KR20140075475A - Sysyem and method for controling access of unlicensed wlan ap
- Publication number: KR20140075475A (application KR1020120143858A)
- Authority: KR (South Korea)
- Prior art keywords: controller, switch, access, wlan, open
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L61/00—Network arrangements, protocols or services for addressing or naming › H04L61/09—Mapping addresses › H04L61/10—Mapping addresses of different types › H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00—Network architectures or network communication protocols for network security › H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls › H04L63/0227—Filtering policies › H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00—Network architectures or network communication protocols for network security › H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L63/1441—Countermeasures against malicious traffic
Description
The present invention relates to a method for controlling access of an unauthorized WLAN AP in an environment where the Internet can be accessed through a WLAN AP.
Internet access via a wireless LAN is widely used. However, illegal access to the Internet through a wireless LAN installed in a company causes serious problems such as leakage of confidential company information. In a public wireless LAN environment, a wireless LAN AP (access point) installed arbitrarily by a user, and the like.
Recently, in enterprise environments, WLAN-controller-based solutions that compensate for these shortcomings and perform overall management and control of the APs installed in the company have been widely adopted. A solution based on a wireless LAN controller enables efficient configuration of wireless LAN resources and quality-assured services such as VoIP through the wireless LAN controller, and performs AP configuration and firmware updates.
However, there is still a risk of degraded network connection quality and leakage of confidential company information due to unauthorized AP installation in the company. As a solution, there are products that search and detect channels in the wireless section, but their cost is high and their operation is still difficult.
In wired networks, OpenFlow technology has recently emerged, which can control flows in a centralized way by separating the data path from the control functions of switches and routers. The OpenFlow controller performs actions (for example, Forward, Drop, etc.) to control the flow of packets according to packet characteristics (for example, MAC address, IP address, port, VLAN tag). For this interaction, the OpenFlow protocol is used between the controller and the switches and routers.
Accordingly, an embodiment of the present invention provides a method of controlling access of an unauthorized WLAN AP in an enterprise or hotspot environment where an Internet connection through a wireless LAN AP is possible.
The method for controlling access of an unlicensed wireless LAN access point according to an embodiment of the present invention comprises: the OpenFlow controller adding the MAC address to a flow entry of the flow table delivered to the switch; when an unauthorized access point attempts to connect and an ARP request message is transmitted to the switch, the switch recognizing that the connection is made through a MAC address not present in the flow entry and discarding the packet; transmitting the discard history to the OpenFlow controller; and transmitting the discard history to the WLAN controller.
As described above, according to the embodiment of the present invention, network access control through a WLAN AP can be performed using an OpenFlow-based switch or router, which can effectively control and block illegal access.
In addition, the present invention facilitates network access control for connections through a wireless LAN access point, and efficient setting and control of access restriction policies based on OpenFlow at the edge switch.
FIG. 1 is a diagram illustrating an overall configuration for controlling access to a wireless LAN AP according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a process of controlling access of an unauthorized wireless LAN AP according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating a process of blocking a WLAN AP having a fake MAC according to an embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.
Throughout the specification, a terminal is referred to as a mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS) terminal, an AT, a user equipment (UE), or the like, and may include all or some of functions of a terminal, MT, SS, PSS, AT, UE,
In addition, a base station (BS) includes a Node B, an evolved Node B, an eNodeB, an access point (AP), a radio access station (RAS), a base transceiver station (BTS), a mobile multihop relay (MMR)-BS, or the like, and may include all or some of the functions of a Node B, an eNodeB, an AP, a RAS, a BTS, and an MMR-BS.
Throughout the specification, when an element is referred to as "comprising" another element, this means that it may further include other elements rather than excluding them, unless specifically stated otherwise. Also, the terms "part", "module", and "block" refer to units that process at least one function or operation.
FIG. 1 is a diagram illustrating an overall configuration for controlling access to a wireless LAN AP according to an embodiment of the present invention.
Referring to FIG. 1, an overall configuration of an access control system of an unlicensed wireless LAN AP according to the present invention can be seen. The wireless LAN APs in the enterprise environment have a configuration of a wireless LAN as shown in FIG. The
Then, the
The network structure of the
For example, when the
Therefore, through this configuration, the
FIG. 2 is a flowchart illustrating a process of controlling access of an unauthorized wireless LAN AP according to an embodiment of the present invention.
First, a setup process between the
The
The
The
The
Next, consider the process of disconnecting illegal APs with unregistered MAC addresses.
When the illegal AP 110a is connected, the
At this time, the discard history is reported to the open flow controller 150 (S170), and the discard history is transmitted to the WLAN controller 140 (S180). The manager of the
FIG. 3 is a flowchart illustrating a process of blocking a WLAN AP having a fake MAC according to an embodiment of the present invention.
Referring to FIG. 3, when an attempt is made to connect a network through an AP 110a having a fake MAC address, an ARP request is transmitted to the switch (S190).
Since the
The case where the unauthorized AP 110a is an AP that has moved to another port will be described.
Here, if the non-serving AP 110a is the AP that moved the port after comparing with the existing setting in the database, the
In addition, the open-
Next, the case of an AP with a fake MAC will be described.
When compared with the existing setting in the database, it is determined that the attempt to access the network from a MAC address permitted on another port is made through a fake AP, and the packet is dropped once (S250).
The
Accordingly, the
Thereafter, when ARP requests from the AP 110a continue to be received (S270), the packets are automatically discarded by the flow entry of the switch 120 (S280).
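The exchange of FIGS. 2 and 3 (permitted MACs programmed as flow entries, an ARP request from an unregistered MAC dropped and reported, a permitted MAC seen on another port dropped once and then blocked by a flow entry), as an added Python model that is not part of the patent. The Switch and OpenFlowController classes, the (MAC, port) match key and the operator decision in resolve_port_mismatch are assumptions; the patent does not state how a moved AP is told apart from a fake MAC.

```python
# Model of the switch/controller exchange in KR20140075475A: permitted AP MACs become
# flow entries, an ARP request that misses the table is dropped and reported.
# Added illustration, not the patent's own code; class and method names are assumptions.

class Switch:
    def __init__(self):
        self.flow_table = {}  # (src mac, in_port) -> "forward" | "drop"

    def arp_request(self, controller, mac, in_port):
        action = self.flow_table.get((mac, in_port))
        if action is not None:
            return action  # table hit: the switch applies the entry itself (S280)
        return controller.packet_in(mac, in_port)  # table miss: ask the controller

class OpenFlowController:
    def __init__(self, switch):
        self.switch = switch
        self.db = {}  # mac -> permitted port, as received from the WLAN controller
        self.discard_history = []  # (mac, port, reason) records passed to the WLAN controller

    def register_permitted_aps(self, mac_to_port):
        for mac, port in mac_to_port.items():
            self.db[mac] = port
            self.switch.flow_table[(mac, port)] = "forward"

    def packet_in(self, mac, in_port):
        # unregistered MAC, or a permitted MAC on another port (moved AP or fake MAC): drop once
        reason = "unregistered_mac" if mac not in self.db else "port_mismatch"
        self.discard_history.append((mac, in_port, reason))
        return "drop"

    def resolve_port_mismatch(self, mac, in_port, ap_moved):
        # Assumption: the operator decides whether the AP legitimately moved port
        if ap_moved:
            self.switch.flow_table.pop((mac, self.db[mac]), None)
            self.db[mac] = in_port
            self.switch.flow_table[(mac, in_port)] = "forward"
        else:
            self.switch.flow_table[(mac, in_port)] = "drop"  # later requests drop at the switch

def demo():
    sw = Switch()
    ctl = OpenFlowController(sw)
    ctl.register_permitted_aps({"00:11:22:33:44:01": 1, "00:11:22:33:44:02": 2})  # constructed
    a = sw.arp_request(ctl, "00:11:22:33:44:01", 1)  # permitted AP on its own port
    b = sw.arp_request(ctl, "de:ad:be:ef:00:01", 3)  # AP with an unregistered MAC
    c = sw.arp_request(ctl, "00:11:22:33:44:02", 5)  # permitted MAC arriving on the wrong port
    ctl.resolve_port_mismatch("00:11:22:33:44:02", 5, ap_moved=False)
    d = sw.arp_request(ctl, "00:11:22:33:44:02", 5)  # now dropped by the flow entry alone
    return a, b, c, d, [r[2] for r in ctl.discard_history]
```

Only the first wrong-port request reaches the controller; once the drop entry is installed, the switch discards further requests without reporting them, which matches S270/S280.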
As described above, according to the present invention, illegal access through a wireless LAN AP connected to the network can be efficiently controlled and blocked at an OpenFlow-based switch or router, without using a method that searches channels in the wireless section.
In addition, the present invention facilitates network access control for connections through a wireless LAN access point, and efficient setting and control of access restriction policies based on OpenFlow at the edge switch.
The embodiments of the present invention described above are not implemented only by the apparatus and method, but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, and it belongs to the scope of the rights.
Reference numerals: 100: terminal; 110: AP; 120: switch; 130: router; 140: wireless LAN controller; 150: OpenFlow controller
Claims (1)
A method for controlling access of an unauthorized WLAN AP, comprising:
the WLAN controller transmitting the MAC addresses of APs permitted to access to an OpenFlow controller, and the OpenFlow controller storing the MAC addresses in a database;
the OpenFlow controller adding the MAC addresses to flow entries of the flow table received by the switch, and the connection ports of the MAC addresses being reported to the OpenFlow controller;
when an unauthorized AP attempts to connect and an ARP request message is delivered to the switch, detecting at the switch that the connection is made through a MAC address not present in the flow entries, discarding the packet, and transmitting the discard history to the OpenFlow controller; and
the OpenFlow controller transmitting the discard history to the wireless LAN controller.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120143858A KR20140075475A (en) | 2012-12-11 | 2012-12-11 | Sysyem and method for controling access of unlicensed wlan ap |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20140075475A true KR20140075475A (en) | 2014-06-19 |
Family ID: 51128183
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20140075475A (en) |
Events
- 2012-12-11 KR KR1020120143858A patent/KR20140075475A/en not_active Application Discontinuation
Legal Events
Code | Title |
---|---|
WITN | Withdrawal due to no request for examination |