information for the gateway 101 to determine whether network connection is possible based on the source IP, destination IP, and service port information of the data packet, A series of information required to create a tunnel with the gateway 101 on the access path (authentication information, encryption algorithm, Tunnel End Point IP, etc.), data flow status information regarding whether the data flow is available, and the corresponding data flow. In the case of periodic authentication, at least some of the required authentication expiration time information may be included.

According to an embodiment, the data flow table 217 may include authentication information. For example, authentication information is a set of information to check whether an allowed node has transmitted a data packet, and the authentication information is checked for each protocol (e.g., for TCP, TCP SYN packet inspection, and for UDP, data packet star authentication information check or authentication information test at regular intervals (or cycles), inspection method, etc.), information for decrypting authentication information, algorithm information for generating and verifying authentication information, and a series of information included in the algorithm (e.g. HMAC OTP When created, information such as Secret Key, etc.) may be included.

According to an embodiment, the data flow table 217 may include certificate information issued in advance to process a request for creating a secure session from an authorized connection target (eg, node).

Additionally, the data flow table may include information about security sessions.

According to an embodiment, the data flow table 217 may include service information. For example, service information includes service IP and port information that permitted access targets can access through proxy, protocol information (e.g. HTTP, FTP, IoT-specific protocol, etc.), whether service request filtering is necessary, and service request filtering processing method. , may include filtering information (e.g. personal information, harmful service request information). In addition, the service information is a series of information to block unnecessary or dangerous service requests in advance at the proxy, and when QoS (Quality of Service) for service requests is required, the number of service requests available in a certain time unit is set. Accordingly, the proxy may include a series of information to adjust the number of service requests. According to an embodiment, service information may be generated based on the service policy 318.

According to the embodiment, the data flow table 217 may be equally stored in the node and/or gateway 101 where the access control application is installed.

The tunnel table 218 may include identification information of the tunnel created between the target application and the gateway 101 and the IP of the tunnel. For example, the control server 102 may determine whether a tunnel between the target application and the gateway 101 has been created based on the tunnel table 218. In addition, the tunnel table 218 is a table for managing the tunnel connected between the target application and the gateway 101. If a valid tunnel exists, the tunnel table 218 includes a tunnel ID for managing and identifying the tunnel, the gateway 101, and the control server ( 102) It can be composed of a control flow ID for control between the devices and additional information to manage TEP (tunnel end point), TSP (tunnel start point), tunnel algorithm and type, encryption level, etc.

The blacklist database 219 may include a list of targets blocked by the blacklist policy database 220. For example, if the identification information of the target application requesting network access is included in the blacklist database 219, the control server 102 may isolate the target application by rejecting the network connection request.

The blacklist policy database 220 is a target (e.g., node ID (identifier), IP) identified through analysis of security event risk, occurrence cycle, and/or behavior among security events periodically collected from the node or gateway 101. It may indicate a blacklist registration policy to block access by (at least one of) an address, a media access control (MAC) address, and a user.

Figure 3 shows a functional block diagram of the gateway 101 according to various embodiments. Referring to FIG. 3, the gateway 101 may include a processor 310, a memory 320, and a communication circuit 330.

The processor 310 may control the overall operation of the gateway 101. In various embodiments, the processor 310 may include one processor core (single core) or may include a plurality of processor cores. For example, the processor 310 may include multi-core, such as dual-core, quad-core, or hexa-core. Depending on embodiments, the processor 310 may further include a cache memory located internally or externally. Depending on embodiments, the processor 310 may be configured with one or more processors. For example, the processor 310 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).

All or a portion of the processor 310 is electrically or operatively coupled to other components (e.g., memory 320, communication circuitry 330) within the control server 102. It can be with) or connected to. The processor 310 may receive commands from other components of the gateway 101, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 310 can interpret and process messages, data, instructions, or signals received from the memory 320 and the communication circuit 330. Processor 310 may generate new messages, data, instructions, or signals based on received messages, data, instructions, or signals. The processor 310 may provide processed or generated messages, data, instructions, or signals to the memory 320 and the communication circuit 330.

The processor 310 can process data or signals generated or generated by a program. For example, the processor 310 may request instructions, data, or signals from the memory 320 to execute or control a program. The processor 310 may record (or store) or update instructions, data, or signals to the memory 320 in order to execute or control a program.

The memory 320 may store commands for controlling the gateway 101, control command codes, control data, or user data. For example, the memory 320 may include at least one of an application program, an operating system (OS), middleware, or a device driver.

Memory 320 may include one or more of volatile memory or non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). It can be included. Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc.

The memory 320 uses non-volatile media such as a hard disk drive (HDD), solid state disk (SSD), embedded multi media card (eMMC), and universal flash storage (UFS). More may be included.

The communication circuit 330 may support establishment of a wired or wireless communication connection between the gateway 101 and an external electronic device (e.g., a control server, service server, etc. of FIG. 1), and performance of communication through the established connection. According to one embodiment, the communication circuit 330 may be a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (e.g., a local area network (LAN) ) communication circuit, or power line communication circuit), and using the corresponding communication circuit, a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a long-distance communication such as a cellular network, the Internet, or a computer network It can communicate with external electronic devices through a network. The various types of communication circuits 330 described above may be implemented as one chip or may be implemented as separate chips.

For reference, in the above, the structure of the gateway 101 was described, but the same/similar structure is applied to the control server 102, nodes 103_1, 103_2, authentication server 104, and/or service servers 105_1, 105_2. The explanation may apply.

4A and 4B illustrate an operation for controlling transmission of data packets according to various embodiments.

Referring to FIG. 4A, in a state in which a network connection request to the service server from a target application (e.g., malware) is detected by the access control application, the access control application or gateway 101 is connected to the control server 102. If not, the access control application may block the transmission of data packets in the kernel or network driver that includes the operating system. Through the access control application, the control server can block the access of malicious nodes in advance at the application layer of the OSI layer.

The node 103 connected to the access control application must connect to an external server (e.g., control server 102) to perform authentication, and when connecting to the service server 105 after performing authentication, the connection network information is sent to the control server ( 102) can be queried to check whether connection is possible, and if connection is possible, data packets can be transmitted to the service server 105.

The gateway 101 checks the data packet received from the target application through an external server (e.g., control server 102), and if it is a data packet transmitted by an authorized target application, transmits a response data packet to the target application. It can be allowed to do so. For example, the gateway 101 can check whether a tunnel has been created with the target application through which the data packet was received, and forward the data packet to the destination only when the tunnel has been created. As a result, unauthorized nodes are basically unable to communicate with each other, and even authorized nodes cannot transmit and receive data packets unless a tunnel determined by the control server 102 is created.

Additionally, referring to FIG. 4B, when a data packet is received from the target application, the gateway 101 determines whether the node and/or the target application are authenticated, and if the node and/or the target application are not authenticated, the gateway 101 determines whether the node and/or the target application are authenticated. Packets can be dropped.

Figure 5 is a diagram for explaining the operation of the gateway 101 for each target application type.

Referring to FIG. 5, when a node 103 that does not have a connection control application installed attempts to connect to the service servers 105_1 and 105_2, the gateway 101 can check whether the service request is according to a general protocol. . In the case of a general-purpose protocol that can be processed by the proxy of the gateway 101 (e.g., IETF RFC standard protocols such as HTTP and FTP), the gateway 101 can perform detailed service access control by data flow. . On the other hand, in the case of a native protocol that cannot be processed by the proxy, the gateway 101 can perform connection control and data packet inspection by data flow.

Figure 6 schematically shows the data packet forwarding process from a node on which an access control application is not installed.

Referring to FIG. 6, in operation 605, the node 103 on which the access control application is not installed may transmit a series of data packets for accessing the service server, and the data packets are transmitted at the boundary between the service server and the node. It can be passed through the gateway 101 located there.

Then, in operation 610, the gateway 101 may check whether the data packet is transmitted from the node 103 on which the access control application is not installed by referring to the data flow information obtained from the control server 102. If it is confirmed that the access control application is transmitted from the node 103 that is not installed, the gateway 101 determines whether there is a data flow accessible to the service server IP and port based on the source IP (e.g., node IP). You can check it.

In operation 615, if it is confirmed that an accessible data flow exists, the corresponding node 103 has already obtained the minimum authentication and access authority from the control server 102, so the gateway 101 connects the control server 102 Based on the data flow obtained from , the data packet can be forwarded to the service server. At this time, by updating the time or timestamp information corresponding to the last data packet forwarding point, the corresponding node 103 continuously performs network access through periodic data flow synchronization between the gateway 101 and the control server 102. The control server 102 can be made aware that there is.

On the other hand, if no data flow exists, the node 103 may be considered an unauthorized node. In this case, the gateway 101 instructs the node 103 to install an access control application or communicates with the authentication server 104 for separate authentication, so that the data packet obtained from the node 103 can be authenticated. It is possible to check whether it is a protocol data packet (e.g., a data packet using the HTTP protocol).

In operation 625, if it is a data packet of an authenticable protocol, the destination IP and port included in the IP header of the data packet are processed by NAT (Network Address Translation) based on the external server IP and external server port information to connect to the external server. Forwarding the data packet to (e.g., authentication server 104), at operation 630, authentication server 104 may receive the data packet. If it is not a data packet of an authenticable protocol (e.g., a data packet using the HTTP protocol), the gateway 101 may drop the data packet, but is not limited to this, and is not limited to this. Similar to the case of a data packet using the HTTP protocol), it may be forwarded to the authentication server 104 after NAT processing.

Figure 7 schematically shows the authentication process when a node 103 that does not have an access control application installed transmits a service request.

Referring to FIG. 7 , in operation 705, a node 103 that does not have the access control application installed may run the application to attempt to connect to a service, and may accordingly transmit a service request in operation 710. In operation 715, the service request of node 103 may be forwarded to an external server (eg, authentication server 104) after NAT processing through the gateway 101. However, it is not limited to this, and the node 103 may directly transmit a service request to the authentication server 104.

Then, in operation 720, the authentication server 104 may receive a service request, and in operation 725, return authentication-related service information for installing an access control application or performing separate authentication to the node 103.

Then, in operation 730, the node 103 receives the service connection result and attempts to connect to the network by installing an access control application according to the received service connection result (e.g., authentication-related service information) or connects to the network through an authentication procedure. Connection can be made. This will be explained with reference to FIG. 8.

Figure 8 schematically shows authentication-related service information output through the display of the node.

The node (user) either (i) installs an access control application (network access control application) based on the authentication-related service information shown in FIG. 8 or (ii) uses a separate authentication method (user ID) provided by the authentication server 104. The authentication process can be performed through (based authentication, QR authentication, Multi Factor Authentication, etc.). When authentication for the node is completed, the control server 102 generates data flow information including service server information that the node can access and transmits it to the gateway 101, and the node can then access the service server. do.

Figure 9 schematically shows a process in which the node 103 performs an authentication procedure according to a separate authentication method provided by an external server (eg, authentication server 104).

Referring to FIG. 9, when the node 103 transmits an authentication request to the authentication server 104, it is transmitted to the gateway 101 as in operation 905, and then after NAT processing through the gateway 101 in operation 910. It may be forwarded to the authentication server 104, but is not limited to this, and the node 103 may directly transmit the authentication request to the authentication server 104.

At operation 915, when an authentication request is received, processing for the authentication request may be performed by the authentication server 104 or a control server 102 that includes authentication server functionality, and at operation 920, the authentication server 104 may: The authentication request may be processed by processing an authentication request received from the node 103 or another authentication system (eg, Multi Factor Authentication, etc.) connected to the authentication server 104.

The authentication server 104 may check the authentication request-related information transmitted by the node 103 and, if authentication fails, return authentication failure information to the node 103.

If authentication is successful, in operation 925, the authentication server 104 connects the control server based on the node identification information (operating system information of the authenticated node, terminal type information, etc.), source IP information, user identification information, etc. identified during the authentication process. You can request authentication at (102).

Additionally, when an authentication request is made through authentication server redirection from the gateway 101, the authentication server may request authentication from the controller including data flow identification information and security session identification information included in the authentication request information.

