KR20170120942A - System for exetended physically separating network using diskless solution - Google Patents

Abstract

The present invention relates to an extended physical network separation system using a diskless solution. A network separation system of the present invention comprises: at least one business PC; at least one Internet PC; an Internet VPN device used for establishing a virtual private network for network connection with an Internet network of another branch; and a smart disk server. A business network that the business PC uses and an Internet network that the Internet PC uses are physically separated. The Internet PC is provided with an operating system and a software from the smart disk server which does not include a hard disk drive and is connected by a LAN. In addition, the smart disk server is configured to integrally operate and manage an operating system and a software of an Internet PC of another branch connected through the Internet PC and the Internet VPN device, to store and manage data for each Internet PC, and to control an I/O port of each Internet PC so as to prevent an external data input/output device from being connected to the Internet PC.

Description

TECHNICAL FIELD [0001] The present invention relates to an extended physical network disconnection system using a diskless solution,

The present invention relates to an extended physical network separation system using a diskless solution, and more particularly, to a network separation system in which a business network, which is a security network, and an Internet network, which is an insecure network, are physically separated, And a scalable network separation system using a diskless solution capable of supplying and managing an operating system and software to an Internet PC in an Internet network of another point connected via a network PC and VPN.

The diskless solution is to boot the OS through a general network card without installing a separate hard disk in the PC, and the OS, software and data of all the PCs are stored in the integrated space provided by the central server.

Because the central server provides installation automation, OS installation is possible without accessing individual PCs, and disk data can be centrally managed similar to desktop virtualization, and the performance of each PC can be maintained at the highest level at all times.

The advantage of diskless solution is that the data is stored only on the central server, so it is highly secure. As the function of virtualization, the image of each PC is managed as a file on the central server, so it is easy to backup and recover. In addition, it can be restored very quickly through installation automation even when reinstalling due to OS damage.

On the other hand, network separation is a method of separating an external Internet network from a business network. In general, a physical network separation and a logical network separation method are used.

The physical network separation refers to physically separating the network from the network, and the external network and the internal network are separately constructed. The advantage of this method is that it is physically separated so that the visibility can be confirmed, the separated state can be confirmed directly by the eye, the system is complete, and no special technique is needed, However, since PCs are needed for each network, there is a problem of cost to pay two PCs per person, and there is a drawback in that it is necessary to work while going to each PC.

In addition, in the conventional physical network separation method, security may be threatened by network connection of an external terminal. For example, if one employee is resting at home and has a good idea, write a draft with a PC at home, put it on a USB memory stick, and then connect the USB memory to a business PC connected to the internal network, If there was a malicious code that attacked a USB memory or a word program, it could be infected with malicious code.

To overcome the disadvantages of the physical network separation, the network separation using the virtualization technology, that is, the logical network separation method has been developed. The logical network separation method includes SBC network separation, virtualization network separation on the desktop, and network separation using OS level virtualization.

The SBC (Server-based Computing) is based on virtualization technology, which is being developed two to 30 years ago, and is equipped with a virtual machine such as VMWare at the center and each terminal connects to a central server . The user PC must be connected to the virtual machine server for business processing, and the generated or inquired document can not escape from the central server, thereby preventing the document from being leaked. This method requires only one physical PC and has a special advantage in maintenance by controlling each work environment from a central server.

For example, a case where a hard disk of a PC is physically destroyed can be considered. If you have important data or documents you are working on, if you have a problem with your PC, you will not be able to do business immediately, and in serious cases there is a risk that the entire data will be lost. In addition, it takes a lot of time to repair the PC, reinstall the OS and reinstall the business applications, and the work will become paralyzed during this time. However, in the case of SBC, even if the PC is physically permanently damaged, it is possible to work immediately at the next person's place or on receipt of a new PC. All of the data and work environment is preserved on the server. Another advantage is that the terminal only needs to be connected to the server, so the terminal may not necessarily be a PC. Mobile terminals can handle tasks in the same environment any number of times. The disadvantages are that it is not as visible as physical network separation and it is not a well-proven technology because it is early. Moreover, since it is server-based, there is also a disadvantage that hardware resources of PC such as high-performance CPU and 3D card can not be used. This means that PC hardware resources such as CAD, design, animation, and game development can not be applied in areas where it is important.

Also, the separation of the virtualization network from the desktop is based on virtualization technology like SBC, but the difference is that the virtual machine runs on the PC. By using two NICs (LAN cards), it is possible to allocate them to the host operating system and the virtual machine, respectively, and connect them to separate networks or connect them to the internal network through VPN. Compared with the second SBC method, there is no merit of central data concentration, but it has the advantage of using all the hardware resources of the PC. The disadvantage of this method is that the hardware of the PC must have enough performance to run the virtual machine.

In addition, the network separation method using virtualization at the OS level does not require an OS in addition to the above method. A virtual space is created on the currently used OS, and only applications executed in the virtual space are connected to the Internet, thereby realizing network separation. Unlike the previous method, this method does not require special hardware and does not consume a lot of system resources. Therefore, it can be applied to existing PC, so it is possible to construct network separation with minimum cost. The disadvantage is that it is vulnerable to malicious code attacking programs implemented at the OS level, resulting in relatively low security.

As described above, among the network separation methods generally used, the complete system separation of the network is the physical network separation. However, in the physical network separation as described above, a separate PC is required for each network, and As the number of branch offices increased, additional costs such as the addition of PCs, management points, and management costs at each branch could not be solved.

According to the above-mentioned situation, it is possible to prevent unnecessary expenses such as PC, management point and management cost from being consumed even in the physical network separation and branch addition situation, to stabilize the hardware including the PC, A new network separation method is required. Even if the network is separated, malicious codes of the external network can be introduced to the internal network by various scenarios such as USB.

Hereinafter, the prior art in the technical field will be described, and the present invention will be described by distinguishing it from the prior art.

Korean Patent Registration No. 1432626 relates to a physical separation device for internal and external networks, and more particularly, to a network separation board on which a network separation operating system connected to an internal network or an external network is mounted; A mounting member provided on one side of the network separation board and mounted on a built-in terminal slot in a main body of the PC; A KVM module mounted on the network separation board and supporting the network separation operating system and the main operating system of the main board provided in the main body of the PC to share and use peripherals (keyboard, monitor, mouse, etc.) of the PC; Desc / Clms Page number 2 > physical network separating apparatus, which is incorporated herein by reference.

The prior art document does not require a separate PC for each of the internal and external networks by separating the physical network through a separate device (network separation device) in order to construct a physical network separation system. However, There is a problem in that the network separation construction cost is consumed by the number of PCs.

Korean Patent Laid-Open Publication No. 2015-0019315 relates to a method for controlling physically separated computers on a single monitor screen and a security system thereof. More specifically, a set-top box stores a position of a cursor displayed on the monitor screen The set-top box may include a keyboard signal generated from a mouse signal generated from a mouse connected to the set-top box or a keyboard connected to the set-top box, Transmitting a mouse signal or a keyboard signal to a computer judged to be a computer to which the set-top box will connect, generating a mouse signal or a keyboard signal and generating a video signal, Outputting the set-top box, Controlling the scaling conversion or the color space conversion according to whether the video signals received from the main computer and the non-connected computer are connected computers, and synthesizing the converted video signals and displaying them on the monitor is described .

The above prior art document can solve some of the resource waste which is a disadvantage of the conventional physical network separation technology by controlling a plurality of computers separated by a network using a single monitor, a keyboard and a mouse connected to a set-top box, A keyboard, and a mouse. However, there is still a problem that a separate PC must be provided in accordance with the physical network separation.

SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and it is an object of the present invention to provide a network separation system that physically separates a business network as a security network and an Internet network as an insecure network, To provide and manage the operating system and software in the Internet PC in the Internet network of the other branch connected through the Internet, thereby saving the PC resource and management cost added according to the network separation and the branch office increase.

