WO2014123347A1 - System for providing a protected network in a company, and method relating thereto - Google Patents



Publication number
WO2014123347A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
secure channel
network
server
gateway
Prior art date
Application number
PCT/KR2014/000968
Other languages
English (en)
Korean (ko)
Inventor
김형정
배기덕
곽동원
김성배
Original Assignee
주식회사 엑스엔시스템즈
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 엑스엔시스템즈
Publication of WO2014123347A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload

Definitions

  • the present invention relates to a system and a method for providing a security network in an enterprise, and more particularly to providing a security network by forming a secure channel between network devices (e.g., a user terminal or a server) in an internal network in an enterprise.
  • the present invention relates to a system and a method for establishing a secure corporate internal network.
  • Such attempts have generally evolved to prevent intrusion from the external network into the internal network.
  • a predetermined secure channel, e.g., a virtual private network (VPN) channel.
  • VPN: virtual private network
  • FIG. 1 is a view for explaining a method for protecting a conventional corporate internal network.
  • the external terminal 20 and the gateway 10 for the enterprise are provided.
  • A secure channel had to be established between them.
  • the secure channel (for example, a VPN channel) is formed between the VPN client installed in the external terminal 20, which has been verified in advance, and the gateway 10. Therefore, only a verified or authenticated external terminal 20 could access the internal network 40 through the gateway 10.
  • the conventional method of using a secure channel has mainly been used for access control from the external network to the internal network, that is, mainly for providing security in the public network.
  • little attention was paid to the security of actual communication within the internal network 40.
  • a network access control (NAC) solution for controlling the network access of terminals existing in an internal network,
  • a network separation solution for separating an external network from an internal network as necessary, and a solution for blocking illegal Wi-Fi terminals, which have recently come into question.
  • Various solutions, such as a Wireless Intrusion Prevention System (WIPS), had to be installed separately for the stability of the internal network.
  • WIPS: Wireless Intrusion Prevention System
  • a technical problem to be achieved by the present invention is to provide a system and method for performing communication between hosts in an enterprise through a secure channel through a gateway.
  • a system for providing a security network in an enterprise provides a security network to a plurality of terminals including a first terminal connected to an internal network in the enterprise.
  • the system includes a gateway server for establishing a first secure channel with the first terminal for communication with other devices in the internal network, and a manager server for controlling the gateway server and the first terminal so as to set up the first secure channel.
  • the manager server may include an authentication unit for authenticating the user of the first terminal, and a secure channel setting unit that generates channel setting information for the first secure channel when the user of the first terminal is authenticated and transmits the generated channel setting information to the first terminal and the gateway server.
  • the secure channel setting unit may dynamically generate the channel setting information, including at least one of the communication partner, the encryption algorithm, or the encryption key value of the first secure channel, and transmit the channel setting information to the first terminal and the gateway server.
  • the secure channel setting unit may select, from among a plurality of gateway devices included in the gateway server, the gateway device that is to form the first secure channel with the first terminal, based on the secure channel setting load of each of the plurality of gateway devices.
  • the manager server may further include an access control unit configured to set access right information specifying the other devices accessible through the first terminal; the access control unit transmits the access right information to the gateway server so as to control the gateway server to selectively allow the first terminal to access the other devices in accordance with the access right information.
  • the manager server may further include an application manager configured to set application management information specifying which of the applications installed in the first terminal are allowed applications that may access the security network; the application manager transmits the application management information to the first terminal.
  • the gateway server includes a secure channel forming unit for forming a secure channel with the first terminal under the control of the manager server, and the secure channel forming unit may further form an external secure channel with a predetermined external device existing in an external network.
  • the gateway server may further include at least one of a firewall providing unit for providing a predetermined firewall between an external network and the internal network, an intrusion detection unit for detecting intrusion into the internal network from the external network, or a URL filtering unit for filtering the URLs accessed from the external network or the internal network.
  • the first terminal may include an agent system including a secure channel forming module for receiving channel setting information from the manager server and forming the first secure channel with the gateway server based on the received channel setting information.
  • the agent system may further include a control module for receiving predetermined application management information from the application manager and controlling so that only an allowed application specified by the received application management information accesses the security network through the secure channel forming module.
  • the control module may transmit information about a blocked application to the manager server based on the application management information, or forcibly terminate the process of the blocked application.
  • the secure channel may be a VPN channel.
  • an enterprise security network providing method for providing a security network to a plurality of terminals including a first terminal connected to an internal network in an enterprise, for solving the technical problem, includes: the first terminal performing user authentication through a manager server; the first terminal forming a first secure channel with the gateway server according to the authentication result; and the first terminal communicating with another device connected to the security network through the first secure channel, the gateway server, and a second secure channel formed between the gateway server and the other device.
  • the method may further include the first terminal receiving channel setting information for forming the first secure channel from the manager server if authentication is successful, and the first terminal forming the first secure channel with the gateway server based on the received channel setting information.
  • the gateway server includes a plurality of gateway devices, and the first terminal forming the first secure channel with the gateway server according to the authentication result may include the first terminal forming the first secure channel with a predetermined gateway device selected based on the secure channel configuration load of each of the plurality of gateway devices.
  • the communicating with the other device may be performed by communicating with another device that the gateway server selectively permits based on the access right information transmitted from the manager server to the gateway server.
  • the method for providing an enterprise security network may further include the first terminal receiving application management information specifying which of the applications installed in the first terminal are allowed applications that may access the security network, and the first terminal controlling so that only the allowed applications selectively access the security network based on the received application management information.
  • the enterprise security network providing method may be stored in a computer-readable recording medium recording a program.
  • NAC: network access control
  • communication between internal hosts can also be encrypted, thereby preventing attacks such as network mirroring in advance.
  • illegal Wi-Fi networks set up through network mirroring can be blocked, which has the effect of building a WIPS solution.
  • both the internal and the external network can be provided with security through the same access method.
  • FIG. 1 is a view for explaining access to the internal network using a conventional secure channel.
  • FIG. 2 schematically illustrates a system configuration for implementing a method for providing an enterprise security network according to an embodiment of the present invention.
  • FIG. 3 shows a schematic configuration of a manager server according to an embodiment of the present invention.
  • FIG. 4 shows a schematic configuration of a gateway server according to an embodiment of the present invention.
  • FIG. 5 shows a schematic configuration of an agent system installed in an internal host according to an embodiment of the present invention.
  • FIG. 6 is a flowchart illustrating a data flow for explaining a method for providing a security network within an enterprise according to an embodiment of the present invention.
  • FIG. 7 is a diagram illustrating a data flow in which access control is performed according to a method for providing a security network within an enterprise according to an embodiment of the present invention.
  • when one component 'transmits' data to another component, this means that the component may transmit the data to the other component directly, or through at least one further component.
  • FIG. 2 schematically illustrates a system configuration for implementing a method for providing an enterprise security network according to an embodiment of the present invention.
  • a manager server 100 and a gateway server 200 may be provided to implement a method for providing a security network within an enterprise according to an exemplary embodiment of the present invention.
  • an internal network and an external network in a predetermined company may be distinguished.
  • the internal network may be implemented as a physical network 40, and a plurality of hosts, that is, a plurality of terminals 300 and 310 may be connected through the physical network 40.
  • the plurality of hosts may include a predetermined wireless terminal 320.
  • a server farm including at least one server 410 or 420 may be connected to the physical network 40.
  • the manager server 100 may also be connected to the plurality of hosts and/or the gateway server 200 through the physical network 40.
  • the manager server 100 may implement the technical idea of the present invention by controlling the gateway server 200 and the plurality of hosts connected to the physical network 40.
  • Each of the plurality of hosts may be provided with a predetermined agent system for implementing the technical idea of the present invention.
  • each network device included in the internal network forms a secure channel with the gateway server 200 and communicates with the other devices included in the internal network through that secure channel. Therefore, the gateway server 200 may play the role of relaying communication between two network devices existing in the internal network.
  • the manager server 100 may control the establishment of a secure channel between the gateway server 200 and a predetermined network device existing in the internal network.
  • the information necessary for forming the secure channel may be dynamically set, and the secure channel may be dynamically formed by transmitting the information to two devices participating in the secure channel.
  • the manager server 100 may control which objects are accessible through the security network on a per-user (per-host) basis, and may also control the accessible applications.
  • the secure channel is indicated by a thick double-headed arrow. Since the secure channel performs 1:1 encrypted communication, a security network is established even within the internal network of an enterprise.
  • the non-secure network communication may be performed using the physical network 40.
  • the first terminal 300 forms a first secure channel with the gateway server 200, and the second terminal 310 may also form a second secure channel with the gateway server 200. Communication between the first terminal 300 and the second terminal 310 may then be performed through the first secure channel and the second secure channel.
  • the secure channel formed by the first terminal 300 and the second terminal 310 with the gateway server 200 may be a virtual private network (VPN) channel.
  • the gateway server 200 may form a logical secure channel with the first terminal 300 and/or the second terminal 310 through VPN tunneling for forming the VPN channel.
  • since the secure channel enables encrypted communication between the two network devices forming it, data leakage does not occur even if a packet is leaked or attacked at a physical device existing on the path of the secure channel.
  • Internet Key Exchange (IKE) authentication for the encrypted communication can be performed to provide a strong user authentication solution, which has the effect of introducing a NAC solution.
  • IKE: Internet Key Exchange
  • the internal network may use only the security network to which the technical idea of the present invention is applied; but if the existing physical network is also allowed, the physical network operates as a non-secure network, and since the solution according to the technical idea of the present invention can be used as a security network operating independently of the non-secure network, there is the effect of providing a degree of network redundancy. Together with the user-specific application control and/or user-specific access authority control described below, this may bring about a network redundancy effect. Of course, this may be somewhat weaker than the redundancy provided by the existing host or OS itself.
  • since the hosts (terminals) existing in the internal network communicate with the gateway server 200 through a 1:1 encrypted channel, it is possible to block duplication of the wireless AP, that is, illegal Wi-Fi communication resulting from a network mirroring attack. This can also provide the effect of introducing an existing WIPS solution.
  • access control of applications for each user and access right control for each user can be performed, thereby introducing a next-generation firewall.
  • an external terminal 500 existing in a predetermined external network may also form a secure channel with the gateway server 200. Therefore, the external terminal 500 and the internal terminals 300, 310, and 320 may all be connected to the internal network through a unified communication scheme.
  • when the external terminal 500 accesses the server group 400, the external terminal communicates only with the gateway server 200 through a secure channel and is thereby connected to the internal network; since the communication between the gateway server 200 and the server group 400 also takes place over the security network, a much more secure access environment can be provided to the outside.
  • The manager server 100 according to an embodiment of the present invention for implementing this technical idea may be implemented as shown in FIG.
  • FIG. 3 shows a schematic configuration of a manager server according to an embodiment of the present invention.
  • the manager server 100 includes an authentication unit 110 and a secure channel setting unit 120.
  • the manager server 100 may further include an access controller 130.
  • the manager server 100 may further include an application manager 140.
  • the manager server 100 may refer to a logical configuration having the hardware resources and/or software necessary to implement the technical idea of the present invention, and does not necessarily mean one physical component or one device. That is, the manager server 100 may mean a logical combination of hardware and/or software provided to implement the technical idea of the present invention. If necessary, the manager server 100 may be installed in devices spaced apart from each other, each performing its respective functions, and as a result may be implemented as a set of logical configurations for implementing the technical idea of the present invention. In addition, the manager server 100 may refer to a set of components implemented separately for each function or role for implementing the technical idea of the present invention.
  • the term 'unit' or 'module' may refer to a functional and structural combination of hardware for performing the technical idea of the present invention and software for driving the hardware.
  • the 'unit' or 'module' may mean a logical unit of predetermined code and the hardware resources for executing that code, and does not necessarily mean physically connected code or one particular kind of hardware, as can easily be deduced by an average expert in the art.
  • each of the authentication unit 110, the secure channel setting unit 120, the access control unit 130, and/or the application manager 140 may be located on different physical devices or on the same physical device. In some implementations, the combination of software and/or hardware constituting each of the authentication unit 110, the secure channel setting unit 120, the access control unit 130, and/or the application manager 140 may likewise be located in different physical devices, and the components located in different physical devices may be organically combined with each other to implement each of the modules.
  • the authentication unit 110 may authenticate a user of a first terminal (eg, 300) existing in an internal network in a predetermined company to which the technical idea of the present invention is applied.
  • the manager server 100 may further include a user DB (not shown).
  • the authentication of the user may be performed by a predetermined agent system installed in the first terminal (e.g., 300) to implement the technical idea of the present invention, together with the authentication unit 110.
  • the agent system may have the user perform a login procedure when accessing the security network provided by the technical idea of the present invention. Then, the authentication unit 110 may authenticate the user of the first terminal (e.g., 300) based on the login information received from the agent system.
  • When authentication by the authentication unit 110 is successful, the first terminal (e.g., 300) may form a first secure channel (e.g., a VPN channel) with the gateway server 200.
  • the formation of the first secure channel may be controlled by the secure channel setting unit 120.
  • the secure channel setting unit 120 generates channel setting information for forming the first secure channel and transmits the channel setting information to the first terminal (e.g., 300) and the gateway server 200 respectively, thereby controlling so that a secure channel is formed between the gateway server 200 and the first terminal (e.g., 300) whose authentication has succeeded.
  • the formation of the first secure channel is not performed directly by communication between the gateway server 200 and the first terminal (e.g., 300), but is dynamically controlled by the secure channel setting unit 120.
  • this has the effect of reducing the risk that, when the first terminal (e.g., 300) and/or the gateway server 200 is attacked, the parameters for forming the first secure channel, that is, the channel setting information (e.g., encryption key value, encryption algorithm, etc.), are leaked.
  • channel setting information: e.g., encryption key value, encryption algorithm, etc.
  • the channel setting information may include at least one information to be defined for forming the first secure channel.
  • the channel setting information may include, for example, the counterpart device, the encryption algorithm, and/or the encryption key value (e.g., a pre-shared key (PSK) value) to be used to communicate over the secure channel.
  • Some of the information included in the channel setting information may be fixed, and only a part of the information included in the channel setting information may be dynamically generated by the secure channel setting unit 120.
  • the generation of the channel setting information may be performed at any time before the first secure channel is formed.
  • the channel setting information transmitted to the first terminal (e.g., 300) and to the gateway server 200 may correspond to each other. That is, the first channel setting information transmitted to the first terminal (e.g., 300) may specify the gateway server 200 as the counterpart device, and the second channel setting information transmitted to the gateway server 200 may specify the first terminal (e.g., 300) as the counterpart device.
  • the first channel setting information and the second channel setting information each include information on the same encryption algorithm, and the encryption key values preferably correspond to each other.
  • the first terminal (e.g., 300) and the gateway server 200 may authenticate each other through, for example, Internet Key Exchange (IKE) authentication of IPsec (Internet Protocol Security); the encryption algorithm and the respective encryption key values to be used for this purpose may be defined in the first channel setting information and the second channel setting information.
  • since IKE authentication is used, the two sides authenticate each other through the encryption key, so this can be a powerful authentication tool for the hosts (terminals) connected to the internal network.
  • when the first channel setting information is transmitted to the first terminal (e.g., 300) and the second channel setting information to the gateway server 200 by the secure channel setting unit 120, the first terminal (e.g., 300) and the gateway server 200 may perform VPN tunneling based on the information each has received, and the first secure channel can be formed.
  • each terminal: e.g., 300 to 320
  • a virtual (or logical) network is formed around the gateway server 200.
  • this network may be defined as a security network in the present specification.
  • the gateway server 200 need not be implemented as any one server or device, as described below, but may be implemented as a plurality of devices, that is, gateway devices. That is, the function of the gateway server 200 may be implemented by a plurality of gateway devices.
  • the communication performance of the entire security network may be determined by which gateway device the first terminal (e.g., 300) forms a secure channel with.
  • the secure channel setting unit 120 may select the gateway device considering the load of each gateway device, that is, how many secure channels it currently has formed, so that the load is balanced among the plurality of gateway devices.
  • the secure channel setting unit 120 may know how many gateway devices are present. Using whether a secure channel is formed, or the amount of traffic through the secure channels if that can be monitored as described below, the gateway device may be selected so that all gateway devices have loads as similar as possible.
  • the hosts (terminals 300 to 320) existing in the internal network may form a secure channel with the gateway server 200, respectively.
  • communication between the first terminal (e.g., 300) and the second terminal (e.g., 310) may be performed through the first secure channel formed by the first terminal (e.g., 300) and the gateway server 200 and the second secure channel formed by the second terminal (e.g., 310) and the gateway server 200.
  • the gateway server 200 may play the role of relaying communication between the first terminal (e.g., 300) and another device (e.g., 310, 320, 400, etc.) with which the first terminal (e.g., 300) is to communicate.
  • although the gateway server 200 may relay access to any other device requested by the first terminal (e.g., 300), the gateway server 200 may also perform access control according to who the user of the first terminal (e.g., 300) is. Such access control can be particularly useful in enterprise networks. Such access control may also be controlled by the manager server 100, in particular by the access control unit 130 of the manager server 100.
  • the access control unit 130 may specify information about the devices accessible by the user, that is, the other devices that the first terminal (e.g., 300) may access.
  • the other devices may be, for example, other hosts (for example, 310 to 320) existing in the internal network, or the servers 410 and 420 included in the server group 400 existing in the internal network.
  • information about whether the external terminal 500 existing in the external network can be accessed through the gateway server 200 may also be included.
  • Information about the other devices that the user can access through the first terminal (e.g., 300) may be specified by access right information.
  • the access control unit 130 may set access authority information for each user.
  • the access right information may vary according to the user's position or task.
  • the access right information may use a whitelist method, that is, listing information on accessible devices, or a blacklist method, that is, listing information on inaccessible devices.
  • the access control unit 130 may transmit the access right information corresponding to the user to the gateway server 200 or, among the plurality of gateway devices, to the gateway device selected to form a secure channel with the first terminal (e.g., 300). Then, when the gateway server 200 (or the selected gateway device) receives from the first terminal (e.g., 300) an access request to one of the devices (e.g., 310, 320, 410, and 420), it may determine, based on the access right information, whether the access request is directed to an accessible device, and selectively allow or disallow the access request according to the determination result.
  • in order for the gateway server 200 (or the selected gateway device) to grant access to a predetermined other device in response to an access request from the first terminal (e.g., 300), a secure channel may also need to be established between the other device and the gateway server 200.
  • each of the servers 410 and 420 included in the server group 400 may have a secure channel formed with the gateway server 200 at all times.
  • Separate authentication for the servers 410 and 420 may or may not be performed.
  • the terminals (e.g., 300 to 320) existing in the internal network may have a secure channel formed only after authentication is performed by the authentication unit 110.
  • when the first gateway device that forms the secure channel with the first terminal (e.g., 300) and the second gateway device that forms the secure channel with the other device are different from each other, a secure channel may also be formed between the first gateway device and the second gateway device.
  • the secure channel between the first gateway device and the second gateway device may also be controlled by the secure channel setting unit 120 of the manager server 100.
  • the manager server 100 may manage an application for each user. To this end, the manager server 100 may further include an application manager 140.
  • the application manager 140 may specify an application that can access the secure network, that is, an allowable application, for each user (by terminals (eg, 300 to 320)). That is, only the allowed application may control access to another device through a secure channel formed with the gateway server 200.
  • specifying the allowed application for each user means that the allowed application can be set differently for each user, but does not necessarily mean that the allowed application is different for every user.
  • the application manager 140 may transmit, to the first terminal (eg, 300), application management information including information regarding the allowed applications that are permitted to access the secure network from the first terminal (eg, 300).
  • the first terminal (eg, 300) may control which applications can connect to the secure network based on the transmitted application management information. For example, while the first terminal (eg, 300) is connected to the secure network, only allowed applications may be executed: other applications may be blocked from starting, and the process of a non-allowed application that is already running may be forcibly terminated by the first terminal (eg, 300). Alternatively, even while the secure network is connected, only the applications that access another device through the secure network may be managed. That is, the first terminal (eg, 300) may control so that only an allowed application can access another device through the secure network, while other applications may run regardless of whether the secure network is connected; which of these modes applies may also be controlled by the application management information.
  • the application management information may list the allowed applications in a whitelist manner, or may be implemented to list blocked applications in a blacklist manner.
  • the system for providing a secure network in an enterprise performs, by means of the manager server 100, encrypted communication through a strong secure channel, while also providing control of hosts (terminals (for example, 300 to 320)), control of user-specific access rights, and/or control of user-specific allowed applications. This can provide the effect of building a NAC and a next-generation firewall in the internal network of the enterprise, as described above.
  • when each terminal (eg, 300 to 320) in the internal network is allowed to communicate through both the secure network and the existing physical network 40 as described above, there may also be some effect of realizing a network redundancy solution.
  • the configuration of the gateway server 200 for implementing the technical spirit of the present invention as described above is shown in FIG. 4.
  • the configuration of the terminal included in the internal network is shown in FIG. 5.
  • FIG. 4 shows a schematic configuration of a gateway server according to an embodiment of the present invention.
  • FIG. 5 shows a schematic configuration of an agent system installed in an internal host according to an embodiment of the present invention.
  • the gateway server 200 may include a plurality of gateway devices (eg, 210, 220) in order to form a large number of secure channels and to perform communication through the secure channels.
  • Each of the gateway devices may include a secure channel forming unit 211.
  • the secure channel forming unit 211 may form a secure channel with a predetermined first terminal (eg, 300) under the control of the secure channel setting unit 120 of the manager server 100.
  • the secure channel forming unit 211 may allow access only to other devices accessible to each terminal (eg, 300 to 320), that is, for each user.
  • the access right information may be received from the secure channel setting unit 120 for each user (by terminals (eg, 300 to 320)), and the access right may be controlled to correspond to the received access right information.
  • the secure channel forming unit 211 may form a secure channel with an external terminal 500 located in an external network.
  • access control for the external terminal 500 may likewise be configured in advance or controlled in real time under the control of the secure channel setting unit 120.
  • the secure channel forming unit 211 may relay the communication between two devices (for example, 300 and 310) to which access rights have been granted, so that the two devices communicate with each other through two different secure channels that both pass through the secure channel forming unit 211.
  • the secure channel forming unit 211 may also form a secure channel with the secure channel forming unit included in another gateway device (for example, 220). In this case, the two devices (eg, 300 and 310) may communicate with each other through three different secure channels.
  • each of the gateway devices 210 and 220 may be implemented by Unified Threat Management (UTM). Therefore, not only a barrier function for protecting the internal network from the outside that the original gateway should perform, but also an intrusion prevention system (IPS, Intrusion Prevention System), URL filtering, and the like may be further performed.
  • Each of the components for performing these functions, that is, the firewall providing unit 212, the intrusion detecting unit 213, and the URL filtering unit 214 may be further included in the respective gateway devices 210 and 220.
  • a configuration for a DDoS detection function and a configuration for spam processing may be further included in each of the gateway devices (210, 220).
  • the components (for example, 212 to 214) included in the gateway devices 210 and 220, other than the secure channel forming unit 211, are well known, so a detailed description thereof will be omitted.
  • each of the terminals (eg, 300 to 320) included in the internal network may be provided with a predetermined agent system for implementing the technical idea of the present invention.
  • the agent system installed in the first terminal 300 is described below, taking the first terminal 300 as an example.
  • the agent system may refer to a system in which software installed in the first terminal 300 and hardware of the first terminal 300 are organically combined to implement the technical idea of the present invention.
  • the agent system may include a secure channel forming module 310.
  • the secure channel forming module 310 may form a secure channel with the secure channel forming unit 211 included in the gateway server 200 as described above.
  • the secure channel forming unit 211 and the secure channel forming module 310 may form a secure channel under the control of the secure channel setting unit 120 included in the manager server 100.
  • the secure channel forming unit 211 and the secure channel forming module 310 may communicate with each other to perform VPN tunneling and form a VPN channel.
  • the agent system may further include a control module 320.
  • the control module 320 may perform a function of managing an allowed application under the control of the application manager 140 included in the manager server 100.
  • the control module 320 may control only an allowed application to access the secure network. According to an embodiment of the present disclosure, when the first terminal 300 is connected to the secure network, only the allowed application may be executed.
  • the control module 320 may transmit the amount of traffic, the usage time, the name of the application, and the like, for each allowed application communicating through the secure network, to the application manager 140, so that the manager server 100 can also monitor the secure network. In addition, by transmitting information on the applications blocked by the control module 320 (log information such as the blocked application name, execution location, and usage time) to the manager server 100, the manager server 100 can also perform overall monitoring and management of the applications that request to run on the secure network.
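The following is an added example, not code from the patent or its applicant, modelling the application management information of the application manager 140 and the terminal-side enforcement of the control module 320 described above: a per-user policy in whitelist or blacklist form, the two enforcement modes (all running applications are controlled while the secure network is connected, or only secure-network access is controlled), and the block log and usage figures the control module would report back to the manager server. Class and method names (AppPolicy, ControlModule, launch, secure_send) and the sample application names are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    """Application management information for one user (constructed for the example)."""
    mode: str            # "whitelist": only listed apps allowed; "blacklist": listed apps blocked
    apps: frozenset      # application names
    enforcement: str     # "running_apps": control all apps while on the secure network;
                         # "secure_access": control only access through the secure network

    def is_allowed(self, app: str) -> bool:
        listed = app in self.apps
        return listed if self.mode == "whitelist" else not listed


class ControlModule:
    """Terminal-side enforcement modelled on control module 320 (assumed structure)."""

    def __init__(self, terminal_id: str, policy: AppPolicy):
        self.terminal_id = terminal_id
        self.policy = policy
        self.connected = False
        self.running = set()
        self.blocked_log = []   # entries to report to the manager server
        self.usage = {}         # app -> bytes sent through the secure network

    def _block(self, app: str, location: str, reason: str) -> None:
        self.blocked_log.append({"app": app, "location": location, "reason": reason})

    def launch(self, app: str, location: str = "/usr/bin") -> bool:
        """Start an application; refused for non-allowed apps in running_apps mode while connected."""
        enforce = self.policy.enforcement == "running_apps" and self.connected
        if enforce and not self.policy.is_allowed(app):
            self._block(app, location, "launch denied while on secure network")
            return False
        self.running.add(app)
        return True

    def connect_secure_network(self) -> list:
        """On connect, terminate already-running non-allowed apps (running_apps mode only)."""
        self.connected = True
        killed = []
        if self.policy.enforcement == "running_apps":
            for app in sorted(self.running):
                if not self.policy.is_allowed(app):
                    self.running.discard(app)
                    self._block(app, "running", "terminated on secure network connect")
                    killed.append(app)
        return killed

    def disconnect_secure_network(self) -> None:
        self.connected = False

    def secure_send(self, app: str, nbytes: int) -> bool:
        """Only an allowed, running application may use the secure channel, in either mode."""
        if not self.connected or app not in self.running or not self.policy.is_allowed(app):
            self._block(app, "secure_channel", "secure access denied")
            return False
        self.usage[app] = self.usage.get(app, 0) + nbytes
        return True

    def usage_report(self) -> dict:
        """Traffic per allowed application, as reported to the application manager."""
        return dict(self.usage)
```

In running_apps mode the block log records both a terminated process and a refused launch, which is the information the text says the manager server uses for overall monitoring; in secure_access mode a blacklisted application may still run locally but every attempt to use the secure channel is refused and logged.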
  • FIG. 6 is a flowchart illustrating a data flow for explaining a method for providing a security network within an enterprise according to an embodiment of the present invention.
  • a predetermined first terminal 300 existing in an internal network of an enterprise may request authentication from the manager server 100 (S100). Then, the manager server 100 may perform authentication (S110). If the authentication is successful, the manager server 100 may select the gateway device with which the first terminal 300 is to form a secure channel, in consideration of the load across the plurality of gateway devices (S120). Then, the manager server 100 dynamically generates channel setting information to be transmitted to the selected gateway device and the first terminal 300 (S130), and may transmit the generated channel setting information to the first terminal 300 and to the selected gateway device (or gateway server 200) (S140, S150).
  • the first terminal 300 and the selected gateway device (or gateway server 200), which have received the channel setting information, respectively, may form a secure channel based on the received channel setting information (S160).
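The following is an added example, not code from the patent or its applicant, that walks the FIG. 6 flow end to end: the manager server authenticates the terminal (S100, S110), selects the least-loaded gateway device (S120), dynamically generates channel setting information for that session (S130), delivers it to both the gateway device and the terminal (S140, S150), and both ends derive the same channel key from it (S160). The patent does not specify the authentication scheme or the contents of the channel setting information; the PBKDF2 password check, the HMAC-based key derivation and the names ChannelSetting, GatewayDevice, Terminal and ManagerServer are assumptions made for this example, and the endpoints and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def make_credential(password: str) -> tuple:
    """Stored authentication record: (salt, PBKDF2 digest). Constructed for the example."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class ChannelSetting:
    """Channel setting information generated per session (S130); fields are assumptions."""
    session_id: str
    gateway_id: str
    gateway_endpoint: str
    key_seed: bytes      # fresh secret, delivered to both ends by the manager server


def derive_channel_key(setting: ChannelSetting, label: str) -> bytes:
    """Both ends derive the channel key from the same setting; binds it to session and gateway."""
    info = f"{setting.session_id}|{setting.gateway_id}|{label}".encode()
    return hmac.new(setting.key_seed, info, hashlib.sha256).digest()


class GatewayDevice:
    def __init__(self, gateway_id: str, endpoint: str):
        self.gateway_id = gateway_id
        self.endpoint = endpoint
        self.channels = {}           # session_id -> channel key

    @property
    def load(self) -> int:
        return len(self.channels)    # number of secure channels currently formed

    def receive_setting(self, setting: ChannelSetting) -> bytes:   # S140
        key = derive_channel_key(setting, "terminal-gateway")
        self.channels[setting.session_id] = key
        return key


class Terminal:
    def __init__(self, terminal_id: str):
        self.terminal_id = terminal_id
        self.channel_key = None
        self.gateway_endpoint = None

    def receive_setting(self, setting: ChannelSetting) -> bytes:   # S150
        self.channel_key = derive_channel_key(setting, "terminal-gateway")
        self.gateway_endpoint = setting.gateway_endpoint
        return self.channel_key


class ManagerServer:
    def __init__(self, gateways: list, credentials: dict):
        self.gateways = gateways
        self.credentials = credentials    # terminal_id -> (salt, digest)

    def authenticate(self, terminal_id: str, password: str) -> bool:    # S110
        record = self.credentials.get(terminal_id)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def select_gateway(self) -> GatewayDevice:                          # S120
        return min(self.gateways, key=lambda g: g.load)

    def setup_channel(self, terminal: Terminal, password: str):
        """Runs S100..S160; returns the gateway the channel was formed with, or None."""
        if not self.authenticate(terminal.terminal_id, password):
            return None                       # no channel setting is ever generated
        gateway = self.select_gateway()
        setting = ChannelSetting(             # S130: fresh per session
            session_id=secrets.token_hex(8),
            gateway_id=gateway.gateway_id,
            gateway_endpoint=gateway.endpoint,
            key_seed=secrets.token_bytes(32),
        )
        gateway_key = gateway.receive_setting(setting)
        terminal_key = terminal.receive_setting(setting)
        # S160: the channel exists only if both ends hold the same key.
        return gateway if hmac.compare_digest(gateway_key, terminal_key) else None
```

Because the channel setting is generated only after a successful authentication and is tied to one gateway and one session, a failed login leaves no key material on either side, and a second terminal is steered to the other gateway purely by the load counter.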
  • FIG. 7 is a diagram illustrating a data flow in which access control is performed according to a method for providing a security network within an enterprise according to an embodiment of the present invention.
  • the manager server 100 may generate access right information corresponding to the first terminal 300 (S200).
  • the other device with which the first terminal 300 is to communicate via the gateway server 200 may also be in a state in which a predetermined secure channel has been formed in the manner shown in FIG. 6 (S200-1).
  • the manager server 100 may transmit the generated access right information to the gateway server 200 (or the selected gateway device) (S210).
  • the first terminal 300 may request access to the other device from the gateway server 200 (or the selected gateway device) (S230). Then, the gateway server 200 (or the selected gateway device) may determine, based on the access right information received in step S210, whether the first terminal 300 has permission to access the other device (S240). If it is determined that access is permitted, the gateway server 200 relays the communication between the first terminal 300 and the other device, and as a result the effect of a secure channel being formed between the first terminal 300 and the other device may be achieved (S250).
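The following is an added example, not code from the patent or its applicant, that models the FIG. 7 flow together with the gateway relay arrangements described for the secure channel forming unit 211: the manager server issues access right information per terminal (S200) and installs it on the gateway (S210); on an access request (S230) the gateway checks that information with a default-deny rule (S240) and, if permitted, relays either to a device attached to itself (two secure channels) or through a peer gateway with which it has a gateway-to-gateway channel (three secure channels) (S250). The access right representation (an allow-list of device identifiers), the names AccessRight, Device, Gateway, request_access and link, and the device and gateway identifiers are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRight:
    """Access right information for one terminal (S200); representation is an assumption."""
    terminal_id: str
    allowed_devices: frozenset    # device identifiers this terminal may reach


class Device:
    """A server or terminal that already has a secure channel to a gateway (S200-1)."""

    def __init__(self, device_id: str):
        self.device_id = device_id

    def handle(self, payload: str) -> str:
        return f"{self.device_id}:ack:{payload}"


class Gateway:
    def __init__(self, gateway_id: str):
        self.gateway_id = gateway_id
        self.rights = {}      # terminal_id -> AccessRight, received from the manager (S210)
        self.attached = {}    # device_id -> Device reachable over a local secure channel
        self.peers = []       # gateways with which a gateway-to-gateway secure channel exists
        self.log = []         # decisions, for monitoring

    def install_access_right(self, right: AccessRight) -> None:
        self.rights[right.terminal_id] = right

    def attach(self, device: Device) -> None:
        self.attached[device.device_id] = device

    def link(self, other: "Gateway") -> None:
        """Form the secure channel between two gateway devices (both directions)."""
        if other not in self.peers:
            self.peers.append(other)
        if self not in other.peers:
            other.peers.append(self)

    def request_access(self, terminal_id: str, target_id: str, payload: str):
        """S230..S250: consult the access right information, then relay or refuse."""
        right = self.rights.get(terminal_id)
        if right is None or target_id not in right.allowed_devices:   # default deny
            self.log.append(("deny", terminal_id, target_id))
            return None
        if target_id in self.attached:            # two channels, both through this gateway
            self.log.append(("relay", terminal_id, target_id, self.gateway_id))
            return self.attached[target_id].handle(payload)
        for peer in self.peers:                   # three channels, via the peer gateway
            if target_id in peer.attached:
                route = f"{self.gateway_id}->{peer.gateway_id}"
                self.log.append(("relay", terminal_id, target_id, route))
                return peer.attached[target_id].handle(payload)
        self.log.append(("no-route", terminal_id, target_id))   # permitted but unreachable
        return None
```

A terminal for which the gateway holds no access right information is refused outright, and a permitted target that has no secure channel to any gateway is logged as unreachable rather than reached over the plain physical network.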
  • the method for providing a security network in an enterprise may be implemented as computer readable codes on a computer readable recording medium.
  • Computer-readable recording media include all kinds of recording devices that store data that can be read by a computer system. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, hard disk, floppy disk, optical data storage, and the like, and also include implementations in the form of carrier waves (e.g., transmission over the Internet).
  • the computer readable recording medium can also be distributed over network-coupled computer systems so that the computer readable code is stored and executed in a distributed fashion. Functional programs, codes and code segments for implementing the present invention can be easily inferred by programmers in the art to which the present invention belongs.

Abstract

The invention relates to a system for providing a secure network in an enterprise, and to a method therefor. The system for providing a secure network in an enterprise uses a plurality of terminals including a first terminal connected to an intranet within an enterprise, and also uses: a gateway server for forming, with the first terminal, a first secure channel intended for communication between the first terminal and another device present on the intranet; and a manager server arranged to control the gateway server and the first terminal in order to configure the first secure channel.
PCT/KR2014/000968 2013-02-05 2014-02-05 System for providing a secure network in an enterprise, and method therefor WO2014123347A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2013-0012922 2013-02-05
KR1020130012922A KR20140100101A (ko) 2013-02-05 2013-02-05 System for providing a secure network in an enterprise and method therefor

Publications (1)

Publication Number Publication Date
WO2014123347A1 true WO2014123347A1 (fr) 2014-08-14

Family

ID=51299897

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/000968 WO2014123347A1 (fr) 2013-02-05 2014-02-05 System for providing a secure network in an enterprise, and method therefor

Country Status (2)

Country Link
KR (1) KR20140100101A (fr)
WO (1) WO2014123347A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100085424A (ko) * 2009-01-20 2010-07-29 성균관대학교산학협력단 Group key distribution method, and server and client therefor
KR20120092791A (ko) * 2011-02-14 2012-08-22 삼성전자주식회사 Method and system for remote control of a portable terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
V. GUPTA ET AL.: "KSSL: Experiments in Wireless Internet Security", SUN MICROSYSTEMS, SMLI TR-2001-103, 1 November 2001 (2001-11-01) *

Also Published As

Publication number Publication date
KR20140100101A (ko) 2014-08-14 System for providing a secure network in an enterprise and method therefor

Similar Documents

Publication Publication Date Title
US8959334B2 (en) Secure network architecture
WO2013055091A1 (fr) Method and system for storing information using TCP communication
KR101143847B1 (ko) Network security apparatus and method therefor
US20070169171A1 (en) Technique for authenticating network users
Islam et al. An analysis of cybersecurity attacks against internet of things and security solutions
KR101992976B1 (ko) SSH protocol-based server remote access system that securely manages SSH authentication keys
WO2013085217A1 (fr) Security management system having multiple relay servers, and security management method
WO2022235007A1 (fr) Controller-based network access control system, and method therefor
WO2021112494A1 (fr) Endpoint-based management-type detection and response system and method
US7594268B1 (en) Preventing network discovery of a system services configuration
WO2016190663A1 (fr) Security management method and security management device in a home network system
WO2016200232A1 (fr) System and method for a remote server in the event of failure of a recovery server
KR20150114921A (ko) System for providing a secure network in an enterprise and method therefor
WO2024029658A1 (fr) Access control system in a network and associated method
WO2019182219A1 (fr) Blockchain-based trusted network system
WO2019045424A1 (fr) Secure socket layer decryption method for security
WO2018056582A1 (fr) Packet inspection method using SSL communication
WO2014123347A1 (fr) System for providing a secure network in an enterprise, and method therefor
WO2021107493A1 (fr) Image monitoring system with a security-enhanced camera usage environment configuration capability
KR102132490B1 (ko) Method and apparatus for configuring a software-defined-network-based trusted network for mobile devices
KR101818508B1 (ko) System for providing a secure network in an enterprise, method therefor, and computer-readable recording medium
JP2005515700A (ja) Method and device for providing secure connections in mobile computing environments and other intermittent computing environments
EP2090073B1 (fr) Secure network architecture
WO2014107028A1 (fr) Malware intrusion prevention system, and method of using said malware intrusion prevention system
Buriachok et al. Using 2.4 GHz Wireless Botnets to Implement Denial-of-Service Attacks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14749507

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14749507

Country of ref document: EP

Kind code of ref document: A1