When a node performs initial authentication, the control server 102 receives authentication request information (node identification information (operating system information of the authenticated node, terminal type information, etc.), source IP information, user information, etc.) received from the authentication server 104. You can create a control flow according to (identification information, etc.) and add it to the control flow table.

Additionally, in operation 930, the control server 102 checks the connection policy database to determine whether a service server to which the node 103 can connect exists, and if a service server to which the node 103 can connect exists, the node 103 Information to check the source IP, destination IP, service port information, and protocol of data packets transmitted and received between the service servers so that the service server can be accessed. Protocol identification signature to identify the protocol information included when transmitting and receiving data packets. and version information, header information, protocol information, etc., and, if necessary, to what extent (length) the data packet is inspected to identify the protocol, information on whether to process it as a normal protocol, and when a network connection is attempted or periodically. Protocol information including information about whether to perform a test and status information about whether the test is completed or whether more tests are needed, service IP and port information that can be accessed through the proxy included in the gateway 101, and protocol information. (e.g. HTTP, FTP, IoT-specific protocols, etc.) and whether service request filtering is necessary, service request filtering processing method, filtering information (e.g. personal information, harmful service request information), and any unnecessary or unnecessary information in advance by the proxy. If a series of information to block dangerous service requests and QoS (Quality of Service) for service requests are required, a series of sets to set the number of service requests possible in a certain time unit and adjust the number of service requests in the proxy accordingly A series of information, including certificate information to check whether the connection target is allowed when creating a security session, authentication information for the corresponding node to perform a service request based on the data flow header, and to inspect or create it at the gateway. Data flow information may be generated, and in operation 935, the data flow information may be transmitted to the gateway 101, and in operation 940, authentication request result information may be returned to the authentication server 104.

At this time, the OTP may be generated based on the OTP generation information included in the authentication information, the authentication information may be encrypted using the authentication information encryption/decryption key, and then returned including a data flow header combined with the data flow identification information.

Meanwhile, when the node performs authentication by authentication service redirection from the gateway rather than by initial authentication, the control server 102 uses the received service server identification information (IP or domain, port information) and the authentication request received from the authentication server. Data flow can be searched based on information (node identification information (operating system information of the authenticated node, terminal type information), source IP information, user identification information).

If a data flow does not exist, control server 102 may return authentication failure information.

If a data flow exists, the control server 102 generates an OTP based on the OTP generation information included in the data flow authentication information, encrypts the authentication information using the authentication information encryption/decryption key, and then combines it with the data flow identification information. It can be returned including a data flow header.

Then, in operation 945, when the authentication server 104 returns the authentication request processing result to the node 103, the node 103 provides the service with the second access authority (e.g., minimal access authority) without installing the access control application. You can connect to the server.

The case where a node whose authentication has been completed requests deauthentication as described above will be described with reference to FIG. 10.

Referring to FIG. 10, the node 103 may transmit a deauthentication request to an external server (e.g., the authentication server 104) through the deauthentication request function. In this case, the deauthentication request is transmitted to the gateway in operation 1005. Afterwards, the relevant data packet may be forwarded to the authentication server after NAT processing in the gateway 101 as in operation 1010, but the present invention is not limited thereto, and the node 103 may transmit a request for deauthentication to the authentication server 104. there is.

At operation 1015, the authentication server 104 receives a deauthentication request, and processing the deauthentication request may be performed by the authentication server 104 or a control server 102 including an authentication server function, and at operation 1020, The authentication server 104 can process a deauthentication request by processing a deauthentication request received from the node 103 or a deauthentication request from another authentication system (e.g., Multi Factor Authentication, etc.) connected to the authentication server 104. there is.

The authentication server 104 may check the information related to the deauthentication request transmitted by the node 103 and, if the deauthentication request fails, return the deauthentication failure information to the node 103.

In operation 1025, if the information for de-authentication is valid, the authentication server 104 based on the identified node identification information (operating system information of the authenticated node, terminal type information, etc.), source IP information, user identification information, etc. The control server 102 may be requested to deauthenticate the node 103.

In operation 1030, the control server 102 performs deauthentication request information (node identification information (operating system information of the authenticated node, terminal type information, etc.), source IP information, user identification information) received from the authentication server 104. A control flow can be removed, and a series of data flow information dependent on the control flow can be removed.

In operation 1035, the control server 102 may propagate the removed data flow information to the gateway 101, and in operation 1040, the result of processing the deauthentication request may be returned to the authentication server 104.

Then, in operation 1045, the authentication server 104 returns a deauthentication request processing result to the node 103, and when deauthentication is completed, the node 103 must then install an access control application or perform a separate authentication process. You may be in a state where you can connect to the service server.

11 illustrates a data packet according to various embodiments related to authentication information required for creating a logical connection.

Referring to FIG. 11, a UDP data packet 1110 including node (terminal) header information may include an IP header, a node header (Device Header), and a payload. For example, node header 1130 may include node identification information and node authentication information.

Additionally, the TCP data packet 1120 including node header information may include an IP header, TCP header, node header, and payload. For example, node header 1130 may include node identification information and node authentication information.

According to the embodiment, the node authentication information may be information for commonly authenticating all network connections transmitted from the node 103 or for authenticating by network connection unit (destination IP and port).

The node 103 inserts the node identification information and authentication information previously given by the control server 102 (e.g., for TCP, inserts TCP SYN packets, for UDP, inserts authentication information for each data packet or at regular intervals ( (or cycle), insertion of authentication information, insertion method and timing, etc.), information for encryption of authentication information, algorithm information for generating authentication information, and a series of information included in the algorithm (e.g. information such as Secret Key when generating HMAC OTP) A node header may be created based on at least one of the following and included in the data packet. The node header included in the data packet may be authenticated by the gateway 101 or the control server 102 to check whether it is a normally transmitted data packet.

FIG. 12 schematically shows the steps of connecting a node 103 on which a connection control application is installed to an external server (eg, control server 102).

Referring to FIG. 12, at operation 1205, a connection control application installed on node 103 may request a connection to control server 102 to create a control flow (control data packet flow and a series of sessions).

