KR20140075475A - Sysyem and method for controling access of unlicensed wlan ap - Google Patents


Info

Publication number
KR20140075475A
Authority
KR
South Korea
Prior art keywords
controller
switch
access
wlan
open
Prior art date
Application number
KR1020120143858A
Other languages
Korean (ko)
Inventor
김정환
윤빈영
김상기
Original Assignee
한국전자통신연구원
Priority date
Filing date
Publication date
Application filed by 한국전자통신연구원
Priority to KR1020120143858A
Publication of KR20140075475A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

The present invention relates to a method by which an access control system for an unlicensed WLAN AP controls access of an unlicensed WLAN AP. The method includes: a WLAN controller transmitting the MAC addresses of the APs that it permits to connect to an open-flow controller, and the open-flow controller storing the MAC addresses in a database; an open-flow switch receiving the MAC addresses, adding them to a flow entry of its flow table, and reporting the access port of each MAC address to the open-flow controller; when an ARP request message reaches the switch because of an access attempt by an unlicensed AP, the switch recognizing that the connection comes through a MAC address not included in the flow entry, discarding the packet, and transmitting the discard history to the open-flow controller; and the open-flow controller transmitting the discard history to the WLAN controller.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an access control system and method for an unauthorized wireless LAN access point. More specifically, it relates to an access control method for an unauthorized WLAN AP in an environment in which the Internet can be accessed through a WLAN AP.

Internet access via a wireless LAN is widely used. However, illegal access to the Internet through a wireless LAN installed in a company causes serious problems such as leakage of confidential company information, and in a public wireless LAN environment, wireless LAN APs (access points) installed arbitrarily by users raise the same kind of problem.

Recently, in enterprise environments, WLAN controller based solutions that compensate for these shortcomings and perform overall management and control of the APs installed in the company have been widely adopted. A solution based on a wireless LAN controller enables efficient configuration of wireless LAN resources and quality-assured services such as VoIP through the wireless LAN controller, and performs AP configuration and firmware updates.

However, the installation of unauthorized APs in the company still poses a risk of degraded network connection quality and leakage of company confidential information. Solutions that search and detect channels in the wireless section exist, but they are costly and still difficult to operate.

In recent wired networks, OpenFlow technology is emerging, which can control flows in a centralized way by separating the data path and the control path from the functions of switches and routers. The open flow controller performs actions (for example, Forward, Drop, etc.) to control the flow of packets according to the characteristics of the packets (for example, MAC address, IP address, port, VLAN tag, etc.). For this interaction, the open flow protocol is used between the controller and the switch or router.

Accordingly, an embodiment of the present invention provides a method of controlling access to an unauthorized WLAN AP in an environment where an Internet connection through an enterprise environment or a hotspot wireless LAN AP is possible.

The access control method of an unlicensed wireless LAN AP according to an embodiment of the present invention is a method by which an access control system for an unlicensed wireless LAN AP controls access of an unauthorized AP. The method includes: the WLAN controller transmitting the MAC addresses of the APs permitted to access to an open flow controller, and the open flow controller storing the MAC addresses in a database; the switch receiving the MAC addresses, adding them to the flow entry of its flow table, and reporting the access port of each MAC address to the open flow controller; when an unauthorized AP attempts to connect and an ARP request message is transmitted to the switch, the switch recognizing that the connection is made through a MAC address not present in the flow entry, discarding the packet, and transmitting the discard history to the open flow controller; and the open flow controller transmitting the discard history to the WLAN controller.

As described above, according to the embodiment of the present invention, network access control through a WLAN AP can be performed by using an open flow based switch or router, so that illegal access can be effectively controlled and blocked.

In addition, the present invention can facilitate network access control for connection through a wireless LAN access point and an efficient access restriction policy setting and control based on an open flow at an edge switch end.

FIG. 1 is a diagram illustrating an overall configuration for controlling access to a wireless LAN AP according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a process of controlling an access of an unauthorized wireless LAN AP according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating a process of blocking a WLAN AP having a fake MAC according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, a terminal may be referred to as a mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS), an access terminal (AT), a user equipment (UE), or the like, and may include all or some of the functions of an MS, MT, SS, PSS, AT, or UE.

In addition, a base station (BS) includes a node B, an evolved node B, an eNodeB, an access point (AP), a radio access station (RAS) a base transceiver station (BTS), a mobile multihop relay (MMR) -BS, or the like, and may include all or some of functions of a Node B, an eNodeB, an AP, a RAS, a BTS, and an MMR-BS.

Throughout the specification, when an element is referred to as "comprising" another element, it can include other elements as well, without excluding them unless specifically stated otherwise. Also, the terms "part", "module", and "block" refer to units that process at least one function or operation.

FIG. 1 is a diagram illustrating an overall configuration for controlling access to a wireless LAN AP according to an embodiment of the present invention.

Referring to FIG. 1, an overall configuration of an access control system for an unlicensed wireless LAN AP according to the present invention can be seen. The wireless LAN APs in the enterprise environment are arranged in the wireless LAN configuration shown in FIG. 1. The WLAN controller 140 manages newly joining or departing WLAN APs and sets a configuration suitable for the in-house environment.

Then, the wireless LAN controller 140 downloads a firmware image to the AP to install and configure the overall environment. The protocols used in this regard include the Lightweight Access Point Protocol (LWAPP), IETF RFC 5412, and the Control and Provisioning of Wireless Access Points (CAPWAP).

The network structure of the switch 120 and the router 130 based on OpenFlow has the configuration shown on the right side of FIG. 1. Existing routers or switches handle fast packet forwarding (data path) and high-level routing decisions (control path) within the same equipment. The open flow switch 120, however, separates these two functions: the data path portion remains in the switch 120, and the control path portion is separated into the controller 150. Communication between the open flow switch 120 and the controller 150 follows the open flow protocol, which defines packet-received, send-packet-out, modify-forwarding, and get-stats messages. The open flow switch 120 holds flow tables for processing the flows of the data path. A flow table consists of flow entries, each of which includes a set of packet fields to be matched and actions such as send-out-port, modify-field, and drop.

For example, when the open flow switch 120 receives a packet that it has not seen before, that is, a packet for which there is no matching flow entry, the packet is sent to the controller 150. The controller 150 holds the rules or logic for processing the packet and makes the packet-processing decision. It may, for example, drop the packet and then instruct the switch 120 to add a rule to the flow entry so that similar packets are forwarded.

Through this configuration, therefore, the open flow controller 150 is equipped with a structure in which it can perform different actions according to the characteristics of the data packets flowing into the open flow switch 120 through the wireless LAN AP 110.

FIG. 2 is a flowchart illustrating a process of controlling an access of an unauthorized wireless LAN AP according to an embodiment of the present invention.

First, a setup process between the WLAN controller 140 and the open flow controller 150 will be described.

The WLAN controller 140 establishes a connection for communication with the open flow controller 150. The connection uses the TCP or UDP protocol, and SSL may be used for secure communication (S110).

The WLAN controller 140 transmits the MAC information of the access permitted APs currently managed by the WLAN controller 140 to the open flow controller 150, and the open flow controller 150 stores the contents in the configuration DB (S120).

The open flow controller 150 issues an instruction for normal forwarding of the MAC information, and the switch 120 adds the corresponding MAC information to the flow entry of its flow table (S130).

The switch 120 reports to the open flow controller 150 which port each MAC address is connected to, based on the information stored through MAC learning. The open flow controller 150 stores this port information in the form {port, MAC address list} to form the final white list.

Next, the process of disconnecting illegal APs with unregistered MAC addresses is described.

When an illegal AP 110a is installed, the terminal 100 connects to the AP 110a and attempts to reach the external network. When the AP 110a, whose MAC address is not permitted, is connected to the switch 120 and the terminal (AT) 100 attempts communication through it, an ARP request, which is a broadcast message, is transmitted to the switch 120 (S150). As described above, the open flow switch 120 discards the packet because the connection is made through a MAC address not present in the flow entry (S160).

At this time, the discard history is reported to the open flow controller 150 (S170), and the discard history is transmitted to the WLAN controller 140 (S180). The manager of the wireless LAN controller 140 may then take an offline action (e.g., locate and remove the AP) against the unauthorized AP connection.

FIG. 3 is a flowchart illustrating a process of blocking a WLAN AP having a fake MAC according to an embodiment of the present invention.

Referring to FIG. 3, when an attempt is made to connect a network through an AP 110a having a fake MAC address, an ARP request is transmitted to the switch (S190).

Since the open flow switch 120 sees the same MAC address on a port different from the one in its flow entry, the switch 120 forwards the packet to the open flow controller 150 (S200). To check whether the configuration of the managed APs has recently changed, the open flow controller 150 requests the list of AP MAC addresses, receives the changes, and updates the database (DB) (S210).

The case where the unauthorized AP 110a is in fact an AP that has moved to another port is described first.

If, after comparison with the existing setting in the database, the AP 110a turns out to be an AP that has moved to another port, the open flow controller 150 instructs the switch 120 to perform normal forwarding. The switch 120 returns its own MAC address to the corresponding AP in the ARP response (S230), and then forwards packets to the destination.

In addition, the open-flow controller 150 updates the flow entry in the switch 120 to reflect the changed port, MAC configuration (S240).

Next, the case of an AP having a fake MAC will be described.

If the comparison with the existing setting in the database shows that the network access attempt is made from a MAC address that is permitted on a different port, it is determined that the attempt is made through a fake AP, and the packet is first dropped (S250).

The open flow controller 150 sets a rule for ARP poisoning to the AP 110a. Here, ARP poisoning means returning a fake MAC address for the switch to the ARP response.

Accordingly, the switch 120 sends a spoofed MAC address, not its own MAC address, in the ARP response, so that the network connection attempt through the AP 110a is blocked (S260).

Thereafter, when the AP 110a continuously receives the ARP request (S270), the packet is automatically discarded by the flow entry of the switch 120 (S280).
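The white-list setup and discard path of FIG. 2 (S120 to S180) and the moved-AP versus fake-MAC decision of FIG. 3 (S190 to S280), as an added Python simulation that is not part of the patent text or any product of the assignee. The class names, the `refreshed_config` argument (a MAC-to-port mapping standing in for the refreshed AP list of S210) and all MAC addresses and port numbers are constructed assumptions; the blocking rule of S260 is modelled as a drop entry in the switch rather than the ARP response the patent describes.

```python
import re
from dataclasses import dataclass, field
from enum import Enum

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; anything that is not a MAC is rejected."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m

class SwitchAction(Enum):
    FORWARD = "forward"              # flow entry matches MAC and port
    DROP = "drop"                    # MAC not in any flow entry (S160) or under a blocking rule (S280)
    TO_CONTROLLER = "to_controller"  # permitted MAC seen on a different port (S200)

class ControllerDecision(Enum):
    AP_MOVED = "ap_moved"  # legitimate AP re-plugged: update the flow entry (S240)
    FAKE_MAC = "fake_mac"  # permitted MAC on the wrong port: drop and block (S250, S260)

@dataclass
class ArpRequest:
    src_mac: str
    in_port: int

@dataclass
class OpenFlowSwitch:
    flow_table: dict = field(default_factory=dict)   # MAC -> port, i.e. the white list
    blocked: set = field(default_factory=set)        # MACs under a blocking rule (models S260)
    discard_log: list = field(default_factory=list)  # (mac, port, reason) reported to controller (S170)

    def handle_arp(self, req: ArpRequest) -> SwitchAction:
        mac = normalize_mac(req.src_mac)
        if mac in self.blocked:
            self.discard_log.append((mac, req.in_port, "blocked"))
            return SwitchAction.DROP
        port = self.flow_table.get(mac)
        if port is None:
            self.discard_log.append((mac, req.in_port, "mac-not-in-flow-entry"))
            return SwitchAction.DROP
        if port != req.in_port:
            return SwitchAction.TO_CONTROLLER
        return SwitchAction.FORWARD

@dataclass
class OpenFlowController:
    config_db: dict = field(default_factory=dict)     # MAC -> port as last confirmed (S120, S210)
    wlan_reports: list = field(default_factory=list)  # discard histories relayed to WLAN controller (S180)

    def setup(self, switch: OpenFlowSwitch, allowed_macs, learned_ports):
        """S120-S140: store permitted MACs and install one flow entry per MAC with its learned port."""
        for mac in allowed_macs:
            m = normalize_mac(mac)
            port = learned_ports.get(m)
            if port is None:
                continue  # AP not yet seen on any port: nothing to install
            self.config_db[m] = port
            switch.flow_table[m] = port

    def on_packet_in(self, switch: OpenFlowSwitch, req: ArpRequest, refreshed_config: dict):
        """S210-S260: refresh the DB from the WLAN controller (assumed MAC -> port shape), then decide."""
        for mac, port in refreshed_config.items():
            self.config_db[normalize_mac(mac)] = port
        mac = normalize_mac(req.src_mac)
        if self.config_db.get(mac) == req.in_port:
            switch.flow_table[mac] = req.in_port   # S240: reflect the changed port
            return ControllerDecision.AP_MOVED
        switch.blocked.add(mac)                     # S260: later requests are discarded (S270, S280)
        switch.discard_log.append((mac, req.in_port, "fake-mac"))
        return ControllerDecision.FAKE_MAC

    def relay_discards(self, switch: OpenFlowSwitch) -> list:
        """S170/S180: hand the switch's discard history on to the WLAN controller."""
        self.wlan_reports.extend(switch.discard_log)
        switch.discard_log.clear()
        return list(self.wlan_reports)

def demo() -> dict:
    """Constructed scenario: FIG. 2 (unregistered MAC) and both FIG. 3 cases (moved AP, fake MAC)."""
    sw, ctl = OpenFlowSwitch(), OpenFlowController()
    allowed = ["AA:BB:CC:00:00:01", "aa:bb:cc:00:00:02"]       # sample list from WLAN controller (S120)
    learned = {"aa:bb:cc:00:00:01": 1, "aa:bb:cc:00:00:02": 2}  # sample MAC-learning result (S140)
    ctl.setup(sw, allowed, learned)
    out = {}
    out["permitted"] = sw.handle_arp(ArpRequest("aa:bb:cc:00:00:01", 1))
    out["unknown"] = sw.handle_arp(ArpRequest("de:ad:be:ef:00:01", 3))       # FIG. 2: not in flow entry
    moved = ArpRequest("aa:bb:cc:00:00:02", 4)                                 # FIG. 3: AP re-plugged to port 4
    out["moved_switch"] = sw.handle_arp(moved)
    out["moved_ctl"] = ctl.on_packet_in(sw, moved, {"aa:bb:cc:00:00:02": 4})   # WLAN controller confirms port 4
    out["moved_after"] = sw.handle_arp(moved)
    fake = ArpRequest("aa:bb:cc:00:00:01", 5)                                  # FIG. 3: permitted MAC on wrong port
    out["fake_switch"] = sw.handle_arp(fake)
    out["fake_ctl"] = ctl.on_packet_in(sw, fake, {})                           # no configuration change reported
    out["fake_after"] = sw.handle_arp(fake)
    out["reports"] = ctl.relay_discards(sw)
    return out
```

Running `demo()` walks through the three cases in order: a permitted MAC on its learned port is forwarded, an unknown MAC is dropped and logged, a permitted MAC on a new port goes to the controller and is either re-learned or blocked depending on what the refreshed configuration says, and every discard ends up in the list relayed to the WLAN controller.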

As described above, according to the present invention, illegal access through a wireless LAN AP can be efficiently controlled and blocked at the open flow based switch or router end to which the AP is connected, without using a method of searching channels in the wireless section.

In addition, the present invention can facilitate network access control for connection through a wireless LAN access point and an efficient access restriction policy setting and control based on an open flow at an edge switch end.

The embodiments of the present invention described above are not implemented only by the apparatus and method, but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, and that modifications of them also belong to the scope of the right.

100: terminal
110: AP
120: switch
130: router
140: wireless LAN controller
150: open flow controller

Claims (1)

A method by which an access control system for an unlicensed wireless LAN AP controls access of an unauthorized wireless LAN AP, the method comprising:
a WLAN controller transmitting the MAC addresses of APs permitted to access to an open flow controller, and the open flow controller storing the MAC addresses in a database;
a switch receiving the MAC addresses from the open flow controller, adding them to the flow entry of its flow table, and reporting the connection port of the MAC addresses to the open flow controller;
when an unauthorized AP attempts to connect and an ARP request message is delivered to the switch, the switch detecting that the connection is made through a MAC address not present in the flow entry, discarding the packet, and transmitting the discard history to the open flow controller; and
the open flow controller transmitting the discard history to the wireless LAN controller.
KR1020120143858A 2012-12-11 2012-12-11 Sysyem and method for controling access of unlicensed wlan ap KR20140075475A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020120143858A KR20140075475A (en) 2012-12-11 2012-12-11 Sysyem and method for controling access of unlicensed wlan ap

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020120143858A KR20140075475A (en) 2012-12-11 2012-12-11 Sysyem and method for controling access of unlicensed wlan ap

Publications (1)

Publication Number Publication Date
KR20140075475A true KR20140075475A (en) 2014-06-19

Family

ID=51128183

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020120143858A KR20140075475A (en) 2012-12-11 2012-12-11 Sysyem and method for controling access of unlicensed wlan ap

Country Status (1)

Country Link
KR (1) KR20140075475A (en)

Similar Documents

Publication Publication Date Title
US11652889B2 (en) Communication method and communications device
US11303727B2 (en) Method and system for routing user data traffic from an edge device to a network entity
US8826413B2 (en) Wireless local area network infrastructure devices having improved firewall features
Schulz-Zander et al. Programmatic Orchestration of {WiFi} Networks
US8817788B2 (en) Wireless communication terminal, method, program, recording medium, and wireless communication system
US8848708B2 (en) Method, apparatus and system for packet processing
US20070064673A1 (en) Flexible, scalable, wireless data forwarding and mobility for secure wireless networks
US20080107077A1 (en) Subnet mobility supporting wireless handoff
US20170013452A1 (en) Network re-convergence point
US20150365828A1 (en) Communication terminal, communication method, program, communication system, and information processing apparatus
US9288686B2 (en) Topology discovery based on SCTP/X2 snooping
US9826449B2 (en) Wireless client traffic continuity across controller failover and load-balancing
US9294986B2 (en) Topology discovery based on explicit signaling
Zhao et al. SDWLAN: A flexible architecture of enterprise WLAN for client-unaware fast AP handoff
CN108141743B (en) Methods, networks, apparatus, systems, media and devices handling communication exchanges
Mohammadnia et al. IoT-NETZ: Practical spoofing attack mitigation approach in SDWN network
US20120054830A1 (en) Network Relay Device and Relay Control Method of Received Frames
US20080259874A1 (en) Flow based layer 2 handover mechanism for mobile node with multi network interfaces
JP2015519761A (en) COMMUNICATION DEVICE, COMMUNICATION METHOD, COMMUNICATION SYSTEM, CONTROL DEVICE, AND PROGRAM
CN102740290B (en) Method for pre-authentication and pre-configuration, and system thereof
KR20140075475A (en) Sysyem and method for controling access of unlicensed wlan ap
US9231862B2 (en) Selective service based virtual local area network flooding
US10972910B1 (en) Restricting communication using operator determined barring
CN112219381B (en) Method and apparatus for message filtering based on data analysis
US20230318961A1 (en) Role information propagation in access switches

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination