WO2013151376A1 - Système de sécurité utilisant un double os et procédé associé - Google Patents

Système de sécurité utilisant un double os et procédé associé Download PDF

Info

Publication number
WO2013151376A1
WO2013151376A1 PCT/KR2013/002856 KR2013002856W WO2013151376A1 WO 2013151376 A1 WO2013151376 A1 WO 2013151376A1 KR 2013002856 W KR2013002856 W KR 2013002856W WO 2013151376 A1 WO2013151376 A1 WO 2013151376A1
Authority
WO
WIPO (PCT)
Prior art keywords
dual
network
security
application data
data
Prior art date
Application number
PCT/KR2013/002856
Other languages
English (en)
Korean (ko)
Inventor
김현승
Original Assignee
(주) 엘케이컴즈
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by (주) 엘케이컴즈 filed Critical (주) 엘케이컴즈
Publication of WO2013151376A1 publication Critical patent/WO2013151376A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/22Microcontrol or microprogram arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures

Definitions

  • the present invention relates to a security system and a method using a dual OS, and more particularly, two systems that are independent of each other, a data processing system connected to a predetermined network, a first system connected to a network and a second system not.
  • the second system relates to a security system that can have an excellent security effect by allowing communication with the first system only in a client manner.
  • the storage area may be a special storage device having high security, or may be implemented as a virtual environment.
  • the OS driving the virtual machine is dependent on the OS.
  • the attack process with the root authority of the data processing system is still in an environment where the confidentiality and integrity of the data can be compromised.
  • an object of the present invention is to separate a single system (or device) into a plurality of systems driven by independent OSs, and any one of the plurality of systems may be the remaining system, that is, the first system.
  • the present invention provides a system and a method for maintaining security against an attack from a network by always communicating with a client only, that is, by performing one-way access control to the plurality of systems.
  • the second system can ensure the safety of the second system by performing only a predefined operation, and the security of the entire system by processing or storing data requiring security through the second system. It is to provide a system and method that can maintain.
  • the present invention provides a system and a method for enabling secure data transmission from an external network to an internal network even in a network separated environment.
  • the first system is installed, the first system is connected to the network network and performs communication with the network node existing in the network network and A second OS, which is driven independently of the first OS, is installed, and the second OS is implemented to include a second system configured to operate only as a client for communication with the first system.
  • the second system may be implemented such that an internal process of the second system or a process with another system performs only a predefined process.
  • an access control adapter is installed in the first system, and an access control handler is installed in the second system. Handler) may be installed.
  • the first system may further include an application data handler for extracting application data from which network attribute information has been removed from data received from the network node.
  • the first system may further include a security controller for filtering the extracted application data through a predetermined criterion and storing only the filtered application data.
  • the second system may be characterized by requesting and bringing the application data stored in the first system in a client manner.
  • the second system may further include a second security controller for inspecting the imported application data based on a predetermined second criterion, and determining whether to transmit the applied data to another predetermined system according to the inspected result. .
  • the second system may be characterized in that the first system to obtain the application data through a protocol different from the protocol in which the first system communicates with the network node.
  • the second system may be characterized in that only the other predefined system may allow the application data to be taken.
  • the other system is a fourth system included in a security system using a second dual OS provided to correspond to the security system using a dual OS, and a third OS is installed in the security system using the second dual OS.
  • a third system connected to a network network and communicating with a second network node existing in the second network network and a fourth OS running independently of the third OS are installed.
  • the client is configured to communicate with the third system. It may include the fourth system implemented to operate only.
  • the fourth system transmits the application data to the third system in a client manner, the transmitted application data is stored in the third system, and the stored application data is accessed by a second network node connected to the third system. It is possible to feature.
  • a security system using a dual OS for solving the technical problem includes a security system using a first dual OS and a security system using a second dual OS, and a security system using the first dual OS and the second dual OS.
  • Each of the security systems using the first system is installed, the first system is connected to the first network or the second network network and performs communication with the network node existing in the first network or the second network network and A second OS installed independently of the first OS, and including a second system configured to operate only as a client for communication with the first system, and a second system included in the security system using the first dual OS;
  • the system uses the second dual OS only when there is a request from a second system included in the security system using the second dual OS. It characterized in that for transmitting predetermined data to the second system included in the system.