At operation 1210, the control server 102 verifies the connection request and, based on a policy database (e.g., a connection policy database and a tunnel policy database, a blacklist database, etc.), collects information (type of node, etc.) that the connection control application has requested to connect. Check whether the node 103 is accessible by referring to location information, environment and network containing the node, access control application information, user or device authentication information to identify whether the node is an authorized node, etc. You can check whether node and network identification information (node ID, IP, MAC address, etc.) is included in the blacklist.

If the node 103 is unavailable for connection or is included in the blacklist, the control server 102 transmits unconnectable information to the node 103, and the node 103 stops running the access control application and terminates it. , related error information can be output.

On the other hand, in operation 1215, if it is determined that the node is reachable, the control server 102 generates a control flow, generates a control flow ID in the form of a random number, and provides node and network identification information (node ID, IP, MAC address, etc.) can be added to the control flow table.

In operation 1220, the control server 102 refers to the connection policy database and tunnel policy database matching the identified information (node, source network information, etc.) to determine the destination network to which the currently connected node 103 can connect by default. You can check whether information exists and create whitelist information for accessible applications.

The control server 102 may return control flow ID and application whitelist information to identify the control flow.

In addition, the control server 102 connects to the node 103 by referring to the type of the node 103, location information, environment, network including the node 103, IP of the node 103, etc. By listing possible tunnel types and gateways 101 and checking the status (throughput, failure status) of the listed gateways, the optimal tunnel and optimal gateway can be identified.

In operation 1225, if there is a tunnel and a gateway accessible to the node 103, the control server 102 may transmit a series of information, such as a gateway and tunnel authentication for creating a tunnel, to the node 103.

In operation 1230, when it is necessary to create a new tunnel, the node 103 creates the corresponding gateway 101 based on a series of information required for tunnel creation, such as the gateway and tunnel authentication for tunnel creation received from the control server 102. A tunnel can be created by requesting tunnel creation.

When tunnel creation is completed, the control server 102 may obtain tunnel creation completion information and/or dedicated IP information set according to tunnel creation, register the tunnel dedicated IP and corresponding tunnel creation information in the tunnel table, and node (103 ) can be updated in the control flow.

In operation 1235, if a new tunnel is not created and the node 103 is connected through a tunnel previously connected between the gateway 101 existing in the network to which it belongs and the gateway 101 existing at the border of the destination network, or When connecting between the node 103 and the destination network boundary through another tunnel technology, the control server 102 may not transmit separate tunnel creation information to the node 103. If tunnel creation is not required, an application whitelist check may be performed.

In operation 1240, the control server 102 refers to the connection policy database and the service policy database to determine the gateway where the node is located in order to allow the node connected to the network to access the network according to the application installation list transmitted by the node 103. Information to check the source IP, destination IP, service port information, and protocol of data packets sent and received by the application so that the node can allow network access without a network connection request procedure, including when transmitting and receiving data packets. Protocol identification signature and version information, header information, protocol information, etc. to identify the protocol information, and if necessary, to what extent (length) the data packet is inspected to identify the protocol and process it as a normal protocol. , whether the protocol check will be performed by a network access control application or by transmitting data packet information to the controller, information about whether the protocol will be checked at the time of a network connection attempt or periodically, and whether the check has been completed or whether further checks are required. Protocol information including status information on whether it is needed, service IP and port information that can be accessed through the proxy included in the gateway, protocol information (e.g. HTTP, FTP, IoT-specific protocol, etc.), and whether service request filtering is necessary. , service request filtering processing method, filtering information (e.g. personal information, harmful service request information), a series of information to block unnecessary or dangerous service requests in advance at the proxy, and QoS (Quality) for service requests. of Service, a set of information to set the number of service requests possible in a certain time unit and adjust the number of service requests in the proxy accordingly, and certificate information to check whether the connection target is allowed when creating a secure session. Create/update/process data flow information including, and in operations 1245 and 1250, transmit the information to the node 103 and the gateway, and in operation 1255, the gateway 101 receives the data flow information. You can.

And, when the node 103 and/or the gateway 101 receives updated data flow information from the control server 102, it can update the data flow information by referring to it.

Figure 13 schematically shows the user authentication steps of the node 103 on which the access control application is installed.

Referring to FIG. 13, in operation 1305, the access control application of node 103 generates a control flow with an external server (e.g., control server 102) and then transmits authentication information using a user ID and password or an enhanced authentication method. You can request user authentication by doing this.

In operation 1310, the control server 102 receives a user authentication request, and determines whether the user of the node 103 can access the user based on the information requested for authentication by the access control application (user ID and password, enhanced authentication information, etc.). It checks whether the user is recognized and whether the user is included in the blacklist to check whether the user is blocked. If access is not possible or is included in the blacklist, information about the inability to access can be transmitted to the node 103. .

In operation 1315, if it is confirmed that the user is able to connect, the control server 102 searches the control flow table for the corresponding control flow with reference to the control flow ID, and adds user identification information (user ID) to the control flow's identification information. It can be added, and as a result of user authentication, the authentication completion status and the access policy information of the authenticated user can be returned to the node 103.

In operation 1320, the control server 102 refers to the connection policy database and tunnel policy database matching the identified information (node, source network information, etc.) to determine destination network information to which the currently connected node 103 can connect. You can check whether it exists and create whitelist information for accessible applications.

If connection is possible, the corresponding node 103 must send information such as the type, location information, environment, and network containing the node included in the control flow to the control server 102 in order to connect to the destination network. List the types of tunnels and gateways that the node 103 can connect to through the IP of the node identified through the node and the IP of the node identified in the node, and check the status (throughput, failure status) of the listed gateway to optimize Tunnels and optimal gateways can be identified.

In operation 1325, if there is a tunnel and a gateway accessible to the node 103, the control server 102 may transmit a series of information, such as a gateway and tunnel authentication for creating a tunnel, to the node 103.

Rather than a structure in which a tunnel is created between the node 103 and the gateway 101, a tunnel is pre-connected between the gateway 101 existing in the network to which the node 103 belongs and the gateway 101 existing at the border of the destination network. When connecting through the network, or when connecting through another tunnel technology between the node 103 and the destination network boundary, separate tunnel creation information may not be transmitted to the node 103.

In operation 1330, the node 103 processes the user authentication request processing result received from the control server 102, and when tunnel creation is required, the gateway 101 for tunnel creation received from the control server 102 ) and tunnel authentication, a tunnel can be created by requesting the corresponding gateway 101 to create a tunnel based on a series of information required for tunnel creation.

When tunnel creation is completed, the node 103 may transmit tunnel creation completion information and IP information, if there is a dedicated IP set according to tunnel creation, to the control server 102. In operation 1335, when an application whitelist is received from the control server 102, a result of checking whether the corresponding application is installed on the node 103 may be transmitted to the control server 102.

In operation 1340, when the tunnel creation is completed according to the result of the tunnel creation process, the control server 102 registers the tunnel dedicated IP assigned to the node 103 and the corresponding tunnel creation information in the tunnel table and sends the serial number transmitted by the node 103. Information can be updated in the identified control flow. In addition, in order to allow a node connected to the network according to the application installation list transmitted by the node 103, the gateway where the node is located is checked in the connection and service policy, and the node is allowed to access the network without a network access request procedure. Information to check the source IP, destination IP, service port information, and protocol of data packets transmitted and received by the application. Protocol identification signature and version information, header to identify protocol information included when transmitting and receiving data packets. Information, protocol information, etc., and if necessary, to what extent (length) the data packet will be inspected to identify the protocol, information on whether to process it as a normal protocol, whether the access control application will perform the protocol inspection, or data packet information. Protocol information and gateway information, including information about whether to transmit to the controller and perform a protocol check, when a network connection is attempted or periodically, and status information about whether the check has been completed or whether more testing is needed. Service IP and port information that can be accessed through the included proxy, protocol information (e.g. HTTP, FTP, IoT-specific protocol, etc.) and whether service request filtering is necessary, service request filtering processing method, filtering information (e.g. personal information, harmful Service request information), a series of information to block unnecessary or dangerous service requests in advance from the proxy, and the number of service requests that can be made in a certain period of time if QoS (Quality of Service) for the service request is required. You can set and generate data flow information including a series of information to adjust the number of service requests in the proxy accordingly, and certificate information to check whether the connection target is permitted when creating a security session. In operations 1345 and 1350, the control server 102 transmits corresponding information to the node 103 and the gateway 101, and in operation 1355, the gateway 101 may receive data flow information.

If tunnel creation is unnecessary or tunnel creation is completed by the control server 102, the control server 102 can obtain tunnel creation completion information and/or dedicated IP information set according to tunnel creation, and the node The tunnel dedicated IP assigned to (103) and the corresponding tunnel creation information can be registered in the tunnel table, and a series of information transmitted by node 103 can be updated in the identified control flow.

And, when updated data flow information is received from the control server 102, the node 103 can update the data flow information stored in the node 103 by referring to it.

Figure 14 schematically shows the network connection processing steps of the node 103 on which the connection control application is installed.

Referring to FIG. 14, in operation 1405, the connection control application of node 103 may detect the network connection of the target application. In operation 1410, it may be confirmed whether data flow information exists based on target application identification information and destination IP and port information in order to communicate with the destination network (1410). If a valid data flow exists, the access control application can transmit data packets to the gateway. If a data flow exists but is not valid (e.g., in a non-transmittable state or if network access was previously denied by the control server 102), the data packet may be dropped.

In operation 1415, if the data flow does not exist or if the data flow needs to be updated due to reasons such as the authentication time expiring, a network connection request may be transmitted.

In operation 1420, the control server 102 refers to the connection policy database matching the information identified on the control flow (node, application, source network information, etc.) and identifies the connection request (destination IP and service port information, etc.). You can check whether is included and whether it is possible to connect to the service server mapped with the corresponding identification information.

If connection to the mapped service server is not possible, the control server 102 may transmit a connection inaccessibility result to the node 103, and data packets may be dropped accordingly.

If connection to the mapped service server is possible, the control server 102 can check whether a tunnel has been created in the tunnel table to connect to the corresponding network.

In operation 1425, if the tunnel has not been created, the control server 102 refers to at least part of the tunnel policy database and the protocol policy database to check whether a tunnel must be created to access the corresponding service, and the tunnel must be created. If it is confirmed that the node 102 should be created, the control server 102 may transmit an unreachable result to the node 103.

If it is confirmed that a tunnel has already been created or that tunnel creation is unnecessary, the control server 102 collects valid data corresponding to the information requested for connection by the node 103 (destination IP and service port information, etc.) in the data flow table. You can check whether a flow exists.

If a valid data flow exists, the corresponding information (network connection request result) can be transmitted to the node 103 and/or the gateway 101.

In operation 1430, if there is no valid data flow, the control server 102 transmits and receives data packets using source IP, destination IP, service port information, and information for checking the protocol of data packets transmitted and received by the application. Protocol identification signature and version information, header information, protocol information, etc. to identify the protocol information included in the protocol, and if necessary, to what extent (length) the data packet is inspected to identify the protocol and decide whether to process it as a normal protocol. information about whether the protocol check will be performed by a network access control application or by transmitting data packet information to the controller, information about whether the protocol will be checked at the time of a network connection attempt or periodically, and whether the check has been completed or checked. Protocol information including status information about whether more is needed, service IP and port information accessible through the proxy included in the gateway, protocol information (e.g. HTTP, FTP, IoT-specific protocols, etc.), and service request filtering. It includes whether it is necessary, service request filtering processing method, filtering information (e.g. personal information, harmful service request information), a series of information to block unnecessary or dangerous service requests in advance at the proxy, and QoS for service requests. If (Quality of Service) requires it, set the number of service requests possible in a certain time unit and set the number of service requests in the proxy accordingly, a series of information to check whether the connection target is allowed when creating a security session. Data flow information including certificate information, etc. may be generated, the corresponding information may be transmitted to the gateway 101 in operation 1440, and a network connection request processing result may be transmitted to the node 103 in operation 1435.