The extended physical network separation system utilizing the diskless solution according to an embodiment of the present invention includes at least one business PC; At least one Internet PC; An Internet VPN device used for establishing a virtual private network for network connection with an Internet network at another point; And a smart disk server, wherein the business network used by the business PC and the Internet network used by the Internet PC are physically separated, wherein the Internet PC includes a hard disk drive, And the smart disk server collectively provides operating system and software of a PC for Internet at another point connected through the Internet PC and the Internet VPN device And controls the I / O ports of the respective Internet PCs to prevent the external data input / output devices from being connected to the Internet PCs.

In addition, as an embodiment of the extended physical network separation system utilizing the diskless solution, an L4 switch and an internal system server for data transmission on the business network side; And an L4 switch on the side of the Internet network and an external system server for data transmission, and performs data transmission between the business network and the Internet network through the internal system server for data transmission and the external system server for data transmission .

As an embodiment of the extended physical network separation system utilizing the diskless solution, the internal system server for data transmission and the external system server for data transmission are provided with a function of checking for tampering and malicious code during file transmission, The function of blocking the transmission of the up / modulated file through the analysis of the file header of the transmission file, the blocking function of the infected file after checking the malicious code of the transmission file, the encryption communication function between the sender and the receiver at the time of file transmission, And a file integrity check function.

In addition, as an embodiment of the extended physical network separation system utilizing the diskless solution, the communication method between the internal system server for data transmission and the external system server for data transmission uses its own protocol as NON-TCP communication And analyzes the communication request protocol when the file is transmitted, thereby blocking the out-of-policy communication.

In addition, as an embodiment of the extended physical network separation system utilizing the diskless solution, an L4 switch and an internal system server for a strip connection in a business network side; And an L4 switch and an external system server for linking L4 on the Internet network side and performing strip connection between the business network and the Internet network through the internal system server for strip connection and the external system server for strip connection, .

In addition, as one embodiment of the extended physical network separation system utilizing the diskless solution, a unidirectional communication session from the internal system server for strip connection to the external system server for strip connection is configured, Thereby preventing security vulnerabilities and hacking threats.

In addition, as an embodiment of the extended physical network separation system utilizing the diskless solution, the communication method between the internal system server for strip connection and the external system server for strip connection is NON-TCP communication and uses its own protocol And analyzes the communication request protocol when the strip is connected, thereby blocking the out-of-policy communication.

In addition, as an embodiment of the extended physical network separation system utilizing the diskless solution, two internal system servers and two external system servers are provided and a file transmission interval or a strip connection interval is configured in a double manner, Even if a failure occurs in one file transmission interval or a strip connection interval, normal file transmission or strip connection can be performed.

In addition, as an embodiment of the extended physical network separation system utilizing the diskless solution, an L4 switch on the business network side and an L4 switch on the Internet network side connected to the two internal system servers and two external system servers So that file transfer or strip connection can be normally performed even if a failure occurs in the L4 switch failure and the file transmission system section or the strip connection system section.

The network access controller (NAC) may further include a network access controller (NAC) as an embodiment of the extended physical network separation system utilizing the diskless solution. The NAC may monitor terminal information connected to the Internet network through the NAC, So that it can be blocked or released.

As an embodiment of the extended physical network separation system utilizing the discless solution, the NAC may provide a real-time notification function, a blocking function for a specific IP address and a MAC address, A function of allocating an IP to a visitor or a temporary user, an automatic recovery of an IP address not used for a long time, and a function of blocking a network when using the corresponding IP after automatic recovery.

The present invention relates to a scalable physical network separation system using a diskless solution, which separates a business network and an internet network into physical network separation methods and constructs a diskless server for an Internet PC in the Internet network, It is possible to operate and manage the operating system and software of the Internet PC at other points which are connected to the main office and the main office through a VPN.