  • a security system using a dual OS for solving the technical problem includes a security system using a first dual OS and a security system using a second dual OS, and a security system using the first dual OS and the second dual OS.
  • Each of the security systems using the first system and the first system is installed, connected to the first network or the second network network and performs communication with the network node existing in the first network or the second network network and the A second system installed independently of the first OS, the second system being implemented to operate only as a client for communication with the first system, and a second system included in the security system using the second dual OS; Is characterized by acting only as a client for any system.
  • a security method using a dual OS is included in a security system using a dual OS, and a first system in which a first OS is installed is connected to a network network to receive predetermined data from a network node existing in the network network. And a second system installed in the security system using the dual OS and installed independently of the first OS to receive the predetermined data or application data derived by the predetermined data in a client manner. And the second system communicates with the first system only in a client manner.
  • the security method using the dual OS may further include extracting, by the first system, the application data from which network attribute information has been removed from the data received from the network node.
  • the security method using the dual OS may further include filtering, by the first system, the extracted application data through a predetermined criterion and storing only the filtered application data.
  • the second system receiving the predetermined data or application data derived by the predetermined data in a client manner, wherein the second system uses a protocol different from that in which the first system communicates with the network node. Importing the application data through the.
  • the security method using the dual OS may further include transmitting the data or the application data only when the second system receives a request from another predefined system.
  • the other system is a fourth system included in a security system using a second dual OS provided to correspond to the security system using a dual OS, and a third OS is installed in the security system using the second dual OS.
  • a third system connected to a network network and communicating with a second network node existing in the second network network and a fourth OS running independently of the third OS are installed.
  • the client is configured to communicate with the third system. It characterized in that it comprises the fourth system implemented to operate only.
  • the security method using the dual OS may further include transmitting, by the fourth system, the data or the application data to the third system in a client manner.
  • a security method using a dual OS is included in a security system using a dual OS, and a first system in which a first OS is installed is connected to a network network to receive predetermined data from a network node existing in the network network.
  • the second system installs the predetermined data or application data derived by the predetermined data in a client manner.
  • the second system transmitting the data or the predetermined data to the other system only when there is a request from another predefined system, wherein the second system includes the first system; Characterized in that it communicates with the system only as a client. All.
  • the security system using a dual OS is divided into a plurality of systems driven by independent OSs, and any one of the plurality of systems is connected to a network, but the remaining second system Always operates only as a client for the second system, so the second system has the effect of being separated from the network.
  • the first system is deprived of the root authority due to an attack from the network, there is no method of attacking the second system by the first system, thereby ensuring the safety of the second system.
  • FIG. 1 is a view showing a schematic configuration of a security system using a dual OS according to an embodiment of the present invention.
  • FIG. 2 is a diagram schematically illustrating an operation when a security system using a dual OS is provided in pairs according to an embodiment of the present invention.
  • FIG. 3 is a diagram illustrating an example in which a security system using a dual OS according to an embodiment of the present invention is applied to a network environment.
  • FIG. 4 is a flowchart illustrating a security method using a dual OS in an embodiment of the present invention.
  • FIG. 5 is a flow chart following the flow chart of FIG. 4 for explaining data transfer between networks when a security system using dual OSs is provided in pairs according to an embodiment of the present invention.
  • FIG. 6 is a diagram illustrating an example in which a security system using a dual OS according to an embodiment of the present invention is applied to a service environment through a remote network.
  • the component when one component 'transmits' data to another component, the component may directly transmit the data to the other component, or through at least one other component. Means that the data may be transmitted to the other component.
  • FIG. 1 is a view showing a schematic configuration of a security system using a dual OS according to an embodiment of the present invention.
  • a security system 100 using a dual OS includes a first system 110 and a second system 120.
  • Each of the first system 110 and the second system 120 may be a predetermined system in which an OS is installed and data processing capability exists.
  • the security system 100 using the dual OS is a single device, and the first system 110 and the second system 120 may be provided in the security system 100 using the dual OS.
  • the first system 110 and the second system 120 are each implemented with different main boards, and each processor has a predetermined processor and storage device and at least one NIC (Network). Interface Card) may be provided in the system. That is, the first system 110 and the second system 120 may be implemented as a physically divided system in a single device. Of course, the first system 110 and the second system 120 may not be physically separated. Various embodiments may be possible.
  • the security system 100 using the dual OS is implemented as a single device
  • the first system 110 and the second system 120 is implemented as a physically divided system in the single device.
  • the first system 110 and the second system 120 are implemented as a single device (eg, a motherboard and / or a storage device, a CPU, etc.), the first system 110 and the first system 110 may be used.
  • the OS of the two systems 120 should be able to ensure that they operate independently of each other. That is, it may be desirable for two OSs to be horizontal and independent of each other to be driven, and each OS to correspond to each system.
  • a plurality of OSs may be driven using a hypervisor capable of simultaneously running a plurality of OSs in a host computer, and in this case, it may be preferable that the host computer does not run a separate OS. If the OS of the host computer is driven separately, and if a separate OS is run on the OS of the host, the separate OS is dependent on the host OS.
  • each of the OSs 111 and 121 driving the first system 110 and the second system 120 may be an independent OS.
  • the first OS 111 and the second OS 121 may be the same type of OS or may be different OSs.
  • the first system 110 includes the first OS 111.
  • the first system 110 may further include an access control adapter 112.
  • the first system 110 may further include an application data handler 115 and / or a first security controller 113.
  • the application data filtered through the application data handler 115 and / or the first security controller 113 may be stored in a predetermined storage device 114.
  • the second system 120 includes a second OS 121.
  • the second system 120 may further include an access control handler 122.
  • the second system 120 may further include a predetermined second security controller 123.
  • the second system 120 may be provided with a predetermined storage device (not shown) in which data processed by the second system 120 is stored.
  • the first OS 111 and the second OS 121 may be driven independently of each other.
  • first system 110 and the second system 120 may perform server-client communication. That is, the second system 120 always operates only as a client with respect to the first system 110. In the present specification, this communication will be defined as client type communication. Client-based communication, that is, the second system 120 operates only as a client with respect to the first system 110, so that the second system 120 listens to the first system 110. This may mean that no operation is performed. Accordingly, the first system 110 cannot make any request to the second system 120, and the second system 120 always makes a request to the first system 110, It may mean that the communication is performed by receiving the request. Thus, unidirectional access control from the second system 120 to the first system 110 can be achieved.
  • the access control adapter 112 and the access control handler 122 may be an active access control adapter and an active access control handler, respectively.
  • the second system 120 may always operate in client mode, that is, only as a client, with respect to the first system 110.
  • the OS and the one-way access control independent of each other the second system 120 may be isolated from the network connected to the first system 110. Therefore, the second system 120 has an effect of ensuring safety against attacks from the network regardless of the safety of the first system 110. Thus, even if the first system 110 is attacked from the network, even if the root authority of the first system 110 is taken away, the second system 120 does not have any attack from the first system 110. You may not be attacked.
  • the second system 120 may be guaranteed for the attack from the network. However, even if it is safe against an attack from the network, it may not be said that the safety or security of the entire second system 120 is guaranteed.
  • the second system 120 may perform only a predetermined operation or process to increase safety or security of the entire second system 120. That is, the second system 120 performs an operation of the white list method. That is, the second system 120 may be defined so as to perform only a predetermined operation or process and not perform an operation or process that is not. Accordingly, the second system 120 may be implemented to ensure security or integrity by blocking the execution of an unexpected process.
  • the second system 120 may periodically request the application data 114 stored in the first system 110 in a client manner.
  • only predefined data processing and storage processes can be performed.
  • the second security controller 123 is provided in the second system 120, the operation of the security controller 123 may also be defined in advance.
  • a predetermined other system eg, 220 of FIG. 2 as described below, it may be defined to allow the request only in the case of a predetermined other system.
  • the operations or processes predefined to be performed by the second system 120 may vary according to which system the security system 100 using the dual OS is implemented.
  • the security system 100 using the dual OS may be implemented as a system requiring security.
  • a virtual smart card device ie, a device including a function of a smart card
  • Secure operations and processes to be performed, and data to be secured may be implemented to be performed by the second system 120, wherein the operations, processes, and operations performed on the second system 120 are performed. And / or data may be previously defined in the second system 120. Therefore, the security system 100 using the dual OS may be implemented in any system requiring high security.
