WO2016182329A1 - Network security system and method for marking blocked sites - Google Patents
Network security system and method for marking blocked sites
- Publication number
- WO2016182329A1 (PCT/KR2016/004911)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- client terminal
- dns
- server
- packet
- domain address
- Prior art date
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/40—Network security protocols
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L12/00—Data switching networks; H04L12/02—Details; H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation
Definitions
- The following description relates to a technique for preventing information leakage and to a network security method.
- Korean Patent Laid-Open Publication No. 2014-0044987 provides a system and method for deriving an Internet access bypass path through domain name system (DNS) packet modulation, thereby preventing IP address collisions so that communication can proceed smoothly.
- DNS: domain name system
- That patent describes a network security system that uses a proxy server to inspect packets arriving from outside, but it does not block packets leaving from inside. Accordingly, there is a need for a technology that can provide a security service while maintaining the existing network environment.
- SSL: Secure Sockets Layer
- The present invention has been made to solve the above problems of the prior art, and an object thereof is to provide a network security system and method for displaying a blocked site.
- The present invention may provide a method of preventing information leakage by using an alert server of the network security system to display that a site is blocked.
- A further object of the present invention is to provide a network security system and method in which an alert server capable of SSL communication and of generating a private certificate supplies that private certificate when a connection to a blocked site requiring SSL communication occurs, so that the blocked page can be displayed without an SSL communication error.
- A network security system includes: a DNS blocking server, connected to the network equipment to which the client terminal is connected, which mirrors the DNS query packet through the network equipment and, when the DNS query domain address of the DNS query packet is a management target domain address, generates a fake DNS response packet and transmits it to the client terminal;
- and a warning server which, when it receives a request packet from the client terminal that received the fake DNS response packet, transmits to the client terminal a warning page indicating that the site is blocked.
- The warning server may generate a private certificate and transmit it to the client terminal when it receives a certificate request packet from the client terminal before receiving the request packet.
- The private certificate may be a certificate corresponding to the site that the client terminal wants to access.
- The alert server may generate the private certificate using the DNS query domain address to which the client terminal is to be connected as a parameter.
- The client terminal may check whether the private certificate can be trusted and authenticate it.
- The client terminal presets the alert server's information as a trusted root certification authority.
- The DNS blocking server may generate the fake DNS response packet by inputting the IP address of the warning server as the response IP address corresponding to the DNS query domain address.
- The DNS blocking server holds a management target domain address list including at least one management target domain address, extracts the DNS query domain address from the DNS query packet, and determines whether the DNS query domain address is included in the management target domain address list.
- A network security method includes: mirroring, at a DNS blocking server, a DNS query packet through a network device to which a client terminal is connected; extracting, at the DNS blocking server, a DNS query domain address from the DNS query packet; determining, by the DNS blocking server, whether the DNS query domain address is a management target domain address; generating, by the DNS blocking server, a fake DNS response packet when the DNS query domain address is a management target domain address; transmitting, by the DNS blocking server, the generated fake DNS response packet to the client terminal; and transmitting, by the warning server, a warning page notifying that the site is blocked to the client terminal when the warning server receives the request packet from the client terminal that received the fake DNS response packet.
- The method may further include generating a private certificate and transmitting it to the client terminal.
- The present invention mirrors a DNS query packet through a network device connected to a client terminal into a DNS blocking server, and generates a fake DNS response packet when the DNS query domain address extracted from the DNS query packet is a managed domain address.
- It relates to a network security system that can continue network communication even if the DNS blocking server fails, and that can warn that a page is blocked without an SSL communication error even if the managed domain uses Secure Sockets Layer (SSL) communication.
- FIG. 1 is a diagram illustrating a schematic configuration of a network security system according to an embodiment.
- FIG. 2 is a flowchart illustrating a process of processing a DNS query packet at a DNS blocking server of a network security system according to an embodiment.
- FIG. 3 is a flowchart illustrating a process of warning that a page is blocked when an alert server of a network security system requests a connection to a management target according to an embodiment.
- FIG. 4 is a diagram illustrating a flow when a client terminal requests a connection to a management target site requiring SSL communication, according to an exemplary embodiment.
- FIG. 5 is a diagram illustrating an example of inputting a command for generating a private certificate according to an exemplary embodiment.
- FIG. 6 illustrates an example of inputting information to be input when generating a private certificate according to an exemplary embodiment.
- FIG. 7 illustrates an example of confirming information of a private certificate generated according to an embodiment.
- FIG. 8 illustrates an example of a list of DNS blocking servers according to an exemplary embodiment.
- FIG. 1 is a diagram illustrating a schematic configuration of a network security system according to an embodiment.
- When accessing the Internet 100 from the client terminal 160 in a network environment, the client terminal 160 may be connected to a switch 170 or a router.
- The client terminal 160 may be connected to the switch 170 or the router to enable network connection and data transmission.
- The client terminal 160 may comprise at least one client connected to the Internet.
- The client may be a terminal such as a PC or a smartphone.
- The DNS blocking server 140 may be connected to a network device to which the client terminal 160 is connected, so as to mirror DNS query packets passing through the network device.
- The DNS blocking server 140 may store a list of management target domain addresses.
- For example, the DNS blocking server 140 may store www.aaa.com, www.bbb.com, and www.ccc.com as managed domain addresses.
- A DNS query packet may be delivered to the external DNS server 120 through the Internet 100, and may also be forwarded to the DNS blocking server 140 through mirroring.
- The DNS blocking server 140 may extract the DNS query domain address included in the DNS query packet. For example, www.abc.com, the DNS query domain address included in a DNS query packet, may be extracted. It may then be determined whether the DNS query domain address is a management target domain address, by comparing the DNS query domain address with the list of managed domain addresses stored in the DNS blocking server 140.
- In response to the DNS query packet transmitted to the external DNS server 120 through the Internet 100, a DNS response packet may be delivered to the client terminal 160.
- The client terminal 160 may normally connect to the destination site using the DNS response packet and perform communication.
- The DNS response packet is provided in response to a DNS query packet requesting the IP address corresponding to a domain name, and includes the IP address corresponding to that domain name.
- When the DNS query domain address is a management target domain address, a fake DNS response packet may be generated and transmitted to the client terminal 160 through the switch 170.
- The DNS blocking server 140 may generate the fake DNS response packet by inputting the IP address of the alert server 150 as the response IP address corresponding to the DNS query domain address.
- The generated fake DNS response packet may be transmitted to the client terminal 160 through the switch 170.
- For example, the DNS blocking server 140 may generate a fake DNS response packet by substituting the IP address of the alert server 150 (for example, 10.10.10.10) as the response IP address corresponding to the DNS query domain address, and transmit the generated fake DNS response packet to the client terminal 160.
- The client terminal 160 may receive this DNS response packet and accordingly access the alert server 150.
- When the alert server 150 receives a request packet that the client terminal 160 generated using the fake DNS response packet, the alert server 150 transmits a warning page to the client terminal 160 indicating that the site is blocked.
- If the site that the client terminal 160 is trying to access requires SSL (Secure Sockets Layer) communication, the client terminal 160 sends a certificate request packet requesting a certificate for SSL communication to the alert server 150 before transmitting the request packet requesting access to the site.
- When the alert server 150 receives the certificate request packet from the client terminal 160 before receiving the request packet, it may generate a private certificate and transmit it to the client terminal 160. That is, the alert server 150 may support SSL communication.
- The private certificate may be a certificate corresponding to the site that the client terminal 160 wishes to access.
- The alert server 150 may generate the private certificate by using the DNS query domain address that the client terminal 160 wants to access as a parameter.
- For example, the alert server 150 may generate the private certificate with OpenSSL, using the DNS query domain address as an argument. The process of generating a private certificate with OpenSSL is described with reference to FIGS. 5 through 7.
- FIG. 5 is a diagram illustrating an example of inputting a command for generating a private certificate according to an exemplary embodiment.
- "openssl" is the openssl command; "-days 365" is the validity period; "rsa:2048" is the key type and size; "-keyout privateKey.key" generates the key and names the key file; and "-out certificate.crt" generates the certificate.
- FIG. 6 illustrates an example of the information to be entered when generating a private certificate according to an exemplary embodiment.
- The screen of FIG. 6 appears after entering the command "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -reqexts v3_req -extensions v3_ca".
- This is the case where issuer information such as the issuer's e-mail address, domain name, issuing department, company, and region is entered; a private certificate can be generated through this process.
- FIG. 7 illustrates an example of confirming the information of a private certificate generated according to an embodiment.
- The private certificate includes information such as version, serial number, signature algorithm, signature hash algorithm, issuer, validity period (start), validity period (end), and subject.
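The per-domain certificate step described for FIGS. 5 through 7, as an added Python example that is not the patent's own code: it takes the page's openssl command and fills the subject from the DNS query domain address instead of the interactive prompts of FIG. 6, validates the domain before it becomes a command argument or a file name, and reuses a certificate already generated for that domain. It assumes an openssl binary (1.1.1 or later, for -addext) on PATH and a certificate store directory, neither of which the page specifies.

```python
import os
import re
import subprocess
from pathlib import Path

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(domain: str) -> bool:
    """Refuse anything that is not a plain DNS hostname before it is used as an argument."""
    d = domain.lower().rstrip(".")
    return 0 < len(d) <= 253 and all(_LABEL.match(p) for p in d.split("."))


def build_openssl_args(domain: str, key_path, cert_path, days: int = 365) -> list:
    """The page's command (openssl req -x509 -nodes -days 365 -newkey rsa:2048
    -keyout privateKey.key -out certificate.crt), with the queried domain as the
    subject CN and subjectAltName instead of the interactive prompts of FIG. 6."""
    if not is_valid_hostname(domain):
        raise ValueError(f"not a valid DNS query domain address: {domain!r}")
    d = domain.lower().rstrip(".")
    return [
        "openssl", "req", "-x509", "-nodes",
        "-days", str(days),
        "-newkey", "rsa:2048",
        "-keyout", str(key_path),
        "-out", str(cert_path),
        "-subj", f"/CN={d}",                       # subject taken from the DNS query domain
        "-addext", f"subjectAltName=DNS:{d}",      # assumed: needs OpenSSL 1.1.1+
    ]


def private_certificate_for(domain: str, store: Path) -> Path:
    """Step 418: return the certificate file for `domain`, generating it only once.

    `store` is an assumed directory; the command runs without a shell, so the
    validated domain is passed as a single argv element.
    """
    d = domain.lower().rstrip(".")
    if not is_valid_hostname(d):                   # also keeps d out of the file name otherwise
        raise ValueError(f"not a valid DNS query domain address: {domain!r}")
    cert_path = store / f"{d}.crt"
    key_path = store / f"{d}.key"
    if cert_path.exists():                         # reuse a previously generated certificate
        return cert_path
    store.mkdir(parents=True, exist_ok=True)
    subprocess.run(build_openssl_args(d, key_path, cert_path), check=True, capture_output=True)
    os.chmod(key_path, 0o600)                      # the private key stays readable by the alert server only
    return cert_path
```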
- The client terminal 160 verifies whether the private certificate can be trusted and authenticates it, and then transmits the request packet to the alert server 150.
- The client terminal 160 presets the information of the alert server 150 as a trusted root certification authority.
- The client terminal 160 may manage a private certificate previously generated by the alert server 150 by including it among its root certificates.
- The network security system does not cause a service stop problem, because network communication continues even if the DNS blocking server fails. For example, since DNS query packets are only mirrored to the DNS blocking server, the DNS response packet is still transmitted from the normal DNS server to the client terminal even when the DNS blocking server is broken, and the client terminal can make a normal network connection using that DNS response packet.
- FIG. 2 is a flowchart illustrating a process of processing a DNS query packet at a DNS blocking server of a network security system according to an embodiment.
- The DNS blocking server 140 mirrors a DNS query packet through the network device to which the client terminal 160 is connected (210).
- The DNS blocking server 140 extracts the DNS query domain address from the DNS query packet (220).
- The DNS blocking server 140 checks whether the DNS query domain address is a management target domain address (230).
- If it is determined in step 230 that the DNS query domain address is a management target domain address, the DNS blocking server 140 generates a fake DNS response packet (240). At this time, the DNS blocking server 140 generates the fake DNS response packet by inputting the IP address of the warning server 150 as the response IP address corresponding to the DNS query domain address.
- The DNS blocking server 140 transmits the generated fake DNS response packet to the client terminal 160 (250).
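The DNS blocking server's decision logic of steps 210 to 250, as an added Python example that is not code from the patent: it parses a mirrored query, extracts the DNS query domain address, checks it against a management target domain address list, and builds the fake DNS response whose A record carries the alert server's IP address (10.10.10.10, as above). The domain list, the sample query and the helper names are constructed here; the mirror port and the actual transmission of the packet are left out.

```python
import ipaddress
import struct

# Constructed management target domain address list (cf. the FIG. 8 examples).
MANAGEMENT_TARGET_DOMAINS = {"www.plustech.com", "www.abc.com", "www.zzz.com"}
ALERT_SERVER_IP = "10.10.10.10"   # alert server 150 address from the description
QTYPE_A, QCLASS_IN = 1, 1


def extract_query_domain(packet: bytes):
    """Step 220: return (id, qname, qtype, qclass, question_end) from a DNS query.

    Returns None for anything that is not a well-formed single-question query,
    so malformed or truncated mirrored traffic is simply ignored (fail open).
    """
    if len(packet) < 12:
        return None
    tid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:   # QR set means a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                # compression pointers are not valid in a query name
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return tid, ".".join(labels).lower(), qtype, qclass, pos + 4


def is_management_target(domain: str) -> bool:
    """Step 230: exact, case-insensitive match against the management target list."""
    return domain.lower().rstrip(".") in MANAGEMENT_TARGET_DOMAINS


def build_fake_response(packet: bytes, alert_ip: str = ALERT_SERVER_IP):
    """Step 240: return the fake DNS response for a blocked A query, else None.

    The transaction ID and question section are copied from the client's query
    so the client's resolver accepts the answer; the single A record carries the
    alert server's address, which is where the request packet will then go.
    """
    parsed = extract_query_domain(packet)
    if parsed is None:
        return None
    tid, domain, qtype, qclass, qend = parsed
    if qtype != QTYPE_A or qclass != QCLASS_IN or not is_management_target(domain):
        return None                      # not managed: the real DNS server answers as usual
    rd = struct.unpack("!H", packet[2:4])[0] & 0x0100
    header = struct.pack("!HHHHHH", tid, 0x8000 | rd | 0x0080, 1, 1, 0, 0)  # QR=1, RA=1
    question = packet[12:qend]
    # Answer RR: pointer to the name at offset 12, type A, class IN, TTL 60, 4-byte RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4)
    answer += ipaddress.IPv4Address(alert_ip).packed
    return header + question + answer


def build_query(domain: str, tid: int = 0x1234) -> bytes:
    """Constructed helper: encode a standard recursive A query for `domain`."""
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in domain.split("."))
    return (struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
            + name + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN))


def answered_ip(response: bytes) -> str:
    """Constructed helper: read the A record address from a response built above."""
    return str(ipaddress.IPv4Address(response[-4:]))
```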
- FIG. 3 is a flowchart illustrating a process of warning that a page is blocked when an alert server of a network security system requests a connection to a management target according to an embodiment.
- The alert server 150 checks whether a certificate request packet has been received from the client terminal 160 (310).
- Upon receiving the certificate request packet in step 310, the alert server 150 generates a private certificate and transmits it to the client terminal 160 (320).
- The private certificate is a certificate corresponding to the site that the client terminal 160 wants to access, and is generated using the DNS query domain address to which the client terminal 160 wants to connect as a parameter.
- The warning server 150 checks whether a request packet requesting access to the site has been received from the client terminal 160 that received the fake DNS response packet (330).
- When the check in step 330 finds that the request packet has been received, the alert server 150 transmits a warning page to the client terminal 160 indicating that the site is blocked (340).
- FIG. 4 is a diagram illustrating a flow when a client terminal requests a connection to a management target site requiring SSL communication, according to an exemplary embodiment.
- The DNS blocking server 140 mirrors a DNS query packet through the network device to which the client terminal 160 is connected (410).
- The DNS blocking server 140 extracts the DNS query domain address from the DNS query packet and checks whether it is a management target domain address (412); if so, it generates a fake DNS response packet and transmits it to the client terminal 160 (414). At this time, the IP address of the alert server 150 is written in the response IP address of the fake DNS response packet.
- When the site to which the client terminal 160 is to be connected requires SSL communication, the client terminal 160, upon receiving the fake DNS response packet, transmits a certificate request packet to the alert server 150 (416).
- When the alert server 150 receives the certificate request packet from the client terminal 160, it generates a private certificate (418). At this time, the private certificate is a certificate corresponding to the site that the client terminal 160 wants to access, and is generated using the DNS query domain address to which the client terminal 160 wants to connect as a parameter.
- The private certificate generated by the alert server 150 is transmitted to the client terminal 160.
- When the client terminal 160 receives the private certificate from the alert server 150, it authenticates whether the private certificate is valid, and if authentication succeeds (422), it transmits a request packet requesting access to the site to the alert server 150 (424).
- When the alert server 150 receives the request packet from the client terminal 160, it transmits an alert page to the client terminal 160 indicating that the site is blocked (426).
- FIG. 8 illustrates an example of a list of DNS blocking servers according to an exemplary embodiment.
- FIG. 8 illustrates a management target domain address list 800.
- The management target domain addresses may be stored in a database of the DNS blocking server, or an external database storing the management target domain addresses may be used.
- The management target domain address list may include a domain address field 810 and an information field, and other fields may be generated and stored as well.
- The management target domain address list may be stored in a database in list form, and the management target domain addresses may be updated at regular intervals.
- Domain addresses in the management target domain address list may be modified, added, and deleted.
- The management target domain list stores management target domain addresses.
- For example, the list of managed domains may store www.plustech.com, www.abc.com, and www.zzz.com as managed domain addresses. It may also include the address of at least one web mail site.
- The method for displaying a blocked site in a network security system may be implemented in the form of program instructions that can be executed by various computer means and recorded in a computer-readable medium.
- The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination.
- Program instructions recorded on the medium may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well known and available to those having skill in the computer software arts.
- Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, and flash memory.
- Program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.
- The hardware device described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Technology Law (AREA)
Abstract
The present invention relates to a network security system and method for marking blocked sites. According to the method, a DNS blocking server mirrors a DNS query packet passing through network equipment to which a client terminal is connected and, if a DNS query domain address extracted from the DNS query packet is a domain address to be managed, generates a fake DNS response packet and transmits it to the client terminal; and a warning server generates a private certificate and transmits it to the client terminal if a certificate request packet is received from the client terminal, and transmits to the client terminal a warning page notifying of a blocked site if a request packet is received from the client terminal.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150066321A KR101656615B1 (ko) | 2015-05-12 | 2015-05-12 | Network security system and method for displaying a blocked site |
KR10-2015-0066321 | 2015-05-12 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016182329A1 true WO2016182329A1 (fr) | 2016-11-17 |
Family
ID=57102412
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2016/004911 WO2016182329A1 (fr) | 2015-05-12 | 2016-05-11 | Network security system and method for marking blocked sites |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR101656615B1 (fr) |
WO (1) | WO2016182329A1 (fr) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117278524B (zh) * | 2023-09-26 | 2024-06-14 | 北京网藤科技有限公司 | Method and system for resolving the warning prompt displayed when a browser opens a local server |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20060007538A (ko) * | 2004-07-20 | 2006-01-26 | 박재홍 | Method for providing a selective Internet access blocking service using DNS |
KR20110124833A (ko) * | 2010-05-12 | 2011-11-18 | (주)한드림넷 | Network switch and security notification method of the network switch |
KR20140044987A (ko) * | 2012-09-25 | 2014-04-16 | 주식회사 시큐아이 | Security system and operating method thereof |
- 2015-05-12: KR KR1020150066321A patent/KR101656615B1/ko active IP Right Grant
- 2016-05-11: WO PCT/KR2016/004911 patent/WO2016182329A1/fr active Application Filing
Non-Patent Citations (2)
Title |
---|
"Terminal Authentication Service", PLUSTECH, 13 July 2014 (2014-07-13), pages 1. * |
CHAE, MYEONG SEOK: "Netpia, Notifying to KT-KTH Fair Trade Commission, Communication Commissions", ASIA ECONOMY DAILY, 27 March 2007 (2007-03-27), pages 1. Retrieved from the Internet <URL:http://blog.naver.com/malim918/130016348206> * |
Also Published As
Publication number | Publication date |
---|---|
KR101656615B1 (ko) | 2016-09-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8220032B2 (en) | Methods, devices, and computer program products for discovering authentication servers and establishing trust relationships therewith | |
WO2014185594A1 (fr) | Single sign-on system and method in a VDI environment | |
US9438583B2 (en) | Certificate generation method, certificate generation apparatus, information processing apparatus, and communication device | |
WO2018124856A1 (fr) | Method and terminal for authenticating a user by means of a mobile ID using a blockchain database, and server using the method and terminal | |
WO2013085217A1 (fr) | Security management system having multiple relay servers, and security management method | |
US20160057141A1 (en) | Network system comprising a security management server and a home network, and method for including a device in the network system | |
WO2021187782A1 (fr) | Malicious traffic detection method and associated device | |
CN115603932A (zh) | Access control method, access control system and related device | |
WO2015178597A1 (fr) | System and method for updating a secret key by means of a PUF module | |
WO2020159053A1 (fr) | Integrity verification chain for verifying the integrity of a device, and method for verifying the integrity of a device using the same | |
CN114125027B (zh) | Communication establishment method and apparatus, electronic device and storage medium | |
US20110154469A1 (en) | Methods, systems, and computer program products for access control services using source port filtering | |
WO2015182873A1 (fr) | DNS server selection block and DNS address modification method using a proxy | |
WO2021060859A1 (fr) | System for authenticating a terminal and controlling its network access, and associated method | |
KR101040543B1 (ko) | System and method for detecting encrypted data in an SSH communication environment | |
WO2016182329A1 (fr) | Network security system and method for marking blocked sites | |
JP5715030B2 (ja) | Access line identification and authentication system | |
KR20030029244A (ko) | Content delivery method and system in a CDN service network | |
WO2023090756A1 (fr) | Controller-based network access control system and associated method | |
WO2016153123A1 (fr) | System for performing authentication using a MAC address and related method | |
JP2018074395A (ja) | Data communication system, cache DNS device and communication attack prevention method | |
WO2018056582A1 (fr) | Packet inspection method using SSL communication | |
WO2012015099A1 (fr) | Apparatus and method for providing a web service by means of a one-time secure token | |
WO2018088680A1 (fr) | Security system and method for processing a request to access a blocked site | |
US9823944B2 (en) | Deployment control device and deployment control method for deploying virtual machine for allowing access |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16792975; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 16792975; Country of ref document: EP; Kind code of ref document: A1 |