And, the connection control application can process the connection request result received from the control server 102.

If data flow information is received from the control server 102, the access control application can update the data flow information stored in the node 103, and if the network connection request is successful, the data packet is sent to the gateway 101. It can be sent to .

Figure 15 schematically shows the tunneling-based data packet forwarding process of the node 103 on which the access control application is installed.

Referring to FIG. 15, in operation 1505, when tunnel creation is necessary, the node 103 uses the gateway 101 for tunnel creation and tunnel authentication received from an external server (e.g., control server 102) to create the tunnel. Tunnel creation can be requested from the gateway 101 based on a series of necessary information.

In operation 1505, the gateway 101 may perform a data flow check, and a tunneling-related module within the gateway 101 may check the data packet received from the node 103 to confirm that it is a data packet for tunnel creation processing. It is possible to check whether it is a port that is being used, and if it is confirmed that it is a port that a tunneling-related module is receiving, the data packet is forwarded, and in operation 1515, tunnel creation is processed by referring to the data packet related to the tunnel creation request, and operation is performed. At 1520, the tunnel creation result may be transmitted to the node 103.

If the port is not being received by the tunneling-related module, and the data packet attempts to connect to an unauthorized source IP and destination IP and port, the gateway 101 may drop the data packet.

Then, in operation 1525, the node 103 receives the tunnel creation result, and when the tunnel creation is completed, in operation 1530, the node 103 can connect to the service server (transmit a data packet) based on tunneling.

In operation 1535, the gateway 101 may perform a data flow check, referencing the accessible data flow information received from the control server 102 based on the tunneling IP assigned to the node 103, and detecting the corresponding node ( 103) can determine whether access to the service server is possible. In operation 1540, if a connection is available, the data packet is forwarded to the service server, and in operation 1545, the service server can receive the data packet.

If the data packet attempts to connect to an unauthorized source IP, destination IP, or port, the gateway 101 may drop the data packet.

Figure 16 schematically shows the data packet forwarding process based on data packet authentication of the node 103 on which the access control application is installed.

Referring to FIG. 16, in operation 1605, if a logical connection (e.g., creation of a TCP session based on TCP authentication, creation of a UDP-related session or flow based on UDP authentication, etc.) is required between the node 103 and the service server, the node 103 may request creation of a logical connection to the service server based on a series of information required to create authentication information for logical connection authentication received from the control server 102.

At operation 1610, gateway 101 may perform a data flow check, based on authentication information received from control server 102, to verify a series of data packets for a logical connection received from node 103. You can check whether the authentication information for the logical connection is valid and whether it is possible to connect to the service server with the authentication information.

In operation 1615, if the authentication information is valid, the gateway 101 forwards the data packet to the service server, and if the authentication information is invalid or is a network connection request from a service server that cannot be connected with the authentication information, the gateway 101 forwards the data packet to the service server. It can be processed as a drop.

Then, in operation 1620, a logical connection is created, in operation 1625, the logical connection creation result is transmitted to node 103, and in operation 1630, when node 103 receives the logical connection creation result, in operation 1635, Node 103 may transmit data packets to the service server based on the logical connection.

In operation 1640, the gateway 101 checks the data flow information received from the control server 102 based on the logical connection information assigned to the node 103, and in operation 1645, the node 103 is a service server. If access is available, the data packet is forwarded to the service server, and in operation 1650, the service server can receive the data packet.

If the data packet attempts to access a service based on an unauthorized logical connection, the gateway 101 may drop the data packet.

Through this process, the gateway 101 can perform network access and data packet transmission control only for the node 103 to which an authentication-based logical connection has been granted.

Figure 17 is a flowchart schematically showing the process by which the gateway 101 inspects the protocol.

Referring to FIG. 17, in operation 1705, the gateway 101 may receive a data packet transmission event from the network kernel of the operating system, and in operation 1710, it may perform a data flow check.

For example, the gateway 101 uses one or more of the destination IP, port information, protocol information (e.g. TCP, UDP, etc.), and source IP or logical connection information included in the received IP header to provide data flow information. You can check whether exists.

If there is no valid data flow, gateway 101 may drop the data packet.

In operation 1715, if a valid data flow exists, the gateway 101 determines the protocol check status included in the protocol information included in the data flow (whether the protocol check is necessary, whether the protocol check is completed by the previous data packet transmission check, It is possible to determine whether a protocol inspection is necessary based on (whether a protocol inspection is necessary periodically, etc.).

If protocol checking is not required, gateway 101 may forward the data packet to the service server.

If protocol checking is necessary, the protocol checking may be performed by the gateway 101 or an external server (e.g., control server 102).

In operation 1720, when the gateway 101 directly performs the protocol check, the gateway 101 performs a protocol check to identify whether a protocol is allowed in the data packet based on information for checking the protocol of the data packet included in the data flow. It checks whether signature and version information, header information, and protocol information are included or complied with, and, if necessary, data packets can be inspected up to the inspection range (length) included in the protocol information.

If the protocol check is successful, the protocol check status changes to completed, and the data packet can be forwarded.

In operation 1725, if the protocol check fails, the gateway drops the corresponding data packet and removes the data flow, and in operation 1730, the protocol check result including control flow identification information may be transmitted to the control server 102. . In operation 1735, the control server 102 may receive the protocol inspection result and determine the risk level by referring to the corresponding protocol policy database and blacklist policy database.

In operation 1740, if the risk is low, the control server 102 may remove the corresponding data flow and propagate the updated data flow to the gateway 101. On the other hand, if the risk is high, the control server 102 removes the control flow and tunnel so that the corresponding node 103 can no longer maintain network connection and sends the updated control flow, data flow, and tunnel information to the gateway 101. It can be spread. If the risk is serious, the control server 102 may add the identified node 103 to the blacklist so that it can no longer access it after performing the control flow removal procedure.

And the gateway 101 may process the result as it receives the protocol test result transmission result from the control server 102.

Meanwhile, although not shown in FIG. 17, the same/similar explanation may be applied even when protocol inspection is performed by the control server 102.