1 is a view for explaining an extended physical network separation system utilizing a diskless solution according to an embodiment of the present invention.
FIG. 2 is a view for explaining a redundancy configuration of an eternal system server and an external system server according to an embodiment of the present invention.
3 is a view for explaining the L4 switch duplication configuration according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT Hereinafter, a preferred embodiment of an extended physical network separation system using a diskless solution according to the present invention will be described with reference to the accompanying drawings. This will be described in detail.

In the drawings of the present invention, the sizes and dimensions of the structures are enlarged or reduced from the actual size in order to clarify the present invention, and the known structures are omitted so as to reveal the characteristic features, and the present invention is not limited to the drawings .

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail to avoid obscuring the subject matter of the present invention.

In addition, since the embodiments described in the present specification and the configurations shown in the drawings are only the most preferred embodiments of the present invention and do not represent all the technical ideas of the present invention, It is to be understood that equivalents and modifications are possible.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, an extended physical network separation system utilizing a diskless solution according to the present invention will be described in detail with reference to the accompanying drawings.

The present invention relates to a network separation system in which a business network and an Internet network are physically separated, in which not only all Internet PCs in the Internet network using a smart disk server but also operating system and software And a method for supplying and managing the same.

For reference, a diskless solution is a network system consisting of a LAN, an Ethernet card, and a switch hub, which is generally called DISKLESS, HARDLESS, NOHARD, etc., Is uploaded to a virtual IMG file arbitrarily generated by a manager from a central server (a smart disk server in the present invention), and then each PC user uses the PC using the IMG file stored in the server in a LAN booting manner It is possible to operate PC without installing separate HDD in each PC.

In other words, the diskless solution uses the LAN communication method and the LAN boot method to transfer the OS file and the software file from the central server, so that the PC can be operated without the HDD.

1 is a view for explaining an extended physical network separation system utilizing a diskless solution according to an embodiment of the present invention.

As shown in FIG. 1, the extended physical network separation system utilizing the diskless solution is constructed by physically separating the business network and the Internet network and having a smart disk server in the Internet network.

More particularly, the network separation system of the present invention comprises at least one business PC; At least one Internet PC; An Internet VPN device used for establishing a virtual private network for network connection with an Internet network at another point; And a smart disk server, wherein the business network used by the business PC and the Internet network used by the Internet PC are physically separated, wherein the Internet PC includes a hard disk drive, And the smart disk server collectively provides operating system and software of a PC for Internet at another point connected through the Internet PC and the Internet VPN device And controls the I / O port of each Internet PC to prevent the external data input / output device from being connected to the Internet PC.

As described above, the present invention separates the business network and the Internet network into physical network separation methods, establishes a discless server for the Internet PC in the Internet network, and controls the operating system and software of each Internet PC through the discless server It is advantageous to increase the convenience of management such that the recovery solution for each PC for the Internet is unnecessary and the software can be easily managed.

In addition, all Internet PCs are always initialized to the same state at the time of rebooting by the smart disk server, and the PC state of the initial setting state is always retrieved. Therefore, the same SSD class booting, reading and writing speeds can always be implemented, The PC state can be maintained.

In addition, since all the OS and software are stored and managed in the smart disk server, it is possible to solve the HDD failure which occupies 50% of the PC hardware failure because no separate hard disk is required for each PC, It is possible to protect the PC from the power consumption and the hardware stabilization effect.

In addition, since the administrator can manage each PC through the diskless server, it is possible to prevent installation of software not authorized by the administrator, to protect intellectual property rights such as prevention of illegal software use, By operating system virtualization by server and application virtualization, each PC can be protected from malicious code and virus. By controlling I / O port of each PC, it is possible to control not to use keyboard, mouse and unauthorized USB port So that the security of the network and the manganese can be improved.

Since the Internet PC is operated through a smart disk server, a hard disk is not required. Therefore, the Internet PC is composed of a monitor, a keyboard, a mouse, and a computer main body. The computer includes a main board, a CPU, a RAM, It shall be the minimum component.

