KR20230029376A - Server rack system capable of managing remote entrance - Google Patents

Abstract

According to one embodiment, in a server rack system capable of storing a server, disclosed is the server rack system comprising: a server rack (200) capable of storing a plurality of servers; a locking device (202) operatively coupled to a door of the server rack (200) to open or close the door of the server rack (200); and an access management system (300) that manages locking and unlocking of the locking device (202). Therefore, the present invention enables information such as a phone number for access managing not to be leaked to the outside.

Description

Server rack system capable of managing remote entrance}

The present invention relates to a server rack system capable of remote access management.

A server rack is a structure capable of storing a plurality of servers. A place such as a data center has tens to hundreds of server racks, and several to tens of servers are located in each server rack.

On the other hand, server administrators need to access each individual server and replace an outdated or broken server. If there are many servers to manage, an accident such as replacing a normal server may occur. Furthermore, there is a risk of unauthorized persons accessing the server.

According to one embodiment of the present invention, a server rack system capable of remote access management is provided.

According to another embodiment of the present invention, there is provided a server rack system capable of controlling access remotely with enhanced security.

According to one embodiment, in a server rack system capable of storing a server,

A server rack 200 capable of storing a plurality of servers; A locking device 202 operatively coupled to the door of the server rack 200 to open or close the door of the server rack 200; A server rack system including a; and access management system 300 for managing locking and unlocking of the locking device 202 may be provided.

According to one or more embodiments, it is possible to manage visitors for each server rack, and also for each server stored in the server rack. In addition, information such as a phone number for access control may not be leaked to the outside.

1 and 3 are diagrams for explaining a server rack system according to an embodiment of the present invention.
FIG. 2 is a diagram for explaining an access control system in the embodiment of FIG. 1 .
4 is a diagram for explaining an operation of a wireless security unit in the embodiment of FIG. 1 .
5 to 8 are views for explaining the configuration of a locking device according to an embodiment of the present invention.
9 is a diagram for explaining a wireless care method according to an embodiment of the present invention.
10 is a diagram for explaining a method of estimating a type of a wireless device according to an embodiment of the present invention.

The above objects, other objects, features and advantages of the present invention will be easily understood through the following preferred embodiments in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments described herein and may be embodied in other forms. Embodiments described below are exemplary embodiments provided to sufficiently convey the spirit of the present invention to those skilled in the art.

Definition of Terms

In this specification, the term 'software' refers to technology that moves hardware in a computer, and the term 'hardware' refers to a type of device or device (CPU, memory, input device, output device, peripheral device, etc.) constituting a computer. The term 'step' means a series of processes or operations connected in time series to achieve a predetermined goal, the term 'program' means a set of instructions combined to be processed by a computer, and the term 'recording medium' refers to a program A computer-readable recording medium on which programs used to install, execute, or distribute programs are recorded.

In this specification, when terms such as first and second are used to describe components, these components should not be limited by these terms. These terms are only used to distinguish one component from another. Embodiments described and illustrated herein also include complementary embodiments thereof.

In this specification, singular forms also include plural forms unless specifically stated otherwise in a phrase. The terms 'comprise' and/or 'comprising' used in the specification do not exclude the presence or addition of one or more other elements.

In the present specification, 'component A and/or component B' means 'component A', 'component B' or 'component A and component B'.

In this specification, a 'wireless terminal', 'device', 'system', or 'apparatus' consists of a computer.

In the present specification, 'computer' includes a computer processor, a storage device, an operating system, firmware, application programs, a communication unit, and other resources, where an operating system (OS: OPERATING SYSTEM) is other hardware, firmware, or application programs (eg For example, a management program) can be operatively connected. The communication unit refers to a module composed of software and hardware for transmitting and receiving data with the outside. In addition, computer processors, memory devices, operating systems, application programs, firmware, communication units, peripheral devices, and other resources (including hardware resources and software resources) are operatively connected to each other. On the other hand, descriptions or drawings of the components mentioned above are described or illustrated within the limits for the purpose of explanation of the present invention.

In this specification, the transmission of information, details, and/or data from element 'A' to element 'B' means that element 'A' transmits directly to element 'B' or that element 'A' transmits information directly to element 'A'. is used in the sense of including transmission to component 'B' through at least one other component.

In the present specification, phrases identical or similar to the phrases "lock device operatively coupled with the server rack", "lock device coupled with the server rack", and "lock device of the server rack" refer to "the door and the door of the server rack". It is used to mean "a locking device that is operatively coupled." In addition, in the present specification, phrases identical or similar to the phrases “locking device operatively coupled with the server case”, “locking device coupled with the server case”, “locking device of the server case”, “locking device of the server” , It is used to mean "a locking device operatively coupled to the door of the server case 204".

In this specification, phrases identical or similar to the phrase "component A and component B are operatively connected" mean that the result of the configuration or action of component A affects the configuration or action of component B, or It means that the result of the composition or action of B affects component A.

In the present specification, a 'fake device' refers to a device capable of reading or tampering with data of another wireless device without illegal or legitimate permission.

On the other hand, for easy description of the present invention in the present specification, previously published patent documents are referred to, and all patent documents (registration publications, publications) mentioned in this way are combined as part of the present specification.

1 and 3 are views for explaining a server rack system according to an embodiment of the present invention, FIG. 2 is a view for explaining an access control system in the embodiment of FIG. 1, and FIG. It is a diagram for explaining the operation of the wireless security unit in the embodiment, and FIGS. 5 to 8 are diagrams for explaining the configuration of a locking device according to an embodiment of the present invention. Hereinafter, operations of a server rack system and its components according to an embodiment of the present invention will be described in detail with reference to these drawings simultaneously or partially.

A server rack system according to an embodiment of the present invention is configured so that only those authorized to access the server can access it.

1 to 8, a server rack system according to an embodiment of the present invention may include a server rack 200, locking devices 201, 202, and 205, and an access control system 300. . The locking devices 201, 202, 205 and the access control system 300 are operatively connected to each other through a communication network. For example, the access control system 300 may manage locking and unlocking of the locking devices 201, 202, and 205 through a communication network.

A locking device 202 is operatively coupled to the door of the server rack 200, and a plurality of servers 203 and 207 are stacked and positioned inside the server rack 200. A door (not shown) of the server rack 200 is opened or closed by a locking device 202 .

The servers 203 and 207 are stored in a server case (not shown in FIG. 1, see FIG. 8), respectively, and locks 201 and 205 are operatively coupled to the door of the server case 204, respectively.

For example, the locking device 201 is operatively coupled to the door of server 1 (203) and the locking device 205 is operatively coupled to the door of server 2 (207). That is, the door (not shown) of server 1 (203) is opened or closed by the locking device 201, and the door (not shown) of server 2 (207) is opened or closed by the locking device 205.

Hereinafter, among the locking devices 201 and 205, the locking device 201 coupled to the door of the server 1 (203) will be mainly described. As will be described later, the locking device 201 coupled to the server rack 200 and the locking device 201 coupled to the server case may have the same configuration.

The access control system 300 controls the opening and closing of the locking device 201 coupled to the server rack 200 and the locking device 201 coupled to the server 1 (203). The access control system 300 stores and manages each ID of the lock devices and the most recently updated phone number for access control in correspondence with each other.

When the person U1 calls the phone number for access management displayed on the locking device 201, the access management system 300 uses the calling number of the person U1 to access the server rack 200 coupled with the locking device 201. ), and the access control system 300 transmits a release signal to the locking device 201 only when the user U1 has the permission to enter. In addition, the access control system 300 checks whether there is a server with permission to be accessed by the user U1 among the servers 203 and 207 stored in the server rack 200, and checks whether there is a server with permission to access. If there is, a release signal is transmitted to the locking device 201 coupled to the server.

For example, when the access control system 300 tries to access the server 1 203, the access control system 300 determines whether the user U1 has the right to access the server 1 203, and determines whether the right has been granted. If it is determined that there is, a release signal for releasing the locking device 202 coupled to the server rack 200 is transmitted to the locking device 202, and a signal for releasing the locking device 201 coupled to the server 1 (203) is locked. Send to device 201. The user U1 can unlock the locking device 202 and the locking device 201 simply by making a phone call to the phone number for access control displayed on the locking device 202 coupled to the server rack 200 .

The access control system 300 stores and manages the smartphone phone number of a person who can access the server rack 200, and servers (eg, server 1 (203), server 2 (207) ... ..) to store and manage the smartphone phone number of the person who can access it.

The access control system 300, for example, when the visitor U1 makes a call to the phone number for access control, the visitor U1 can access the server rack 200 using the calling number of the visitor U1. It is determined whether the user can access the server, and it is determined which server 1 (203) among the servers can be accessed. If the person U1 has access to both server 1 203 and server 2 207, the access control system 300 releases the lock 202 coupled to the server rack 200. transmits a release signal to the locking device 202, transmits a signal to release the locking device 201 coupled to server 1 (203) to the locking device 201, and transmits a locking device coupled to server 2 (207) A signal to release 205 is transmitted to the locking device 205.

On the other hand, the access control system 300 does not simultaneously send a signal to release the locking device 201 coupled to server 1 (203) and a signal to release the locking device 205 coupled to server 2 (207). It may be sent sequentially at a predetermined time. That is, a signal for releasing the locking device 201 may be transmitted to the locking device 201, and then a signal for releasing the locking device 205 may be transmitted to the locking device 205 about 10 seconds later. By doing this, the visitor can open only the door of a server that needs to be accessed among the servers to which he/she has permission to access, and not access the door of a server that does not need to be accessed.

Referring to FIG. 1 , it is assumed that a person (for example, person 1) who has access to server 2 (207) makes a phone call to the phone number for access management displayed on the locking device (202). The access control system 300 can know whether the person 1 is making a phone call using the phone number for access control, and can also know the calling number of the person 1. The access management system 300 determines whether the visitor 1 has access to the server rack 200 using the calling number of the visitor 1 and the authority to access any server 1 203 stored in the server rack 200. you can find out if it exists.

The access control system 300 allocates and manages phone numbers for access control for each locking device coupled to the server rack, and periodically changes them. The access control system 300 assigns different phone numbers for access control to each locking device.

According to this embodiment, the phone number for access control assigned to the locking device 202 coupled to the server rack 200 is for access management assigned to a locking device (not shown) coupled to another server rack (not shown). different from the phone number. Therefore, the access control system 300 can know which locking device 201 is coupled to which server rack 200 when a call is received from the visitor 1 . Meanwhile, the access control system 300 may change the authority to access the server rack 200 and the first server 203 according to predetermined criteria. For example, it is possible to give permission to different people for each server rack, to give permission to different people for servers stored in a server rack, or to change access rights for the same person over time.

Referring to FIG. 1, it is assumed that the accessor 2 makes a phone call to the access control phone number 070-582-***3 displayed on the locking device 202. When a call is received from the visitor 2, the access control system 300 checks which server rack lock device the access control phone number 070-582-***3 is assigned to. If it is assigned to the server rack 200, any server among server 1 (203), server 2 (207), ... located (stored) in the server rack 200 using the calling number of the visitor 2 1 (203) is accessible. If there is no confirmation result, the access control system 300 may transmit a warning message (warning that an unauthorized person is trying to access the server rack 200) to the smartphone of the manager (not shown) of the access control system 300.

Referring to FIGS. 1 and 7 , the server rack 200 has a tubular structure with an empty interior so that a plurality of servers can be stacked and stored. The server rack 200 is provided with a door so that only authorized persons can access the inside of the server rack 200, and only when such a door is opened can access the server inside the door rack.

According to this embodiment, the locking device 202 is coupled to the door of the server rack 200, and the door is opened only when the locking device 202 is released.

In the present invention, one feature is that the door of the server rack 200 is remotely opened and closed by the locking device 201 according to the present invention, and for the physical structure of the server rack 200, a conventional server Racks can be used as is. Therefore, the physical configuration of the server rack 200 in the present invention may be used as a conventionally known server rack. For example, the technical configuration disclosed in Korean Patent Registration No. 2022005390000 (2021.01.04) (improved server rack and server using the same), and the technology disclosed in Korean Patent Registration No. 2021311130000 (2020.07.01) (space-saving server rack) Configuration, the technical configuration disclosed in Korean Patent Registration No. 2019811300000 (2019.05.16) (server rack with server spacing adjustment function) can be used as the server rack 200 of the present invention. That is, the locking device 201 according to the present invention can be operatively coupled to the door of the server rack disclosed in these patent documents (so that the door is opened or closed by the locking device 201). The technical details disclosed in these prior server rack patents are all incorporated as part of this specification.

1, 7, and 8, servers may be stacked and located in the server rack 200 according to the present invention, and each of such servers is embedded in the server case 204 shown in FIG. It is stacked in the server rack 200 in the form of.

Assuming that server 1 (203) is embedded in the server case 204, in order to access the server 1 (203) embedded in the server case 204, the doors (OP1, OP2) of the server case 204 must be opened. And, the doors OP1 and OP2 of the server case 204 can be opened only when the locking device 201 is released.

The doors OP1 and OP2 of the server case 204 and the locking device 201 are operatively connected so that the doors OP1 and OP2 of the server case 204 are opened when the locking device 201 is released.

In the present invention, one feature is that the doors (OP1, OP2) of the server case 204 are remotely opened and closed by the locking device 201 according to the present invention, and the physical As for the structure, a conventional server case can be used as it is. As shown in FIG. 8 , the server case 204 has a rectangular cylindrical shape in which the server 1 203 can be embedded, and may have an empty configuration. For example, the configuration disclosed in Korean Registered Patent No. 2018140850000 (2017.12.26) (computer case for server rack), the configuration disclosed in Korean Patent Publication No. 2020050207866 (2005.11.16) (case for blade server in which panel eye/o is mounted on the side) It can be utilized for the server case 204 of the present invention. For example, a door is installed on one side of the computer case or server case disclosed in these patent documents, and the locking device 201 according to the present invention is operatively coupled to the door (by the locking device 201). can be opened or closed). The method of physically combining the door and the locking device 201 is known in the art, for example, the technical configuration disclosed in Korean Patent Publication 2020200002021 (May 21, 2020) (door locking device) or Korean Registered Patent 2004898320000 (August 9, 2019) (Directional push-pull door lock) can be utilized.

1, 5, and 6, the locking device may include a communication unit 202a, a microcomputer 202b, a display unit 202c, a power source 202e, and a mechanical unit 202d. These locking devices may be used as locking devices 202 coupled to the door of the server rack 200 or locking devices 201 and 203 for opening or closing the door of the server case 204 . The locking device 202 operatively coupled to the door of the server rack 200 and the locking device 201 operatively coupled to the door of the server case 204 have the same function.

According to one embodiment, the function, structure, and shape of the locking device 202 operatively coupled to the door of the server rack 200 and the locking device 201 coupled to the door of the server case 204 are completely mutual. can be the same Alternatively, the functions of the locking device 202 operatively coupled to the door of the server rack 200 and the locking device 201 operatively coupled to the door of the server case 204 are configured to be identical to each other, Depending on the size or shape of the door of the server rack 200 and the door of the server case 204, the locking device 202 operatively coupled to the door of the server rack 200 and the door coupled to the server case 204 The physical size or shape of the locking device 201 may be different from each other. Hereinafter, the locking devices 201 and 202 will not be distinguished unless there is no difference between the locking device 202 coupled to the server rack 200 and the locking device 201 coupled to the server case 204. to explain without

With continued reference to FIGS. 5 and 6 , the communication unit 202a is configured to communicate with the access control system 300 through an in-house wired/wireless communication network and a communication network. That is, the communication unit 202a is configured to receive a release signal of the lock device 202, a lock signal, and a phone number for access control from the access control system 300.

When the access control phone number is received by the communication unit 202a, the access control phone number is displayed on the display unit 202c in a form that can be visually seen by a person.

The display unit 202c may display text so that a person can visually see the phone number for access control.

When the communication unit 202a receives the access control phone number, the access control phone number is displayed on the display unit 202c. 6 exemplarily shows that the display unit 202c displays a phone number for access control.

The mechanical part 202d means all parts necessary for locking or unlocking. That is, the mechanical unit 202d is configured to physically lock or open the door of the server rack 200 . The mechanism part is a technical configuration disclosed in previously known patent documents, for example, Korean Patent Registration No. 2018147190000 (2017.12.27) (Digital door lock remote control system and method using a mobile terminal), Korean Patent Registration No. 2012421220000 (2013.03.05) (A method for remotely controlling a door lock device using a smartphone and the door lock device), a technical configuration disclosed in Korean Publication No. 2020050087624 (August 31, 2005) (a method for remotely unlocking a door in a wireless communication terminal), and Korean Patent Registration No. 2015387360000 (July 16, 2015) (door lock device and technical configuration disclosed in a remote control monitoring door lock system having the same, technical configuration disclosed in Korean Patent Publication No. 2020200002021 (May 21, 2020) (door lock locking device 201), or The technical configuration disclosed in Korean Registered Patent No. 2004898320000 (2019.08.09) (directional change push-pull door lock) can be used.

The power source 202e supplies necessary power to each component of the locking device 202 . The power source 202e is configured to supply power from a portable battery (not shown) to each component, or to supply power to each component of the locking device 202 by receiving power from the outside through a wire. It can be.

The microprocessor 202b means a microprocessor computer (MIcroProcessor COMputer), and is configured to include a central processing unit (CPU), memory, ROM, input/output device, and circuits for the operation of each of these components.

The microcomputer 202b performs a corresponding operation when the communication unit 202a receives data such as a release signal, a lock signal, and/or a telephone number for access control. For example, when the communication unit 202a receives the release signal, the microcomputer 202b controls the mechanical unit 202d to open the door, and when the communication unit 202a receives the lock signal, the microcomputer 202d The mechanism unit 202d is controlled to put the door in a closed state. In addition, when the communication unit 202a receives the telephone number for access control, the microcomputer 202d controls the display unit 202c to display the access control telephone number on the display unit 202c.

The access control system 300 transmits the phone number for access control to the locking device 202, randomly changes the access control phone number periodically, and transmits the changed phone number for access control to the locking device 202. do. Several tens to hundreds of phone numbers for access control to be allocated to the locking device 202 are prepared in advance, and the access control system 300 randomly selects one of the prepared phone numbers for access control periodically. is selected and assigned to the locking device 202. For reference, phone numbers for access control prepared in advance for assignment to the locking device 202 are stored and managed in a DB storage device 303 to be described later.

When the access control phone number is newly received from the access control system 300, the locking device 202 displays it on the display unit 202c as exemplarily shown in FIG. When a visitor who wants to access the server rack 200 makes a phone call to the phone number for access control displayed on the display unit 202c, the access control system 300 determines whether the visitor has authority to access the server rack 200. After checking, if it is determined that there is authority, a release signal is transmitted to the locking device 202.

The locking device 202 according to the present invention periodically receives a phone number for access management from the access control system 300 and displays it through the display unit 202c. differentiated from That is, in the locking device 202 according to the present invention, except for the component displaying the phone number for access control periodically received from the access control system 300, the rest of the components are conventionally known locking devices (e.g., the ones mentioned below). Refer to published patent documents) can be utilized as it is.

For example, the technical configuration disclosed in Korean Patent Registration No. 2018147190000 (2017.12.27) (Digital door lock remote control system and method using a mobile terminal), Korean Patent Registration No. 2012421220000 (2013.03.05) (remotely using a smartphone) A method for controlling a door lock device and the door lock device), a technical configuration disclosed in Korean Publication No. 2020050087624 (2005.08.31) (a remote door unlock method in a wireless communication terminal), and a Korean Patent Registration No. 2015387360000 (2015.07. 16) (At least one or more of the technical configurations disclosed in the door lock device and the remote control monitoring door lock system equipped with the same can be utilized.

The access control system 300 according to an embodiment of the present invention assigns different phone numbers for access control to each lock device, and manages access periodically (eg, daily, weekly, or monthly) even for the same lock device. Change the phone number and assign it. Accordingly, when a prospective person calls the phone number for access management displayed on the locking device 202, the access management system 300 can know whether the prospective person is trying to access the locking device 202. According to this embodiment, different telephone numbers for access control are assigned to a plurality of locking devices, and by periodically changing the phone numbers for access control, a person scheduled to enter must be in a position close to the locking device 202. You have to go and call the phone number for access control displayed on the locking device 201.

Since the access control phone number displayed on the locking device 202 can be known by the person who has access to the locking device 202 by directly looking at the locking device 202, a person who wants to unlock the locking device 202 can visually see the locking device 202. It should be positioned so as to be visible (that is, to the extent that the text displayed on the display unit 202c provided in the locking device 202 can be visually recognized).

This is to prevent the case of unlocking the self-locking device 202 existing at a location far from the locking device 202 . That is, even if an authorized person is not in a position close to the locking device 202 (meaning a position where the access control phone number displayed on the display unit 202c of the locking device 202 can be visually seen), the lock is locked. The device 201 is intended to be incapable of being unlocked.

3 is a diagram for explaining the operation of the server rack system.

Hereinafter, the locking device 202 will be described as an example.

Referring to FIGS. 1, 2, and 3 together, the access control system 300 stores and manages (deletes, adds, and corrects) an authority DB in the DB storage device 303. Authorization DB is information about the phone number for access control assigned to the server rack 200 (or lock 202), information about a person who has authority to access the server rack 200 (eg, name , smartphone phone number), and information (eg, name, smartphone phone number).

For example, the authorization DB allows access to the server rack 200 operatively coupled with the locking device 202 by matching the ID of the locking device 202 with the most recently updated telephone number for access management. This is data in which at least one person's phone number and ID of the locking device 202 are corresponded to each other. The access control server 301 stores and manages the ID of the lock device 202 and the most recently updated telephone number for access control in the authority DB, and the access control server 301 is When a call is received to the phone number, the authority DB is searched to determine whether the accessor's calling number has the authority to access the server rack 200 operatively coupled with the locking device 202, and the caller's calling number When is included in the authority DB, a release signal is transmitted to the locking device 202.

A person with authority may have authority to access only the server rack 200, or may have authority to access all or part of the server rack 200 and servers located in the server rack 200. <Table 1> below shows an exemplary authorization DB.

Phone number for access control server rack ID Accessor's phone number server ID
070-582-***3 R1 010-9104-****. 010-6743-****
010-6904-**** R1S1
010-9104-****
R1S2
070-582-***4 R2 010-9104-****. 010-6743-****
010-6904-**** R2S1
010-9104-****. 010-6743-****
010-6904-**** R2S2
010-9104-**** R2S3
070-582-***5 R3 010-9104-**** R3S1
010-6743-****
010-6904-**** R3S2

The access management system 300 stores and manages the authority DB as shown in <Table 1> in the DB storage device 303, the lock 202 is coupled to the door of the server rack R1, and the server rack R2 ), a locking device (not shown) is coupled to the door of the server rack (R3), and a locking device (not shown) is coupled to the door of the server rack (R3), and the server (R1S1) and the server (R1S2) are stored in the server rack (R1). It is assumed that the locking device 201 is coupled to the door of the server R1S1 and the locking device 205 is coupled to the door of the server R1S2. In addition, the phone number of person 1 is 010-9104-****, person 1 accesses the server (R1S1) of the server rack (R1), person 2's phone number is 010-9194-****, It is assumed that the visitor 2 accesses the server R2S1 of the server rack R2.

Under the above assumption, the operation of the server rack system will be described with reference to FIGS. 1, 2, and 3.

The access control system 300 includes a locking device 202 coupled to the server rack R1, a locking device coupled to the server rack R2 (not shown), and a locking device coupled to the server rack R3 (not shown). ), the access control phone number is periodically updated and transmitted. The most recently updated telephone number for access control is stored and managed in the authority DB. Referring to <Table 1>, the access control phone number most recently transmitted by the access control system 300 is the lock 202 coupled to the server rack R1 and the lock coupled to the server rack R2. '070-582-***3', '070-582-***4', and '070-582 respectively to the device (not shown) and the locking device (not shown) coupled to the server rack (R3). -***5' is transmitted. Hereinafter, the locking device 202 will be described first.

The locking device 202 displays the most recently updated telephone number for access management, '070-582-***3'. When person 1 calls the access control phone number '070-582-***3' displayed on the lock device 202 with his/her smartphone, the access control system 300 calls the access control phone number '070-582-***3'. 582-***3' and the calling number of person 1, '010-9104-****'.

The access control system 300 can refer to <Table 1> stored in the DB storage device 303 to know the server rack R1 to which the access control phone number '070-582-***3' is assigned. Among the servers R1S1 and R1S2 of the server rack R1, it is possible to know which server has permission to access. Referring to <Table 1>, it can be seen that accessor 1 has access to all of the servers R1S1 and R1S2 of the server rack R1.

The access control system 300 checks whether the phone number '070-582-***3' for access control called by person 1 and the calling number of person 1 are recorded in the authority DB, It can be seen that there is authority to access the servers R1S1 and R1S2.

The access control system 300 transmits a signal for releasing the lock 202 of the server rack R1, the lock 201 of the server R1S1, and the lock 205 of the server R1S2 to the lock 202 , and transmitted to the locking device 201 and the locking device 205, respectively. Here, when the signal to release is transmitted, the signal to release the lock 202 of the server rack R1 is transmitted first, the signal to release the lock 201 is transmitted second, and finally the lock 205 A signal in which is released may be transmitted. Alternatively, these signals may be transmitted simultaneously.

When the locking device 202 receives a release signal from the access control system 300, the door of the server rack R1 can be opened, and the locking device 201 also receives a release signal from the access control system 300. When received, the door of the case of the server (R1S1) is in a state where it can be opened, and when the locking device 205 also receives a release signal from the access control system 300, the door of the case of the server (R1S2) can be opened. be in a state of being Here, 'state in which the door can be opened' and 'state in which the door can be opened' mean a state in which the door can be opened by hand. The locking device 202 is closed again when the door is left unopened by hand for a predetermined period of time in the 'state in which the door can be opened'.

The locking device 201 and the locking device 205 are also closed again if the door is left unopened by hand for a predetermined period of time in the 'state in which the door can be opened'. Therefore, if the visitor 1 needs to access only the server R1S1, when the locking device 202 is released, the door of the server rack R1 is opened, and only the door of the server R1S1 to which the locking device 201 is combined is opened. You can open it. The locking device 205 remains open for a certain period of time, and then becomes closed again if the door of the server R1S2 is not opened.

Referring to FIG. 3 , a case in which the accessor 2 without access authority calls the phone number for access management will now be described.

The locking device 202 displays the most recently updated telephone number for access management, '070-582-***3'. When the accessor 2 calls the access control phone number '070-582-***3' displayed on the lock 202 with his/her smartphone, the access control system 300 calls the access control phone number '070-582-***3'. 582-***3' and the calling number of visitor 2, '010-9194-****'.

The access control system 300 may know the server rack R1 to which the access control phone number '070-582-***3' is assigned by referring to <Table 1>, and the servers of the server rack R1 You can see which server (R1S1, R1S2) has permission to access. Referring to <Table 1>, it can be seen that accessor 2 does not have access to all of the servers R1S1 and R1S2 of the server rack R1. Accordingly, the access control system 300 may transmit a notification to the effect that 'authorization is not available' to the calling number '010-9194-****' of the second visitor. In addition, the access control system 300 may also transmit a message to the effect that an unauthorized person is trying to access the server rack R1 to the smart phone of the manager of the access control system 300 .

4 is a diagram for explaining an operation of a wireless security unit in the embodiment of FIG. 1 .

With reference to FIGS. 1 to 4 , the operation of the wireless security unit of the access control system 300 will be described.