For example, the gateway 101 checks all of the data packets or, if necessary, the inspection range included in the protocol information to identify whether the protocol is allowed in the data packet based on the information for inspecting the protocol of the data packet included in the data flow. Data packets of up to (length) can be collected.

Additionally, the gateway 101 may request a protocol inspection from the control server 102 including the collected data packets and data flow identification information.

The control server 102 may check whether the data packet contains or complies with signature and version information, header information, and protocol information, based on the identified data flow information and protocol information included in the data flow.

If the inspection is successful, the control server 102 may change the inspection status of the received data packet of the data flow to completed and return the updated data flow information to the gateway 101.

On the other hand, if the check fails, the control server 102 can determine whether there is a risk based on the corresponding protocol policy and blacklist policy according to the protocol check result. If the risk is low, the control server 102 may remove the data flow and propagate updated data flow information to the gateway 101. On the other hand, if the risk is high, the control server 102 removes the control flow and tunnel so that the corresponding node 103 can no longer maintain network connection and sends the updated control flow, data flow, and tunnel information to the gateway 101. It can be spread. If the risk is serious, the control server 102 may add the corresponding node 103 to the blacklist so that it can no longer access it after performing the control flow removal procedure described above.

Figure 18 is a flowchart schematically showing the process by which the gateway 101 processes a service request.

Referring to FIG. 18, when a service request event is received in operation 1805, the gateway 101 performs a data flow check in operation 1810 and can check whether data flow header information is present in the received service request. .

In operation 1845, if data flow header information does not exist, the gateway 101 redirects to the authentication server, and may transmit the destination IP or domain identification information and port information included in the service request header during redirection.

If data flow header information exists, the gateway 101 uses the data flow identification information of the data flow header information, the destination IP and port information included in the received IP header, and protocol information (e.g. TCP, UDP, etc.) You can check whether data flow information exists.

In operation 1840, if the data flow exists but is invalid (e.g., data packet transmission is not possible, etc.) or if the data flow does not exist, the gateway 101 may reject the service request.

In operation 1815, the gateway 101 decrypts the encrypted authentication information through an authentication information encryption/decryption key based on the authentication information of the identified data flow and performs OTP verification to check whether the corresponding data flow header information is valid. can do.

If the data flow header information is invalid, the gateway 101 may reject the service request.

If the data flow header information is valid, the gateway 101 generates an OTP based on the OTP generation information included in the authentication information, encrypts the authentication information using the authentication information encryption/decryption key, and then combines it with the data flow identification information to generate data. Flow header information can be updated with existing service request information. Through this, reuse of the same data flow header information can be prevented.

If a valid data flow exists, the gateway 101 may check whether service information allowing the service request exists in the data flow information based on the destination IP or domain identification information and port information included in the received service request header. .

If there is no service information allowing the service request, the gateway 101 may reject the service request.

If there is service information allowing a service request, the gateway 101 can check whether QoS is required through the service request QoS information included in the service information.

In operation 1820, if service request QoS is required, the gateway 101 may perform service request QoS processing. The gateway 101 can check the number of service requests per certain time included in the service request QoS information, and if it is confirmed that the number of service requests exceeds the allowable number per certain time, the service request is scheduled according to the service request QoS method. You can process it after a time delay or reject the service request to induce a re-request for the service.

In operation 1825, if the service request QoS is not required, the gateway 101 may filter the service request information and select the protocol (e.g., HTTP, FTP, or IoT) of the service request through the service filtering information included in the service information. You can check whether the dedicated protocol for the device, etc.) is normal.

If the protocol of the service request is abnormal, the gateway 101 may reject the service request.

Meanwhile, when filtering service request information, if replacement of information is necessary, the gateway 101 can replace the request information through replacement information or rules included in the service filtering information and transmit the service request. there is.

On the other hand, when filtering of the service request is not required and/or replacement of service request information is not required, the gateway 101 may transmit the corresponding service request.

If blocking is required for a service request, the gateway 101 may refuse to transmit the service request.

The gateway 101 may generate authentication information using an authentication information generation algorithm and additional information included in the authentication information of the data flow. Afterwards, the authentication information can be encrypted using the encryption algorithm and encryption key included in the authentication information. Then, in operation 1825, the gateway 101 inserts a data flow header combining encrypted authentication information and data flow identification information into the service request information according to the protocol standard of the service application, and transmits the corresponding service request in operation 1830. there is.

In operation 1835, after transmitting a service request or processing a service request rejection, the gateway 101 may reflect the number of service request processing times in QoS statistical information included in service information in the data flow.

Meanwhile, the gateway 101 can update the data flow through the following process.

For example, the gateway 101 updates processing time or Timestamp information when forwarding a data packet or service request from the node 103, based on the data flow received from the control server 102, and periodically updates the control server 102. You can request update of data flow information at (102).

And, the control server 102 can check whether data flow information exists by referring to the received data flow identification information.

If a data flow does not exist, the corresponding node 103 has terminated the network connection, so the control server 102 displays invalid data flow information so that it can no longer access the data flow information through the corresponding gateway 101. can be returned to the gateway 101.

In addition, the control server 102 checks the last connection processing time of the data flow, and if re-authentication is required because the time available after initial authentication has expired according to the authentication policy, or if the connection to the node 103 is released, the corresponding The data flow and control flow of the node 103 are removed, and since the node 103 has terminated its network connection, invalid data flow information is transferred to the gateway 101 so that it can no longer be connected through the gateway 101. It can be returned.

Additionally, the gateway 101 may delete invalid data flows based on the received data flow information.

Referring to FIG. 19, the structure of service request information in which a data flow header is inserted by the gateway 101 can be confirmed.

The proxy included in the gateway 101, based on the authentication information included in the data flow, sends data flow header information that can identify the service request target from the service server to a part suitable for the protocol of the service application (e.g., in the case of HTTP) It can be inserted into the header area and retransmitted to the service server, and the service server's response value to the service request can be returned to the node 103.

The data flow header can be inserted in the data packet flow between the node 103, the gateway 101, and the service server to check whether the data packet is authenticated by the service server based on the data flow received from the control server 102. there is.

These data flow headers may include data flow identification information and encrypted authentication information.