The present invention may be configured to manage an Internet PC at another point connected through the Internet VPN device. That is, the smart disk server can provide the OS and software to the Internet PC for another point, store and manage the files of the Internet PC for each of the other points, and control the I / O port, It is possible to prevent the external data input / output device from being connected to the PC for the Internet, and to manage and control all the data of each Internet PC.

With this method, even if the number of branch offices continues to increase, it becomes possible to replace the Internet PC for the rest of the Internet at one point and manage the OS and the spotware. Thus, The cost of management can be dramatically saved, and the management convenience can be greatly improved since the PC can be managed from one point to all the points.

In addition, the present invention may include a separate smart disk server in the Internet network of another branch office, which may be operated by applying a separate PC management policy to each branch office. Alternatively, a separate smart disk server may be installed, It is also possible to designate and operate a point managed by a smart disk server.

That is, the smart disk server provides OS and software to a specific Internet point PC connected to the Internet via a VPN, stores and manages files of Internet PCs at other points, controls the I / O port, Output device to the Internet PC of the Internet, and to manage and control all the data of each PC for the Internet, and a separate smart disk server is provided in the internet network at another point Optionally, separate PC management policies may be applied to each branch office.

Meanwhile, the present invention may include a network access controller (NAC) in the Internet network for management and control of various terminals connected to the Internet network.

And monitor or access to the terminal connected to the Internet network through the NAC. More specifically, the NAC includes a terminal tracking and monitoring function connected to the Internet network, a real-time notification function for a user and an administrator when blocking a terminal connection, a blocking function for a specific IP address and a MAC address, A function of assigning an IP to a user, an automatic recovery of an IP address that has not been used for a long time, and a function of blocking a network when using the corresponding IP after automatic recovery.

Accordingly, the present invention can secure visibility of the Internet network, perform role-based access control through authentication, secure the integrity of the terminal according to the security standard established by the administrator, It is possible to block and control the connection of weak terminals.

In addition, since the business network and the Internet network are physically separated from each other in the present invention, it is necessary to secure network connection for data exchange and business service connection necessary for business execution. It is difficult to record logs of manganese exchange data when data is exchanged using a removable memory device such as USB without network connection, and it is difficult to trace an outflow route when a security incident such as data leakage occurs, There may be a problem that the data is leaked to the outside.

In order to solve such problems, the present invention performs secure data transmission and strip connection between the business network and the Internet through a data transmission system and a strip connection system.

FIG. 2 is a view for explaining a redundancy configuration of an eternal system server and an external system server according to an embodiment of the present invention.

As shown in the figure, the data transmission between the business network and the Internet network is performed through the L4 switch on the business network side, the internal system server for data transmission, the L4 switch on the Internet network side, and the external system server for data transmission.

The internal system server for data transmission and the external system server for data transmission are provided with a function of checking for malfunction or malfunction of a file when transmitting a file, a function for blocking transmission of a file for modifying a file by analyzing a file header of the transmission file, It is possible to exchange data safely by including the function of blocking infected file after checking the code, encrypting communication function between the sender and the receiver at the time of file transmission, and checking the file integrity at the time of file transmission.

In addition, the strip connection between the business network and the Internet network is performed through the L4 switch of the business network side, the internal system server for the strip connection, the L4 switch for the Internet network, and the external system server for the strip connection.

At this time, by configuring a unidirectional communication session from the internal system server for strip connection on the side of the business network to the external system server for strip connection on the side of the Internet network, it is possible to prevent the security vulnerability due to opening of the inbound port and the threat of hacking of the business network can do.

By using the NON-TCP communication in-house protocol such as the manganese file transmission and the strip connection, the communication request protocol can be analyzed in the file transmission and the stipple connection to block the out-of-policy communication.

Meanwhile, in constructing the file transfer system and the strip connection system as described above, the present invention overcomes the problem that the manganese file transfer or the strip connection is interrupted when a fault occurs in one file transmission system section or a strip connection system section Therefore, even if a failure occurs in one file transmission system section or a strip connection system section, a file transmission system or a strip connection system can be normally constructed by using two internal system servers and two external system servers, So that the linkage can be performed.