  • the security system 100 using the dual OS provides a function of securely transferring data from one network (eg, an internet network, a DMZ network, etc.) to another network (eg, an internal corporate network (intranet), etc.).
  • the first system 110 may include the first security controller 113 as shown in FIG. 1 and / or in addition to the first OS 111 and the access control adapter 112 as described above.
  • the application data handler 115 may further include.
  • a predetermined storage device 114 for storing application data may be further included.
  • the second system 120 may further include a second security controller 123 in addition to the second OS 121 and the access control handler 122.
  • the first system 110 may be a system connected to a predetermined network (eg, the Internet). Data transmitted from the network to the first system 110 (hereinafter, network data) may be insecure data. Thus, the first system 110 may perform predetermined security processing. Such security processing may be performed through the application data handler 115 and / or the first security controller 113. Only application data secured by the application data handler 115 and / or the first security controller 113 may be stored in the storage device 114. The data stored in the storage device 114 may be transmitted and transferred in a client manner by the second system 120.
  • a predetermined network eg, the Internet
  • network data may be insecure data.
  • the first system 110 may perform predetermined security processing. Such security processing may be performed through the application data handler 115 and / or the first security controller 113. Only application data secured by the application data handler 115 and / or the first security controller 113 may be stored in the storage device 114. The data stored in the storage device 114 may be transmitted and transferred in a client manner
  • the application data handler 115 may receive network data transmitted from a network and extract only application data from which network attribute information is removed from the received network data.
  • the network attribute information may include, for example, packet related information (eg, source IP, destination IP, sequence information, etc.), session related information such as SYN / ACK / FIN, OS finger print information, and maximum transmission unit (MTU) information. This may mean network related information except for payload information that is actually delivered. Since there is room for network attack through such network attribute information, the application data handler 115 may generate application data from which the network attribute information has been removed. To this end, the application data handler 115 may have a predetermined socket to remove the network attribute information through socket communication using the socket. In addition, the application data handler 115 may receive the network data through a predetermined network control (eg, TCP / IP Access Control, not shown).
  • a predetermined network control eg, TCP / IP Access Control, not shown.
  • the first security controller 113 may filter the generated application data based on a predetermined criterion. For example, the first security controller 113 may apply the application on the basis of whether a malicious keyword or a prohibited word exists in the application data, whether a predetermined SQL injection code exists, or whether the malicious code exists. You can filter the data. In addition, various conventional methods for checking the security of data may be included in the predetermined criteria. If the application data that does not satisfy the criteria is detected by the first security controller 113, the first security controller 113 performs the session if the session that transmitted the application data is maintained. You can either quit or just discard the application data.
  • a predetermined second security controller 123 may also be provided in the second system 120.
  • the filtering criteria performed by each of the first security controller 113 and the second security controller 123 may be implemented. It may vary depending on the example. For example, when the entire security system 100 using the dual OS is designed to perform N security processes (filtering or inspection, etc.), the first security controller 113 and the second security controller 123 may be used. The N security processes may be implemented to be performed, and whether the security process is performed by the first security controller 113 or the second security controller 123 may be selectively defined. According to an embodiment of the present disclosure, the first security controller 113 performs data processing with relatively light security processing, and the second security controller 123 implements data processing with relatively heavy security processing. Can be.
  • the data processing overhead of the first system 110 is generally This is because it may be larger than the second system 120.
  • the security processing performed by the first security controller 113 and the second security controller 123 may be selectively defined according to an implementation example.
  • the application data passed through the application data handler 115 and the first security controller 113 may be stored in the storage device 114.
  • the application data stored in the storage device 114 may be data that guarantees a certain safety.
  • the application data may be data such as an email or a message, but is not limited thereto, and may include all types of data that may be transmitted from the network.
  • the data stored in the storage device 114 may be taken by the second system 120 communicates in a client manner. That is, the second system 120 requests the first system 110 to transmit data stored in the storage device 114, and the first system 120 responds thereto to perform communication. .
  • the communication between the first system 110 and the second system 120 is, for example, a protocol (eg, the first system 110) communicating with a predetermined network node existing in a network (eg, the Internet).
  • TCP / IP may be a different protocol (eg, IPX communication, etc.).
  • the external network is TCP / IP, and the system (e.g., the first system 110) connected to the external network via the TCP / IP establishes TCP / IP with another system (e.g., the second system 120).
  • the first system 110 and the second system 120 may perform security through a protocol other than the TCP / IP protocol. Since the TCP / IP protocols are OSI level 4 and 3 protocols, the TCP / IP vulnerability is eliminated when the first system 110 and the second system 120 communicate with each other using a level 5 or higher application protocol. Can be.
  • the second system 120 imports application data stored in the storage device 114
  • the imported application data may be stored by the second system 120.
  • the second system 120 may also have a predetermined storage device.
  • the second system 120 may also filter the imported application data again based on a predetermined criterion. As described above, the filtering may be performed by the second security controller 123.
  • the second system 120 may further include a predetermined module or configuration for performing a predefined operation according to whether the security system 100 using the dual OS is implemented as a system.
  • the second system 120 can be separated from the network, it is effective to be guaranteed to be safe from the attack from the network. That is, as shown in FIG. 1, access from the first system 110 to the second system 120 is impossible (corresponding to a solid arrow) and unidirectional access control in the opposite direction (ie, a thick arrow). This safety can be ensured.
  • the security system 100 using the dual OS when the security system 100 using the dual OS is implemented to perform data transfer from another predetermined network to another network, the security system 100 using the dual OS as illustrated in FIG. 1. It may be preferable that) are provided in pairs. One such example is shown in FIG. 2.
  • FIG. 2 is a diagram schematically illustrating an operation when a security system using a dual OS is provided in pairs according to an embodiment of the present invention.
  • the security system using the dual OS uses the security system 100 using the first dual OS and the security system 200 using the second dual OS as described in FIG. 1. It can be provided in pairs.
  • the security system 100 using the first dual OS may be connected to a first network network (eg, the Internet network), and the security system 200 using the second dual OS may be connected to a second network network (eg, an internal network). (Intranet), etc.).
  • a first network network eg, the Internet network
  • a second network network eg, an internal network. (Intranet), etc.
  • the security system 200 using the second dual OS may be a system including all of the same components as in FIG. 1. That is, the security system 200 using the second dual OS may include a third system 210 connected to a second network and a fourth system 220 operating as a client to the third system 210. Can be.
  • the third system 210 also includes an independent third OS 211 and an access control adapter 212.
  • the application data handler 215, the security controller 213, and the storage device. 214 may be implemented to not include.
  • data transfer from the second network to the first network can also be easily performed. There is an effect that can be performed by redefining the function of the fourth system 220.
  • the fourth system 220 includes a fourth OS 221 and an access control handler 222.
  • the fourth system 220 may further include a security controller 223, or may not.
  • the fourth system 220 may always operate only as a client with respect to the third system 210.
  • communication between the security system 100 using the first dual OS and the security system 200 using the second dual OS is performed through communication between the second system 120 and the fourth system 220.
  • the fourth system 220 may be implemented to operate only as a client with respect to the second system 120.
  • the second system 120 may further include an access control adapter (not shown) that communicates with the access control handler 222 of the fourth system 220.
  • the unidirectional access control may be achieved between the security system 100 using the first dual OS and the security system 200 using the second dual OS.
  • the second system 120 may include a process for allowing the transmission of application data only when a request from the fourth system 220 is received during a predefined process.
  • the fourth system 220 may include a process of bringing application data to the second system 120 through a client type request during a predefined process.
  • the fourth system 220 when the fourth system 220 obtains the application data from the second system 120 included in the security system 100 using the first dual OS in a client manner, the fourth system 220 The obtained application data may be transmitted to the third system 210 in a client manner.
  • the application data transmitted to the third system 210 may be stored in the storage device 214 included in the third system 210, and the stored application data may be stored by network nodes included in the second network. It may be accessible.
  • the communication between the third system 210 and the fourth system 220 may be different from a protocol (eg, TCP / IP, etc.) in which the third system 210 communicates with external network nodes.
  • a protocol eg, TCP / IP, etc.
  • IPX IPX
  • the fourth system 220 can always operate only as a client for any system. That is, it can be seen that the fourth system 220 does not operate as a server. As a result, the fourth system 220 may mean that it is safe from any external attack. Therefore, the security system using the dual OS as shown in FIG. 2 through the fourth system 220 has the effect of ensuring secure data transmission from the first network to the second network safely even when any external attack exists. There is.
  • FIG. 3 An example in which a security system using a dual OS according to an embodiment of the present invention described with reference to FIG. 1 or 2 is applied to a network environment is illustrated in FIG. 3.
  • FIG. 3 is a diagram illustrating an example in which a security system using a dual OS according to an embodiment of the present invention is applied to a network environment.
