WO2016182329A1 - Network security system and method for marking blocked sites - Google Patents

Network security system and method for marking blocked sites

Info

Publication number
WO2016182329A1
Authority
WO
WIPO (PCT)
Prior art keywords
client terminal
dns
server
packet
domain address
Application number
PCT/KR2016/004911
Other languages
English (en)
Korean (ko)
Inventor
이용환
박민혁
김수로
손재식
Original Assignee
주식회사 수산아이앤티
Application filed by 주식회사 수산아이앤티
Publication of WO2016182329A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/02 Details
    • H04L 12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation

Definitions

  • the following description relates to a technique for preventing information leakage and a network security method.
  • Korean Patent Laid-Open Publication No. 2014-0044987 provides an Internet access path bypass derivation system and method through domain name system (DNS) packet modulation, thereby preventing IP address collisions so that communication can be performed smoothly.
  • DNS domain name system
  • that patent describes a network security system that uses a proxy server to inspect packets coming in from the outside, but it does not block packets going out from the inside. Accordingly, there is a need for a technology capable of providing a security service while maintaining an existing network environment.
  • SSL Secure Sockets Layer
  • the present invention has been made to solve the above problems of the prior art, and an object thereof is to provide a network security system and method for displaying a blocked site.
  • the present invention may provide a method of preventing information leakage by displaying, through an alert server of a network security system, that a site has been blocked.
  • the present invention uses an alert server that is capable of SSL communication and of generating a private certificate; when a connection to a blocked site that requires SSL communication occurs, the alert server provides a private certificate, thereby preventing an SSL communication error. It is an object of the present invention to provide a network security system and method by which a blocked site can be displayed even in this case.
  • the network security system includes a DNS blocking server and a warning server. The DNS blocking server is connected to the network equipment to which the client terminal is connected, mirrors the DNS query packet through that network equipment, and extracts the DNS query domain address from the DNS query packet.
  • the DNS blocking server generates a fake DNS response packet and transmits it to the client terminal when the DNS query domain address is a management target domain address.
  • the warning server transmits a warning page to the client terminal, indicating that the site is blocked, when it receives a request packet from the client terminal that received the fake DNS response packet.
  • the warning server may generate a private certificate and transmit the private certificate to the client terminal when receiving the certificate request packet from the client terminal before receiving the request packet.
  • the private certificate may be a certificate corresponding to a site that the client terminal wants to access.
  • the alert server may generate the private certificate using the DNS query domain address to which the client terminal is to be connected as a parameter.
  • the client terminal may check and authenticate whether the private certificate can be trusted.
  • the client terminal presets the information on the alert server as a trusted root certification authority.
  • the DNS blocking server may generate the fake DNS response packet by inputting the IP address of the warning server as a response IP address corresponding to the DNS query domain address.
  • the DNS blocking server holds a management target domain address list containing at least one management target domain address, extracts the DNS query domain address from the DNS query packet, and determines whether that DNS query domain address is included in the management target domain address list.
  • a network security method includes: mirroring, at a DNS blocking server, a DNS query packet through a network device to which a client terminal is connected; extracting, at the DNS blocking server, a DNS query domain address from the DNS query packet; determining, by the DNS blocking server, whether the DNS query domain address is a management target domain address; generating, by the DNS blocking server, a fake DNS response packet when the DNS query domain address is a management target domain address; transmitting, by the DNS blocking server, the generated fake DNS response packet to the client terminal; and transmitting, by a warning server, a warning page notifying that the site is blocked to the client terminal when the warning server receives a request packet from the client terminal that has received the fake DNS response packet.
  • the method may further include generating a private certificate and transmitting it to the client terminal.
  • the present invention mirrors a DNS query packet through a network device connected to a client terminal in a DNS blocking server, and generates a fake DNS response packet when the DNS query domain address extracted from the DNS query packet is a managed domain address.
  • It relates to a network security system in which network communication continues even if the DNS blocking server fails, and in which, even when a managed domain uses Secure Sockets Layer (SSL) communication, the client can be warned that the page is blocked without an SSL communication error.
  • FIG. 1 is a diagram illustrating a schematic configuration of a network security system according to an embodiment.
  • FIG. 2 is a flowchart illustrating a process of processing a DNS query packet at a DNS blocking server of a network security system according to an embodiment.
  • FIG. 3 is a flowchart illustrating a process by which an alert server of a network security system warns that a page is blocked when a connection to a management target is requested, according to an embodiment.
  • FIG. 4 is a diagram illustrating a flow when a client terminal requests a connection to a management target site requiring SSL communication, according to an exemplary embodiment.
  • FIG. 5 is a diagram illustrating an example of inputting a command for generating a private certificate according to an exemplary embodiment.
  • FIG. 6 illustrates an example of inputting information to be input when generating a private certificate according to an exemplary embodiment.
  • FIG. 7 illustrates an example of confirming information of a private certificate generated according to an embodiment.
  • FIG. 8 illustrates an example of a list of DNS blocking servers according to an exemplary embodiment.
  • FIG. 1 is a diagram illustrating a schematic configuration of a network security system according to an embodiment.
  • when the client terminal 160 accesses the Internet 100 in a network environment, the client terminal 160 may be connected to a switch 170 or a router.
  • the client terminal 160 may be connected to the switch 170 or the router to enable network connection and data transmission.
  • the client terminal 160 may include at least one client connected to the Internet.
  • the client may be a terminal such as a PC or a smart phone.
  • the DNS blocking server 140 may be connected to a network device to which the client terminal 160 is connected to mirror a DNS query packet through the network device.
  • the DNS blocking server 140 may store a list of management target domain addresses.
  • the DNS blocking server 140 may store www.aaa.com, www.bbb.com, and www.ccc.com which are managed domain addresses.
  • the DNS query packet may be delivered to the external DNS server 120 through the Internet 100, or may be forwarded to the DNS blocking server 140 through mirroring.
  • the DNS blocking server 140 may extract the DNS query domain address included in the DNS query packet. For example, www.abc.com, the DNS query domain address included in a DNS query packet, may be extracted. It may then be determined whether the DNS query domain address is a management target domain address: by comparing the DNS query domain address with the list of management target domain addresses stored in the DNS blocking server 140, it may be determined whether they are the same.
  • the external DNS server 120 may deliver a DNS response packet to the client terminal 160 in response to the DNS query packet that was transmitted to it through the Internet 100.
  • the client terminal 160 may normally connect to the destination site using a DNS response packet to perform communication.
  • the DNS response packet may be provided in response to a DNS query packet requesting an IP address corresponding to the domain name, and may include an IP address corresponding to the domain name.
  • when the DNS query domain address is a management target domain address, a fake DNS response packet may be generated and transmitted to the client terminal 160 through the switch 170.
  • the DNS blocking server 140 may generate a fake DNS response packet by inputting the IP address of the alert server 150 as a response IP address corresponding to the DNS query domain address.
  • the generated fake DNS response packet may be transmitted to the client terminal 160 through the switch 170.
  • the DNS blocking server 140 may generate a fake DNS response packet by entering the IP address of the alert server 150 (for example, 10.10.10.10) as the response IP address corresponding to the DNS query domain address, and may transmit the generated fake DNS response packet to the client terminal 160.
  • the client terminal 160 may receive the fake DNS response packet and, using it, access the alert server 150.
  • when the alert server 150 receives the request packet that the client terminal 160 generated using the fake DNS response packet, the alert server 150 transmits a warning page to the client terminal 160 indicating that the site is blocked.
  • if the site that the client terminal 160 is trying to access requires SSL (Secure Sockets Layer) communication, the client terminal 160 may send a certificate request packet requesting a certificate for SSL communication to the alert server 150 before transmitting the request packet requesting access to the site.
  • the alert server 150 may generate a private certificate and transmit it to the client terminal 160 when it receives the certificate request packet from the client terminal 160 before receiving the request packet from the client terminal 160. That is, the alert server 150 may support SSL communication.
  • the private certificate may be a certificate corresponding to a site to which the client terminal 160 wishes to access.
  • the alert server 150 may generate a private certificate by using the DNS query domain address that the client terminal 160 wants to access as a parameter.
  • the alert server 150 may generate a private certificate using OpenSSL using a DNS query domain address as an argument. A process of generating a private certificate using OpenSSL will be described with reference to FIGS. 5 through 7.
  • FIG. 5 is a diagram illustrating an example of inputting a command for generating a private certificate according to an exemplary embodiment.
  • openssl invokes the openssl command.
  • -days 365 sets the validity period.
  • -newkey rsa:2048 specifies the key algorithm (RSA) and key size.
  • -keyout privateKey.key generates the key and names the key file, and -out certificate.crt generates the certificate and names the certificate file.
  • FIG. 6 illustrates an example of inputting information to be input when generating a private certificate according to an exemplary embodiment.
  • the screen of FIG. 6 appears after entering the command "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -reqexts v3_req -extensions v3_ca".
  • issuer information such as the issuer e-mail, the domain name, the issuing department, the company, and the region is entered here, and a private certificate can be generated through this process.
  • FIG. 7 illustrates an example of confirming information of a private certificate generated according to an embodiment.
  • the private certificate includes information such as version, serial number, signature algorithm, signature hash algorithm, issuer, validity period (start), validity period (end), and subject.
  • the client terminal 160 verifies whether the private certificate can be trusted, authenticates it, and then transmits the request packet to the alert server 150.
  • the client terminal 160 presets the information on the alert server 150 as a trusted root certification authority.
  • the client terminal 160 may include a private certificate previously generated by the alert server 150 among its trusted root certificates.
  • the network security system does not cause a service stop problem, because network communication continues even if the DNS blocking server fails. For example, because the DNS blocking server only receives mirrored packets, even when the DNS blocking server is down the DNS response packet is still transmitted from the normal DNS server to the client terminal, so the client terminal can make a normal network connection using that DNS response packet.
  • FIG. 2 is a flowchart illustrating a process of processing a DNS query packet at a DNS blocking server of a network security system according to an embodiment.
  • the DNS blocking server 140 mirrors a DNS query packet through a network device to which the client terminal 160 is connected (210).
  • the DNS blocking server 140 extracts a DNS query domain address from the DNS query packet (220).
  • the DNS blocking server 140 checks whether the DNS query domain address is a management target domain address (230).
  • if it is determined in step 230 that the DNS query domain address is a management target domain address, the DNS blocking server 140 generates a fake DNS response packet (240). At this time, the DNS blocking server 140 generates the fake DNS response packet by entering the IP address of the warning server 150 as the response IP address corresponding to the DNS query domain address.
  • the DNS blocking server 140 transmits the generated fake DNS response packet to the client terminal 160 (250).
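The DNS blocking server steps 210 to 250 above, and the same packet handling described for FIG. 1, as an added Python example that is not part of the patent or any product of the assignee: it parses a mirrored DNS query, extracts the query domain, checks it against the management target domain address list, and builds the fake DNS response that carries the alert server's IP. The alert server address 10.10.10.10 and the list www.aaa.com, www.bbb.com, www.ccc.com are the page's own examples; the function names, the wire-format details and the constructed test query are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

# Values taken from the page's own examples; everything else here is constructed.
ALERT_SERVER_IP = "10.10.10.10"
MANAGED_DOMAINS = {"www.aaa.com", "www.bbb.com", "www.ccc.com"}

QTYPE_A, QCLASS_IN = 1, 1


def read_name(data, offset):
    """Read an uncompressed DNS name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compressed name not expected in a query")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def extract_query(packet):
    """Step 220: parse the header and single question of a mirrored DNS query.

    Returns (txid, qname, qtype, qclass, raw_question_bytes).
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, qclass, packet[12:off + 4]


def is_management_target(qname, managed=MANAGED_DOMAINS):
    """Step 230: exact, case-insensitive match against the management target list."""
    return qname.lower().rstrip(".") in managed


def build_fake_response(query, alert_ip=ALERT_SERVER_IP, ttl=60):
    """Steps 240/250: fake DNS response for a managed A/IN query, else None.

    The response echoes the query's transaction ID and question section so the
    client's resolver accepts it, and answers with the alert server's IP as the
    A record (matching the UDP source port is the transport layer's job).
    """
    txid, qname, qtype, qclass, question = extract_query(query)
    if not is_management_target(qname):
        return None            # not managed: the real DNS answer is left alone
    if (qtype, qclass) != (QTYPE_A, QCLASS_IN):
        return None            # only A/IN queries get a substituted A record
    # Flags 0x8180: QR=1, RD=1, RA=1, RCODE=NOERROR; one question, one answer.
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
    return header + question + answer + IPv4Address(alert_ip).packed


def build_query(txid, domain, qtype=QTYPE_A):
    """Constructed test input: a standard recursive query for `domain`."""
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in domain.split(".")) + b"\x00"
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
            + name + struct.pack("!HH", qtype, QCLASS_IN))


def answered_ip(response):
    """Read the A record out of a one-answer response (to check what was built)."""
    _, off = read_name(response, 12)
    off += 4                                   # skip QTYPE and QCLASS
    rdlength = struct.unpack("!H", response[off + 10:off + 12])[0]
    return str(IPv4Address(response[off + 12:off + 12 + rdlength]))


if __name__ == "__main__":
    q = build_query(0x1234, "www.aaa.com")
    print(answered_ip(build_fake_response(q)))                     # 10.10.10.10
    print(build_fake_response(build_query(7, "www.example.org")))  # None
```

Because the query is only mirrored, the genuine resolver's response still reaches the client; that is what keeps communication working when the blocking server is down, as the page notes, and it also means the warning page is shown only when the client uses the substituted response rather than the genuine one.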
  • FIG. 3 is a flowchart illustrating a process by which an alert server of a network security system warns that a page is blocked when a connection to a management target is requested, according to an embodiment.
  • the alert server 150 checks whether a certificate request packet is received from the client terminal 160 (310).
  • upon receiving the certificate request packet in step 310, the alert server 150 generates a private certificate and transmits the private certificate to the client terminal 160 (320).
  • the private certificate is a certificate corresponding to the site that the client terminal 160 wants to access, and is generated using the DNS query domain address that the client terminal 160 wants to access as a parameter.
  • the warning server 150 checks whether a request packet requesting access to the site is received from the client terminal 160 that received the fake DNS response packet (330).
  • when the request packet is received in step 330, the alert server 150 transmits a warning page to the client terminal 160 indicating that the site is blocked (340).
  • FIG. 4 is a diagram illustrating a flow when a client terminal requests a connection to a management target site requiring SSL communication, according to an exemplary embodiment.
  • the DNS blocking server 140 mirrors a DNS query packet through a network device to which the client terminal 160 is connected (410).
  • the DNS blocking server 140 extracts the DNS query domain address from the DNS query packet and checks whether it is a management target domain address (412); if so, it generates a fake DNS response packet and transmits it to the client terminal 160 (414). At this time, the IP address of the alert server 150 is written as the response IP address of the fake DNS response packet.
  • when the site to which the client terminal 160 is to be connected requires SSL communication, the client terminal 160, on receiving the fake DNS response packet, transmits a certificate request packet to the alert server 150 (416).
  • when the alert server 150 receives the certificate request packet from the client terminal 160, it generates a private certificate (418). At this time, the private certificate is a certificate corresponding to the site that the client terminal 160 wants to access, and is generated using the DNS query domain address that the client terminal 160 wants to access as a parameter.
  • the private certificate generated by the alert server 150 is transmitted to the client terminal 160.
  • when the client terminal 160 receives the private certificate from the alert server 150, it authenticates whether the private certificate is valid; if authentication succeeds (422), it transmits the request packet requesting access to the site to the alert server 150 (424).
  • when the alert server 150 receives the request packet from the client terminal 160, the alert server 150 transmits an alert page to the client terminal 160 indicating that the site is blocked (426).
  • FIG. 8 illustrates an example of a list of DNS blocking servers according to an exemplary embodiment.
  • FIG. 8 illustrates a management target domain address list 800.
  • the management target domain address may be stored in a database of a DNS blocking server, and an external database storing the management target domain address may be used.
  • the management target domain address list may include a domain address field 810 and an information field, and other fields may be generated and stored.
  • the management target domain address list may be stored in a database in a list form, and the management target domain address may be updated at regular intervals.
  • domain addresses in the management target domain address list may be modified, added, and deleted.
  • the management target domain address list stores the management target domain addresses.
  • the list of managed domains may be stored as managed domain addresses www.plustech.com, www.abc.com, and www.zzz.com. It may also include the address of at least one web mail site.
  • the method for displaying a blocked site in a network security system may be implemented in the form of program instructions that can be executed by various computer means and recorded in a computer readable medium.
  • the computer readable medium may include program instructions, data files, data structures, etc. alone or in combination.
  • Program instructions recorded on the media may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts.
  • Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like.
  • program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.
  • the hardware device described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

Abstract

The present invention relates to a network security system and method for marking blocked sites. According to the method, a DNS blocking server mirrors a DNS query packet passing through network equipment to which a client terminal is connected and, if the DNS query domain address extracted from the DNS query packet is a domain address to be managed, generates a fake DNS response packet and transmits it to the client terminal; a warning server generates a private certificate and transmits it to the client terminal if a certificate request packet is received from the client terminal, and transmits a warning page notifying of a blocked site to the client terminal if a request packet is received from the client terminal.
PCT/KR2016/004911 2015-05-12 2016-05-11 Network security system and method for marking blocked sites WO2016182329A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020150066321A KR101656615B1 (ko) 2015-05-12 2015-05-12 Network security system and method for displaying blocked sites
KR10-2015-0066321 2015-05-12

Publications (1)

Publication Number Publication Date
WO2016182329A1 true WO2016182329A1 (fr) 2016-11-17

Family

ID=57102412

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2016/004911 WO2016182329A1 (fr) 2015-05-12 2016-05-11 Network security system and method for marking blocked sites

Country Status (2)

Country Link
KR (1) KR101656615B1 (fr)
WO (1) WO2016182329A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117278524B (zh) * 2023-09-26 2024-06-14 北京网藤科技有限公司 Method and system for resolving the warning prompt shown when a browser opens a local server

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060007538A (ko) * 2004-07-20 2006-01-26 박재홍 Method for providing a selective Internet access blocking service using DNS
KR20110124833A (ko) * 2010-05-12 2011-11-18 (주)한드림넷 Network switch and security notification method of the network switch
KR20140044987A (ko) * 2012-09-25 2014-04-16 주식회사 시큐아이 Security system and operating method thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Terminal Authentication Service", PLUSTECH, 13 July 2014 (2014-07-13), page 1. *
CHAE, MYEONG SEOK: "Netpia, Notifying to KT-KTH Fair Trade Commission, Communication Commissions", ASIA ECONOMY DAILY, 27 March 2007 (2007-03-27), page 1. Retrieved from the Internet <URL:http://blog.naver.com/malim918/130016348206> *

Also Published As

Publication number Publication date
KR101656615B1 (ko) 2016-09-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16792975

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16792975

Country of ref document: EP

Kind code of ref document: A1