In addition, as shown in FIG. 3, even if an L4 switch failure occurs, an L4 switch on the side of a business network connected to the two internal system servers and two external system servers so that normal file transfer or strip connection can be performed And an L4 switch on the Internet network side.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, I will understand the point. Accordingly, the technical scope of the present invention should be determined by the following claims.

10: Network separation system
100: Business network
110: Business PC
120: Servers in business network
130: eternal system server for file transfer
140: eternal system server for strip connection
150: L4 switch
160: Business VPN device
200: Internet network
210: Internet PC
220: Smart Disk Server
230: External system server for file transfer
240: External system server for strip connection
250: L4 switch
260: Internet VPN device
300: other point

Claims (11)

At least one business PC;
At least one Internet PC;
An Internet VPN device used for establishing a virtual private network for network connection with an Internet network at another point; And
1. A network separation system including a smart disk server, wherein a business network used by the business PC and an Internet network used by the Internet PC are physically separated,
Wherein the Internet PC is provided with operating system and software from the smart disk server connected to the LAN and including the hard disk drive and the smart disk server is connected to the internet PC and the Internet And the external data input / output device is connected to the Internet PC by controlling the I / O port of each Internet PC, Which is a scalable physical network separation system utilizing a diskless solution. The method according to claim 1,
L4 switch for business network side and internal system server for data transmission; And
An L4 switch on the Internet network side and an external system server for data transmission,
Wherein the data transmission is performed between the internal network server for data transmission and the external system server for data transmission, and data transmission is performed between the business network and the Internet network. 3. The method of claim 2,
The internal system server for data transmission and the external system server for data transmission are provided with a function of checking for malfunctioning and tampering in file transmission, a function for blocking transmission of up / An encrypted file communication function between the sender and the receiver at the time of file transmission, and a file integrity check function between the transmission / reception at the time of file transmission, and an expansion type physical network utilizing the diskless solution Separation system. The method of claim 3,
The communication method between the internal system server for data transmission and the external system server for data transmission uses its own protocol as NON-TCP communication, and analyzes the communication request protocol when the file is transmitted, Which is a scalable physical network separation system utilizing a diskless solution. The method according to claim 1,
An internal system server for L4 switch and strip connection on the business network side; And
An L4 switch on the Internet network side and an external system server for strip connection,
And a strip connection between the business network and the Internet network is performed through the internal system server for strip connection and the external system server for strip connection. 6. The method of claim 5,
And a unidirectional communication session is established from the internal system server for strip connection to the external system server for strip connection, thereby preventing a security vulnerability and a threat of hacking due to inbound port opening. Physical network separation system. The method according to claim 6,
Wherein the internal system server for strip connection and the external system server for strip connection are NON-TCP communication, using their own protocol, and analyzing the communication request protocol in strip connection, Scalable physical network separation system using diskless solution. 8. The method according to any one of claims 2 to 7,
Two internal system servers and two external system servers are provided to duplex a file transfer section or a strip link section so that even if a failure occurs in one file transfer section or a strip link section, Wherein said system is a distributed physical network system using a diskless solution. 9. The method of claim 8,
The L4 switch on the side of the business network and the L4 switch on the side of the Internet network connected to the two internal system servers and the two external system servers are respectively provided so that the L4 switch failure and the file transmission system section or the strip connection system section So that a file transfer or a strip connection can be normally performed even if a failure occurs in the physical network. The method according to claim 1,
And an NAC (Network Access Controller) for monitoring terminal information connected to the Internet network through the NAC, and for blocking or canceling terminal connection. Separation system. 11. The method of claim 10,
The NAC includes:
Real-time notification function to users and administrators when blocking access to terminals, blocking function for specific IP address and MAC address, function of assigning IP to visitor or temporary user by setting trial period, automatic retrieval and automatic recovery of IP address not used for a long time And then blocking the network when the corresponding IP is used.

Images