1 to 4, the access control system 300 according to an embodiment of the present invention includes an access control server 301, a DB storage device 303, an IP-PBX 305, and a wireless security unit ( 100). Here, the DB storage device 303 may store the authority DB. Since the authority DB has been described above, it will be omitted here.

The access management server 301, the DB storage device 303, the IP-PBX 305, and the wireless security unit 100 can communicate wirelessly with each other through the in-house wired/wireless communication network N3. It may be a wireless communication technology such as Wi-Fi or Bluetooth. PSTN (N4) means a telephone communication network, and as technology develops, the range of PSTN (N4) is getting narrower. Although the PSTN (N4) is shown in this embodiment, an outgoing call by the smart phone of visitor 1 can be transferred to the IP-PBX (305) without going through the PSTN (N4).

The VoIP provider 401 collectively refers to software and hardware for delivery of voice communication and multimedia sessions over Internet Protocol (IP) networks such as the Internet. On the other hand, the router 308 is a device included in the network layer of the OSI 7 layer, and extracts routes for packets that must pass between logically separated networks or physically separated networks, finds the best route it knows, and then It is a device that plays a role in sending packets to other networks.

The access control server 301 controls the opening and closing of the locking device 201 of the server rack 200 and the locking device 201 of the server 1 (203). The access management server 301 stores and manages each ID of the lock devices and the most recently updated phone number for access management in the DB storage device 303 in correspondence with each other. When a visitor makes a call to the phone number for access management, the IP-PBX 305 can know the originating number of the visitor. The IP-PBX (305) transmits the phone number for access management that the visitor called and the caller ID of the visitor to the access management server (301).

The access management server 301 checks whether the accessor's calling number has permission to enter and exit the server rack 200 combined with the locking device 202, and locks only when the accessor has permission to access. Sends a release signal to the device 202. In addition, the access control server 301 checks whether there is a server with permission to access among the servers stored in the server rack 200 by the visitor, and a server with permission to access (for example, server 1 ( 203)), a release signal is transmitted to the locking device 201 coupled to the case of the server 1 (203).

For example, when an access control server 301 tries to access server 1 (203), the access control server 301 determines whether such an access person has permission, and if it is determined that the person has permission, the locking device 202 of the server rack 200 ) is transmitted to the locking device 202, and a signal releasing the locking device 201 of the server 1 (203) is transmitted to the locking device 201. The accessor can unlock the locking device 202 and the locking device 201 simply by making a phone call to the phone number for access management displayed on the locking device 202 coupled to the server rack 200 .

The access control server 301 stores and manages the smartphone phone number of the person who can access the server rack 200 in the DB storage device 303, and the servers (eg, server 1 (203), server 2 (207) ....) is stored in the DB storage device 303 and managed. The access management server 301 determines whether the person can access the server rack 200 by using the phone number for access control provided from the IP-PBX 305 and the originating number of the person who enters the server. It determines which server is accessible.

If the accessor is a person who can access both server 1 (203) and server 2 (207), the access management server 301 locks the release signal for releasing the lock device 202 of the server rack 200. A signal for transmitting to the device 202 and unlocking the locking device 201 of the server 1 (203) is transmitted to the locking device 201, and a signal for releasing the locking device 205 of the server 2 (207) is locked. Send to device 205. On the other hand, the access control server 301 does not send a signal to release the lock device 201 of server 1 (203) and a signal to release the lock device 205 of server 2 (207) at the same time, but waits for a predetermined time. You can also send them sequentially. That is, after transmitting the signal to release the locking device 201, a signal to release the locking device 205 may be transmitted about 10 seconds later.

Now, it is assumed that a person (entrant 1) who has access only to server 2 (207) makes a phone call to the phone number for access control displayed on the locking device (202). When person 1 makes a call to the phone number for access control, the outgoing call from person 1 is transmitted to the IP-PBX 305 via the PSTN (N4), the VoIP provider 401, and the router 308.

As described above, the IP-PBX 305 can know the phone number for access control called by person 1 and the calling number of person 1. (301). The access management server 301 can determine whether the visitor 1 has the right to access the server rack 200 and which server stored in the server rack 200 can be accessed by using the calling number of the visitor 1. .

The access control server 301 allocates and manages access control phone numbers to the locking device 202 and periodically changes them. That is, it is as if one phone number for access control is assigned to each server rack 200, and the phone number for access control is periodically changed. Therefore, the access management server 301 can know which lock device is coupled to which server rack when a call is received from the visitor 1.

It is assumed that the accessor 2 makes a call to the phone number for access control displayed on the locking device 202, 070-582-***3. When an outgoing call from visitor 2 arrives, the IP-PBX (305) knows the access control phone number 070-582-***3 and the caller number of visitor 2, and the IP-PBX (305) is the access control phone The number 070-582-***3 and the calling number of the person 2 are provided to the access control server 301. The access control server 301 checks which server rack lock device the phone number 070-582-***3 for access control is assigned to. If it is assigned to the server rack 200, which server among server 1 (203), server 2 (207), ... stored in the server rack 200 can be accessed using the calling number of the person 2 check if you can As a result of the check, if there is no authority to access any server, the access control server 301 sends a warning message to the smartphone of the manager (not shown) of the access control system 300 (warning that an unauthorized person is trying to access the server rack 200). ) can be transmitted.

The wireless security unit 100 detects a wireless signal of a wireless device trying to access the access control server 301, the DB storage device 303, and/or the IP-PBX 305 without permission through the in-house wired/wireless communication network N3. It is possible to determine whether the detected wireless device is a fake device. The wireless devices to be detected by the wireless security unit 100 include any and all wired devices and wireless devices connected to the in-house wired/wireless communication network N3.

The wireless security unit 100 may perform a type estimation operation of estimating the type of the wireless device and an operation of determining whether the wireless device is a fake device by attacking the wireless device with a vulnerability according to the type of the wireless device. .

The type estimation operation is an operation of estimating the type of the wireless device according to the result of the port scanning operation and the protocol scanning operation, the port scanning operation is an operation of finding an open port of the wireless device, and the protocol scanning operation is the result of performing the port scanning operation. This is an operation to find the protocol used in the open port identified by .

The protocol scanning operation includes an operation of checking the type of open port, an operation of creating and transmitting a packet for protocol confirmation according to the type of open port to a wireless device having an open port, and an operation of transmitting from the wireless device This is an operation to check whether a response to the protocol check packet is received.

Here, the response includes at least one of banner information and service information of a wireless device having an open port, and the banner information or service information includes information indicating a type of wireless device.

The type estimation operation includes a first estimation operation of estimating the type of service from the protocol found as a result of performing the protocol scanning operation, a second estimation operation of estimating the type of service from information indicating the type of the wireless device, and the first estimation operation. An operation of comparing the type of service estimated by the operation with the type of service estimated by the second estimation operation, and when the comparison results are different, the open port is obtained from information indicating the type of the wireless device. Performs an operation of estimating the type of a wireless device having.

The wireless security unit 100 may be installed within a distance where wireless communication is possible using an in-house wired/wireless communication network. Here, the distance at which wireless communication is possible using the in-house wired/wireless communication network (N3) may mean a distance at which wireless communication is possible with the access management server 301, the DB storage device 303, and the IP-PBX 305. Preferably, the wireless security unit 100 is connected to the in-house wired/wireless communication network (N) by wire, and any wirelessly connected to the access control server 301 and the DB storage device 303 through the in-house wired/wireless communication network (N) A wireless signal of the wireless device may be detected, and it may be determined whether the detected wireless device is a fake device.

Specifically, the wireless security unit 100 performs a type estimation operation of estimating the type of the wireless device and an operation of determining whether the wireless device is a fake device by attacking the wireless device with a vulnerability according to the type of the wireless device.

Here, the type estimation operation is an operation of estimating the type of the wireless device according to the results of the port scanning operation and the protocol scanning operation.

The port scanning operation is an operation to find an open port of a wireless device, and the protocol scanning operation is an operation to find a protocol used in an open port found as a result of performing the port scanning operation.

The protocol scanning operation includes an operation of checking the type of open port, an operation of creating a packet for protocol confirmation according to the type of open port and transmitting it to a wireless device having an open port, and an operation of transmitting the packet to the wireless device having an open port This is an operation to check whether a response to the packet for protocol confirmation is received from Here, the response includes at least one of banner information and service information of a wireless device having an open port, and the banner information or service information includes information indicating a type of wireless device.

The type estimation operation includes a first estimation operation of estimating the type of service from the protocol found as a result of performing the protocol scanning operation, a second estimation operation of estimating the type of service from information indicating the type of wireless device, and the first estimation operation. An operation of comparing the type of service estimated by the second estimation operation and the type of service estimated by the second estimation operation, and a wireless device having an open port from information indicating the type of the wireless device when both comparison results are different. Performs an operation of estimating the type of .

In FIG. 4, arbitrary wireless devices 15 (15a, 15b, 15c, 15d) are additionally shown for explanation of the present system.

The wireless security unit 100 may detect a dangerous device capable of hacking the access management system 300 described with reference to FIG. 2 (hereinafter referred to as a 'fake device') and block communication. Hereinafter, the operation of the wireless security unit 100 will be described in more detail.

The wireless security unit 100 may monitor short-range wireless communication of the wireless devices 15: 15a, 15b, 15c, and 15d (hereinafter, referred to as '15' when there is no practical benefit of distinction).

For example, the wireless device 15 may perform communication according to a short-range wireless communication technology standard such as Bluetooth or Wi-Fi.

The wireless device 15 may be a non-authorized device in the system 200 or a legitimate device with the privilege. The wireless security unit may select an unauthorized device ('fake device') from the wireless device 15 .

The wireless device 15 may be a device such as a smart phone or a laptop capable of wireless communication, but is not limited thereto.

The wireless security unit 100 may perform a type estimation operation and a fake device selection and blocking operation.

As will be described later, the wireless security unit 100 may detect wireless signals output by the wireless device 15 . Here, the wireless signal may be, for example, a signal output for Bluetooth communication or a signal output for Wi-Fi communication. The wireless security unit 100 may select one or more devices as a target device from among detected devices according to a predetermined criterion. Here, the predetermined criterion may be signal strength.

As will be described later, the diagnosis module (not shown) included in the wireless security unit 100 can, for example, estimate the type of the target device 15 and also determine whether the target device 15 is a fake device. can

In this embodiment, the number of wireless devices 15 is shown as four each, but this number is illustrative and may be less or more than this number. Hereinafter, assuming that the wireless device 15 is a target device, a type estimation operation, a fake device selection operation, and a blocking operation will be sequentially described.

The type estimation operation is an operation of estimating the type of the target device 15 .

In this embodiment, a diagnosis module (not shown) may perform a port scanning operation, a protocol scanning operation, and a type assumption operation.

A port scanning operation is to find an open port of the target device 15 . That is, the port scanning operation is an operation of checking which ports are open for each of the target device 15a, the target device 15b, the target device 15c, and the target device 15d.

The port scanning operation may be performed by techniques called, for example, full scanning or stealth scanning. Full scanning is a technique that establishes a complete TCP session and checks open ports. Stealth scanning is a kind of half scan technology. A packet for port checking is transmitted and when a response to the port checking packet is received, the responded port is open. If no response is received, the port is closed. judge it to be Stealth scanning can be, for example, FIN, NULL, or XMASH.

A port is a logical unit that identifies a network service or a specific process, and a protocol using a port is, for example, a transport layer protocol. Examples of transport layer protocols may be Transmission Control Protocol (TCP) and User Datagram Protocol (UDT). Ports are identified by numbers, and these numbers are called port numbers. For example, port numbers are used with IP addresses.

Port numbers can be classified into three types, for example.

If the port number belongs to 0 ~ 2023, it is a well-known port, if the port number belongs to 2024 ~ 49151, it is a registered port, and if the port number belongs to 49152 ~ 65535 If it belongs to , it is a dynamic port. On the other hand, representative examples of well-known ports include: 20: FTP (data), 21: FTP (control), 22: SSH, 23: Telnet, 53: DNS, 80: World Wide Web HTTP, 119: NNTP, 443: TLS/SSL HTTP. Those of ordinary skill in the art (hereinafter referred to as 'those skilled in the art') will readily recognize that these port numbers and port types are exemplary.

For purposes of explanation of the present invention, the open port of target device 15a is port 80, the off port of target device 15b is port 23, the open port of target device 15c is port 5555, , it is assumed that the open port of the target device 15d is port 5559.

A port scanning operation is an operation of finding an open port of the target device 15 . For example, the diagnostic module (not shown) performs a port scanning operation, the open port of the target device 15a is port 80, the off port of the target device 15b is port 23, and the target device 15c It is found that the open port of is port 5555, and the open port of the target device 15d is port 5559.

A protocol scanning operation is an operation for knowing the type of protocol used in an open port. Here, the open port is found by port scanning operation. For example, the diagnosis module (not shown) searches for a protocol used in port 80, which is an open port of the target device 15a.

In addition, the diagnostic module (not shown) is used in the protocol used at port 23 of the target device 15b, the protocol used at port 5555 of the target device 15c, and the port 5559 of the target device 15d. Find out what each protocol is.

The protocol scanning operation performed by the diagnosis module (not shown) includes an operation of checking the type of open port, an operation of creating a packet to be sent to the open port (hereinafter referred to as 'protocol checking packet') according to the type of open port, An operation of transmitting a packet for protocol confirmation to the wireless device having the open port, and an operation of confirming whether a response is received from the wireless device that has transmitted the packet for protocol confirmation.

A packet for protocol confirmation may be, for example, a script.

The operation of checking the type of the open port is an operation of checking the type of the open port found through the port scanning operation. For example, the operation of checking the type of open port is an operation of checking whether the open port corresponds to a well-known port, a registered port, or a dynamic port. am. In order to perform the operation of checking the type of open port, data (eg, <Table 1>) in which the type of port is classified according to the port number (hereinafter referred to as 'port type data') must be prepared in advance. Such 'port type data' may be stored and managed by the wireless security unit.

According to one embodiment, the diagnosis module (not shown) can know the type of the open port by referring to 'port type data'. For example, in the diagnosis module (not shown), port 80 of the target device 15a and port 23 of the target device 15b are well-known ports, and port 5555 of the target device 15c It can be seen that the port and port 5559 of the target device 15d are dynamic ports.

The diagnosis module (not shown) performs an operation of creating a packet for checking a protocol suitable for the type of open port.

For example, since port 80 of the target device 15a is a well-known port for using the World Wide Web HTTP protocol, a packet for protocol confirmation is created using the Web HTTP protocol, so that the target device ( 15a). If there is a response from the target device 15a to the protocol check packet written using the web HTTP protocol, the diagnosis module (not shown) determines that port 80 of the target device 15a uses the web HTTP protocol.

On the other hand, if there is no response from the target device 15a to the protocol check packet written using the web HTTP protocol, the diagnosis module (not shown) determines that port 80 of the target device 15a does not use the web HTTP protocol. do. In this case, the diagnosis module (not shown) uses a protocol other than the World Wide Web HTTP protocol to create a protocol check packet and transmits the packet to the target device 15a.

If there is a response from the target device 15a to the packet for protocol confirmation written in a protocol other than the web HTTP protocol, the diagnostic module (not shown) determines that port 80 of the target device 15a uses the other protocol. . If there is no response from the target device 15a to the packet for protocol confirmation written in the other protocol than the web HTTP protocol, the diagnosis module (not shown) determines that port 80 of the target device 15a uses the other protocol. decide not to Thereafter, the target device 15a creates and transmits a protocol confirmation packet using another protocol until a response comes from the target device 15a. The diagnosis module (not shown) finds out the type of protocol actually used in each open port of the target device 15 by the above-described method.

The diagnosis module (not shown) estimates each type of the target device 15 using at least one result of the port scanning operation result and the protocol scanning operation result. It performs type assumption.

According to one embodiment, the type assumption performed by the diagnosis module (not shown) includes an operation of estimating the type of service from the type of protocol found as a result of performing the protocol scan operation, and and estimating the type of wireless device from the type of service.

The operation of estimating the type of service from the type of protocol is usually based on the experience that a mainly used protocol is determined for each service. For example, RTSP, RTP, or RTCP protocols mainly support streaming services. That is, when data defining services mainly supported for each protocol (hereinafter referred to as 'protocol-service mapping data') is prepared, the diagnosis module (not shown) uses 'protocol-service mapping data' to determine the type of protocol. The type of service can be estimated, and 'protocol-service mapping data' can be stored and managed by the wireless security unit.

The operation of estimating the type of the target device 15 from the type of service is also based on experience that a service mainly used for each type of wireless devices is usually determined. For example, RTSP, RTP, or RTCP protocols mainly support streaming services, and these streaming services are provided by wireless devices such as IP TVs, for example. That is, when data defining the types of wireless devices mainly provided for each service (hereinafter referred to as 'service-type mapping data') is prepared, the diagnosis module (not shown) uses the 'service-type mapping data', The type of wireless device can be estimated from the type of 'service-type mapping data' can be stored and managed by the wireless security unit.

Meanwhile, the response to the protocol confirmation packet may include at least one of banner information and service information of the target device 15 .

Banner information included in the response to the protocol confirmation packet typically includes data indicating what type of operating system is used in the target device 15 . The diagnosis module (not shown) may know the type of service or estimate the type of the target device 15 if the type of operating system is known.

Examples of operating systems used in the target device 15 include Tizen, Brillo, Fuchsia, or LiteOS. Here, Tizen is an open source mobile operating system that supports portable devices such as mobile phones, wireless devices such as TVs and refrigerators, Brillo is an Android-based embedded operating system announced by Google, and Fook Fuchsia is an operating system under development by Google to support embedded systems, PCs, smartphones, and wireless devices, and LiteOS is developed by Huawei for wireless devices such as smart homes, wearable devices, or It is an operating system for supporting various wireless devices such as smart cars.

Service information included in the response to the protocol confirmation packet typically includes data indicating what type of target device is. For example, the service information may include data such as 'My iPhone', and this data is information directly indicating the type of the target device. According to an embodiment, the type assumption performed by the diagnostic module (not shown) includes at least one of banner information and service information of the target device, and the above-described port scanning At least one of the result of performing the operation and the result of performing the protocol scanning operation is used.

For example, the type assumption performed by the diagnosis module (not shown) includes a first estimation operation, a second estimation operation, a comparison operation, and a type determination operation.

The first estimating operation is an operation of estimating the type of service from the type of protocol obtained through the protocol scanning operation. For an exemplary description of the first estimation operation, please refer to the description mentioning the RTSP, RTP, or RTCP protocol.