  • a first network eg, a DMZ network, 1) or other external network (eg, the Internet) and a second network (eg, an internal network, 2) may be distinguished by a predetermined firewall.
  • the first network 1 may refer to a network connecting the second network 2 to the outside.
  • the first network 1 may be a network including a VPN server 10, a mail server 11, a web server, and the like for the second network 2.
  • the second network 2 is an internal network within a specific organization, and may be a network designed to distribute data to be distributed in an organization, such as a file server 20, a work server 21, a DB server, and the like.
  • the first network 1 and the second network 2 may be transmitted data through the security system 100 and 200 using the dual OS provided in pairs as shown in FIG.
  • the security system 200 using the second dual OS may perform unidirectional access to the security system 100 using the first dual OS. That is, the fourth system 220 of the security system 200 using the second dual OS may import application data included in the security system 100 using the first dual OS in a client manner. The obtained application data may be stored in the third system 210 included in the security system 200 using the second dual OS, and may be accessible by the internal network nodes 20 and 21.
  • FIG. 3 For example, when a plurality of internal networks (eg, internal networks of a plurality of organizations) are implemented as one DMZ network, security using a plurality of second dual OSs corresponding to the security system 100 using the first dual OS is provided. As the system 200 is included in each internal network, data of the external network can be securely transferred to each internal network.
  • a plurality of internal networks eg, internal networks of a plurality of organizations
  • security using a plurality of second dual OSs corresponding to the security system 100 using the first dual OS is provided.
  • data of the external network can be securely transferred to each internal network.
  • FIG. 4 is a flowchart illustrating a security method using a dual OS in an embodiment of the present invention.
  • 5 is a flow chart following the flow chart of FIG. 4 for explaining data transfer between networks when a security system using dual OSs is provided in pairs according to an embodiment of the present invention.
  • steps S100 to S130 are performed by the first system 110
  • steps S200 to S220 may be processes performed by the second system 120.
  • the first system 110 and the second system 120 may be included in the security system 100 using the first dual OS as a single device.
  • steps S300 to S310 may be processes performed by the fourth system 220
  • step S400 may be processes performed by the third system 210.
  • the third system 210 and the fourth system 220 may be included in the security system 200 using the second dual OS as a single device.
  • the first system 110 may receive network data from the first network (S100). Then, the first system 110 may remove network attribute information from the network data and extract application data (S110). In operation S120, the first system 110 may filter the application data based on a predetermined criterion. Application data that has passed the filtering may be stored in the first system 110 (S130).
  • the second system 120 may bring the application data stored in the first system 110 in a client manner (S200).
  • the second system 120 may further perform filtering through a predetermined reference (S210).
  • Application data that has passed the filtering may be stored by the second system 120 (S220).
  • the fourth system 220 included in the security system 200 using the second dual OS may bring application data stored in the second system 120 in a client manner (S300).
  • the fourth system 220 may transmit the application data to the third system 210 in a client manner (S310).
  • the third system 210 may store the received application data (S400).
  • the stored application data may be distributed to network nodes of a second network.
  • FIG. 6 is a diagram illustrating an example in which a security system using a dual OS according to an embodiment of the present invention is applied to a service environment through a remote network.
  • a predetermined web server side system 3 and a client side system 4 may be connected via an internet network.
  • the web server side system 3 includes a security system 200 using a second dual OS according to an embodiment of the present invention between a web server providing a predetermined web service and a firewall (F / W, Fire Wall). can do.
  • the client side system 4 may include a security system 100 using a first dual OS according to an embodiment of the present invention between a predetermined client system (eg, a user computer, etc.) and a firewall.
  • the web server may control the unidirectional access to the client system using the security system 200 using the second dual OS as described above. That is, when a client system makes a predetermined request to the web server, the request is transmitted to the security system 100 using the first dual OS. Then, the access control may be possible in which the security system 200 using the second dual OS takes the request through the security system 100 using the first dual OS. Therefore, the web server side can provide a web service without opening a port.
  • the security method using the dual OS can be embodied as computer readable codes on a computer readable recording medium.
  • Computer-readable recording media include all kinds of recording devices that store data that can be read by a computer system. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, hard disk, floppy disk, optical data storage, and the like, and also in the form of carrier waves (e.g., transmission over the Internet). It also includes implementations.
  • the computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion. And functional programs, codes and code segments for implementing the present invention can be easily inferred by programmers in the art to which the present invention belongs.
  • the present invention can be used as a network security system.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

