KR20170075588A - Apparatus, method and system for providing of secure IP communication service - Google Patents
- Publication number
- KR20170075588A (application KR1020150185419A)
- Authority
- KR
- South Korea
- Prior art keywords
- terminal
- secure
- security
- packet
- core
- Prior art date
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
      - H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
      - H04L63/0227—Filtering policies
        - H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
    - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
      - H04L63/101—Access control lists [ACL]
    - H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
  - H04L61/00—Network arrangements, protocols or services for addressing or naming
    - H04L61/09—Mapping addresses
      - H04L61/25—Mapping addresses of the same type
Abstract
To provide a secure IP communication service between a first terminal and a second terminal, the secure IP communication service providing apparatus checks, based on a first security core IP and a second security core IP included in an IP packet transmitted from the first terminal, whether the first terminal and the second terminal are formed into a group, and, if they are formed as a group, transmits the IP packet from the first terminal to the second terminal.
Description
The present invention relates to an apparatus, a method and a communication system for providing a secure IP communication service.
In general, a terminal that wants to use an Internet service receives a public IP address and accesses the public Internet to use the service. Terminals using Internet services come in many types, such as POS terminals, CCTV and IoT terminals. They may be used by individuals, but they can also be bundled into a user group and installed in an enterprise.
In that case, if a malicious third party alters the service provided to the terminal over the public Internet, changes the IP address assigned to the terminal, attacks the IP address (for example by DDoS) or intercepts traffic to the IP address, then a store-based franchise operating POS terminals, a company that needs a secure connection between its head office and its branch offices, or a company or institution operating CCTV cannot provide its service securely.
To address this, the service is currently provided by encrypting the traffic or by installing separate VPN equipment, but the VPN header and the traffic encryption mean that communication speed is not guaranteed, and installing separate, expensive equipment incurs cost. An Internet communication environment is therefore needed that keeps a user group from being exposed to the outside without a separate VPN device, and a technique is needed for grouping users so that they can use communication services without traffic encryption.
Accordingly, the present invention provides an apparatus, a method and a communication system for providing an IP communication service through a closed communication connection between designated groups over the public Internet, that is, a secure IP communication service.
According to one aspect of the present invention, a method for providing a secure IP communication service between a first terminal and a second terminal, performed by a secure IP communication service providing apparatus, includes: checking, based on a first security core IP and a second security core IP included in an IP packet transmitted from the first terminal, whether the first terminal and the second terminal are formed into one group; and transmitting the IP packet transmitted from the first terminal to the second terminal if the first terminal and the second terminal are formed as a group.
Before the step of checking whether the one group is formed, the method may include: the first terminal generating a first IP packet and starting communication using the second security core IP assigned to the second terminal; an L3 router interworking with the service providing apparatus checking whether the first secure access IP of the first terminal and the second security core IP are IPs permitted for secure IP communication; transferring the first IP packet to the secure IP communication service providing apparatus if both the first secure access IP and the second security core IP are permitted IPs; and blocking the first IP packet if at least one of them is not a permitted IP.
After the first IP packet is delivered to the secure IP communication service providing apparatus, the method may include: the apparatus performing NAT (Network Address Translation) on the first secure access IP included in the received first IP packet to convert it into the first security core IP; and generating a second IP packet including the generated first security core IP and the second security core IP.
The step of checking whether the one group is formed may include: checking whether the first security core IP for the first terminal and the second security core IP for the second terminal are included in one group; and blocking the second IP packet if the first terminal and the second terminal are not included in one group.
The step of checking may further include: if the first terminal and the second terminal are included in one group, performing NAT on the second security core IP of the second terminal to convert it into the destination IP for the second terminal; and generating a third IP packet including the first security core IP, the destination IP, and the packet.
According to another aspect of the present invention, a method for providing a secure IP communication service to a terminal, performed by a secure IP communication service providing apparatus, includes: receiving an IP packet from a terminal that intends to use a communication service through a second server located in the public Internet; checking, based on the IP address of the second server included in the IP packet, whether the IP address of a first web server stored in advance in correspondence with the IP address of the second server exists in a secure DNS connected to the apparatus; and, if the IP address of the first web server exists, the apparatus receiving the information of the communication service provided by the second web server through the first web server and delivering it to the terminal.
The step of delivering to the terminal may include: the apparatus receiving the information on the communication service provided by the second web server and delivering it to the first web server; and the first web server providing the information received through the secure IP communication service providing apparatus to the terminal.
According to another aspect of the present invention, an apparatus for providing a secure IP communication service to a terminal includes: a first NAT that converts the first secure access IP of a source terminal, included in an IP packet generated by the source terminal, into a first security core IP; a security group determination device that looks up the first security core IP converted by the first NAT and the second security core IP of the destination terminal included in the IP packet in group mapping information input from outside and stored in advance, and determines whether the source terminal and the destination terminal are included in the same group; and a second NAT that converts the second security core IP into a second secure access IP.
According to another aspect of the present invention, a secure IP communication system including a secure IP communication service providing apparatus includes: a control unit that groups the security core IPs assigned to a plurality of terminals set as a group and generates group mapping information; a source terminal that generates an IP packet for using the secure IP communication service, using the secure access IP and the security core IP allocated to it by NAT; and a secure IP gateway that verifies that the source terminal and the destination terminal receiving the IP packet generated by the source terminal belong to the same group.
The communication system may further include an L3 router that receives the IP packet generated by the source terminal and verifies, based on the second security core IP of the destination terminal and the first secure access IP of the source terminal included in the received packet, that the IPs assigned to the source and destination terminals are IPs allowed for the secure IP communication service.
The communication system may further include: a secure DNS that, when the IP of a first web server on the public Internet is input, sets it to correspond to the IP of a second web server located in the secure IP network so that an IP packet addressed to the input IP is transmitted to the second web server; and the second web server, which receives information from the first web server and transmits the information provided by the first web server to the source terminal.
According to the present invention, a user group can be easily set up and a connection attempt from a terminal not belonging to a group can be blocked, thereby providing an Internet service safely.
FIG. 1 is an exemplary diagram illustrating an environment for providing a secure IP communication service according to a first embodiment of the present invention.
FIG. 2 is an exemplary diagram of a secure IP gateway according to the first embodiment of the present invention.
FIG. 3 is a flowchart illustrating a method of secure IP communication between grouped terminals according to the first embodiment of the present invention.
FIG. 4 is an exemplary diagram of secure IP communication according to the first embodiment of the present invention.
FIG. 5 is an exemplary diagram illustrating an environment for providing a secure IP communication service according to a second embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.
Throughout the specification, when an element is referred to as "comprising" another element, it may include other elements as well, without excluding them, unless specifically stated otherwise.
In this specification, a terminal includes a mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS), an access terminal (AT), and the like, and may include all or some of the functions of a mobile terminal, a subscriber station, a mobile subscriber station, a user equipment, and the like.
Hereinafter, an apparatus and method for providing a secure IP communication service according to an embodiment of the present invention will be described with reference to the drawings. In the embodiment of the present invention, a service that enables closed communication connection among groups predetermined in the public Internet network is referred to as a 'secure IP communication service', but is not necessarily limited thereto.
FIG. 1 is an exemplary diagram illustrating an environment for providing a secure IP communication service according to a first embodiment of the present invention.
1, it is assumed that the n terminals and the
Here, the
Also, the IP used in the core area, that is, the
When the
The
If at least one of the two IPs included in the IP packet is an IP that is not allowed by the ACL, the
The IP packet having passed through the
The IP packet that has passed through the
The
The
To this end, the
The
An example of the
FIG. 2 is an exemplary diagram of a secure IP gateway according to the first embodiment of the present invention.
As shown in FIG. 2, the
When the
Upon receiving the IP packet including the first security core IP, the second security core IP, and the packet from the
When the security
When the
The
In addition, although the
If a function is installed in an arbitrary component, an arbitrary component may receive group mapping information, a group policy, and the like from the
A method of performing IP communication between terminals grouped in the above-described environment will be described with reference to FIG. Although only the components necessary for secure IP communication are shown in FIG. 3, the present invention is not limited thereto. The source IP assigned to the
FIG. 3 is a flowchart illustrating a method of secure IP communication between grouped terminals according to the first embodiment of the present invention.
3, the
The
Accordingly, if it is confirmed in step S101 that at least one of the first security access IP and the second security core IP is not set by the ACL, the
The
The security
As a result of checking in step S106, if the first security core IP and the second security core IP are set to belong to the same group, the security
The second secure access IP generated in step S108 is included in the IP packet instead of the second security core IP and the packet including the second secure access IP is generated as the third IP packet. The generated third IP packet is transmitted to the
The
In the response procedure, the second secure access IP of the
The security IP communication described above will be described with reference to FIG. 4 by way of example. The IP address referred to in FIG. 4 or the converted IP is not necessarily limited to this example.
FIG. 4 is an exemplary diagram of secure IP communication according to the first embodiment of the present invention.
As shown in FIG. 4, it is assumed that the first secure IP allocated to the first terminal is 169.208.0.1 and the second secure IP allocated to the second terminal is 39.28.0.3. The security IPs included in the ACLs set in the
In the
That is, as shown in FIG. 4, the public IP 2.2.2.2 is set to be converted into the security core IP 39.28.0.2 when NAT is executed; conversely, executing NAT on the security core IP translates it back into the secure access IP.
Also, the
When the
The
The
To this end, the
Meanwhile, it is assumed that the terminal shown in FIG. 4 as the third terminal attempts secure IP communication with the second terminal formed in the group. It is assumed that the third terminal is a terminal not included in the group, the security access IP of the third terminal is 169.208.0.3, and the security core IP changed when the NAT is executed is 39.28.0.3.
At this time, the third terminal can attempt to transmit the IP packet in two forms. As shown in (1), it is assumed that the source IP is set to 169.208.0.3 and the destination IP is set to 2.2.2.2, which is a public IP, to start communication.
Since the created IP packet includes the packets to be transmitted to the destination terminal and 169.208.0.3 and 2.2.2.2, the
On the other hand, as shown in (2), it is assumed that the source IP is set to 169.208.0.3 and the destination IP is set to 39.28.0.2, which is the security core IP. Then, the
However, in the process of confirming the group mapping information, the
In this manner, when a terminal not belonging to the group attempts IP communication or attempts communication with an IP not allowed in the ACL, it is blocked in the
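The packet path of the first embodiment (L3 router ACL check, first NAT from secure access IP to security core IP, group check against the group mapping information, second NAT back to the secure access IP, and blocking at whichever stage fails) can be traced with the FIG. 4 addresses. The following simulation is an added example written for this page; it is not code from the patent or its applicant. The mappings 2.2.2.2 to 39.28.0.2 and 169.208.0.3 to 39.28.0.3 are taken from the description of FIG. 4; the first terminal's security core IP (39.28.0.1), the group name, the ACL contents, and the choice to list the third terminal's addresses in the ACL (so that its case (2) packet is stopped at the group check rather than at the router) are assumptions.

```python
"""Simulation of the secure IP communication path for FIG. 4 (added example).

Stages: L3 router ACL -> first NAT -> group check -> second NAT -> forward.
Addresses 2.2.2.2 <-> 39.28.0.2 and 169.208.0.3 -> 39.28.0.3 follow the text;
39.28.0.1 for the first terminal, the group name and the ACL contents are assumed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class Decision:
    stage: str                        # "l3_router", "nat1", "group_check", "nat2" or "forward"
    action: str                       # "block" or "forward"
    packet: Optional[IPPacket] = None  # the third IP packet, present only when forwarded


# First NAT: secure access IP -> security core IP.
NAT_ACCESS_TO_CORE = {
    "169.208.0.1": "39.28.0.1",   # first terminal (core IP assumed)
    "2.2.2.2": "39.28.0.2",       # second terminal (from FIG. 4)
    "169.208.0.3": "39.28.0.3",   # third terminal, not in the group (from FIG. 4)
}
# Second NAT is the reverse mapping.
NAT_CORE_TO_ACCESS = {core: access for access, core in NAT_ACCESS_TO_CORE.items()}

# L3 router ACL (step S101): the source is checked by its secure access IP,
# the destination by its security core IP.  Assumption: the third terminal's
# addresses are listed, so only the group check stops its case (2) packet.
ACL_SOURCE_ACCESS_IPS = {"169.208.0.1", "2.2.2.2", "169.208.0.3"}
ACL_DESTINATION_CORE_IPS = {"39.28.0.1", "39.28.0.2", "39.28.0.3"}

# Group mapping information held by the gateway: security core IP -> group.
# 39.28.0.3 is deliberately absent: the third terminal belongs to no group.
GROUP_MAPPING = {
    "39.28.0.1": "group-1",
    "39.28.0.2": "group-1",
}


def l3_router_check(pkt: IPPacket) -> bool:
    """True only if both the source access IP and the destination core IP are in the ACL."""
    return pkt.src in ACL_SOURCE_ACCESS_IPS and pkt.dst in ACL_DESTINATION_CORE_IPS


def secure_ip_gateway(pkt: IPPacket) -> Decision:
    """First NAT, group determination (step S106), second NAT (step S108)."""
    src_core = NAT_ACCESS_TO_CORE.get(pkt.src)
    if src_core is None:
        return Decision("nat1", "block")
    # Second IP packet: (first security core IP, second security core IP, payload)
    second_packet = replace(pkt, src=src_core)

    src_group = GROUP_MAPPING.get(second_packet.src)
    dst_group = GROUP_MAPPING.get(second_packet.dst)
    if src_group is None or src_group != dst_group:
        return Decision("group_check", "block")

    dst_access = NAT_CORE_TO_ACCESS.get(second_packet.dst)
    if dst_access is None:
        return Decision("nat2", "block")
    # Third IP packet: (first security core IP, second secure access IP, payload)
    third_packet = replace(second_packet, dst=dst_access)
    return Decision("forward", "forward", third_packet)


def process(pkt: IPPacket) -> Decision:
    """Full path of one packet: L3 router first, then the secure IP gateway."""
    if not l3_router_check(pkt):
        return Decision("l3_router", "block")
    return secure_ip_gateway(pkt)


if __name__ == "__main__":
    cases = {
        "first -> second (same group)":       IPPacket("169.208.0.1", "39.28.0.2", b"order"),
        "second replies to first":            IPPacket("2.2.2.2", "39.28.0.1", b"ack"),
        "third, case (1): dst = public IP":   IPPacket("169.208.0.3", "2.2.2.2", b"x"),
        "third, case (2): dst = core IP":     IPPacket("169.208.0.3", "39.28.0.2", b"x"),
    }
    for name, pkt in cases.items():
        d = process(pkt)
        delivered = f" as {d.packet.src} -> {d.packet.dst}" if d.packet else ""
        print(f"{name:36s} -> {d.action} at {d.stage}{delivered}")
```

The reply direction needs no extra rule: the second terminal's packet to 39.28.0.1 passes the same ACL, NAT and group checks and is delivered to 169.208.0.1 with the second terminal's core IP as its source. Note that, as the background section states, the scheme isolates groups by address control alone and forwards the payload without encryption, so it does not protect the content against an observer that is already on the path inside the network.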
In addition, there may be a case where a user of the third terminal wants to transmit a packet to a user of a first terminal formed as a group or to a
In this case, in addition to the security core IP information and the group identification information, unique identification information allocated to the terminal may be managed in the group mapping information stored in the
The
The above description covers the method of providing a secure IP communication service between terminals belonging to a group. Next, a method of providing a secure IP communication service according to another embodiment, which achieves the same effect as providing a service in a closed network by using the secure IP communication service providing apparatus, will be described with reference to FIGS. 5 and 6.
FIG. 5 is an exemplary diagram illustrating an environment for providing a secure IP communication service according to a second embodiment of the present invention.
As shown in FIG. 5, the environment for providing a secure IP communication service according to the second embodiment of the present invention is similar to the environment described in FIG. 5, the secure DNS 130, the in-
The secure DNS 130 stores the connection address and the IP address of the in-
When the in-
In addition, the functions of the security DNS 130, the in-
In this way, even when the terminal 10 in this communication environment attempts to use a service provided by an external party, the packet for the connection attempt is not sent outside; the service is made available through the in-house web server instead. It is also possible to provide a closed communication service, such as preventing in-house terminals from connecting to external sites at predetermined times (for example, designated working hours).
Hereinafter, a method of providing a secure IP communication service in an environment providing closed communication service will be described as an example.
It is assumed that a user in an enterprise intends to use the communication service provided by the external company server 90 by using the
When an intra-company terminal that tries to access for IP communication transmits an IP packet with a destination IP address of 202.175.1.1, the security DNS 130 transmits the IP packet to the enterprise server 90 providing the communication service at the corresponding address, And the IP address 39.28.0.5 of the in-
That is, when the IP address with the destination of 202.175.1.1 is transmitted from the terminal 10, the
The
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, and that modifications within the scope of the claimed rights belong to the scope of the invention.
Claims (14)
A method comprising the steps of:
checking, by the secure IP communication service providing apparatus, based on a first security core IP and a second security core IP included in the IP packet transmitted from the first terminal, whether the first terminal and the second terminal are formed into one group; and
transmitting the IP packet transmitted from the first terminal to the second terminal if the first terminal and the second terminal are formed as a group.

The method further comprising, before the step of checking whether the one group is formed:
the first terminal generating a first IP packet and starting communication using a second security core IP assigned to the second terminal;
an L3 router interworking with the secure IP communication service providing apparatus checking whether the first secure access IP of the first terminal and the second security core IP are IPs permitted for secure IP communication;
transferring the first IP packet to the secure IP communication service providing apparatus if the first secure access IP and the second security core IP are both permitted IPs; and
blocking the first IP packet if at least one of the first secure access IP and the second security core IP is not a permitted IP.

Wherein the L3 router verifies that the first secure access IP and the second security core IP are permitted IPs by using a preset access control list (ACL) for secure IP communication.

The method further comprising, after the step of transferring to the secure IP communication service providing apparatus:
the secure IP communication service providing apparatus performing NAT (Network Address Translation) on the first secure access IP included in the received first IP packet and converting it into a first security core IP; and
generating a second IP packet including the generated first security core IP and the second security core IP.

The method of claim 1, further comprising:
checking whether the first security core IP for the first terminal and the second security core IP for the second terminal are included in one group; and
blocking the second IP packet if the first terminal and the second terminal are not included in one group.

The method of claim 1, further comprising:
performing NAT on the second security core IP of the second terminal and converting it into a destination IP for the second terminal if the first terminal and the second terminal are included in one group; and
generating a third IP packet including the first security core IP, the destination IP, and the packet.

A method comprising the steps of:
the secure IP communication service providing apparatus receiving an IP packet from a terminal that intends to use a communication service through a second server located in the public Internet;
checking, based on the IP address of the second server included in the IP packet, whether the IP address of a first web server stored in advance in correspondence with the IP address of the second server exists in a secure DNS connected to the secure IP communication service providing apparatus; and
if the IP address of the first web server exists, the secure IP communication service providing apparatus receiving the information of the communication service provided by the second web server through the first web server and delivering it to the terminal.

The method of claim 1, wherein the step of delivering to the terminal comprises:
receiving the information on the communication service provided by the second web server and delivering the received information to the first web server; and
the first web server providing the information received through the secure IP communication service providing apparatus to the terminal.

A secure IP communication service providing apparatus comprising:
a first NAT that converts the first secure access IP of a source terminal, included in the IP packet generated by the source terminal, into a first security core IP;
a security group determination device that looks up the first security core IP converted by the first NAT and the second security core IP of the destination terminal included in the IP packet in group mapping information input from outside and stored in advance, and determines whether the source terminal and the destination terminal are included in the same group; and
a second NAT that converts the second security core IP into a second secure access IP.

Wherein the security group determination device delivers the IP packet to the second NAT if it is determined that the source terminal and the destination terminal belong to the same group, and blocks the IP packet if it is confirmed that the source terminal and the destination terminal do not belong to the same group.

A secure IP communication system comprising:
a source terminal that generates an IP packet for use of the secure IP communication service using the secure access IP and the security core IP allocated to it by NAT; and
a secure IP gateway that verifies that the source terminal and the destination terminal receiving the IP packet generated by the source terminal belong to the same group.

Wherein the secure IP gateway comprises:
a first NAT that converts the first secure access IP of the source terminal, included in the IP packet generated by the source terminal, into a first security core IP;
a security group determination device that looks up the first security core IP converted by the first NAT and the second security core IP of the destination terminal included in the IP packet in group mapping information input from outside and stored in advance, and determines whether the source terminal and the destination terminal are included in the same group; and
a second NAT that converts the second security core IP into a second secure access IP.

The secure IP communication system further comprising an L3 router that verifies, based on the second security core IP of the destination terminal and the first secure access IP of the source terminal included in the received IP packet, that the IPs allocated to the source terminal and the destination terminal are IPs allowed for the secure IP communication service.

The secure IP communication system further comprising:
a secure DNS that, when the IP of a first web server on the public Internet is input, sets it to correspond to the IP of a second web server located in the secure IP network so that an IP packet addressed to the input IP is transmitted to the second web server; and
the second web server, which receives information from the first web server and transmits the information provided by the first web server to the source terminal.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150185419A KR101821794B1 (en) | 2015-12-23 | 2015-12-23 | Apparatus, method and system for providing of secure IP communication service |
PCT/KR2016/014850 WO2017111404A1 (en) | 2015-12-23 | 2016-12-19 | Device, method, and communication system for providing security ip communication service |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170075588A true KR20170075588A (en) | 2017-07-03 |
KR101821794B1 KR101821794B1 (en) | 2018-03-08 |
Family
ID=59358017
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101821794B1 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070081530A1 (en) * | 2003-09-11 | 2007-04-12 | Yuji Nomura | Packet relay apparatus |
WO2009062504A1 (en) * | 2007-11-13 | 2009-05-22 | Tnm Farmguard Aps | Secure communication between a client and devices on different private local networks using the same subnet addresses |
JP5239341B2 (en) * | 2008-01-08 | 2013-07-17 | 日本電気株式会社 | Gateway, relay method and program |
- 2015-12-23: KR application KR1020150185419A, patent KR101821794B1, status active (IP Right Grant)
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018230781A1 (en) * | 2017-06-15 | 2018-12-20 | 경상대학교산학협력단 | Method for killing freshwater microalgae by using contact sterilizing power of triiodide resin |
WO2020009369A1 (en) * | 2018-07-03 | 2020-01-09 | 주식회사 케이티 | Device and method for providing security to end-to-end communication |
KR20200004191A (en) * | 2018-07-03 | 2020-01-13 | 주식회사 케이티 | Apparatus and method for providing security to an end-to-end communication |
Legal Events
Code | Title |
---|---|
A201 | Request for examination |
E902 | Notification of reason for refusal |
E701 | Decision to grant or registration of patent right |
GRNT | Written decision to grant |