The second estimation operation is an operation of estimating the type of service using at least one of banner information and service information of the target device 15 . Exemplary descriptions of the second estimation operation include a description mentioning Tizen, Brillo, Fuchsia, or LiteOS and a description mentioning My iPhone. please refer to the section

The comparison operation is an operation of comparing the type of service estimated by the first estimation operation with the type of service estimated by the second estimation operation.

The type determination operation determines the target device 15 from the type of service estimated by the second estimation operation when the type of service estimated by the first estimation operation and the type of service estimated by the second estimation operation are different from each other. Determines the type of and, when the type of service estimated by the first estimating operation and the type of service estimated by the second estimating operation are the same, the type of service estimated by the first estimating operation or the second estimating operation This is an operation of estimating the type of target devices 15 from

On the other hand, when there is no banner information and service information of the target device 15, or there is no data for estimating the type of service in such banner information and service information, the type assumption operation , includes a first estimation operation and a type determination operation. That is, the type estimation operation may be performed only with the first estimation operation and the type determination operation without performing the second estimation operation and the comparison operation.

The fake device selection operation is an operation of selecting a fake device from among the target devices 15 .

In this embodiment, the diagnostic module (not shown) determines whether each of the target devices 15 is a fake device. For example, the diagnostic module (not shown) determines whether the target device 15a is a fake device among the target devices 15, determines whether the target device 15b is a fake device, and determines whether the target device 15b is a fake device. It is possible to determine whether or not it is a fake device for (15c), and to determine whether or not it is a fake device for the target device (15d). Here, the order is exemplary, and a person engaged in the technical field to which the present invention belongs (hereinafter, 'one skilled in the art') may determine the order to suit the situation when practicing the present invention.

The diagnosis module (not shown) attacks vulnerabilities according to the type of target device to determine whether or not it is a fake device, and the diagnosis module (not shown) determines whether the attack on the target device succeeds, It is determined whether the target device is a fake device.

Typically, vulnerability in a wireless device means a weakness that an attacker can use to lower the information assurance of a device. Wikipedia (https://en.wikipedia.org/wiki/Vulnerability) also defines vulnerabilities as “Vulnerability” refers to the inability (of a system or a unit) to withstand the effects of a hostile environment. In the specification, it will be used as defined in Wikipedia.

For example, when the target device 15a is a 'target device', the diagnostic module (not shown) determines whether the target device 15a is a fake device according to whether an attack on the vulnerability of the target device 15a succeeds. can determine whether That is, the diagnosis module (not shown) determines that the target device 15a is not a fake device when the attack on the vulnerability of the target device 15a succeeds, and the attack on the vulnerability of the target device 15a succeeds. If not, it is determined that the target device 15a is a fake device.

The diagnosis module (not shown) selects a vulnerability according to each type of the target device 15, attacks each of the target devices 15 using the selected vulnerability, and based on the attack result, the target device 15 ), fake devices can be selected.

A diagnostic module (not shown) according to another embodiment of the present invention estimates each type of the target device 15, attacks a vulnerability corresponding to each estimated type, and based on the attack result, the target device Among (15), a fake device can be determined.

In the above-described embodiments, the diagnosis module (not shown) may generate a message for attacking vulnerabilities according to the type of the target device 15 by referring to data corresponding to vulnerabilities by type ('vulnerability data by type'). . Vulnerability data for each type may be stored and managed by a storage device (to be described later) provided in the wireless security unit. Alternatively, vulnerability data for each type may be stored and managed in an external storage device (not shown) communicatively connected so that the wireless security unit can access it.

In the above-described embodiments, the operation of selecting a vulnerability according to the type of the target device 15 may be an operation of finding a vulnerability corresponding to the type of the target device by referring to vulnerability data for each type.

In the above-described embodiments, the diagnosis module (not shown) may generate a message for attacking vulnerabilities according to the type of the target device 15 by referring to data corresponding to vulnerabilities by type ('vulnerability data by type'). . Vulnerability data for each type may be stored and managed by a storage device (to be described later) provided in the wireless security unit. Alternatively, vulnerability data for each type may be stored and managed in an external storage device (not shown) communicatively connected so that the wireless security unit can access it.

In the above-described embodiments, the operation of selecting a vulnerability according to the type of the target device 15 may be an operation of finding a vulnerability corresponding to the type of the target device by referring to vulnerability data for each type.

In the above-described embodiments, the operation of attacking the vulnerability of the target device 15 may be, for example, an operation in which a diagnosis module (not shown) transmits a vulnerability attack message to the target device.

In the above-described embodiments, the diagnostic module (not shown) determines that the target device is not a fake device when the target device responds to a vulnerability attack, and if the target device does not respond to a vulnerability attack, It may be determined that the target device is a fake device.

Hereinafter, vulnerabilities possessed by wireless devices and messages for attacking vulnerabilities will be exemplarily described.

For example, the target device may be a router having the following types of vulnerabilities.

. Vulnerability: An unprivileged attacker could access the "/category_view.php" URL with the HTTP GET method

. Message for vulnerability attack: GET/category_view.php

For another example, the target device may be a router with the following types of vulnerabilities.

ㆍVulnerability: Unprivileged attacker can access "/mydlink/get_TriggeredEventHistory.asp" URL with HTTP GET method

. Message for vulnerability attack: GET/mydlink/get_TriggeredEventHistory.asp

As another example, the target device may be a router with the following types of vulnerabilities.

. Vulnerability: An unauthorized attacker can obtain information such as the PIN and MAC address of the target device by accessing the "/router_info.xml?section=wps" URL using the HTTP GET method.

. Message for vulnerability attack: GET/router_info.xml?section=wps

As another example, the target device may be a router with the following types of vulnerabilities.

. Vulnerability: An unprivileged attacker could inject script statements into data when accessing the "/wpsacts.php" URL with the HTTP POST method.

. Message for vulnerability attack: GET//wpsacts.php

As another example, the target device may be a DVR with the following types of vulnerabilities.

. Vulnerability: Vulnerability with backdoor of default / tluafed account

. Message for vulnerability attack: POST/Login. htm

As another example, the target device may be a DVR with the following types of vulnerabilities.

. Vulnerability: Vulnerability in which an administrator account is exposed in plain text when an unprivileged user accesses the "/device.rsp?opt=user&cmd=list" URL using the HTTP GET method

ㆍ Vulnerability attack message: GET/device.rsp?opt=user&cmd=list

According to embodiments of the present invention, target devices are treated as different types if they have different vulnerabilities even if they have the same kind of function. For example, the aforementioned routers have different vulnerabilities and thus are distinguished as different types of target devices. In addition, the above-described DVR (Digital Video Recorder) is also distinguished as a target device of different types when vulnerabilities are different from each other. For another example, if the manufacturer of the target device is the same and the firmware ware is different even if the device is of the same type, it is treated as a different type.

According to an embodiment of the present invention, 'vulnerability data by type' may be data corresponding to vulnerabilities for each type of target device. When such vulnerability data for each type is stored and managed, the diagnosis module (not shown) refers to the vulnerability data for each type to attack the vulnerability of the target device.

Alternatively, 'vulnerability data by type' may be data to which 'messages for attacking weaknesses' are mapped to each type of target device.

According to another embodiment of the present invention, vulnerability data for each type may not be prepared in advance. In this embodiment, the diagnostic module (not shown) may directly generate a vulnerability attack message corresponding to the type of the target device (for example, if the vulnerability attack unit is configured to directly generate a vulnerability attack message for each type) .

The blocking operation is an operation of blocking communication of the fake device.

The blocking operation is an operation of blocking communication of the fake device by performing a DDoS attack on the fake device.

For example, the diagnostic module (not shown) transmits a large amount of messages to the fake device, and the fake device that receives the large number of messages falls into an inability to communicate with other devices while responding to such messages. As such, the diagnosis module (not shown) may block communication of a target device having a vulnerability.

For example, assuming that the wireless device 15a is a fake device, the diagnosis module (not shown) blocks communication of the Bluetooth device by performing a DDoS attack on the fake device 15a. That is, the diagnosis module (not shown) transmits a large amount of messages to the fake device 15a, so that the fake device 15a that has received the large amount of messages cannot communicate with other Bluetooth devices while responding to such messages. As such, the diagnosis module (not shown) may block communication only with the fake device 15a.

Hereinafter, an exemplary configuration of the wireless security unit 100 according to an embodiment of the present invention will be described.

The wireless security unit of the present invention includes a port scanning unit, a protocol scanning unit, a type estimation unit, a determination unit, an operating system, a communication unit, a vulnerability attacking unit, a computer processor, a peripheral device, a storage device, and a memory, shown) are operatively connected to each other. Meanwhile, a port scanning unit, a protocol scanning unit, a type estimation unit, a judgment unit, and a vulnerability attack unit are collectively referred to as a diagnosis module (not shown), and this diagnosis module (not shown) is a program executed under the control of the computer processor. may consist of Programs such as an operating system or a diagnostic module (not shown) are loaded into memory and executed under the control of a computer processor, and may be operatively connected to other programs or hardware.

The diagnosis module (not shown) may perform the above-described type estimation operation, fake device selection operation, and blocking operation. Specifically, the port scanning unit may perform a port scanning operation, the protocol scanning unit may perform a protocol scanning operation, the type estimation unit may estimate a device type, and the determination unit may perform a fake device selection operation and blocking operation. For each of these operations, please refer to the above-mentioned part.

The port scanning unit performs the port scanning operation described above. The port scanning unit creates a port checking packet, transmits the port checking packet to the wireless device 15 through the communication unit, and checks whether a response to the port checking packet is received to determine the port opened in the wireless device 15. Decide.

The protocol scanning unit performs the protocol scanning operation described above. The protocol scanning unit creates a protocol confirmation packet, transmits the protocol confirmation packet to the wireless device 15 through the communication unit, checks whether a response to the protocol confirmation packet is received, and actually uses the protocol in the opened port. decide

The vulnerability attacking unit transmits the vulnerability attacking message to the target device through the communication unit, and the judgment unit checks whether there is a response to the vulnerability attacking message. .

An operating system is software that not only manages hardware but also provides a hardware abstraction platform and common system services to execute application software, and a storage device and memory each include a recording medium that provides a space for storing and executing programs. A computer processor is a central processing unit (CPU), and such a central processing unit is a control unit of a computer that controls a computer system and executes program operations, or a chip having the function.

The memory and/or storage device provides a space in which programs are stored or executed, and may also store data necessary for the operation of the present invention, such as protocol-service mapping data or service-type mapping data.

The memory and/or storage device may also temporarily and/or permanently store various data. For example, the memory and/or storage device may store messages for vulnerability exploitation.

The type estimation unit performs the above-described type estimation operation.

According to an embodiment, the type estimating unit includes at least one information of Banner information and Service information of the wireless device 15, and at least one operation result of the port scanning unit operation result and the protocol scanning unit operation result. Use

According to another embodiment, at least one result of an operation result of the port scanning unit and an operation result of the protocol scanning unit is used. Since the detailed description of these embodiments has been described above, it will be omitted.

According to an embodiment, the type estimation result of the type estimation unit is stored in the storage device and/or the memory. The type estimation result is data corresponding to a type for each wireless device 15 . Meanwhile, vulnerability data for each type may also be stored in the storage device and/or memory. Vulnerability data for each type (data corresponding to vulnerabilities for each type) is used to find vulnerabilities of the target device type.

The vulnerability attacking unit may refer to vulnerability data for each type to find a vulnerability corresponding to the type of the target device and generate a message for attacking the vulnerability. Then, the vulnerability attack message is transmitted to the target device through the communication unit. After checking whether there is a response to the vulnerability attack message, the determination unit determines that the target device is not a fake device if there is a response, and determines that it is a fake device if there is no response.

All or at least part of the port scanning unit may be configured as a program. The part composed of the program is loaded into the memory and performs the port scanning operation under the control of the computer processor. Other components, eg, a protocol scanning unit and a type estimation unit, may be configured in the same manner as the port scanning unit and perform their own operations. Meanwhile, since detailed descriptions of the port scanning operation, the protocol scanning operation, and the type estimation operation have been described above, they will be omitted here.

9 is a diagram for explaining a wireless care method according to an embodiment of the present invention. A wireless care method according to an embodiment of the present invention is for determining a fake device among wireless devices (also referred to as 'target devices') close to the access control system 300 . For example, components included in the access control system 300 using the wireless security unit 100, for example, the access control server 301, the DB storage device 303, and/or the IP-PBX 305 ) is to determine the access of unauthorized wireless devices.

Referring to FIG. 9, a wireless care method according to an embodiment of the present invention includes estimating the type of a target device (S100); Selecting a vulnerability according to the type of target device (S300); Attacking the vulnerability selected in step S300 (S400); and determining whether the target device is a fake device according to whether the attack on the target device succeeds (S500).

The wireless care method according to an embodiment of the present invention may further include storing and managing vulnerability data for each wireless device type corresponding to a vulnerability for each type of wireless device (S200).

The step of selecting the aforementioned vulnerability (S300) includes an operation of finding a vulnerability corresponding to the type of the target device by referring to vulnerability data for each wireless device type.

The step of attacking the target device described above (S400) may be a step of generating a vulnerability attack message that attacks the vulnerability selected in the step of selecting a vulnerability according to the type of the target device (S300) and transmitting it to the target device.

In the above-described step of determining whether the target device is a fake device (S500), when the target device responds to the vulnerability attack message, it is determined that the target device is not a fake device, and the target device responds to the vulnerability attack message. If there is no response, it may be a step of determining that the target device is a fake device.

Hereinafter, it is assumed that the wireless care method according to an embodiment of the present invention is applied to the wireless security unit 100 described with reference to FIGS. 2 and 4 .

For the step of estimating the type of the target device (S100), please refer to the description with reference to FIG. 10 .

The step of storing and managing vulnerability data for each type (S200) is a step in which the wireless security unit 100 stores and manages the result of the step of estimating the type of the target device (S100) in a recording medium.

The step of selecting a vulnerability (S300) is a step in which the wireless security unit 100 selects a vulnerability according to the type of the target device. For example, the vulnerability attacker may select a vulnerability according to the type of the target device estimated by the type estimation unit. To this end, vulnerability data for each type is stored in the storage device, and the vulnerability attacking unit may select a vulnerability corresponding to the type of the target device by referring to the vulnerability data for each type.

Attacking the target device (S400) is a step in which the wireless security unit 100 attacks the target device's vulnerability. For example, the vulnerability attacker transmits a vulnerability attack message to the target device. The vulnerability attack message is generated based on vulnerability data selected according to the type of the target device. The vulnerability attacking unit may directly generate a message for attacking the vulnerability.

In the step of determining whether the target device is a fake device (S500), for example, the determination unit of the wireless security unit 100 determines that the target device is not a fake device when the target device responds to the vulnerability attack message. And, if the target device does not respond to the vulnerability attack message, it may be determined that the target device is a fake device.

As described above, the method for determining whether the target device described with reference to FIG. 9 is a fake device may be implemented by, for example, a computer program.

For example, according to an embodiment of the present invention, attacking the vulnerability of the target device to determine whether or not the fake (fake) device; And determining whether the target device is a fake device according to whether the attack on the vulnerability of the target device succeeds; reading a program for executing a wireless care method in the wireless security unit 100, which includes a computer. A recording medium that can be used is provided.

For another example, estimating the type of the target device (S100); Selecting a vulnerability according to the type of a target device to be determined whether or not it is a fake device (S300); Attacking the vulnerability selected in step S300 (S400); and determining whether the target device is a fake device according to whether the attack on the target device succeeds (S500). A recording medium that can be used is provided.

10 is a diagram for explaining a method of estimating a type of a wireless device according to an embodiment of the present invention.

Referring to FIG. 10 , the method for estimating the type of a wireless device according to an embodiment of the present invention includes a port scanning step (S110) of finding an open port of a target device, and a port scanning step (S110). A protocol scanning step (S120) to find the protocol used in the open port found as a result of performing the Port Scanning step (S110), based on the results of the above-described scan steps (S110, S120) Thus, a type assumption step (S130) of estimating the type of the target device may be included.

Hereinafter, assuming that the method for estimating the type of a wireless device according to an embodiment of the present invention is applied to the above-described wireless security unit 100, the method for estimating the type of a wireless device according to an embodiment of the present invention will be described. Let's explain.

The port scanning step (S110) is to find an open port of the wireless device 15. That is, the port scanning step ( S110 ) is a step of performing the port scanning operation described with reference to FIG. 9 .

In this embodiment as well, for the purpose of explanation of the present invention, the open port of wireless device 15a is port 80, the off port of wireless device 15b is port 23, and the open port of wireless device 15c is port 23. It is assumed that is port 5555 and the open port of the wireless device 15d is port 5559.

The port scanning step (S110) is to find an open port of the wireless device 15. For example, as a result of performing the port scanning step (S110), the open port of the wireless device 15a is port 80, the off port of the wireless device 15b is port 23, and the open port of the wireless device 15c is is port 5555, and the open port of the wireless device 15d is port 5559.

The protocol scanning step (S120) is a step for knowing the type of protocol actually used in the open port. That is, the protocol scanning step (S120) is a step of performing the protocol scanning operation described with reference to FIG. 9_delete. Meanwhile, the open port is obtained as a result of performing the port scanning step (S110).

For example, in the protocol scanning step (S120), an operation of finding out the type of protocol used in port 80, which is an open port of the wireless device 15a, is performed. In addition, the protocol scanning step (S120) is a protocol used in port 23 of the wireless device 15b, a protocol used in port 5555 of the wireless device 15c, and a protocol used in port 5559 of the wireless device 5d. Performs an operation to find out which protocol is used. As such, the protocol scanning step ( S120 ) is a step of finding out the types of protocols actually used for all open ports of the wireless device 15 .

The protocol scanning step (S120) includes checking the type of open port, creating a protocol checking packet, transmitting the protocol checking packet to a target device having the open port, and transmitting the protocol checking packet. and checking whether there is a response from one target device. Meanwhile, the step of confirming the type of open port is a step of performing the above-described operation of confirming the type of open port, and the step of creating a packet for protocol confirmation is the step of performing the above-described operation of creating a packet for confirmation of protocol. , and the step of checking whether a response is received from the target device is a step of performing an operation of checking whether a response is received from the target device. Therefore, a more detailed description of these steps will be omitted.

In the step of checking the type of open port, it is checked whether the open port obtained by the port scanning operation corresponds to a well-known port, a registered port, or a dynamic port. perform the action

According to one embodiment, the step of checking the type of open port. By referring to the port type data, an operation of finding out the type of the open port acquired by the port scanning operation is performed.

According to one embodiment, the step of creating a packet for protocol confirmation performs an operation of creating a packet for protocol confirmation according to the type of open port.

For example, in the step of creating a packet for protocol confirmation, since port 80 of the wireless device 15a is a well-known port for using the World Wide Web HTTP protocol, Performs an operation to create a packet for protocol confirmation.

In addition, in the step of creating the protocol confirmation packet, if there is no response from the wireless device 15a to the protocol confirmation packet created using the web HTTP protocol, port 80 of the wireless device 15a uses the web HTTP protocol. Determines not to do so, and performs an operation of creating a packet for protocol confirmation using a protocol other than the World Wide Web HTTP protocol.

That is, in the step of creating the protocol confirmation packet, in order to find out the type of protocol actually used in the open ports of the wireless device 15, the protocol confirmation packet is created until a response comes like the above-described operations. .

The step of transmitting the packet for protocol confirmation to the wireless device is the step of transmitting the packet for protocol confirmation to the target device. In the step of transmitting the protocol confirmation packet to the target device, an operation of transmitting the protocol confirmation packet is performed until a response is received from the target device.

The step of checking whether there is a response from the target device that has transmitted the packet for protocol confirmation is to monitor whether a response to the packet for protocol confirmation is coming from the target device, and if a response is received, the protocol used for such a response is changed from the corresponding open port. Performs an operation to determine the actual protocol used.

The type estimation step (S130) is a type of estimating each type of target devices using at least one result of the above-described photo scanning step (S110) and protocol scanning step (S120). This step is to perform an estimation operation. That is, the type estimation step (S130) is a step of performing the above-described type estimation operation.

According to an embodiment, the type estimating step (S130) includes estimating the type of service from the type of protocol found as a result of performing the protocol scanning operation, and estimating the type of the target device from the type of service. do. Here, the step of estimating the type of service from the type of protocol is a step of performing an operation of estimating the type of service from the type of protocol described above, and the step of estimating the type of target device from the type of service is the step of estimating the type of service described above. This is a step of performing an operation of estimating the type of the target device from the type. Therefore, for a detailed description of these steps, please refer to the description of the embodiment of FIG. 1_DELETE_DELETE and FIG.

As described above, the response to the protocol confirmation packet may include at least one of banner information and service information of the target device.

According to an embodiment, the type assumption step (S130) includes at least one of Banner information and Service information of the target device, a result of performing the above-described photo scanning operation, and protocol scanning ( At least one of the results of the Protocol Scanning) operation is used.

For example, in the type estimation step ( S130 ), a first estimation operation, a second estimation operation, a comparison operation, and a type determination operation may be performed. For a detailed description of the first estimation operation, the second estimation operation, the comparison operation, and the type determination operation, please refer to the description of the embodiment described with reference to FIG. 9 .

For another example, the type estimation step ( S130 ) may perform a port scanning operation, a protocol scanning operation, and a type estimation operation. For a detailed description of the first estimation operation, the second estimation operation, the comparison operation, and the type determination operation, please refer to the description of the embodiment described with reference to FIG. 9 .

As described above, the method for estimating the type of a wireless device according to an embodiment of the present invention described with reference to FIG. 10 may be implemented by, for example, a computer program. That is, a computer-readable program for executing all or some of the steps constituting the method for estimating the type of a wireless device according to an embodiment of the present invention described with reference to FIG. 10 in a wireless device care apparatus. It can be stored on a recording medium. A program for executing all or some of the steps constituting the method according to an embodiment of the present invention stored in a recording medium in the wireless security unit 100 may be loaded into a memory and executed under the control of a computer processor.

For example, according to an embodiment of the present invention, the result of performing the port scanning step (S110) and the port scanning step (S110) of finding an open port of the target device. A protocol scanning step (S120) for finding a protocol used in the open port found by , and a type for estimating the type of the target device based on the results of the above-described scan steps (S110 and S120). A computer readable recording medium is provided for a program for causing the wireless security unit 100 to execute a method of estimating the type of a wireless device including a type assumption step (S130). For a description of each of these steps, please refer to the description above.

As described above, the method for estimating the type of a wireless device according to an embodiment of the present invention described with reference to FIG. 10 may be implemented by, for example, a computer program. That is, a computer-readable program for executing all or some of the steps constituting the method for estimating the type of a wireless device according to an embodiment of the present invention described with reference to FIG. 10 in a wireless device care apparatus. It can be stored on a recording medium. A program for executing all or some of the steps constituting the method according to an embodiment of the present invention stored in a recording medium in the wireless security unit 100 may be loaded into a memory and executed under the control of a computer processor.

For example, according to an embodiment of the present invention, the result of performing the port scanning step (S110) and the port scanning step (S110) of finding an open port of the target device. A protocol scanning step (S120) of finding a protocol used in the open port found by , and a type of estimating the type of the target device based on the results of the above-described scan steps (S110 and S120). A computer-readable recording medium is provided for a program for causing the wireless security unit 100 to execute a method of estimating the type of a wireless device including a type assumption step (S130). For a description of each of these steps, please refer to the description above.

As such, those skilled in the art in the field to which the present invention pertains can make various modifications and variations from the description of the above specification. Therefore, the scope of the present invention should not be limited to the described embodiments and should not be defined, but should be defined by not only the claims to be described later, but also those equivalent to these claims.

100: wireless security unit
200: server rack
201, 202, 205: locking device
203, 207: server
N2: In-house wired/wireless communication network
N1: communication network
U1, U2: Smartphone
300: Access control system
301: access management server
303: DB storage device
305: IP-PBX

Claims (5)

In a server rack system capable of storing a server,
A server rack 200 capable of storing a plurality of servers;
A locking device 202 operatively coupled to the door of the server rack 200 to open or close the door of the server rack 200; and
Server rack system including; access control system 300 for managing the locking and unlocking of the locking device 202. According to claim 1,
The access control system 300 transmits the access control phone number to the locking device 202, periodically updates the access control phone number and transmits it to the locking device 202,
The locking device 202 has a display unit for displaying the phone number for access control received from the access control system 300,
The access control system 300 stores and manages the ID of the locking device 202 and the most recently updated phone number for access control in correspondence with each other,
When the visitor calls the access control phone number, the access control system 300 uses the caller number of the visitor to enter and exit the server rack 200 operatively coupled with the locking device 202. It is checked whether there is authority to access, and a release signal is transmitted to the locking device 202 only when the person has authority to access,
The locking device 202 is to open the door of the server rack 200 when receiving a release signal from the access control system 300, the server rack system. According to claim 2,
The access control system 300 is
access management server 301;
DB storage device 303 for storing the authority DB; and
a wireless security unit 100; Including,
The access management server 301 is connected to the DB storage device 303 through the in-house wired and wireless communication network (N3),
The authority DB is
The ID of the locking device 202 and the most recently updated telephone number for access management are matched with each other, and at least one or more having the authority to access the server rack 200 operatively coupled with the locking device 202. The phone number of the visitor and the ID of the locking device 202 correspond to each other,
The access management server 301 stores and manages the ID of the locking device 202 and the most recently updated telephone number for access management in the authority DB,
The access management server 301, when a caller receives a call to the phone number for access management, retrieves the authority DB and retrieves the server rack 200 in which the caller number of the visitor is operatively coupled with the locking device 202. It is checked whether the person has the right to access, and if the caller ID of the person is included in the authority DB, a release signal is transmitted to the locking device 202,
The wireless security unit 100 can detect a wireless signal of a wireless device connected to the in-house wired and wireless communication network (N3), and can determine whether the detected wireless device is a fake device, server rack system. In paragraph 3,
The wireless security unit 100 performs a type estimation operation of estimating the type of the wireless device and an operation of determining whether the wireless device is a fake device by attacking the wireless device with a vulnerability according to the type of the wireless device, ,
The type estimation operation is an operation of estimating the type of the wireless device according to a result of a port scanning operation and a protocol scanning operation,
The port scanning operation is an operation of finding an open port of the wireless device,
The protocol scanning operation is an operation of finding a protocol used in an open port found as a result of performing the port scanning operation,
The protocol scanning operation
An operation of checking the type of the open port, an operation of preparing a packet for checking a protocol according to the type of the open port and transmitting the packet to the wireless device having the open port, and An operation of confirming whether a response to the protocol confirmation packet is received;
The operation of checking the type of the open port includes checking whether the open port corresponds to a well-known port, a registered port, or a dynamic port. is an action,
The response includes at least one of Banner information and Service information of the wireless device having the Open Port,
The server rack system, wherein the banner information or the service information includes information indicating a type of wireless device. According to claim 4,
The type estimation operation is
A first estimation operation of estimating the type of service from the protocol found as a result of performing the protocol scanning operation, a second estimation operation of estimating the type of service from information indicating the type of the wireless device, and estimation by the first estimation operation An operation of comparing the type of service estimated by the second estimation operation and the type of service estimated by the second estimation operation, and when the comparison results are different, the type of wireless device with the open port is obtained from information indicating the type of the wireless device. Perform an operation to infer the type,
In the protocol scanning step, if there is no response as a result of performing an operation to check whether a response to the protocol check packet is received from the wireless device, another protocol not used for the protocol check packet To perform an operation of creating a packet for protocol confirmation and transmitting it to the wireless device having the open port (Open Port), the server rack system.

Images