L'invention a trait à un système de sécurité utilisant un double OS et à un procédé associé. Ce système de sécurité utilisant un double OS comprend : un premier système sur lequel un premier OS est installé, et qui est connecté à un réseau de manière à communiquer avec un nœud de réseau appartenant audit réseau ; et un second système sur lequel est installé un second OS fonctionnant indépendamment du premier OS, et qui sert uniquement de client en ce qui concerne la communication avec le premier système.
PCT/KR2013/002856 2012-04-05 2013-04-05 Système de sécurité utilisant un double os et procédé associé WO2013151376A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020120035492A KR101216581B1 (ko) 2012-04-05 2012-04-05 듀얼 os를 이용한 보안 시스템 및 그 방법
KR10-2012-0035492 2012-04-05

Publications (1)

Publication Number Publication Date
WO2013151376A1 true WO2013151376A1 (fr) 2013-10-10

Family

ID=47908434

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2013/002856 WO2013151376A1 (fr) 2012-04-05 2013-04-05 Système de sécurité utilisant un double os et procédé associé

Country Status (2)

Country Link
KR (1) KR101216581B1 (fr)
WO (1) WO2013151376A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018088588A1 (fr) * 2016-11-11 2018-05-17 엘에스웨어(주) Système basé sur un hôte et procédé d'analyse de vulnérabilités dans un environnement infonuagique

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10474845B2 (en) 2016-11-16 2019-11-12 Foundation Of Soongsil University-Industry Cooperation Duo operating system for android security, mobile device having the same, method of securing mobile device having the same
KR20190046552A (ko) * 2017-10-26 2019-05-07 삼성전자주식회사 디스플레이장치 및 그 제어방법

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070083569A (ko) * 2004-08-18 2007-08-24 쟈루나 에스에이 운영체제
KR100919643B1 (ko) * 2007-09-11 2009-09-30 (주)기가바이트씨앤씨 이원화된 독립적 환경을 통한 내외부망 분리 장치 및 그제어 방법
KR101110672B1 (ko) * 2009-12-29 2012-02-24 주식회사 코어트러스트 Dcas 환경에서의 호스트 보안모듈 가상화 시스템 및 방법

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070083569A (ko) * 2004-08-18 2007-08-24 쟈루나 에스에이 운영체제
KR100919643B1 (ko) * 2007-09-11 2009-09-30 (주)기가바이트씨앤씨 이원화된 독립적 환경을 통한 내외부망 분리 장치 및 그제어 방법
KR101110672B1 (ko) * 2009-12-29 2012-02-24 주식회사 코어트러스트 Dcas 환경에서의 호스트 보안모듈 가상화 시스템 및 방법

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018088588A1 (fr) * 2016-11-11 2018-05-17 엘에스웨어(주) Système basé sur un hôte et procédé d'analyse de vulnérabilités dans un environnement infonuagique

Also Published As

Publication number Publication date
KR101216581B1 (ko) 2012-12-31

Similar Documents

Publication Publication Date Title
JP2008199138A (ja) 情報処理装置及び情報処理システム
WO2013085217A1 (fr) Système de gestion de la sécurité ayant de multiples serveurs de relais, et procédé de gestion de la sécurité
JP2008271339A (ja) セキュリティゲートウェイシステムとその方法およびプログラム
WO2020013439A1 (fr) Dispositif et procédé de routage de commande dans un réseau sdn
WO2015065149A1 (fr) Dispositif électronique et procédé de commande de dispositif électronique
WO2022108087A1 (fr) Appareil et procédé pour la sécurité de communication d'un réseau can de véhicule
WO2011008017A2 (fr) Appareil et procédé de séparation de réseaux à base d'hôte
EP2680141A1 (fr) Securité pour accès basée sur TCP/IP d'une machine virtuelle à network attached storage en créant des réseaux dediés à l'identification d'adresse MAC et contrôle de flux de données
WO2021112494A1 (fr) Système et procédé de détection et de réponse de type gestion basée sur des points d'extrémité
US20230198964A1 (en) Encrypted data packet forwarding
WO2013151376A1 (fr) Système de sécurité utilisant un double os et procédé associé
WO2015102372A1 (fr) Appareil et procédé pour la virtualisation d'une interface réseau
WO2016076574A1 (fr) Appareil et procédé d'identification d'informations de terminal
WO2022092788A1 (fr) Procédés et système de sécurisation d'un contrôleur sdn contre l'attaque par refus de service
JP2011151514A (ja) トラフィック量監視システム
Han et al. State-aware network access management for software-defined networks
JP2010239591A (ja) ネットワークシステム、中継装置、およびネットワーク制御方法
WO2019045424A1 (fr) Procédé de déchiffrement de couche de prise de sécurité destinée à la sécurité
WO2016200232A1 (fr) Système et procédé destinés à un serveur à distance en cas de défaillance d'un serveur de rétablissement
JP5091975B2 (ja) 情報処理装置及び情報処理システム
WO2018088680A1 (fr) Système de sécurité et procédé de traitement de demande d'accès à un site bloqué
Cisco Terminal Server Configuration and Reference Errata
Cisco Terminal Server Configuration and Reference Errata
Cisco Terminal Server Configuration and Reference Errata
Cisco Terminal Server Configuration and Reference Errata

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13772965

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 120215

122 Ep: pct application non-entry in european phase

Ref document number: 13772965

Country of ref document: EP

Kind code of ref document: A1