WO2024029658A1 - Access control system in a network and associated method - Google Patents

Access control system in a network and associated method

Info

Publication number
WO2024029658A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
network
policy
packet
arp
Prior art date
Application number
PCT/KR2022/012964
Other languages
English (en)
Korean (ko)
Inventor
김찬우
김장훈
강준석
김현필
Original Assignee
스콥정보통신 주식회사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 스콥정보통신 주식회사
Publication of WO2024029658A1

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/10Mapping addresses of different types
    • H04L61/103Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • This disclosure relates to an access control system and method in a network, and more specifically to an access control system and method for controlling access in a network that includes a plurality of in-house terminals located in different households.
  • Wall pads in the same apartment complex form one subnet, and wall pads within the subnet communicate with each other directly. Communication between wall pads of different districts is also possible through communication between subnets. Therefore, to protect the wall pads from hacking, it is necessary to control not only access within the same subnet in the apartment complex but also access from other subnets.
  • The ACL (Access Control List) or firewall function provided by security equipment such as switches or routers was used.
  • ACL technology sets filters defined by source IP address, destination IP address, protocol, application port number, etc., compares in-bound or out-bound packets against them, and allows or blocks each packet accordingly.
  • ACL technology unconditionally blocks (denies) or allows packets from devices that are not registered in the white list or black list, which makes policy management difficult when the network environment changes, for example through network configuration changes or the registration of new devices.
  • ACL technology can block communication between the subnets of different buildings within an apartment complex, but it may be difficult to block direct communication between wall pads within the same building. Communication between wall pads in the same building, which belong to one subnet, passes through the L2 switch of that subnet rather than the L3 switch. Therefore, an ACL configured in the L3 switch cannot block communication between wall pads within the same building.
  • The present disclosure is intended to provide an access control system and method that can control access to in-house terminals, such as wall pads installed in each household of an apartment complex.
  • An access control method in a network including a plurality of in-house terminals located in different households may include: a management device transmitting ARP (Address Resolution Protocol) request packets to the plurality of in-house terminals; the management device analyzing the first ARP response packets received in response to the ARP request packets to obtain address information of the plurality of in-house terminals; the management device generating second ARP response packets whose MAC (Media Access Control) addresses have been modulated; and the management device transmitting the second ARP response packets to the plurality of in-house terminals, thereby altering the MAC address of each in-house terminal in the ARP tables of the plurality of in-house terminals.
  • The second ARP response packet may be an ARP response packet that includes, as its source address information, the IP address of the in-house terminal whose MAC address is to be altered in each ARP table together with the altered MAC address.
  • The modified MAC address may be a MAC address with which communication is not possible.
  • The network may include a policy server that manages an access management policy, including a VLAN (Virtual Local Area Network) band allocation policy and a communication permission policy for each of a plurality of subnets to which different network devices are connected, and a plurality of network devices that include the plurality of in-house terminals.
  • The method may further include: the management device transmitting a third ARP response packet with a modified MAC address to the plurality of network devices, thereby modulating the MAC address of the gateway in the ARP tables of the plurality of network devices to the MAC address of the management device; the management device receiving a packet transmitted from the plurality of network devices to the gateway; and the management device forwarding the received packet to the gateway, or discarding it, based on the access management policy.
  • The step of forwarding or discarding the received packet may include discarding the received packet when the communication permission policy prohibits communication between the VLAN band to which the destination IP address of the received packet belongs and the VLAN band to which the source IP address of the received packet belongs.
  • The step of forwarding or discarding the received packet may include forwarding the received packet to the gateway when the communication permission policy allows communication between the VLAN band to which the destination IP address of the received packet belongs and the VLAN band to which the source IP address of the received packet belongs.
  • The step of forwarding or discarding the received packet may include forwarding the received packet to the gateway if the destination IP address of the received packet belongs to a network external to the network.
  • The communication permission policy may be set to prohibit communication between the subnets to which the plurality of in-house terminals belong.
  • The access control method may further include the management device obtaining, from the received packet, the address information of the network device that transmitted the packet, and the management device detecting a new network device by comparing the address information obtained from the received packet with the address information managed by the policy server.
  • The access management policy may further include a policy for determining whether to authorize the new network device.
  • The access control method may further include the policy server determining whether to authorize the new network device based on the access management policy or on control input from an administrator, and, if the new network device is an unauthorized device, the management device transmitting to the new network device a fourth ARP request packet that modulates the MAC address of another network device in the ARP table of the new network device to a MAC address with which communication is not possible.
  • The method may further include the management device transmitting to the new network device a fifth ARP request packet that modifies the MAC address of the gateway in the ARP table of the new network device to a MAC address that cannot communicate or to the MAC address of the management device.
  • The access management policy may further include a blocking policy for address thief devices.
  • The method may further include the management device detecting an address thief device that has stolen the address of another network device registered in the network, by comparing the address information obtained from the received packet with the address information managed by the policy server, and the management device blocking the address thief device from the network based on the blocking policy.
  • The management device may be connected to an 802.1Q tagged port of the L3 switch.
  • An access control system in a network including a plurality of in-house terminals located in different households may include a management device that transmits ARP (Address Resolution Protocol) request packets to the plurality of in-house terminals, analyzes the first ARP response packets received in response to the ARP request packets to obtain address information of the plurality of in-house terminals, transmits second ARP response packets with modulated MAC (Media Access Control) addresses to the plurality of in-house terminals, and thereby blocks communication between the plurality of in-house terminals by modulating the MAC address of each in-house terminal registered in the ARP tables of the plurality of in-house terminals.
  • The second ARP response packet may be an ARP response packet that includes, as its source address information, the IP address of the in-house terminal whose MAC address is to be altered in each ARP table together with the altered MAC address.
  • The modified MAC address may be a MAC address with which communication is not possible.
  • The access control system may further include a policy server that manages an access management policy including a VLAN (Virtual Local Area Network) band allocation policy and a communication permission policy for each of the plurality of subnets constituting the network.
  • The management device may transmit a third ARP response packet with a modified MAC address to a plurality of network devices registered in the network, so that the MAC address of the gateway registered in the ARP tables of the plurality of network devices is modulated to match the MAC address of the management device. The plurality of network devices may include the plurality of in-house terminals.
  • The management device may discard the received packet when the communication permission policy prohibits communication between the VLAN band to which the destination IP address of the received packet belongs and the VLAN band to which the source IP address of the received packet belongs.
  • The management device may forward the received packet to the gateway when communication between the VLAN band to which the destination IP address of the received packet belongs and the VLAN band to which the source IP address of the received packet belongs is allowed, or when the destination IP address of the received packet belongs to a network external to the network.
  • The communication permission policy may be set to prohibit communication between the different subnets to which the plurality of in-house terminals belong.
  • The policy server may manage the address information of the plurality of network devices, and the management device may obtain, from the received packet, the address information of the network device that transmitted the packet and detect a new network device by comparing the address information obtained from the received packet with the address information managed by the policy server.
  • The access management policy may further include a policy for determining whether to authorize the new network device.
  • The policy server may determine whether to authorize the new network device based on the access management policy or on control input from an administrator. If the new network device is an unauthorized device, the management device may transmit to the new network device a fourth ARP request packet that modulates the MAC address of another network device in the ARP table of the new network device to a MAC address with which communication is not possible.
  • The management device may transmit to the new network device a fifth ARP request packet that modifies the MAC address of the gateway in the ARP table of the new network device to a MAC address that cannot communicate or to the MAC address of the management device.
  • The access management policy may further include a blocking policy for address thief devices.
  • The management device may detect an address thief device that has stolen the address of another network device registered in the network by comparing the address information obtained from the received packet with the address information managed by the policy server, and may block the address thief device from the network based on the blocking policy.
  • The management device may be connected to an 802.1Q tagged port of the L3 switch.
  • Figure 1 schematically shows a network within an apartment complex according to an embodiment.
  • Figure 2 schematically shows an access control system according to one embodiment.
  • Figure 3 schematically shows an access control method in a network according to an embodiment.
  • Figure 4 schematically illustrates a method of blocking access of an address theft device to a network according to an embodiment.
  • Figure 1 schematically shows a network within an apartment complex according to an embodiment.
  • Packets transmitted and received between the network 1 within the apartment complex and the external network (Internet) pass through the firewall 11 and the L3 switch 12.
  • The firewall 11 is responsible for the security of the network 1 and can block harmful traffic entering or leaving the network.
  • The L3 switch 12 can operate as a backbone switch located at the center of the nodes in the network 1 that connect to the Internet. In this case, all packets transmitted and received between the network 1 and the Internet pass through the L3 switch 12.
  • The L3 switch 12 may operate as the gateway of the network 1. The gateway can forward packets between the Internet and the network 1, or between the subnets constituting the network 1, based on the destination IP address included in each packet.
  • The network 1 may include at least one subnet 20.
  • Each subnet 20 may include the in-house terminals 22 located in the same building and at least one L2 switch 21 that supports communication between them. Communication between in-house terminals 22 belonging to the same subnet 20, that is, in-house terminals 22 in the same building, may correspond to direct communication through the L2 switch 21. Communication between in-house terminals 22 belonging to different subnets 20, that is, in-house terminals 22 in different buildings, may correspond to communication between subnets 20 through the gateway of the L3 switch 12.
  • The in-house terminal 22 is a network device located within each household, and can perform various functions such as providing information about the apartment complex or unit, controlling facilities within the apartment complex or unit, and making calls.
  • The in-house terminal 22 may include, for example, a video phone, a door phone, a wall pad, etc.
  • The network 1 may include various public systems managed through the network 1 within the apartment complex (for example, CCTV 31, parking management system 32, complex entrance 33, common front door 34, etc.).
  • The network 1 may further include various servers located within the apartment complex, such as a complex server 41 and a call server 42.
  • Each subnet 20, 30, and 40 may be divided into a virtual local area network (VLAN) band. That is, different VLAN bands may be assigned to the subnets 20, 30, and 40.
  • The in-house terminals 22 belonging to the network 1 may be collectively referred to as 'network devices'.
  • The network 1 may further include a policy server 43 and a management device 13 to block illegal access to the network devices belonging to the network 1.
  • Figure 2 schematically shows an access control system for controlling access to network devices in the network 1 within an apartment complex according to an embodiment.
  • The access control system 100 may include the L3 switch 12, the management device 13, and the policy server 43 of FIG. 1 described above.
  • The management device 13 and the policy server 43 are connected to the L3 switch 12 and can communicate with each other through the L3 switch 12.
  • The policy server 43 can set and manage a policy for network access (the access management policy) and the device information of the network devices in the network 1.
  • The policy server 43 may include a database 431 and a policy management unit 432.
  • The database 431 may store policy (access management policy) information for connection authentication, authorization, account operations, etc. for network access in the network 1.
  • The access management policy may include a VLAN band (or subnet band) allocation policy for each subnet 20, 30, and 40 constituting the network 1, and a communication permission policy (a communication permission policy for each VLAN band and a communication permission policy between VLAN bands).
  • The communication permission policy can be set so that communication is blocked between the different subnets 20 to which the in-house terminals 22 belong, while communication is enabled between the subnet 20 to which the in-house terminals 22 belong and the subnet 30 to which the parking management system 32 belongs.
  • The access management policy may include a policy for determining whether to authorize a network device that newly attempts to connect to the network 1, a blocking policy for devices that are not authorized in the network 1 or that have stolen the address of another network device, etc.
  • The database 431 may further include the device information of each network device registered in the network 1.
  • The device information may include the address information (IP address and MAC address), status information (online/offline), authentication information (authorized/unauthorized), blocking status, etc. of each network device.
  • The policy management unit 432 can set and manage the policy information stored in the database 431.
  • The policy management unit 432 can set and manage the policy information based on control input received from the administrator.
  • The policy management unit 432 may set and manage the device information stored in the database 431.
  • The policy management unit 432 may receive the address information and status information of each network device from the management device 13, and set and manage the device information based on the received information.
  • The policy management unit 432 may determine whether to authorize a new network device based on the information about the new network device received from the management device 13.
  • The policy management unit 432 may determine whether to authorize a new network device based on the policy information stored in the database 431.
  • The policy management unit 432 may notify the administrator of the detection of a new network device and then decide whether to authorize the network device based on control input received from the administrator.
  • When the policy management unit 432 has determined whether to authorize a new network device, it may also transmit the corresponding authorization information to the management device 13.
  • The management device 13 may control access to the network 1 using ARP (Address Resolution Protocol) packet modulation and packet forwarding.
  • The management device 13 may include a storage unit 131, a transceiver 132, and a control unit 133.
  • The storage unit 131 can store various information, data, etc. processed by the management device 13.
  • The storage unit 131 may store information (policy information, device information, etc.) received from the policy server 43.
  • The storage unit 131 may store the address information and status information of each network device obtained by the control unit 133, described later.
  • The storage unit 131 may temporarily store packets transmitted and received through the transceiver 132.
  • The transceiver 132 can transmit and receive information, packets, etc. between the management device 13 and the other devices belonging to the network 1.
  • The transceiver 132 can receive policy information, device information, etc. from the policy server 43.
  • The transceiver 132 may notify the policy server 43 of the occurrence of an event and transmit the status information and address information of network devices obtained by the management device 13 to the policy server 43.
  • The transceiver 132 may collect packets (ARP packets, User Datagram Protocol (UDP) packets, Transmission Control Protocol (TCP) packets, etc.) transmitted through the L3 switch 12 within the network 1.
  • The transceiver 132 may be connected to an 802.1Q tagged port (or trunk port) of the L3 switch 12.
  • The 802.1Q tagged port of the L3 switch 12 is a port through which the traffic of multiple VLAN bands passes. As described above, different VLAN bands may be assigned to each subnet 20, 30, and 40 of the network 1. Therefore, for the management device 13 to collect the packets of all subnets 20, 30, and 40 transmitted through the L3 switch 12, it must be able to access all VLAN bands assigned to the subnets 20, 30, and 40, and for this purpose the transceiver 132 can be connected to the 802.1Q tagged port of the L3 switch 12.
  • The transceiver 132 may transmit and receive ARP packets (ARP request packets, ARP response packets, etc.) with each network device (for example, an in-house terminal 22) connected to the network 1.
  • The transceiver 132 may forward packets received from other network devices to a gateway (e.g., the L3 switch 12 performing the gateway function).
  • The control unit 133 may control the overall operation of the management device 13.
  • The control unit 133 may receive policy information, the device information of network devices, etc. from the policy server 43 and store them in the storage unit 131.
  • The control unit 133 may transmit an ARP request packet for each VLAN band (subnet band) to obtain information (address information, status information, etc.) on the network devices connected to each VLAN band (subnet band).
  • The control unit 133 may broadcast, to the subnet to which a network device belongs, an ARP request packet that includes the IP address of the network device whose information is to be checked as its destination address information. The control unit 133 may then determine the status of that network device based on whether an ARP response packet to the transmitted ARP request packet is received. That is, the control unit 133 may determine that the network device is offline if no ARP response packet is received from it within a predetermined time after the ARP request packet has been transmitted at least once during a predetermined period. If an ARP response packet is received from the network device within the predetermined time after transmitting the ARP request packet, the control unit 133 may determine that the network device is online.
  • The control unit 133 may set status information for each network device based on the determined status and store it in the storage unit 131.
  • The online state may indicate a state in which the connection between the corresponding network device and the network 1 is activated.
  • The offline state may indicate a state in which the connection between the corresponding network device and the network 1 is deactivated.
  • The control unit 133 may detect a status change event by comparing the determined status with the previous status information of the corresponding network device.
  • The previous status information of the corresponding network device can be obtained from the device information of that network device received from the policy server 43, or from the previous status information of that network device stored in the storage unit 131.
  • If the determined status differs from the previous status information, the control unit 133 may determine that a status change event has occurred for the network device.
  • The control unit 133 may notify the policy server 43 of the status change event. Additionally, the control unit 133 may transmit the updated status information to the policy server 43 to update the device information stored in the policy server 43.
  • The control unit 133 may acquire the address information (IP address and MAC address) of each network device by analyzing the received ARP response packet. A network device that finds its own IP address in the destination address information of the ARP request packet transmitted from the management device 13 may transmit an ARP response packet including its IP address and MAC address as source address information. Therefore, when an ARP response packet is received, the control unit 133 can obtain the address information (IP address and MAC address) of the corresponding network device from the source address information (source IP address and source MAC address) included in the response packet.
  • In the manner described above, the control unit 133 can collect the status information and address information of the in-house terminals 22 installed in each household of the apartment complex, and can also check which subnet 20 (VLAN band) each in-house terminal 22 belongs to.
  • The control unit 133 identifies the in-house terminals 22 connected to each subnet 20 based on the information collected in the manner described above, and can block communication between the in-house terminals 22 of different households belonging to the same subnet 20 using ARP packet modulation.
  • The control unit 133 may generate modulated ARP response packets for modulating the MAC addresses in the ARP table of each in-house terminal 22, based on the address information of each in-house terminal 22.
  • Each modulated ARP response packet may include, as its source address information, the IP address of the in-house terminal 22 that is the target of the MAC address modification together with the modified MAC address.
  • The altered MAC address may be a meaningless MAC address unsuitable for communication.
  • The control unit 133 may transmit each modulated ARP response packet to the subnet 20 to which the in-house terminal 22 that is the target of the MAC address modification belongs. Accordingly, the other in-house terminals 22 in the same subnet 20 that receive the modulated ARP response packet can update their stored ARP tables based on the source address information included in the received ARP response packet. That is, each in-house terminal 22 that receives the modulated ARP response packet acquires the source IP address and source MAC address from the received ARP response packet and changes the MAC address corresponding to that source IP address in its ARP table to the source MAC address.
  • The ARP table of each network device contains the address information (IP address and MAC address) of the network devices belonging to the same broadcast domain (e.g., subnet) as the network device, and the address information (IP address and MAC address) of the gateway to which the network device is connected.
  • To communicate with another in-house terminal 22, each in-house terminal 22 refers to the address information of that in-house terminal 22 stored in its ARP table. Therefore, when the MAC addresses in the ARP tables that the in-house terminals 22 belonging to the same subnet 20 refer to in order to communicate with other in-house terminals 22 are modulated to MAC addresses that cannot communicate, the in-house terminals 22 cannot know the correct MAC address of the other in-house terminals 22 belonging to the same subnet 20, and direct communication with those in-house terminals 22 becomes impossible.
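As an added illustration of the two steps just described (obtaining address information by analyzing ARP response packets, and deciding online/offline status and status-change events from whether a response arrives within the reply window), the following Python code is not part of the patent or its assignee's software. It parses a constructed Ethernet/ARP reply frame with the standard library only and keeps the per-device status a management device would report to the policy server. The addresses, the timeout value and the class and function names are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ethernet header (dst MAC, src MAC, EtherType) and the RFC 826 ARP body for
# Ethernet/IPv4: hardware type, protocol type, hardware length, protocol
# length, operation, sender MAC, sender IP, target MAC, target IP.
ETH_HDR = struct.Struct("!6s6sH")
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2


@dataclass(frozen=True)
class AddressInfo:
    ip: str
    mac: str


def parse_arp_reply(frame: bytes) -> Optional[AddressInfo]:
    """Extract the sender IP and MAC from an Ethernet frame carrying an ARP reply.
    Returns None for anything that is not a well-formed Ethernet/IPv4 ARP reply,
    so no address information is ever learned from a malformed packet."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_OP_REPLY):
        return None
    return AddressInfo(ip=".".join(str(b) for b in spa),
                       mac=":".join(f"{b:02x}" for b in sha))


@dataclass
class DeviceStatus:
    ip: str
    mac: Optional[str] = None
    online: bool = False
    last_reply: Optional[float] = None


class StatusTracker:
    """Online/offline status per probed IP plus status-change events, following
    the reply-timeout rule described for control unit 133 (hypothetical model)."""

    def __init__(self, reply_timeout_s: float) -> None:
        self.reply_timeout_s = reply_timeout_s
        self.devices: Dict[str, DeviceStatus] = {}
        self.events: List[Tuple[str, bool, bool]] = []  # (ip, old_online, new_online)

    def register(self, ip: str, previous_online: bool = False) -> None:
        # previous_online is what the policy server or local storage last recorded
        self.devices[ip] = DeviceStatus(ip=ip, online=previous_online)

    def on_frame(self, frame: bytes, now: float) -> Optional[AddressInfo]:
        """Feed every frame received after an ARP request was sent."""
        info = parse_arp_reply(frame)
        if info is None or info.ip not in self.devices:
            return None
        dev = self.devices[info.ip]
        dev.mac = info.mac              # address information learned from the reply
        dev.last_reply = now
        self._set_online(dev, True)
        return info

    def on_timeout(self, ip: str, now: float) -> bool:
        """Call when the reply window for a probe of `ip` has elapsed."""
        dev = self.devices[ip]
        if dev.last_reply is None or now - dev.last_reply > self.reply_timeout_s:
            self._set_online(dev, False)
        return dev.online

    def _set_online(self, dev: DeviceStatus, online: bool) -> None:
        if dev.online != online:        # a change is what gets reported upstream
            self.events.append((dev.ip, dev.online, online))
            dev.online = online


# Constructed sample frame (not a capture): an ARP reply from terminal
# 10.0.20.10 / 02:00:00:00:00:0a answering 10.0.20.1 / 00:11:22:33:44:55.
SAMPLE_ARP_REPLY = bytes.fromhex(
    "001122334455" "02000000000a" "0806"   # Ethernet: dst, src, EtherType
    "0001" "0800" "06" "04" "0002"         # ARP: htype, ptype, hlen, plen, oper=reply
    "02000000000a" "0a00140a"              # sender MAC, sender IP
    "001122334455" "0a001401"              # target MAC, target IP
)


def demo() -> Tuple[Optional[AddressInfo], bool, bool, List[Tuple[str, bool, bool]]]:
    tracker = StatusTracker(reply_timeout_s=5.0)
    tracker.register("10.0.20.10", previous_online=False)
    info = tracker.on_frame(SAMPLE_ARP_REPLY, now=100.0)              # reply: online
    online_after_reply = tracker.on_timeout("10.0.20.10", now=103.0)  # within window
    online_after_silence = tracker.on_timeout("10.0.20.10", now=200.0)  # no reply for 100 s
    return info, online_after_reply, online_after_silence, tracker.events


if __name__ == "__main__":
    print(demo())
```

The parser rejects any frame whose EtherType, hardware/protocol types, lengths or opcode do not match an Ethernet/IPv4 ARP reply before reading a single address byte; the tracker only updates entries it was explicitly told to probe, so an unsolicited reply for an unknown IP changes nothing.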
  • the control unit 133 may control access between network devices belonging to different subnets using ARP packet modulation and packet forwarding.
  • the control unit 133 generates a modulated ARP response packet to modulate the MAC address of the gateway (e.g., L3 switch 12) to the MAC address of the management device 13 for each subnet requiring access control, A modulated ARP response packet can be transmitted to each subnet.
  • the modulated ARP response packet may include the IP address of the gateway (L3 switch 12) and the MAC address of the management device 13 as source address information. Each network device that receives this can update the MAC address of the gateway to the MAC address of the management device 13 in the ARP table stored therein.
  • a specific network device transmits a packet destined for the outside of the subnet to which it belongs (to another subnet or an external network of network 1), it will be delivered to the management device 13 rather than the gateway of the L3 switch 12. You can. That is, when each network device transmits a packet outside the subnet to which it belongs (the Internet or another subnet), the control unit 133 can receive the transmitted packet on behalf of the gateway.
  • control unit 133 When the control unit 133 receives a packet on behalf of the gateway, it can check the source subnet and destination subnet of the received packet based on the source IP address and destination IP address of the received packet. In addition, the control unit 133 can check whether access from the source subnet to the destination subnet is permitted based on the policy information (policy for allowing communication between VLAN bands (or subnet bands)) received from the policy server 43. there is. If access from the source subnet to the destination subnet is prohibited in the communication permission policy, the control unit 133 may block access by discarding the packet without forwarding it.
  • policy information policy for allowing communication between VLAN bands (or subnet bands)
  • this case applies when the in-house terminal 22 transmits a packet to connect to the in-house terminal 22 belonging to another building (another subnet 20), and in this case, the in-house terminal 22 Transmitted packets may be discarded and delivery blocked. If access from the source subnet to the destination subnet is permitted in the communication permission policy, the control unit 133 may forward the packet to the gateway (L3 switch 12) so that the packet is normally delivered to the destination.
  • the gateway L3 switch 12
  • this case applies, for example, when the in-house terminal 22 transmits a packet to connect to a network device commonly used within the apartment complex (e.g., the CCTV 31, parking management system 32, complex entrance door 33, common front door 34, etc.); the packet transmitted by the in-house terminal 22 is then forwarded to the gateway and delivered to the destination normally.
  • the control unit 133 can forward the packet to the gateway (L3 switch 12) so that the packet is delivered normally.
  • when a packet is forwarded from the management device 13, the gateway (L3 switch 12) can check the destination address of the forwarded packet and transmit the packet to the destination subnet or external network.
  • the control unit 133 may continuously analyze the packets received from network devices and update the status information of each network device. When a packet is received, the control unit 133 may check, based on the source address information of the received packet, whether the network device that transmitted the packet is already registered in the policy server 43. If it is an already registered network device, the control unit 133 can confirm that the network device is online. In addition, when the control unit 133 finds, among the network devices registered in the policy server 43 (i.e., the network devices whose address information is registered in the device information of the policy server 43), a network device that has not transmitted a packet for a predetermined period of time, it can check the status of that network device using an ARP packet as described above. That is, the control unit 133 can transmit an ARP request packet to the corresponding network device and check its status based on whether an ARP response packet is received.
  • the control unit 133 may continuously analyze the packets received from network devices to detect new network devices attempting to connect to the network 1. When a packet is received from a network device, the control unit 133 obtains the source address information (source IP address and source MAC address) from the received packet and compares it with the address information of the pre-registered network devices to check whether the network device that transmitted the packet is a new device. If address information identical to the source address information obtained from the received packet is not found among the address information of the previously registered network devices, the control unit 133 can determine that the network device that transmitted the packet is a new device newly connected to the network 1.
  • when the control unit 133 determines that the network device that transmitted the packet is a new device, it may notify the policy server 43 that a new-device detection event has occurred and transmit the address information (IP address and MAC address) of the network device to the policy server 43.
  • the policy server 43 may determine whether to authorize the new network device based on an access management policy or a control input received from the manager. When a new network device is authorized, the policy server 43 may register the new network device in the network 1 and include the address information of the new network device in the device information in the database 431. Additionally, the policy server 43 may transmit information indicating whether a new network device is authorized or not to the management device 13.
  • when the control unit 133 receives authorization information (authorized/not authorized) for a new network device from the policy server 43, it can block the new network device's access to the network 1 depending on whether the device is authorized. If the new network device is an unauthorized device, the control unit 133 uses a modulated ARP response packet to alter, in the ARP table of the unauthorized network device, the MAC addresses of the network devices belonging to the same subnet as the unauthorized network device into meaningless MAC addresses. That is, the control unit 133 generates a modulated ARP response packet that modulates the MAC address of each network device in the same subnet as the unauthorized network device into a meaningless address, and can transmit it to the subnet to which the unauthorized network device belongs. The unauthorized network device that receives it updates its ARP table with the address information obtained from the modulated ARP response packet, which prevents the unauthorized network device from learning the correct MAC address of each network device.
  • the control unit 133 may block the unauthorized network device from accessing network devices outside its own subnet by modifying the MAC address of the gateway in the ARP table of the unauthorized network device into a meaningless address. That is, the control unit 133 transmits an ARP response packet that modulates the MAC address of the gateway (e.g., the L3 switch 12) into a meaningless MAC address, so that the gateway's MAC address in the ARP table of the unauthorized network device is altered into a meaningless MAC address. Accordingly, the unauthorized network device may be blocked from communicating not only with the other network devices in its own subnet but also with the network devices in other subnets that must be reached through the gateway.
  • the control unit 133 may also block unauthorized network devices from accessing other network devices using an ARP modulation and packet forwarding method.
  • the control unit 133 may transmit, to the subnet to which the unauthorized network device belongs, an ARP response packet that modulates the MAC address of the gateway in the ARP table of the unauthorized network device into the MAC address of the management device 13. Accordingly, the MAC address of the gateway in the ARP table of the unauthorized network device is modulated into the MAC address of the management device 13, and packets transmitted by the unauthorized network device can be delivered to the management device 13 rather than to the gateway. Since the management device 13 already knows that the network device in question is unauthorized, when it receives a packet from the unauthorized network device it can discard the packet and so block the unauthorized network device's communication.
  • the control unit 133 may analyze received packets to check whether the address of a network device has been stolen (IP address theft, MAC address theft, or theft of both the IP address and the MAC address).
  • the control unit 133 compares the source address information of received packets with the address information of the devices registered in the policy server 43 to detect a network device that has stolen an IP address or MAC address. If the source address information extracted from a collected packet has the same IP address as a network device already registered in the policy server 43 but a different MAC address, the network device that transmitted the packet can be determined to have stolen the IP address. Likewise, if the source address information extracted from a collected packet has the same MAC address as a network device already registered in the policy server 43 but a different IP address, the network device that transmitted the packet can be determined to have stolen the MAC address.
  • the control unit 133 may detect network devices that have stolen IP and MAC addresses by analyzing ARP probe packets transmitted from each network device.
  • ARP probe packets are specified in the IPv4 Address Conflict Detection (ACD) proposed standard.
  • in ACD, the ARP probe packet is a packet a host uses to check whether its IP address is already in use within the network to which it belongs, and it serves to prevent IP address collisions.
  • the host sets the ARP opcode to 1, broadcasts the ARP probe packet as an ARP request within its network, and waits for a response packet (a packet with ARP opcode 2).
  • the host can set the source MAC address of the ARP probe packet header to its own MAC address and the source IP address to 0.0.0.0.
  • the host can set the destination MAC address of the ARP probe packet header to 00:00:00:00:00:00 and the destination IP address to its own IP address. Because the source IP address is 0.0.0.0, these ARP probe packets do not update the ARP tables of the other hosts in the same network, which is how IP address collisions are avoided.
  • each network device repeatedly broadcasts ARP probe packets when its IP address changes. Accordingly, a thief device that changes its IP address and MAC address by copying the address data of another network device also broadcasts an ARP probe packet within the network to which the cloned IP address belongs.
  • an ARP probe packet (ARP request) transmitted by a network device (host) may include the IP address and MAC address of the network device that transmitted it. Accordingly, when an ARP probe packet transmitted as an ARP request is received from a network device, the control unit 133 can detect the IP address and MAC address of the corresponding network device from the received ARP probe packet. The control unit 133 then compares the detected IP address and MAC address with the address information registered in the policy server 43 and can determine whether the device is a thief device that copies and uses the IP address and MAC address of another network device.
  • each network device may transmit ARP probe packets not only when its IP address changes but also when a network interface transitions from an inactive state to an active state, when the device returns from sleep mode to normal mode, when its link status with the network 1 changes (for example, the connection status of an Ethernet cable), or when an 802.11 wireless interface associates with a new base station.
  • a normal network device that is not a thief device can also repeatedly broadcast ARP probe packets when its connection to the network changes from offline to online.
  • the control unit 133 may additionally check the status information of the network device that transmitted the ARP probe packet in order to prevent a normal network device from being mistakenly recognized as a thief device. If address information identical to the address information newly collected from the ARP probe packet is already registered in the policy server 43, the control unit 133 additionally checks the status information that the corresponding network device had before the ARP probe packet was received, and makes the final decision on whether the address has been stolen. That is, if the status information of the corresponding network device indicated an offline state before the control unit 133 received the ARP probe packet, the control unit 133 determines that the received ARP probe packet was transmitted by a normal device whose connection state with the network 1 has switched to online, and can finally determine that the corresponding network device is a normal network device rather than a thief device.
  • the control unit 133 may notify the policy server 43 that an address theft event has occurred. Additionally, based on the policy information received from the policy server 43, the control unit 133 can block the detected thief device from accessing the network 1. For example, when a thief device is detected, the control unit 133 may block the thief device's use of the network by transmitting a network use blocking packet (an ARP probe reply packet).
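The address-theft check described above, as an added example that is not part of the patent: a small Python parser for the ARP body classifies an RFC 5227 probe (the IPv4 ACD proposed standard) against a device inventory that also records each device's last known status, so that a registered device coming back online is not mistaken for a thief device, while the same comparison serves the plain source-address check on ordinary packets. The inventory, device addresses and sample probes are constructed for this example.

```python
import struct
from dataclasses import dataclass

ARP_REQUEST = 1
ZERO_MAC = "00:00:00:00:00:00"
# Ethernet/IPv4 ARP body: hwtype, ptype, hlen, plen, opcode, SHA, SPA, THA, TPA
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes

@dataclass
class ArpFields:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

@dataclass
class Device:
    mac: str
    status: str  # "online" / "offline", as tracked by the control unit

def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)
def mac_bytes(s: str) -> bytes: return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s: str) -> bytes: return bytes(int(x) for x in s.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a raw ARP body; used here only to construct sample packets."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(payload: bytes) -> ArpFields:
    """Parse the ARP body that follows the Ethernet header."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    hwtype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (hwtype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpFields(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))

def is_arp_probe(a: ArpFields) -> bool:
    """RFC 5227 probe: ARP request, sender IP 0.0.0.0, target MAC all zeros."""
    return (a.opcode == ARP_REQUEST and a.sender_ip == "0.0.0.0"
            and a.target_mac == ZERO_MAC)

def classify_address(ip: str, mac: str, registry: dict, from_probe=False) -> str:
    """Compare an (IP, MAC) pair with the registered devices. For a probe that
    carries an already registered pair, the last known status decides: offline
    means the device is simply rejoining, online means a second host is
    announcing the same addresses."""
    entry = registry.get(ip)
    mac_known = any(d.mac == mac for d in registry.values())
    if entry is None and not mac_known:
        return "new-device"
    if entry is not None and entry.mac != mac:
        return "ip-theft"   # registered IP announced with a foreign MAC
    if entry is None:
        return "mac-theft"  # registered MAC announced with a foreign IP
    if not from_probe:
        return "registered"
    return "rejoin" if entry.status == "offline" else "ip-mac-theft"

def classify_probe(payload: bytes, registry: dict) -> str:
    a = parse_arp(payload)
    if not is_arp_probe(a):
        return "not-a-probe"
    # In a probe the host's MAC is the sender MAC and the IP it claims is the
    # target IP; the sender IP is 0.0.0.0 by definition.
    return classify_address(a.target_ip, a.sender_mac, registry, from_probe=True)

# Constructed inventory standing in for the policy server's device information.
REGISTRY = {
    "10.0.20.11": Device("02:00:00:00:20:11", "online"),   # in-house terminal
    "10.0.20.12": Device("02:00:00:00:20:12", "offline"),  # in-house terminal
    "10.0.30.31": Device("02:00:00:00:30:31", "online"),   # CCTV
}

def demo() -> dict:
    """Constructed probes, keyed by the verdict the text would reach."""
    def probe(mac, ip):
        return build_arp(ARP_REQUEST, mac, "0.0.0.0", ZERO_MAC, ip)
    samples = {
        "rejoin": probe("02:00:00:00:20:12", "10.0.20.12"),        # offline device returns
        "ip-mac-theft": probe("02:00:00:00:20:11", "10.0.20.11"),  # clone of an online device
        "ip-theft": probe("02:00:00:00:ee:ee", "10.0.30.31"),      # CCTV's IP, foreign MAC
        "mac-theft": probe("02:00:00:00:30:31", "10.0.30.99"),     # CCTV's MAC, foreign IP
        "new-device": probe("02:00:00:00:ff:01", "10.0.20.77"),
        "not-a-probe": build_arp(ARP_REQUEST, "02:00:00:00:20:11", "10.0.20.11",
                                 ZERO_MAC, "10.0.20.1"),  # ordinary ARP request
    }
    return {expected: classify_probe(p, REGISTRY) for expected, p in samples.items()}
```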
  • the management device 13 detects such illegal address theft and blocks the thief device from accessing other network devices in advance, so that attempts to intrude into the network 1 by stealing the address of a public system can be blocked.
  • Figure 3 schematically shows a method of controlling access between network devices in the network 1 according to an embodiment.
  • the method of FIG. 3 may be performed by the access control system 100 described with reference to FIG. 2.
  • when the management device 13 starts operating, it can obtain the status information and address information of each network device registered in the network 1 (S11).
  • the management device 13 may obtain status information and address information of each network device by transmitting an ARP request packet.
  • the management device 13 may generate, for each network device, an ARP request packet including the IP address of the network device as destination address information and transmit it to the subnet to which the network device belongs.
  • the control unit 133 may determine status information of the corresponding network device based on whether an ARP response packet for the transmitted ARP request packet is received.
  • when the management device 13 transmits an ARP request packet to the network devices and receives an ARP response packet, it can also obtain the address information (IP address and MAC address) of each network device from the source address information of the received ARP response packet.
  • the management device 13 can use an ARP packet to modify the MAC addresses of the network devices and gateways requiring access control in the ARP table of each network device (S12).
  • the management device 13 may modulate, in the ARP table of each in-house terminal 22, the MAC addresses of the other in-house terminals 22 into meaningless addresses in order to block communication between the in-house terminals 22. To this end, the management device 13 may generate a modulated ARP response packet for modulating the MAC address of each in-house terminal 22 in the ARP tables. Each modulated ARP response packet may include, as source address information, the IP address of the corresponding in-house terminal 22 and the modulated MAC address (a MAC address unsuitable for communication). The management device 13 may transmit the ARP response packet generated in this way to the subnet 20 to which the corresponding in-house terminal 22 belongs.
  • accordingly, the corresponding MAC addresses in the ARP tables of the in-house terminals 22 belonging to the corresponding subnet 20 are modulated into MAC addresses with which communication is not possible, thereby blocking access by the other in-house terminals to the corresponding in-house terminal 22.
  • the management device 13 can block all direct communication between the in-house terminals 22 by changing, in the ARP table of each in-house terminal 22, the MAC addresses of all other in-house terminals to addresses that do not allow communication.
  • the management device 13 may modulate the MAC address of the gateway in the ARP table of each network device 22 into the MAC address of the management device 13 in order to restrict access between the different subnets 20, 30, and 40. To this end, the management device 13 may transmit, to the subnet to which each network device belongs, a modulated ARP response packet containing as source address information the IP address of the actual gateway (the IP address of the L3 switch 12) and the MAC address of the management device 13. Accordingly, the MAC address of the gateway in the ARP table of each network device may be modulated into the MAC address of the management device 13.
  • when each network device wants to forward a packet outside the subnet to which it belongs, it transmits the packet using the MAC address of the management device 13 rather than that of the gateway, so the transmitted packet can be received by the management device 13 instead of the gateway.
  • the management device 13 can receive packets transmitted by network devices belonging to each subnet to other networks (eg, other subnets) on behalf of the gateway (S13).
  • the management device 13 can analyze the packet to determine whether the network device that transmitted the packet, that is, the source of the packet, is a new network device (S14).
  • the management device 13 may obtain the source address information (source IP address and source MAC address) from the received packet and compare it with the address information of the network devices previously registered in the policy server 43. If the management device 13 does not find address information identical to the source address information obtained from the received packet among the address information of the previously registered network devices, it can determine that the source of the packet is a new device newly connected to the network 1. If the management device 13 does find address information identical to the source address information obtained from the received packet among the address information of the pre-registered network devices, it can determine that the source of the packet is a network device already registered in the network 1.
  • when step S14 determines that the packet source is a network device already registered in the network 1, the management device 13 determines whether to block the received packet based on the access management policy received from the policy server 43 (S15).
  • in step S15, the management device 13 extracts the source IP address and destination IP address from the received packet and checks whether the policy for allowing communication between VLAN bands (or subnet bands) is set to allow communication between the subnet to which the source IP address belongs and the subnet to which the destination IP address belongs.
  • if the communication permission policy prohibits communication between the VLAN band (subnet band) to which the source IP address belongs and the VLAN band (subnet band) to which the destination IP address belongs (for example, when the in-house terminal 22 attempts to connect to an in-house terminal 22 belonging to another building, that is, another subnet 20), the management device 13 may determine that the packet needs to be blocked.
  • if the communication permission policy allows communication between the VLAN band (subnet band) to which the source IP address belongs and the VLAN band (subnet band) to which the destination IP address belongs (for example, when the in-house terminal 22 attempts to connect to a network device commonly used within the apartment complex, e.g., the CCTV 31, parking management system 32, complex entrance door 33, common front door 34, etc.), the management device 13 can determine that the packet does not need to be blocked.
  • when the packet needs to be blocked (S16), the management device 13 may block the communication by discarding the packet (S17). On the other hand, when the packet does not need to be blocked (S16), the management device 13 forwards the packet to the actual gateway (e.g., the L3 switch 12) (S18), so that the packet can be delivered normally to the destination.
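The gateway-proxy decision of steps S14 to S18 (and the same check performed by the control unit 133 earlier in the description), as an added example that is not part of the patent: a Python policy evaluator maps the source and destination IP addresses of a packet received in place of the gateway to their subnet bands and forwards or discards according to an allow-list between bands, after first checking that the source is a registered device. The subnet layout, the policy, the device registry and the packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed layout: one subnet band per building plus a shared-services band.
SUBNETS = {
    "building-A": ipaddress.ip_network("10.0.20.0/24"),
    "building-B": ipaddress.ip_network("10.0.21.0/24"),
    "common": ipaddress.ip_network("10.0.30.0/24"),  # CCTV, parking, doors
}

# Communication-permission policy between bands; any pair not listed is denied.
# Households reach the common services and the Internet, never another household.
ALLOW = {
    ("building-A", "common"), ("building-B", "common"),
    ("common", "building-A"), ("common", "building-B"),
    ("building-A", "internet"), ("building-B", "internet"),
}

# Constructed device information (IP -> MAC) standing in for the policy server's.
REGISTRY = {
    "10.0.20.11": "02:00:00:00:20:11",  # in-house terminal, building A
    "10.0.21.21": "02:00:00:00:21:21",  # in-house terminal, building B
    "10.0.30.31": "02:00:00:00:30:31",  # CCTV
}

@dataclass
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str

@dataclass(frozen=True)
class Decision:
    action: str  # "forward", "discard" or "new-device"
    reason: str

def band_of(ip: str) -> str:
    """Map an IP address to its subnet band; anything unmanaged counts as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "internet"

def decide(pkt: Packet, registry=REGISTRY, allow=ALLOW) -> Decision:
    """Decide the fate of a packet the management device received in place of the gateway."""
    # S14: a source whose (IP, MAC) pair is not registered is treated as a new
    # device and handed to the policy server for authorization.
    if registry.get(pkt.src_ip) != pkt.src_mac:
        return Decision("new-device", f"{pkt.src_ip}/{pkt.src_mac} is not registered")
    src_band, dst_band = band_of(pkt.src_ip), band_of(pkt.dst_ip)
    # S15: is communication from the source band to the destination band permitted?
    if (src_band, dst_band) in allow:
        return Decision("forward", f"{src_band}->{dst_band} permitted, forward to gateway (S18)")
    return Decision("discard", f"{src_band}->{dst_band} not permitted, discard (S17)")

def demo() -> dict:
    """The cases the text distinguishes, on constructed packets."""
    cases = {
        "household to CCTV": Packet("10.0.20.11", "02:00:00:00:20:11", "10.0.30.31"),
        "household to other building": Packet("10.0.20.11", "02:00:00:00:20:11", "10.0.21.21"),
        "household to internet": Packet("10.0.21.21", "02:00:00:00:21:21", "203.0.113.10"),
        "unregistered source": Packet("10.0.20.99", "02:00:00:00:ab:cd", "10.0.30.31"),
    }
    return {name: decide(p).action for name, p in cases.items()}
```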
  • when the source of the packet is a new network device, the management device 13 may transmit the address information of the new network device to the policy server 43 and notify it of the detection of the new network device.
  • the policy server 43, which has been notified of the detection of a new network device by the management device 13, can determine whether to authorize the new network device based on the policy or on a control input from the manager (S19). If the new network device is an authorized device (S20), the policy server 43 registers the new network device in the network 1 (S21) and includes the address information of the new network device in the device information of the database 431.
  • when the policy server 43 determines whether to authorize the new network device, it can transmit information on whether the new network device is authorized to the management device 13. If the new network device is an unauthorized device (S20), the management device 13 that has received this information may block the unauthorized device's access to the network 1 (S22).
  • in step S22, the management device 13 may use a modulated ARP response packet to modulate, in the ARP table of the unauthorized network device, the MAC addresses of the network devices belonging to the same subnet as the unauthorized network device into meaningless MAC addresses with which communication is not possible. Accordingly, the unauthorized network device cannot determine the correct MAC addresses of the other network devices in its subnet, and its communication with them is blocked.
  • the management device 13 may modulate the MAC address of the gateway into a meaningless address in the ARP table of the unauthorized network device using a modified ARP response packet. Accordingly, unauthorized network devices may be blocked from communicating not only with other network devices in the subnet to which they belong, but also with network devices in other subnets that must be accessed through a gateway.
  • the management device 13 may block unauthorized network devices from accessing other network devices using ARP packet modulation and packet forwarding methods.
  • the management device 13 may transmit, to the subnet to which the unauthorized network device belongs, an ARP response packet that changes the MAC address of the gateway in the ARP table of the unauthorized network device to the MAC address of the management device 13. Accordingly, packets transmitted by the unauthorized network device are delivered to the management device 13 rather than to the gateway, and since the management device 13 already knows that the network device is unauthorized, it can discard the packets received from it.
  • Figure 4 schematically shows a method of blocking access of an address theft device to a network 1 according to an embodiment.
  • the method of FIG. 4 may be performed by the access control system 100 described with reference to FIG. 2.
  • the management device 13 can analyze each packet to determine whether the addresses of the network devices that transmitted the packets have been stolen (S32).
  • the management device 13 may detect a network device that has stolen an IP address or MAC address by comparing the source address information of the collected packets with the address information of the devices registered in the policy server 43. If the source address information extracted from a collected packet has the same IP address as a network device already registered in the policy server 43 but a different MAC address, the network device that transmitted the packet can be determined to have stolen the IP address. Likewise, if the source address information extracted from a collected packet has the same MAC address as a network device already registered in the policy server 43 but a different IP address, the network device that transmitted the packet can be determined to have stolen the MAC address.
  • the management device 13 may detect network devices that have stolen IP and MAC addresses by analyzing ARP probe packets transmitted from each network device.
  • the management device 13 may obtain the IP address and MAC address of the corresponding network device from an ARP probe packet transmitted as an ARP request by the network device.
  • the management device 13 compares the obtained IP address and MAC address with the address information registered in the policy server 43 and can determine whether the device is a thief device that duplicates and uses the IP address and MAC address of another network device.
  • the management device 13 may additionally check the status information of the network device that transmitted the ARP probe packet in order to prevent a normal network device from being mistakenly recognized as a rogue device.
  • if the status information of the corresponding network device indicated an offline state before the ARP probe packet was received, the received ARP probe packet is determined to have come from a normal device whose connection state with the network 1 has switched to online, and the corresponding network device can be finally determined to be a normal network device rather than a thief device.
  • the management device 13 may notify the policy server 43 that the address theft device has been detected (S34). Additionally, based on the policy information received from the policy server 43, access to the network 1 of the detected address theft device can be blocked (S35). For example, when an address thief device is detected, the control unit 133 may block network use of the thief device by transmitting a network use blocking packet (a response packet to an ARP probe packet).
  • if the management device 13 confirms in step S32 that the network device is not an address theft device (S33), it can process the packets received from that network device according to the set policy (S36). For example, the packets may be processed through steps S14 to S22 of FIG. 3.
  • the access control system 100 uses modulated ARP packets to modulate the MAC addresses that each in-house terminal 22 holds for the other in-house terminals 22 into addresses with which communication is not possible, so that direct communication between the terminals 22 registered in the same subnet 20 can be effectively blocked.
  • the access control system 100 modifies the MAC address of the gateway held by each network device to the MAC address of the management device 13, so that the management device 13 receives packets on behalf of the gateway and then discards or forwards them according to the policy; in this way, access between subnets that are not permitted to communicate with each other (for example, the subnets 20 to which in-house terminals 22 of different households are connected) can also be effectively blocked.
  • packets collected by the management device 13 of the access control system 100 may be analyzed to detect and block access of unauthorized network devices or address theft devices in advance.
  • Computer-readable media includes all types of recording devices that store data that can be read by a computer system. Examples of computer-readable media include HDD (Hard Disk Drive), SSD (Solid State Disk), SDD (Silicon Disk Drive), ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc. This also includes those implemented in the form of carrier waves (e.g., transmission via the Internet). Additionally, the computer may include a terminal control unit. Accordingly, the above detailed description should not be construed as restrictive in all respects and should be considered illustrative. The scope of the present invention should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of the present invention are included in the scope of the present invention.

Abstract

According to the present invention, a method of controlling access in a network comprising a plurality of in-house terminals located in different households may comprise the steps of: transmitting ARP request packets to the plurality of in-house terminals; acquiring address information of the plurality of in-house terminals by analyzing first ARP response packets received in response to the ARP request packets; generating second ARP response packets in which MAC addresses are modulated; and modulating the MAC addresses of the respective in-house terminals in the ARP tables of the plurality of in-house terminals by transmitting the second ARP response packets to the plurality of in-house terminals. The second ARP response packets may be ARP response packets comprising, as source address information, the IP addresses of the in-house terminals whose MAC addresses are to be modulated in the respective ARP tables together with the modulated MAC addresses, and the modulated MAC addresses may be MAC addresses through which communication is impossible.
PCT/KR2022/012964 2022-08-03 2022-08-30 Système de contrôle d'accès dans un réseau et procédé associé WO2024029658A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020220096889A KR102510093B1 (ko) 2022-08-03 2022-08-03 네트워크에서의 접근 통제 시스템 및 그 방법
KR10-2022-0096889 2022-08-03

Publications (1)

Publication Number Publication Date
WO2024029658A1 true WO2024029658A1 (fr) 2024-02-08

Family

ID=85502905

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2022/012964 WO2024029658A1 (fr) 2022-08-03 2022-08-30 Système de contrôle d'accès dans un réseau et procédé associé

Country Status (2)

Country Link
KR (1) KR102510093B1 (fr)
WO (1) WO2024029658A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102628441B1 (ko) * 2023-07-17 2024-01-23 스콥정보통신 주식회사 네트워크 보호 장치 및 그 방법

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20050029800A (ko) * 2003-09-23 2005-03-29 주식회사 신텔정보통신 네트워크 접속 제어 방법
KR20050052018A (ko) * 2003-11-28 2005-06-02 한국전자통신연구원 고속의 패킷 포워딩을 위한 주소 번역 프로토콜 테이블관리방법 및 관리장치
US20050198383A1 (en) * 2003-12-31 2005-09-08 Laurence Rose Printer discovery protocol system and method
KR100528171B1 (ko) * 2005-04-06 2005-11-15 스콥정보통신 주식회사 네트워크 상에서 특정 아이피 주소 또는 특정 장비를보호/차단하기 위한 아이피 관리 방법 및 장치
KR20120058188A (ko) * 2010-11-29 2012-06-07 주식회사 케이티 무선인터넷 서비스의 온라인 개통 방법 및 그 시스템

Also Published As

Publication number Publication date
KR102510093B1 (ko) 2023-03-14

Similar Documents

Publication Publication Date Title
CA2600760C (fr) Security for mobile devices in a wireless network
WO2012153913A1 (fr) Method for defending against a spoofing attack using a blocking server
WO2017091047A1 (fr) Connection blocking method in a wireless intrusion prevention system and associated device
WO2022235007A1 (fr) Controller-based network access control system and method therefor
US20040213237A1 (en) Network authentication apparatus and network authentication system
US20040141617A1 (en) Public access point
WO2010128747A1 (fr) Method and device for enhancing security in the ZigBee wireless communication protocol
US20060015714A1 (en) Authentication system, network line concentrator, authentication method and authentication program
WO2021071032A1 (fr) Method and apparatus for device access control for the Internet of Things
WO2015034241A1 (fr) Method and system for configuring a smart home gateway firewall
MXPA06013129A (es) Automated containment of an intruder in networks
WO2013085217A1 (fr) Security management system having multiple relay servers, and security management method
WO2011136610A2 (fr) Improvements to multi-destination traffic management
WO2024029658A1 (fr) Access control system in a network and associated method
WO2010068018A2 (fr) Method for configuring a closed user network using an IP tunneling mechanism, and closed user network system
WO2022255619A1 (fr) Wireless intrusion prevention system and operating method thereof
WO2016076574A1 (fr) Apparatus and method for identifying terminal information
JP4253520B2 (ja) Network authentication device and network authentication system
WO2020009369A1 (fr) System and method for providing security for end-to-end communication
WO2016200232A1 (fr) System and method for a remote server in case of failure of a recovery server
WO2019182219A1 (fr) Blockchain-based trusted network system
JP4750750B2 (ja) Packet transfer system and packet transfer method
WO2022265265A1 (fr) Method and apparatus for detecting and blocking an illegal device in a wired/wireless network
WO2023038224A1 (fr) Apparatus and method for managing a terminal in a network
WO2024071535A1 (fr) SaaS-based database access control gateway service system and method

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22954113

Country of ref document: EP

Kind code of ref document: A1