Since data packets in an IP network have no identifiable information other than 5 Tuples information (protocol, source IP, port, destination IP, port), the service server determines whether the node 103 assigned the IP is actually authenticated. And it is unknown whether the application, which is the actual subject of communication, was transmitted by an authorized party.

Therefore, when processing a service request, the service server queries the control server 102 with the data flow identification information included in the data flow header to check whether an authenticated subject has connected, and uses the authentication information stored by the control server 102. Additional information about the target can be received and authenticated.

Additionally, encrypted authentication information in addition to the data flow identification information included in the data flow header can be used to check whether the authenticated gateway 101 has forwarded the service request.

At this time, the encrypted authentication information is encrypted authentication information only for those authenticated (i.e., when a data flow exists) through the authentication information encryption/decryption key included in the authentication information of the data flow received from the control server 102. can be decrypted.

The decrypted authentication information may not be a fixed value at each data packet authentication time like data flow identification information, but may include information in the form of OTP (One-Time Password) and Random Generation that changes at each authentication time.

In addition, the gateway 101 generates OTP information that changes at each service request forwarding time based on the information for OTP generation and verification included in the authentication information of the data flow, and encrypts the value to create data flow identification information. Service request information including data flow header information inserted can be forwarded.

According to an embodiment of the present invention, when a node attempts to access a service without a security session, if the gateway inserts a data flow header into the service information through user authentication and returns it, the node and service server continuously insert the data flow header. service request and return are performed using the gateway, and the gateway identifies and inspects the data flow based on the header information included in the service request and return information between the node and the service server, and data packets received from a plurality of nodes accordingly. Even if they contain the same source IP, network access can be controlled independently for each node.

The above description is merely an illustrative explanation of the technical idea disclosed in this document, and those skilled in the art in the technical field to which the embodiments disclosed in this document belong will understand without departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Accordingly, the embodiments disclosed in this document are not intended to limit the technical ideas disclosed in this document, but rather to explain them, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The scope of protection of the technical ideas disclosed in this document shall be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope shall be interpreted as being included in the scope of rights of this document.

Claims (11)

In the gateway,
communication circuit;
Memory; and
a processor operatively connected to the communication circuit and the memory, the processor comprising:
Receive data packets for service requests from the node,
Check whether data flow authentication information corresponding to the data packet exists,
If valid data flow authentication information is confirmed to exist, forward the data packet to the destination network,
If it is confirmed that the valid data flow authentication information does not exist, forwarding the data packet to an external server,
A gateway, configured to forward the data packet to the external server and then receive information about the data flow including the data flow authentication information from the external server according to an authentication result for the node. According to claim 1,
The processor,
After forwarding the data packet to the external server, receiving the data flow information including the data flow authentication information from the external server as the authentication result satisfies authentication conditions,
The authentication condition corresponds to at least one of installation information of the access control application of the node and authentication process performance information of the node. According to claim 2,
The processor,
After the access control application of the node is installed, a tunnel creation request for creating a tunnel is received from the node,
Create the tunnel with the node based on the tunnel creation request,
A gateway configured to communicate with the node via the tunnel. According to claim 1,
The processor,
An OTP is generated based on the OTP (One-Time Password) generation information included in the node authentication information,
Update data flow authentication information based on the OTP and data flow identification information,
A gateway, configured to insert the updated data flow authentication information into the data packet and forward it to the destination network. According to claim 1,
The processor,
If it is confirmed that the valid data flow authentication information exists, determine whether QoS is required for the service request based on QoS (Quality of Service) information included in the data flow,
If it is confirmed that the QoS is required for the service request, check whether the service request satisfies a threshold service request condition corresponding to the QoS information,
If it is confirmed that the service request does not satisfy the threshold service request condition, the gateway is configured to cause the service request to be transmitted after a preset time has elapsed or to cause the node to retransmit the service request. According to claim 5,
The processor,
When it is confirmed that the service request satisfies the threshold service request condition or that the QoS is not required for the service request, whether the protocol of the data packet is normal based on the filtering information included in the data flow Check whether
If the protocol of the data packet is confirmed to be normal, determine whether replacement of the information included in the data packet is necessary based on the filtering information,
If it is determined that the substitution is necessary, the gateway is configured to replace the information included in the data packet based on at least some of the substitution information and substitution rules included in the filtering information and forward it to the destination network. According to claim 1,
The processor,
If it is confirmed that the data flow authentication information does not exist, check whether the data packet is a data packet of an authenticable protocol,
If the data packet is confirmed to be a data packet of the authenticable protocol, convert the destination IP (internet protocol) and destination port of the data packet into an external server IP and external server port corresponding to the external server and then forward the data packet. Gateway. On an external server,
communication circuit;
Memory; and
a processor operatively connected to the communication circuit and the memory, the processor comprising:
When a data packet for a service request is obtained, authentication support information is transmitted to the node with reference to the data packet,
Obtaining a network connection request including a source IP (internet protocol) from the node based on the authentication support information,
Check whether the node can connect to the destination network based on the information included in the network connection request,
An external server, configured to transmit information about the data flow, including data flow authentication information, to the gateway if the connection is confirmed to be available. According to claim 8,
The processor,
When an access control application is installed in the node based on the authentication support information, first access authority to the destination network is granted to the node,
An external server, configured to grant the node a second access authority to the destination network when an authentication process is performed based on the authentication support information. In the method of operating the gateway,
Receiving a data packet for a service request from a node;
Checking whether data flow authentication information corresponding to the data packet exists; and
If it is confirmed that valid data flow authentication information exists, the data packet is forwarded to the destination network, and if it is confirmed that the valid data flow authentication information does not exist, the data packet is forwarded to an external server and then sent to the node. A method comprising receiving information about a data flow including the data flow authentication information from the external server according to an authentication result. According to claim 10,
The step of forwarding the data packet to the destination network includes:
Generating an OTP (One-Time Password) based on OTP (One-Time Password) generation information included in the node authentication information;
updating data flow authentication information based on the OTP and data flow identification information; and
Inserting the updated data flow authentication information into the data packet and forwarding it to the destination network.

Images