KR20170075588A - Apparatus, method and system for providing of secure IP communication service - Google Patents


Info

Publication number: KR20170075588A
Authority: KR (South Korea)
Prior art keywords: terminal, secure, security, packet, core
Application number: KR1020150185419A
Other languages: Korean (ko)
Other versions: KR101821794B1 (en)
Inventors: 서경덕, 김태균, 이정일, 장덕문
Original assignee: 주식회사 케이티
Application filed by 주식회사 케이티
Priority to KR1020150185419A
Priority to PCT/KR2016/014850
Publication of KR20170075588A
Application granted
Publication of KR101821794B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

In order to provide a secure IP communication service between a first terminal and a second terminal, the secure IP communication service providing apparatus checks, based on the first secure core IP and the second secure core IP included in the IP packet transmitted from the first terminal, whether the first terminal and the second terminal are formed into a group, and if the first terminal and the second terminal are formed as a group, transmits the IP packet transmitted from the first terminal to the second terminal.


Description

[0001] Apparatus, method and system for providing secure IP communication service

The present invention relates to an apparatus, a method and a communication system for providing a secure IP communication service.

In general, terminals that wish to use an Internet service receive a public IP address and access the public Internet network to use the service. There are various types of terminals using the Internet service, such as POS terminals, CCTV cameras and IoT terminals. These terminals can be used by individuals, but they can also be bundled into a user group and installed in an enterprise.

At this time, if a malicious third party alters the service provided to the terminal through the public Internet network, changes the IP address provided to the terminal, attacks the IP address (for example with DDoS), or intercepts the IP address, there is a problem that a store-type franchise operating POS terminals, a company requiring secure connections between its head office and its branch offices, or a CCTV operating company or institution cannot be provided with a secure service.

To address this, the service is currently provided by encrypting the traffic or installing a separate VPN device, but the communication speed is not guaranteed because of the VPN header or the traffic encryption, and installing separate, expensive equipment incurs cost. Accordingly, there is a need to provide a secure Internet communication environment that does not expose a user group to the outside without a separate VPN device, and to develop a technology for grouping user groups and using communication services without traffic encryption.

Accordingly, the present invention provides an apparatus, a method and a communication system for providing a secure IP communication service that enables closed communication connections between designated groups in a public Internet network.

According to another aspect of the present invention, there is provided a method for providing a secure IP communication service between a first terminal and a second terminal,

The method comprises: the secure IP communication service providing apparatus checking, based on a first security core IP and a second security core IP included in the IP packet transmitted from the first terminal, whether the first terminal and the second terminal are formed into one group; and transmitting the IP packet transmitted from the first terminal to the second terminal if the first terminal and the second terminal are formed as one group.

The method may further comprise, before the checking: the first terminal generating a first IP packet and starting communication using the second security core IP assigned to the second terminal; an L3 router interworking with the secure IP communication service providing apparatus confirming whether the first security access IP of the first terminal and the second security core IP are IPs permitted for secure IP communication; transferring the first IP packet to the secure IP communication service providing apparatus if the first secure access IP and the second secure core IP are both authorized IPs; and blocking the first IP packet if at least one of the first security access IP or the second security core IP is not an authorized IP.

After the first IP packet is transferred to the secure IP communication service providing apparatus, the method may further comprise: the secure IP communication service providing apparatus executing NAT (Network Address Translation) on the first secure access IP included in the received first IP packet to convert it into the first secure core IP; and generating a second IP packet including the generated first security core IP, the second security core IP, and the packet.

The checking whether the first terminal and the second terminal are formed into one group may comprise: checking whether the first security core IP for the first terminal and the second security core IP for the second terminal are included in one group; and blocking the second IP packet if the first terminal and the second terminal are not included in one group.

The step of verifying whether the first terminal and the second terminal are formed into the one group may comprise: executing NAT on the second security core IP of the second terminal to convert it into a destination IP; and generating a third IP packet including the first secure core IP, the destination IP, and the packet.

According to another aspect of the present invention, there is provided a method for providing a secure IP communication service to a terminal,

The method comprises: the secure IP communication service providing apparatus receiving an IP packet from a terminal that intends to use a communication service through a second server located in a public Internet network; checking, based on the IP address of the second server included in the IP packet, whether an IP address of a first web server previously stored in correspondence with the IP address of the second server exists in a secure DNS connected to the secure IP communication service providing apparatus; and, if the IP address of the first web server exists, the secure IP communication service providing apparatus receiving the information of the communication service provided by the second web server through the first web server and transmitting the information to the terminal.

The step of delivering to the terminal may comprise: receiving the information on the communication service provided by the second web server and delivering the information to the first web server; and the first web server providing the information, received through the secure IP communication service providing apparatus, to the terminal.

According to another aspect of the present invention, there is provided an apparatus for providing a secure IP communication service for providing a secure IP communication service to a terminal,

The apparatus comprises: a first NAT for converting the first secure access IP of the source terminal, included in the IP packet generated by the source terminal, into a first secure core IP; a security group determination device for confirming the first security core IP converted by the first NAT and the second security core IP of the destination terminal included in the IP packet against group mapping information input from outside and stored in advance, and determining whether the two terminals are included in the same group; and a second NAT for converting the second security core IP into a second secure access IP.

According to another aspect of the present invention, there is provided a secure IP communication system including a secure IP communication service providing apparatus for providing a secure IP communication service to a terminal,

The system comprises: a control unit configured to group the security core IPs assigned to a plurality of terminals set as a group and to generate group mapping information; a source terminal that generates an IP packet for use of the secure IP communication service with the security access IP and the security core IP allocated to the terminals; and a secure IP gateway that executes NAT on the security access IP and the security core IP and verifies that the source terminal and the destination terminal receiving the IP packet generated by the source terminal belong to the same group.

The communication system may further comprise an L3 router that receives the IP packet generated by the source terminal and verifies, based on the second security core IP of the destination terminal and the first secure access IP of the source terminal included in the received IP packet, that the IPs assigned to the source and destination terminals are IPs allowed to use the secure IP communication service.

The communication system may further comprise: a component that, when an IP of a first web server of the public Internet network is input, matches the input IP to the IP of a second web server located in the secure IP network and transmits the IP packet having the input IP to the second web server; and the second web server, which receives information from the first web server and transmits the information provided by the first web server to the source terminal.

According to the present invention, a user group can be easily set up and a connection attempt from a terminal not belonging to a group can be blocked, thereby providing an Internet service safely.

FIG. 1 is an exemplary diagram illustrating an environment for providing a secure IP communication service according to a first embodiment of the present invention.
FIG. 2 is an exemplary diagram of a secure IP gateway according to the first embodiment of the present invention.
FIG. 3 is a flowchart illustrating a method of secure IP communication between grouped terminals according to the first embodiment of the present invention.
FIG. 4 is an exemplary diagram of secure IP communication according to the first embodiment of the present invention.
FIG. 5 is an exemplary diagram illustrating an environment for providing a secure IP communication service according to a second embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when an element is referred to as "comprising" another element, it means that it can include other elements as well, without excluding them, unless specifically stated otherwise.

In this specification, a terminal includes a mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS), an access terminal (AT), and the like, and may include all or some of the functions of a mobile terminal, a subscriber station, a mobile subscriber station, a user equipment, and the like.

Hereinafter, an apparatus and method for providing a secure IP communication service according to an embodiment of the present invention will be described with reference to the drawings. In the embodiment of the present invention, a service that enables closed communication connection among groups predetermined in the public Internet network is referred to as a 'secure IP communication service', but is not necessarily limited thereto.

FIG. 1 is an exemplary diagram illustrating an environment for providing a secure IP communication service according to a first embodiment of the present invention.

Referring to FIG. 1, it is assumed that n terminals and a second terminal 20 are formed as one group, and that a third terminal is not included in the group. Each of the n terminals included in the group is referred to as a first terminal 10, and it is assumed that an IP packet is transmitted from the first terminal 10 to the second terminal 20.

Here, the first terminal 10 and the third terminal may be personal computers located in a company network provided with the secure IP communication service, and the second terminal 20 may be a server located in the company network. The source IP, which is the IP assigned to the first terminal 10, is a secure IP generated by a DHCP (Dynamic Host Configuration Protocol) server 60 described later, and the destination IP is also assumed to be a secure IP. A generic IP is also assigned to each terminal, and a detailed description of the method by which the DHCP server 60 generates and assigns a secure IP is omitted.

Also, the IP used in the core area, that is, in the grouping device 100, is referred to as a secure core IP. The IP used between the first terminal 10 and the grouping apparatus 100 and between the grouping apparatus 100 and the second terminal 20 is referred to as a secure access IP, but the terms are not limited thereto.

When the first terminal 10 generates an IP packet and starts IP communication with the security core IP as the destination IP, the L3 router 30 connected to the first terminal 10 receives from the first terminal 10 the IP packet, which carries a secure access IP as the source IP and the secure core IP corresponding to the destination IP. It is assumed that the first terminal 10 already knows the security core IP of the second terminal 20, which it can acquire through various methods, so a detailed description is omitted in the embodiments of the present invention.

The L3 router 30 checks whether the security access IP for the first terminal 10 and the security core IP for the second terminal 20 are included in an ACL (Access Control List) stored in advance. Here, the ACL is a list of IPs allowed for the terminal to use the secure IP communication service, and a list of a plurality of security access IPs and security core IPs is stored.

If at least one of the two IPs included in the IP packet is an IP not allowed by the ACL, the L3 router 30 blocks the IP packet that the first terminal 10 transmitted to use the secure IP communication service. The L3 router 30 also functions as a general L3 router in addition to determining whether to block the IP packet; the details are already known, and a detailed description is omitted in the embodiment of the present invention.

The IP packet that has passed through the L3 router 30 is transmitted to the first router 40. The DHCP server 60 is connected to the first router 40. The DHCP server 60 is a device for allocating a secure IP address to the first terminal 10; the function of the DHCP server 60 and the method of allocating the secure IP address are already known and are omitted in the embodiment of the present invention. Since the first router 40 also functions as a general router, a detailed description is omitted in the embodiment of the present invention.

The IP packet that has passed through the first router 40 is transmitted to the secure IP gateway 110 located in the Internet network. The secure IP gateway 110 performs NAT (Network Address Translation), converting the security access IP into the security core IP or the security core IP into the security access IP. The secure IP gateway 110 also checks, based on the group mapping information stored in advance, whether the first terminal 10 having the source IP and the second terminal 20 having the destination IP are included in one group.

The secure IP gateway 110 blocks the IP packet generated from the terminal not set as the group from being delivered to the terminal having the destination IP, and also performs a general gateway function. The structure of this secure IP gateway 110 will be described later.

The secure IP gateway 110 interfaces with a control and management system (CMS) 120 (hereinafter referred to as the "control unit"). The control unit 120 generates group mapping information for the terminals set in a group in advance and provides the group mapping information to the secure IP gateway 110. The group mapping information includes the group identification information and the security core IP information of each of the terminals belonging to the group.

To this end, the control unit 120 receives from outside the security core IP information set for each of the terminals included in the group and generates the group. The group creation method is already known and is not described in detail. In the embodiment of the present invention, the control unit 120 is physically separate from and interworks with the secure IP gateway 110, but the function of the control unit 120 may alternatively be installed as a program in the secure IP gateway 110. In that case, the group mapping information is manually input from outside into the secure IP gateway 110.

The secure IP gateway 110 is connected to the second router 50 and the IP packet transmitted through the second router 50 is transmitted to the second terminal 20 as a destination. The functions of the first router 40 and the second router 50 may be various functions including a general router function, and detailed description thereof will be omitted in the embodiment of the present invention.

An example of the secure IP gateway 110 included in the grouping apparatus 100 in the above environment will be described with reference to FIG.

FIG. 2 is an exemplary diagram of a secure IP gateway according to the first embodiment of the present invention.

As shown in FIG. 2, the secure IP gateway 110 includes a first NAT 111, a security group determination unit 112, and a second NAT 113.

When the first NAT 111 receives the IP packet from the first router 40, it converts the first security access IP, which is the source IP of the first terminal 10 that transmitted the received IP packet, into the first security core IP.

Upon receiving the IP packet including the first security core IP, the second security core IP, and the packet from the first NAT 111, the security group determination device 112 looks up the first security core IP in the group mapping information and determines whether the first terminal 10, which is the source terminal, and the second terminal 20, which is the destination terminal, are grouped into the same group. The group mapping information is received from the control unit 120 and stored in advance in the security group determination unit 112, and includes the security core IP and group identification information for each of the plurality of terminals included in the group.

When the security group determination unit 112 determines that the source terminal is not in the group, it blocks the IP packet from being transmitted to the destination terminal.

When the second NAT 113 receives the IP packet that has passed through the security group determination unit 112, it performs NAT to convert the second security core IP included in the IP packet into the second security access IP. The security core IP and secure access IP produced by the NAT in the first NAT 111 and the second NAT 113 are predetermined for each IP; an example of this mapping is described below.

The first NAT 111, the security group determination unit 112 and the second NAT 113 are included in the secure IP gateway 110 in the embodiment of the present invention. However, the first NAT 111, the security group determination unit 112 and the second NAT 113 need not be included in the secure IP gateway 110 and may instead be included in the grouping apparatus 100 as three physically independent components. In this case, the physically independent security group determination device 112 receives the group mapping information from the control unit 120 and confirms whether the source terminal and the destination terminal are included in the same group.

In addition, although the first NAT 111, the security group determination unit 112, and the second NAT 113 are shown as hardware components in the embodiment of the present invention, they may be implemented in program form as functions. When implemented as a program, the secure IP gateway 110 may perform the NAT function and the security group determination function as in the embodiment of the present invention, or the program may be run on a component other than the secure IP gateway 110 to perform the corresponding function.

If the function is installed in an arbitrary component, that component may receive group mapping information, a group policy, and the like from the control unit 120 in order to perform the security group determination function.

A method of performing IP communication between terminals grouped in the above-described environment will be described with reference to FIG. Although only the components necessary for secure IP communication are shown in FIG. 3, the present invention is not limited thereto. The source IP assigned to the first terminal 10 is referred to as the first secure access IP, and the IP generated by executing NAT on the first secure access IP is referred to as the first secure core IP. The destination IP assigned to the second terminal 20 is referred to as the second security access IP, and the IP generated by executing NAT on the second secure access IP is referred to as the second security core IP.

FIG. 3 is a flowchart illustrating a method of secure IP communication between grouped terminals according to the first embodiment of the present invention.

Referring to FIG. 3, the first terminal 10 generates a first IP packet and transmits it to the L3 router 30 using the second security core IP of the second terminal 20, which is the destination terminal to which the packet is to be transmitted (S100). At this time, the first IP packet includes the packet to be transmitted to the second terminal 20, the first security access IP of the first terminal 10, and the second security core IP of the second terminal 20.

The L3 router 30 determines whether the first security access IP and the second security core IP in the first IP packet received in step S100 are set in the ACL, that is, whether they are IPs permitted for secure IP communication (S101). The ACL stored in the L3 router 30 holds a list of a plurality of IPs previously permitted for secure IP communication; any other IP is controlled so that it cannot use the secure IP communication service.

Accordingly, if it is confirmed in step S101 that at least one of the first security access IP and the second security core IP is not set in the ACL, the L3 router 30 blocks the passage of the first IP packet. However, if both the first security access IP and the second security core IP correspond to IPs set in the ACL, the L3 router 30 forwards the first IP packet to the secure IP gateway 110 (S102).

The first NAT 111 of the secure IP gateway 110 converts the first secure access IP of the first IP packet received in step S102 into the first secure core IP through execution of NAT (S103). The first security core IP converted in step S103 is included in the IP packet, and the generated second IP packet is transmitted to the security group determination device 112 (S104).

The security group determination unit 112 determines whether the first security core IP and the second security core IP included in the second IP packet are included in one group (S106). If the terminal 10 to which the first security core IP is allocated does not belong to any group, or if the first security core IP belongs to the group but the terminal 20 to which the second security core IP is assigned does not belong to the group, the security group determination unit 112 blocks the IP packet transmitted to the second terminal 20.

As a result of the check in step S106, if the first security core IP and the second security core IP are set to belong to the same group, the security group determination device 112 transmits the second IP packet to the second NAT 113 (S107). The second NAT 113 executes NAT on the second security core IP included in the second IP packet to convert it into the second security access IP (S108).

The second secure access IP generated in step S108 is included in the IP packet instead of the second security core IP and the packet including the second secure access IP is generated as the third IP packet. The generated third IP packet is transmitted to the second terminal 20 to which the second security access IP is allocated (S109).

The second terminal 20 receives the third IP packet transmitted in step S109 and confirms the packet transmitted from the first terminal 10 (S110). The response procedure, by which the second terminal 20 informs the first terminal 10 that it has received the packet, executes the procedure described in steps S100 to S109 in reverse.

In the response procedure, the second secure access IP of the second terminal 20 becomes the source IP, and the first secure core IP of the first terminal 10 becomes the destination IP. The second secure access IP, which is the source IP, is converted from the second NAT 113 to the second secure core IP, and the first secure core IP, which is the destination IP, is converted from the first NAT 111 to the first secure access IP. Other procedures are the same as those described above.

The security IP communication described above will be described with reference to FIG. 4 by way of example. The IP address referred to in FIG. 4 or the converted IP is not necessarily limited to this example.

FIG. 4 is an exemplary diagram of secure IP communication according to the first embodiment of the present invention.

As shown in FIG. 4, it is assumed that the first secure IP allocated to the first terminal is 169.208.0.1 and the second secure IP allocated to the second terminal is 39.28.0.3. The security IPs included in the ACL set in the L3 router 30 are the security access IPs from 169.208.0.1 to 169.208.0.254 and the security core IPs from 39.28.0.1 to 39.28.0.254. When any other IP is used as the source IP or the destination IP, the L3 router 30 blocks the IP packet.

In the secure IP gateway 110, the IPs produced by the mutual conversion between secure access IP and security core IP are designated in advance. That is, if the security access IP is 169.208.0.1, NAT maps it to the security core IP 39.28.0.1. A security core IP is not only generated from a secure access IP, but can also be converted from the generic IP used for public IP communication.

That is, as shown in FIG. 4, when the public IP is 2.2.2.2, NAT is set to convert it into the security core IP 39.28.0.2. Conversely, running NAT on the security core IP translates it back to the secure access IP.

The secure IP gateway 110 also stores and manages the group mapping information set by the control unit 120. The group mapping information includes the security core IPs allocated to each of the plurality of terminals forming a group, together with the group identification information. In FIG. 4, the group identification information is assumed to be #01, and it is shown that the two terminals having the security core IPs 39.28.0.1 and 39.28.0.2 form one group.

When the first terminal 10 shown in FIG. 4 attempts to transmit a packet to the second terminal 20, it starts communication by transmitting an IP packet addressed to 39.28.0.2, the security core IP of the second terminal 20. The IP packet includes the packet to be transmitted to the second terminal 20, 169.208.0.1, which is the security access IP of the first terminal 10, and 39.28.0.2, which is the security core IP of the second terminal 20.

The L3 router 30 checks the two IPs 169.208.0.1 and 39.28.0.2 in the IP packet transmitted from the first terminal 10 and confirms that they are set in the ACL. Since both IPs are set in the L3 router 30, the L3 router 30 forwards the IP packet to the secure IP gateway 110.

The first NAT 111 of the secure IP gateway 110 converts 169.208.0.1, which is the security access IP of the first terminal 10 included in the IP packet, to the security core IP 39.28.0.1. Then, it confirms whether the converted 39.28.0.1 and the security core IP 39.28.0.2 of the destination terminal, that is, the second terminal 20, form a group. According to the group mapping information #01, the two terminals form a group, so the IP packet is transmitted to the second terminal 20.

To this end, the second NAT 113 executes NAT to the security core IP 39.28.0.2 of the second terminal 20 included in the IP packet to convert it to the destination IP 2.2.2.2. And the IP packet is delivered to the second terminal 20 having the IP address of 2.2.2.2.

Meanwhile, it is assumed that the terminal shown in FIG. 4 as the third terminal attempts secure IP communication with the second terminal, which belongs to the group. It is assumed that the third terminal is not included in the group, that the security access IP of the third terminal is 169.208.0.3, and that the security core IP obtained when NAT is executed is 39.28.0.3.

At this time, the third terminal can attempt to transmit the IP packet in two forms. As shown in (1), it is first assumed that the source IP is set to 169.208.0.3 and the destination IP is set to 2.2.2.2, which is the public IP, to start communication.

Since the created IP packet includes the packet to be transmitted to the destination terminal together with 169.208.0.3 and 2.2.2.2, the L3 router 30 checks whether the two IPs are IPs allowed for secure IP communication. In this case, although the source IP is an allowed IP, the destination IP 2.2.2.2 is not allowed for secure IP communication according to the ACL, so the L3 router 30 blocks the IP packet generated by the third terminal.

On the other hand, as shown in (2), it is assumed that the source IP is set to 169.208.0.3 and the destination IP is set to 39.28.0.2, which is the security core IP. In this case the L3 router 30 transmits the IP packet generated by the third terminal to the secure IP gateway 110, because the two IPs 169.208.0.3 and 39.28.0.2 are both allowed by the ACL.

However, in the process of checking the group mapping information, the secure IP gateway 110 confirms that the third terminal does not belong to the group. That is, when the source IP of the third terminal is changed to the security core IP 39.28.0.3 through the first NAT 111, the terminal having the IP address 39.28.0.3 does not belong to the group containing the IP address 39.28.0.2. Accordingly, the secure IP gateway 110 blocks the transmitted IP packet.

In this manner, when a terminal not belonging to the group attempts IP communication, or when communication is attempted with an IP not allowed in the ACL, the packet is blocked either in the L3 router 30 or in the secure IP gateway 110.

In addition, there may be a case where the user of the third terminal wants to transmit a packet through secure IP communication from the outside to the user of the first terminal, which is formed as a group, or to the second terminal 20, which is set as a group. At this time, although the source IP of the third terminal is 169.208.0.3, the IP packet may be transmitted after the user changes the IP setting to 169.208.0.1, which is assigned to the first terminal.

In this case, depending on the system design, unique identification information allocated to each terminal may be managed in the group mapping information stored in the secure IP gateway 110, in addition to the security core IP information and the group identification information.

The secure IP gateway 110 may then receive the unique identification information of the third terminal along with the changed security access IP transmitted from the third terminal, compare it with the previously stored information, and block the IP packet. Alternatively, if the secure IP gateway 110 confirms, after performing user authentication through communication with the third terminal 10, that the user is the user of the first terminal 10, the secure IP gateway 110 may transmit the IP packet to the second terminal 20. A detailed description of the example in which a terminal having a changed security access IP is used as the source terminal will be omitted.
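The packet path of FIG. 4 described above (the ACL check in the L3 router, the two NAT steps, the group-mapping check) together with the unique-identification check against a terminal that has changed its security access IP, as an added example that is not code from the patent. The IP addresses are the FIG. 4 values from the text; the device-ID values, the table layout and the function names are assumptions.

```python
"""Model of the secure IP gateway packet path (added example, not the patent's
code). Addresses follow FIG. 4; DEVICE_IDS values are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IPPacket:
    src: str             # security access IP of the source terminal
    dst: str             # security core IP (or public IP) of the destination
    device_id: str = ""  # unique identification info (assumed format)
    payload: bytes = b""


# ACL preset in the L3 router: IPs allowed for secure IP communication.
ACL = {"169.208.0.1", "169.208.0.2", "169.208.0.3",
       "39.28.0.1", "39.28.0.2", "39.28.0.3"}
# First NAT: security access IP -> security core IP.
NAT1 = {"169.208.0.1": "39.28.0.1", "169.208.0.2": "39.28.0.2",
        "169.208.0.3": "39.28.0.3"}
# Second NAT: security core IP -> destination (public) IP; FIG. 4 gives 2.2.2.2.
NAT2 = {"39.28.0.2": "2.2.2.2"}
# Group mapping information set by the control unit: group #01 = terminals 1, 2.
GROUPS = {"#01": {"39.28.0.1", "39.28.0.2"}}
# Unique identification info per security core IP (constructed sample values).
DEVICE_IDS = {"39.28.0.1": "dev-A", "39.28.0.2": "dev-B"}


def l3_router(pkt: IPPacket) -> bool:
    """Forward to the gateway only if both IPs in the packet are in the ACL."""
    return pkt.src in ACL and pkt.dst in ACL


def secure_ip_gateway(pkt: IPPacket) -> tuple[str, str]:
    """Run NAT1, the unique-ID check, the group check and NAT2.
    Returns ("forward", destination IP) or ("block", reason)."""
    core_src = NAT1.get(pkt.src)
    if core_src is None:
        return ("block", f"no security core IP mapped for {pkt.src}")
    # A terminal that set its access IP to another terminal's value is caught
    # when the unique ID it presents does not match the stored one.
    expected_id = DEVICE_IDS.get(core_src)
    if expected_id and pkt.device_id != expected_id:
        return ("block", f"unique ID mismatch for {core_src}")
    in_one_group = any(core_src in m and pkt.dst in m for m in GROUPS.values())
    if not in_one_group:
        return ("block", f"{core_src} and {pkt.dst} do not form a group")
    dest_ip = NAT2.get(pkt.dst)
    if dest_ip is None:
        return ("block", f"no destination IP mapped for {pkt.dst}")
    return ("forward", dest_ip)


def deliver(pkt: IPPacket) -> tuple[str, str]:
    """Whole path: ("block@L3", reason), ("block@gateway", reason)
    or ("forward", destination IP)."""
    if not l3_router(pkt):
        return ("block@L3", "source or destination IP not allowed by ACL")
    verdict, detail = secure_ip_gateway(pkt)
    return (verdict if verdict == "forward" else "block@gateway", detail)


if __name__ == "__main__":
    # Constructed packets for the four cases discussed in the text.
    cases = [
        IPPacket("169.208.0.1", "39.28.0.2", "dev-A"),  # terminal 1 -> 2: forwarded
        IPPacket("169.208.0.3", "2.2.2.2", "dev-C"),    # case (1): blocked at L3
        IPPacket("169.208.0.3", "39.28.0.2", "dev-C"),  # case (2): blocked at gateway
        IPPacket("169.208.0.1", "39.28.0.2", "dev-C"),  # changed access IP: blocked
    ]
    for pkt in cases:
        print(pkt.src, "->", pkt.dst, deliver(pkt))
```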

In the above description, a method of providing a secure IP communication service between terminals belonging to a group has been described. Next, a method of providing a secure IP communication service according to yet another embodiment, which uses the secure IP communication service providing apparatus to achieve the same effect as providing a service in a closed network, will be described with reference to FIGS. 5 and 6.

FIG. 5 is an exemplary diagram illustrating an environment for providing a secure IP communication service according to a second embodiment of the present invention.

As shown in FIG. 5, the environment for providing a secure IP communication service according to the second embodiment of the present invention is similar to the environment described above. In FIG. 5, the secure DNS 130, the in-house web server 140, the enterprise router 70, the proxy server 80, and the enterprise server 90 are further interlocked with the secure IP gateway 110.

The secure DNS 130 stores the connection address and the IP address of the in-house web server 140, so that the address the terminal 10 accesses in order to use a communication service is redirected to the in-house web server 140. When the corresponding address reaches the secure IP gateway 110, the control unit 140 controls the connection to the intra-company web server 140.

When the in-house web server 140 receives the web access address from the secure IP gateway 110, the in-house web server 140 obtains the information from the enterprise server 90, which provides the communication service at the corresponding web access address. At this time, the secure IP gateway 110 receives the information transmitted from the enterprise server 90 through the proxy server 80 and the enterprise router 70, and delivers the information to the intra-company web server 140. The in-house web server 140 provides the received information to the user of the terminal 10 through the secure IP gateway 110.

Since the functions of the secure DNS 130, the in-house web server 140, the enterprise router 70, the proxy server 80, and the enterprise server 90 are the same as those of a general DNS, web server, router, and proxy server, their detailed description is omitted in the embodiment of the present invention. The process of transmitting the IP packet from the terminal 10 to the secure IP gateway 110 is performed in the same manner as the procedure described in the first embodiment of the present invention. At this time, the second terminal 10 may be the intra-company web server 140 of FIG.

In this way, even if a terminal 10 located in this communication environment attempts to use a service provided by an outside party, the packet for that connection attempt is not sent out to the outside, and the service is instead made available through the in-house web server. In addition, a closed communication service can be provided, for example by preventing in-house terminals from connecting to external sites at a predetermined time (such as designated working hours).

Hereinafter, a method of providing a secure IP communication service in an environment providing closed communication service will be described as an example.

It is assumed that a user in an enterprise intends to use the communication service provided by the external enterprise server 90 by using the terminal 10. It is further assumed that the user inputs the Internet address www.abc.com to acquire the information provided by the enterprise server 90, which is a web server, and that the IP address for www.abc.com is 202.175.1.1.

When an intra-company terminal attempting IP communication transmits an IP packet whose destination IP address is 202.175.1.1, the secure DNS 130 holds the IP address 39.28.0.5 of the in-house web server 140 stored together with 202.175.1.1, so that the terminal is connected to the in-house web server 140 rather than to the enterprise server 90 that provides the communication service at that address.

That is, when an IP packet with the destination 202.175.1.1 is transmitted from the terminal 10, the secure IP gateway 110 checks whether an address set by the secure DNS 130 exists for it. If a set address exists, the secure IP gateway 110 delivers the IP packet to the intra-company web server 140 instead of to the enterprise server 90 at the destination 202.175.1.1.

The intra-company web server 140 confirms the destination address from the IP packet transmitted from the secure IP gateway 110, receives the information from the enterprise server 90 at that destination address, and provides it. Thus, even when the terminal 10 in the environment providing the secure IP communication service generates an IP packet to use a communication service provided by a server on the general network, the information can be checked through the in-house web server.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, and that such variations also belong to the scope of the rights.

Claims (14)

1. A method for providing a secure IP communication service between a first terminal and a second terminal, the method comprising:
the secure IP communication service providing apparatus checking a first security core IP and a second security core IP included in an IP packet transmitted from the first terminal and determining whether the first terminal and the second terminal are formed into one group; and
transmitting the IP packet transmitted from the first terminal to the second terminal if the first terminal and the second terminal are formed as one group.
2. The method according to claim 1, further comprising, before the step of confirming whether the one group is formed:
the first terminal generating a first IP packet and starting communication using the second security core IP assigned to the second terminal;
an L3 router interworking with the communication service providing apparatus confirming whether a first security access IP for the first terminal and the second security core IP are IPs permitted for secure IP communication;
transferring the first IP packet to the secure IP communication service providing apparatus if the first security access IP and the second security core IP are both authorized IPs; and
blocking the first IP packet if at least one of the first security access IP or the second security core IP is not an authorized IP.
3. The method of claim 2, wherein the L3 router verifies that the first security access IP and the second security core IP are authorized IPs by using a preset access control list (ACL) for secure IP communication.
4. The method of claim 2, further comprising, after the step of delivering to the secure IP communication service providing apparatus:
the secure IP communication service providing apparatus performing NAT (Network Address Translation) on the first security access IP included in the received first IP packet and converting it into a first security core IP; and
generating a second IP packet including the generated first security core IP and the second security core IP.
5. The method of claim 4,
the method of claim 1, further comprising:
confirming whether the first security core IP for the first terminal and the second security core IP for the second terminal are included in one group; and
blocking the second IP packet if the first terminal and the second terminal are not included in one group.
6. The method of claim 5,
the method of claim 1, further comprising:
performing NAT on the second security core IP of the second terminal and converting the second security core IP into a destination IP for the second terminal if the first terminal and the second terminal are included in one group; and
generating a third IP packet including the first security core IP, the destination IP, and the packet.
7. A method for providing a secure IP communication service to a terminal in a secure IP communication service providing apparatus, the method comprising:
the secure IP communication service providing apparatus receiving an IP packet from a terminal that intends to use a communication service through a second server located in a public Internet network;
checking, based on the IP address of the second server included in the IP packet, whether an IP address of a first web server previously stored in correspondence with the IP address of the second server exists in a secure DNS connected to the secure IP communication service providing apparatus; and
if the IP address of the first web server exists, the secure IP communication service providing apparatus receiving the information of the communication service provided by the second web server through the first web server and transmitting the information to the terminal.
8. The method of claim 7,
the method of claim 1, further comprising:
receiving the information on the communication service provided by the second web server and transmitting the received information to the first web server; and
the first web server providing the information received through the secure IP communication service providing apparatus to the terminal.
9. A secure IP communication service providing apparatus for providing a secure IP communication service to a terminal, the apparatus comprising:
a first NAT that converts a first security access IP of a source terminal, included in an IP packet generated by the source terminal, into a first security core IP;
a security group determination device that checks the first security core IP converted by the first NAT and a second security core IP of a destination terminal included in the IP packet against group mapping information input from outside and stored in advance, and determines whether the source terminal and the destination terminal are included in the same group; and
a second NAT that converts the second security core IP into a second security access IP.
10. The apparatus of claim 9, wherein the security group determination device delivers the IP packet to the second NAT if it is determined that the source terminal and the destination terminal belong to the same group, and blocks the IP packet when it is confirmed that the source terminal and the destination terminal do not belong to the same group.
11. A secure IP communication system comprising:
a control unit configured to group the security core IPs assigned to a plurality of terminals set as a group and to generate group mapping information; and
a secure IP gateway that executes NAT between the security access IP and the security core IP allocated to a terminal, receives an IP packet generated by a source terminal for use of the secure IP communication service, and confirms that the source terminal belongs to the group.
12. The system of claim 11, wherein the secure IP gateway comprises:
a first NAT that converts a first security access IP of the source terminal, included in the IP packet generated by the source terminal, into a first security core IP;
a security group determination device that checks the first security core IP converted by the first NAT and a second security core IP of a destination terminal included in the IP packet against group mapping information input from outside and stored in advance, and determines whether the source terminal and the destination terminal are included in the same group; and
a second NAT that converts the second security core IP into a second security access IP.
13. The system of claim 12, further comprising an L3 router that verifies, based on the second security core IP of the destination terminal and the first security access IP of the source terminal included in the received IP packet, that the IPs allocated to the source terminal and the destination terminal are allowed for the secure IP communication service.
14. The system of claim 13, further comprising:
a secure DNS that, when the IP address of a first web server of the public Internet network is input, sets the IP address of a second web server located in the secure IP network to correspond to it, so that the IP packet having the input IP is transmitted to the second web server; and
the second web server, which receives information from the first web server and transmits the information provided by the first web server to the source terminal.

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020150185419A KR101821794B1 (en) 2015-12-23 2015-12-23 Apparatus, method and system for providing of secure IP communication service
PCT/KR2016/014850 WO2017111404A1 (en) 2015-12-23 2016-12-19 Device, method, and communication system for providing security ip communication service

Publications (2)

Publication Number Publication Date
KR20170075588A true KR20170075588A (en) 2017-07-03
KR101821794B1 KR101821794B1 (en) 2018-03-08

Family

ID=59358017

Country Status (1)

Country Link
KR (1) KR101821794B1 (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070081530A1 (en) * 2003-09-11 2007-04-12 Yuji Nomura Packet relay apparatus
WO2009062504A1 (en) * 2007-11-13 2009-05-22 Tnm Farmguard Aps Secure communication between a client and devices on different private local networks using the same subnet addresses
JP5239341B2 (en) * 2008-01-08 2013-07-17 日本電気株式会社 Gateway, relay method and program

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018230781A1 (en) * 2017-06-15 2018-12-20 경상대학교산학협력단 Method for killing freshwater microalgae by using contact sterilizing power of triiodide resin
WO2020009369A1 (en) * 2018-07-03 2020-01-09 주식회사 케이티 Device and method for providing security to end-to-end communication
KR20200004191A (en) * 2018-07-03 2020-01-13 주식회사 케이티 Apparatus and method for providing security to an end-to-end communication

Also Published As

Publication number Publication date
KR101821794B1 (en) 2018-03-08

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant