A node according to an embodiment disclosed in the present document may comprise a communication circuit, a processor operatively connected to the communication circuit, and a memory which is operatively connected to the processor and stores a reception application and an access control application, wherein the memory stores instructions causing, when executed by the processor, the node to: detect a network reception event from a source network through the access control application; through the access control application, identify the presence or absence of a data flow which is applied from an external server and corresponds to a destination service port included in a data packet from the source network; and through the access control application, request network reception from the external server on the basis of the presence or absence of the applied data flow and whether the applied data flow includes identification information of the source network.
A node according to an embodiment disclosed in the present document may store instructions which cause the node to: detect a network access event through an access control application; transmit a domain name system (DNS) query request packet to a first external server through the access control application; receive a DNS query result from the first external server, wherein the DNS query result includes domain information and IP information; and transmit a domain validation request or a network access request including the domain information to a second external server on the basis of whether a data flow corresponding to the IP information exists, through the access control application.
A node according to an embodiment disclosed in the present document may store instructions for: performing a network access request to an external server through an access control application, the network access request including identification information of a target application and identification information of a destination network; receiving a data flow from the external server through the access control application, the data flow corresponding to identification information of the node and the identification information of the destination network and including information about whether a data packet can be transmitted through a virtual router; and transmitting a data packet of the target application on the basis of the received data flow, through the access control application. The virtual router may be included in a switch to which the node transmits the data packet.
A node according to an embodiment disclosed in the present document may store instructions that cause the node to: determine a communication protocol on the basis of whether the operating system transport layer can be accessed through an access control application; transmit, on the basis of the determined communication protocol, an authentication data packet including first authentication information stored in the access control application to an external server, and request authentication; receive an authentication result for the authentication data packet from the external server; and change an authentication state of a control data packet on the basis of the received authentication result. When a control data processing request is made to the external server, it is made on the basis of the control data packet having the changed authentication state.
H04L 69/165 - Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]; combined use of TCP and UDP protocols; selection criteria therefor
H04L 69/22 - Parsing or evaluating headers
5. SYSTEM FOR CONTROLLING NETWORK ACCESS OF APPLICATION ON BASIS OF DATA FLOW, AND METHOD RELATING TO SAME
A network system according to an embodiment disclosed in the present disclosure includes a node, a destination network, a network node, and a server. The node is configured to: transmit or drop a data packet, by means of an access control application, depending on whether a data flow exists; when a termination event of the target application or of the access control application is identified, delete the data flow corresponding to the identification information of the ended application; and transmit a list of the deleted data flows to the server. The server is configured to transmit the list of the deleted data flows to the network node and to collect a network node policy from the node. The network node is configured to process data packets corresponding to the list of deleted data flows so that they are no longer forwarded.
According to an embodiment disclosed in the specification, a network node may include a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory. The processor may receive, from a server, a data flow including a node IP, a destination network IP, and port information, which are created to allow creation of a TCP session between a source node and a destination network, may monitor a data packet broadcast or multicast from the source node at a network boundary, may transmit an IP blocking data packet to the source node when there is no data flow corresponding to a source IP of the data packet received through the monitoring, or may transmit a TCP data packet for forcibly terminating a TCP session to the source node when there is no data flow corresponding to a destination IP and destination port information of the data packet received through the monitoring.
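The boundary enforcement described in the two abstracts above (server-issued data flows, a deleted-flow list relayed by the server, and the two responses of the network node), as an added Python example that is not code from the listed patents or their assignee. The packet fields, the action names and the handling of non-TCP packets are assumptions made for the illustration:

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DataFlow:
    """A flow pushed by the server: which node IP may reach which IP:port."""
    node_ip: str
    dest_ip: str
    dest_port: int


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet observed at the network boundary."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NetworkNode:
    """Enforces server-issued data flows on packets crossing the boundary."""

    def __init__(self) -> None:
        # source IP -> set of (destination IP, destination port) it may reach
        self._allowed: Dict[str, Set[Tuple[str, int]]] = {}

    def apply_flows(self, flows: Iterable[DataFlow]) -> None:
        """Install data flows received from the server."""
        for f in flows:
            self._allowed.setdefault(f.node_ip, set()).add((f.dest_ip, f.dest_port))

    def revoke_flows(self, deleted: Iterable[DataFlow]) -> None:
        """Process the list of deleted data flows the server relays from a node."""
        for f in deleted:
            targets = self._allowed.get(f.node_ip)
            if targets is None:
                continue
            targets.discard((f.dest_ip, f.dest_port))
            if not targets:
                del self._allowed[f.node_ip]

    def monitor(self, pkt: Packet) -> Optional[str]:
        """Return the control action for an observed packet, or None to forward it.

        "IP_BLOCK": the source IP has no data flow at all.
        "TCP_RST":  the source is known but no flow covers this dest IP:port,
                    so a TCP packet is sent to force the session to terminate.
        "DROP":     same condition for a non-TCP packet; there is no session to
                    reset (an assumption of this example, not from the abstract).
        """
        targets = self._allowed.get(pkt.src_ip)
        if targets is None:
            return "IP_BLOCK"
        if (pkt.dst_ip, pkt.dst_port) not in targets:
            return "TCP_RST" if pkt.proto == "tcp" else "DROP"
        return None


def demo() -> List[Optional[str]]:
    """Run constructed flows and packets through the node; returns the actions."""
    node = NetworkNode()
    node.apply_flows([
        DataFlow("10.0.0.5", "10.1.0.20", 443),
        DataFlow("10.0.0.5", "10.1.0.21", 22),
    ])
    observed = [
        Packet("10.0.0.5", "10.1.0.20", 443),        # covered -> forward (None)
        Packet("10.0.0.5", "10.1.0.22", 3389),       # known source, no flow -> RST
        Packet("10.0.0.9", "10.1.0.20", 443),        # unknown source -> IP block
        Packet("10.0.0.5", "10.1.0.22", 53, "udp"),  # non-TCP, no flow -> drop
    ]
    actions = [node.monitor(p) for p in observed]
    # The node that owned the first flow reports it deleted; the server relays
    # the list here, and the same packet is no longer forwarded.
    node.revoke_flows([DataFlow("10.0.0.5", "10.1.0.20", 443)])
    actions.append(node.monitor(observed[0]))
    return actions


if __name__ == "__main__":
    print(demo())  # [None, 'TCP_RST', 'IP_BLOCK', 'DROP', 'TCP_RST']
```

The lookup is keyed by source IP first so that the two outcomes the abstract distinguishes stay separate: a source with no flow at all is blocked outright, while a source that is known but reaching outside its flows only has the offending session reset. Revocation removes the source key entirely once its last flow is gone, so a packet from that source falls back to the IP-block case rather than a reset.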
A gateway, according to one embodiment disclosed in the present document, comprises a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor is configured to: receive a service request from a node; identify the presence of a data flow that corresponds to the service request and is authorized from an external server; when the data flow is present, generate protection information to be inserted into the service request on the basis of protection information included in the data flow; and insert the protection information, to be inserted into the service request, into the service request so as to forward same to a service server. The protection information may include at least one of protection information related to the node generated by the external server and protection information removed from the gateway when returning a service request result to the node.
A gateway according to an embodiment disclosed in the present document may comprise a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor is configured to: receive a service request from a node; identify the existence of a data flow which corresponds to the service request and is authorized from an external server; identify whether a protection information token included in the service request corresponds to the data flow; when the protection information token corresponds to the data flow, generate, on the basis of the data flow, protection information which corresponds to the protection information token and is to be inserted into the service request; and insert, into the service request, the protection information to be inserted into the service request, and forward same to a service server, and the protection information token is configured to be identification information processed by the gateway to maintain a flow of information to be protected between the service server and an authorized subject.
Disclosed is a gateway which includes a communication circuit, a memory, and a processor operatively connected with the communication circuit and the memory. The processor receives a data packet of a node through a network processing layer; identifies whether there is a data flow corresponding to the data packet of the node and authorized from an external server; inspects authentication information of the data packet when the authentication information included in the data flow indicates that such an inspection is needed; generates, based on the data packet, data flow identification information that can be identified by an application processing layer and forwards the data packet to the application processing layer; and processes the forwarded data packet based on the data flow identification information by means of the application processing layer.
Disclosed is a gateway which includes a communication circuit, a memory, and a processor operatively connected with the communication circuit and the memory. The processor receives a service request from a node; identifies whether the service request is received through at least one of a tunnel authorized by an external server, a security session, or a logical connection; identifies whether there is a data flow corresponding to the service request and authorized by the external server; generates authentication information to be inserted into the service request, based on authentication information included in the data flow; and inserts the generated authentication information and information associated with the node into the service request and forwards the service request to a service server.
Disclosed is a gateway which includes a communication circuit, a memory, and a processor operatively connected with the communication circuit and the memory. The processor receives a data packet of a node through a network processing layer; identifies whether there is a data flow corresponding to the data packet of the node and authorized from an external server; inspects authentication information of the data packet when the authentication information included in the data flow indicates that such an inspection is needed; and inserts into the data packet data flow identification information that can be identified by an application processing layer, then forwards the data packet to the application processing layer.
According to an embodiment disclosed in the present document, a gateway may comprise a communication circuit, a memory, and a processor operatively coupled with the communication circuit and the memory, wherein the processor is configured to: receive a data packet for a service request from a node; identify whether a data flow corresponding to the data packet exists; when it is identified that the data flow exists, forward the data packet to a destination network of the data packet; when it is identified that the data flow does not exist, forward the data packet to an external server; and after forwarding the data packet to the external server, receive information on the data flow from the external server according to an authentication result for the node.
H04L 41/28 - Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
H04L 12/66 - Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
According to an embodiment disclosed in the present document, a gateway comprises a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory, wherein the processor can be configured to: receive, from a node, a data packet for a service request; identify whether there is a channel corresponding to the data packet; forward the data packet to a destination network of the data packet if it is identified that there is a channel; forward the data packet to an external server if it is identified that there is no channel; and, after forwarding the data packet to the external server, receive information about the channel from the external server according to an authentication result for the node.
According to an embodiment disclosed in the present document, a gateway can be configured to: receive, from a node, a data packet for a service request; identify whether there is data flow authentication information corresponding to the data packet; forward the data packet to a destination network if it is identified that there is valid data flow authentication information; forward the data packet to an external server if it is identified that there is no valid data flow authentication information; and, after forwarding the data packet to the external server, receive information about a data flow, including the data flow authentication information, from the external server according to an authentication result for the node.
A node according to an embodiment disclosed in the present document comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory that is operatively connected to the processor and stores a target application and an access control application, wherein the memory may store instructions which, when executed by the processor, enable the node to: detect a data packet transmission event of the target application through the access control application; identify whether a data flow received from an external server and corresponding to the data packet that the target application is attempting to transmit is present; on the basis of protocol information included in the data flow, determine whether the protocol inspection of the data packet is to be performed autonomously or through the external server, and inspect the protocol accordingly; and when the protocol inspection of the data packet is completed, transmit the data packet.
A node includes a communication circuit, a processor, and a memory storing an access control application. The memory stores instructions that, when executed by the processor, cause the node to: detect a network access event for a destination network, via the access control application; identify, via the access control application, whether a data flow and a tunnel corresponding to the destination network and authorized from an external server exist; and transmit a data packet through the tunnel when the authorized data flow and the authorized tunnel exist. The tunnel is generated between the node and a gateway based on tunneling information received from the external server. The tunneling information indicates, among the tunnels and gateways listed by the external server on the basis of the node environment of the node and the network environment, the tunnels and gateways through which the node is able to tunnel.
A node includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a reception application and an access control application, and the memory stores instructions that, when executed by the processor, cause the node to detect an event of a network reception from a source network of the reception application through the access control application, to determine whether a data flow, which corresponds to identification information of the reception application, a service port, and the source network and is authorized from an external server exists, through the access control application, to receive a data packet using the communication circuit, when the authorized data flow exists and the reception application is attempting to receive, and to drop the data packet when the authorized data flow information does not exist or the reception application is not attempting to receive.
A node according to an embodiment disclosed in the present specification includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a target application and an access control application, and the memory stores instructions that, when executed by the processor, cause the node to: detect a network access event with respect to a destination network of the target application through the access control application; determine, through the access control application, whether a data flow and a tunnel which correspond to identification information of the target application and the destination network and are authorized from an external server exist; when the authorized data flow and the authorized tunnel exist, determine whether an inspection of a data packet of the target application is necessary based on data packet inspection information included in the authorized data flow; when the inspection is necessary, inspect the data packet based on a rule database included in the data packet inspection information; and forward the data packet based on the authorized data flow and the authorized tunnel when the inspection is not necessary or when the inspection succeeds.
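The node-side decision described in the preceding three abstracts (data flow keyed by application and destination, a tunnel that must already exist, an optional inspection against a rule database, and deletion of an ended application's flows), as an added Python example that is not code from the listed patents or their assignee. The flow fields, the regular-expression form of the rule database, the tunnel identifiers and the sample requests are assumptions made for the illustration:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DataFlow:
    """Authorization from the external server for one application/destination pair."""
    app_id: str
    dest_ip: str
    dest_port: int
    tunnel_id: str                 # tunnel (node <-> gateway) the flow must use
    inspect: bool = False          # data packet inspection information
    rules: Tuple[bytes, ...] = ()  # rule database: a match blocks the packet


class AccessControlApp:
    """Node-side access control application deciding per outgoing packet."""

    def __init__(self) -> None:
        self._flows: Dict[Tuple[str, str, int], DataFlow] = {}
        self._tunnels: Set[str] = set()   # tunnels currently established

    def apply_flow(self, flow: DataFlow) -> None:
        """Install a data flow received from the external server."""
        self._flows[(flow.app_id, flow.dest_ip, flow.dest_port)] = flow

    def tunnel_established(self, tunnel_id: str) -> None:
        """Record a tunnel generated with a gateway from the server's tunneling info."""
        self._tunnels.add(tunnel_id)

    def on_network_access(self, app_id: str, dest_ip: str, dest_port: int,
                          payload: bytes) -> str:
        """Decide what happens to one outgoing packet of a target application."""
        flow = self._flows.get((app_id, dest_ip, dest_port))
        if flow is None:
            return "drop:no-flow"          # nothing authorized for this triple
        if flow.tunnel_id not in self._tunnels:
            return "drop:no-tunnel"        # flow exists but its tunnel does not
        if flow.inspect:
            for rule in flow.rules:
                if re.search(rule, payload):
                    return "drop:inspection"
        return f"forward:{flow.tunnel_id}"

    def on_app_exit(self, app_id: str) -> List[DataFlow]:
        """Delete every flow of an ended application; the list is reported to the server."""
        deleted = [f for (a, _, _), f in self._flows.items() if a == app_id]
        for f in deleted:
            del self._flows[(f.app_id, f.dest_ip, f.dest_port)]
        return deleted


def demo() -> Dict[str, object]:
    """Constructed flows and packets run through the access control application."""
    aca = AccessControlApp()
    aca.apply_flow(DataFlow("browser", "10.1.0.20", 443, "tun-gw1",
                            inspect=True, rules=(rb"\.\./", rb"(?i)<script")))
    aca.apply_flow(DataFlow("ssh-client", "10.1.0.21", 22, "tun-gw2"))
    aca.tunnel_established("tun-gw1")  # tun-gw2 never comes up

    out: Dict[str, object] = {
        "clean": aca.on_network_access("browser", "10.1.0.20", 443,
                                       b"GET /index.html HTTP/1.1"),
        "traversal": aca.on_network_access("browser", "10.1.0.20", 443,
                                           b"GET /../../etc/passwd HTTP/1.1"),
        "no_tunnel": aca.on_network_access("ssh-client", "10.1.0.21", 22, b"SSH-2.0"),
        "unknown": aca.on_network_access("browser", "10.1.0.99", 80, b"GET /"),
    }
    out["deleted"] = len(aca.on_app_exit("browser"))
    out["after_exit"] = aca.on_network_access("browser", "10.1.0.20", 443,
                                              b"GET /index.html HTTP/1.1")
    return out


if __name__ == "__main__":
    print(demo())
```

The checks are ordered the way the abstract orders them: no flow, then no tunnel, then inspection, and only a packet that passes all three is forwarded. The inspection is deliberately driven by the rule database carried inside the flow, so the server can turn inspection on for one application/destination pair without touching the others.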
H04L 43/00 - Arrangements for monitoring or testing data switching networks
H04L 43/20 - Arrangements for monitoring or testing data switching networks, the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
19. SYSTEM FOR CONTROLLING NETWORK ACCESS AND METHOD THEREFOR
A node according to an embodiment disclosed in the present document is configured to: on the basis of a transmission protocol of a data packet of a target application and authentication information included in a data flow applied from an external server, insert the authentication information into the data packet of the target application and transmit it to a destination node through an access control application; receive a response to the data packet from the destination node; identify whether the response corresponds to the data flow; if the response corresponds to the data flow, allow a logical connection between the node and the destination node; and process the data packet on the basis of the logical connection, wherein the destination node may verify the authentication information inserted into the data packet and, upon determining that it is valid, use it to respond to the external server.
A node according to an embodiment disclosed herein may be configured to: transmit a data packet of a target application to a destination node through a connection control application by inserting first authentication information, included in a data flow applied from an external server, into the data packet of the target application on the basis of the first authentication information and a transmission protocol of the data packet of the target application; receive a response to the data packet from the destination node and check whether the response to the data packet corresponds to the data flow; check whether second authentication information included in the response to the data packet is valid when the response to the data packet corresponds to the data flow; and process the data packet on the basis of a logical connection between the node and the destination node by permitting the logical connection when the second authentication information is valid.
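The mutual check described in the two abstracts above (first authentication information inserted by the node, verified by the destination, which answers with second authentication information that the node verifies before permitting the logical connection), as an added Python example that is not code from the listed patents or their assignee. It assumes the authentication information is an HMAC over the flow identifier, a sequence number and the payload, with a key that the external server distributed to both endpoints inside the data flow; the packet layout, the replay check and the protocol-independent tagging of every packet are assumptions made for the illustration, and the abstracts' protocol-dependent placement of the information is not modelled:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class DataFlow:
    """Flow issued by the external server to both endpoints (key shared via it)."""
    flow_id: str
    dest_ip: str
    dest_port: int
    key: bytes   # secret behind the first/second authentication information


def auth_tag(key: bytes, direction: bytes, flow_id: str, seq: int, payload: bytes) -> bytes:
    """Authentication information: HMAC over direction, flow id, sequence and payload.

    The direction label keeps a request tag from being replayed as a response tag.
    """
    msg = b"|".join([direction, flow_id.encode(), seq.to_bytes(4, "big"), payload])
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class Node:
    """Source node: inserts first authentication information, checks the second."""

    def __init__(self, flow: DataFlow) -> None:
        self.flow = flow
        self.seq = 0
        self.connected = False   # logical connection permitted?

    def send(self, payload: bytes) -> Dict[str, object]:
        self.seq += 1
        tag = auth_tag(self.flow.key, b"req", self.flow.flow_id, self.seq, payload)
        return {"flow_id": self.flow.flow_id, "seq": self.seq,
                "payload": payload, "auth": tag}

    def on_response(self, resp: Optional[Dict[str, object]]) -> bool:
        """Permit the logical connection only if the response matches the flow
        and carries valid second authentication information."""
        if resp is None or resp["flow_id"] != self.flow.flow_id:
            return False
        expected = auth_tag(self.flow.key, b"resp", self.flow.flow_id,
                            resp["seq"], resp["payload"])
        if not hmac.compare_digest(expected, resp["auth"]):
            return False
        self.connected = True
        return True


class DestinationNode:
    """Destination: verifies the first authentication information, answers with the second."""

    def __init__(self) -> None:
        self.flows: Dict[str, DataFlow] = {}
        self.last_seq: Dict[str, int] = {}

    def apply_flow(self, flow: DataFlow) -> None:
        self.flows[flow.flow_id] = flow

    def receive(self, pkt: Dict[str, object]) -> Optional[Dict[str, object]]:
        flow = self.flows.get(pkt["flow_id"])
        if flow is None:
            return None   # no data flow for this packet: drop silently
        expected = auth_tag(flow.key, b"req", flow.flow_id, pkt["seq"], pkt["payload"])
        if not hmac.compare_digest(expected, pkt["auth"]):
            return None   # tampered or forged authentication information
        if pkt["seq"] <= self.last_seq.get(flow.flow_id, 0):
            return None   # replayed packet
        self.last_seq[flow.flow_id] = pkt["seq"]
        reply = b"accepted:" + pkt["payload"]
        return {"flow_id": flow.flow_id, "seq": pkt["seq"], "payload": reply,
                "auth": auth_tag(flow.key, b"resp", flow.flow_id, pkt["seq"], reply)}


def demo() -> Dict[str, bool]:
    """Constructed exchange: one good packet, then tampered, replayed and forged copies."""
    flow = DataFlow("flow-7", "10.1.0.20", 443, key=bytes(range(32)))
    node, dest = Node(flow), DestinationNode()
    dest.apply_flow(flow)

    good = node.send(b"hello")
    ok = node.on_response(dest.receive(good))

    tampered = dict(good, payload=b"hellp")          # payload changed, tag not
    replay = dict(good)                              # identical copy sent again
    stranger = Node(DataFlow("flow-7", "10.1.0.20", 443, key=b"\x00" * 32))
    forged = stranger.send(b"hello")                 # right flow id, wrong key
    return {
        "good": ok,
        "tampered": node.on_response(dest.receive(tampered)),
        "replay": node.on_response(dest.receive(replay)),
        "forged": node.on_response(dest.receive(forged)),
        "connected": node.connected,
    }
```

The destination drops silently on every failure, so a sender without a matching flow learns nothing about which check it failed, while the node only flips `connected` after the second authentication information verifies under the same flow key.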
A node according to an embodiment of the present disclosure includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and that stores a target application and an access control application, and the memory stores instructions that, when executed by the processor, cause the node to receive tunnel generation information necessary to generate a gateway and a tunnel from an external server, through the access control application, to request the gateway to generate the tunnel based on the tunnel generation information, through the access control application, to receive static IP information assigned to the node or each user of the node from the gateway, through the access control application, and to transmit the static IP information to the external server, through the access control application.
A node according to one embodiment disclosed in the present document stores instructions for: detecting a network access event through an access control application; confirming the presence of a data flow which corresponds to a data packet to be transmitted by a target application and is applied from an external server; confirming the type of the data packet; when the data packet is a TCP SYN packet, permitting its transmission on the basis of whether the TCP SYN packet may be transmitted; performing a network access authentication check after the TCP session is established, or when it is unnecessary to check the TCP SYN packet; and processing the data packets transmitted thereafter on the basis of the authentication check result, wherein the data flow may include information about whether transmission of the TCP SYN packet is permitted at all.
A gateway according to one embodiment disclosed in the present document executes a proxy server so as to receive a service processing request from a node, confirms whether there is data flow information corresponding to the information included in the service processing request, that information including source information or destination information, and may store instructions for processing the service processing request on the basis of the data flow information when such data flow information exists.
A gateway according to one embodiment in the present document comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory, which is operatively connected to the processor and stores a proxy server, wherein the memory may store instructions that, when executed by the processor, cause the gateway to: receive, from an external server, a data flow including file input/output (IO) information indicating whether encryption is required when a file of a node is transmitted and whether decryption is required when the file is received; and process, through the proxy server, a service processing request or a service processing request result of the node on the basis of whether file information is included in the service processing request or the service processing request result.
H04L 47/2475 - Traffic characterised by specific attributes, e.g. priority or QoS; for supporting traffic characterised by the type of applications
25. SYSTEM FOR CONTROLLING FILE TRANSMISSION AND RECEPTION OF APPLICATION ON BASIS OF PROXY AND METHOD RELATING TO SAME
A gateway according to an embodiment disclosed in the present document may comprise: a communication circuit; a processor operatively connected to the communication circuit; and a memory, operatively connected to the processor, for storing a proxy server, wherein the memory may store instructions which, when executed by the processor, cause the gateway to: receive, from an external server, a data flow including file input/output (IO) information indicating whether a node requires approval for file transmission and reception; and process a service processing request or a service processing request result of the node via the proxy server on the basis of whether file information is included in the service processing request or the service processing request result.
A node according to an embodiment disclosed in the present document may store instructions for: performing a network connection request of the target application to an external server through a connection control application, wherein the network connection request includes identification information of the target application and destination network identification information; receiving a data flow from the external server, wherein the data flow includes certificate information corresponding to the destination network identification information; and processing a data packet of the target application on the basis of the certificate information.
H04L 67/562 - Brokering of proxy services
H04L 61/4511 - Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols; using the domain name system [DNS]
27. CONTROLLER-BASED NETWORK CONNECTION CONTROL SYSTEM, AND METHOD THEREOF
A node according to an embodiment disclosed in the present document may comprise: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a connection control application and a target application, wherein the memory stores instructions which, when executed by the processor, cause the node to: receive a data packet through the connection control application; on the basis of whether there is a data flow corresponding to the received data packet and applied from an external server and whether session identification information is included in the data packet, request the external server to update the data flow including the session identification information; and transmit the data packet on the basis of the data flow having the updated session identification information, the data flow being received from the external server.
A node, according to one embodiment disclosed in the present document, comprises a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing an access control application and a target application. The memory may store instructions that, when executed by the processor, cause the node to: when a file IO access event of the target application is detected, check whether a data flow allocated to the target application exists, by means of the access control application; if the data flow allocated to the target application exists, identify the type of file IO of the target application by means of the access control application; if the identified type of file IO is writing, perform file decryption by means of the access control application; and if the identified type of file IO is reading, perform file encryption by means of the access control application.
A gateway according to an embodiment disclosed in the present document comprises a communication circuit, a memory for storing a database, and a processor operatively connected to the communication circuit and the memory. The processor can be configured to: receive a data packet; determine whether the data packet was received from an authorized subject; determine whether a data flow corresponding to service processing request information about the data packet and applied from an external server exists; inspect the service processing request information when the data flow exists; and process the data packet on the basis of the result of the inspection of the service processing request information.
A node according to an embodiment disclosed in the present document may: receive, via an access control application, a first service authentication request of a target application, the first service authentication request including identification information of a service server that the target application is to access; identify whether a data flow applied from an external server exists, the data flow corresponding to identification information of the target application and the identification information of the service server; when the data flow exists, transmit a second service authentication request to the external server on the basis of the data flow identification information of the data flow, or of the identification information of the target application and the identification information of the service server; receive, in response to the second service authentication request, a data flow having updated authentication information from the external server; and deliver the result of the first service authentication request to the target application.
A server, according to one embodiment disclosed in the present document, comprises a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a database. The memory may store instructions that, when executed by the processor, cause the server to: receive a file input output (IO) information inspection request from an access control application of a node, wherein the file IO information inspection request includes file identification information of a file IO target file; check whether file IO table information for the target file is present in the database by using the file identification information; when the file IO table information is present, perform a file inspection for the target file on the basis of the file IO table information; and transmit a response indicating a result of the file inspection to the access control application of the node.
A node according to an embodiment disclosed herein comprises: a communication circuit; a processor operatively connected to the communication circuit; and memory which is operatively connected to the processor and in which a connection control application and a target application are stored. In the memory, instructions can be stored which, when executed by the processor, cause the node to: request an external server to establish a network connection to a service server through the connection control application, the network connection request including identification information about a target application attempting to connect to a network of the service server, and an internet protocol (IP) and a port of the service server; receive a data flow, including permitted file input/output (IO) information indicating whether file IO of the target application is permitted, when connecting to the network of the service server is possible; check, through the connection control application, whether file IO associated with the target application is present; and manage the operation of the associated file IO on the basis of the permitted file IO information.
A node according to one embodiment disclosed in the present document may store instructions that cause an access control application to detect a data packet transmission event of a target application, check a transmission protocol of the data packet, determine the existence of a data flow that corresponds to the transmission protocol and identification information of the target application and is authorized by an external server, insert authentication information into the data packet on the basis of the transmission protocol and the authentication information contained in the data flow, and transmit the data packet on the basis of the transmission protocol.
A node according to an embodiment disclosed in the present document comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing an access control application and a target application, wherein the memory may store instructions which, when executed by the processor, enable the node to: identify a file input output (IO) information inspection event by the target application, through the access control application; determine whether a file IO information inspection is required on the basis of applied file IO information of a data flow related to the target application, through the access control application; request an external server for the file IO information inspection, through the access control application, on the basis of determining that the file IO information inspection is required; and allow or block file IO of the target application, through the access control application, on the basis of a file IO information inspection result received from the external server.
A node according to an embodiment disclosed in the present document may store instructions to: detect an event for transmitting a data packet of a target application through an access control application; identify the presence of a data flow that corresponds to identification information of the target application and information included in the data packet and is applied from an external server; identify the type of the data packet; when the data packet is a data packet for requesting generation of a secure session, transmit the data packet to a gateway or a service server to generate a secure session between the node and the gateway or the service server; and when the secure session is generated, transmit identification information of the secure session to the external server.
H04L 47/2475 - Traffic characterised by specific attributes, e.g. priority or QoS; for supporting traffic characterised by the type of applications
H04L 47/32 - Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
36.
SYSTEM FOR CONTROLLING NETWORK ACCESS OF VIRTUALIZATION INSTANCE, AND METHOD THEREFOR
A server according to one embodiment disclosed herein can be configured to: receive a network access request from an access control application of a virtualization instance, wherein the network access request includes destination network identification information and identification information of a target application of the virtualization instance; confirm whether the target application is accessible on the basis of the destination network identification information and the identification information of the target application; create a data flow if the target application is accessible; confirm whether a data packet of the target application can be transmitted to a destination network through a virtual router; update the data flow if the data packet can be transmitted through the virtual router; and transmit the updated data flow to a virtualization server and the virtualization instance.
H04L 47/2483 - Traffic characterised by specific attributes, e.g. priority or QoS; involving identification of individual flows
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
37.
CONTROLLER-BASED NETWORK ACCESS CONTROL SYSTEM, AND METHOD THEREFOR
A node according to an embodiment disclosed in the present document may store instructions which cause the node to: detect a network access event through an access control application; transmit a domain name system (DNS) query request packet to a first external server through the access control application; receive a DNS query result from the first external server, wherein the DNS query result includes domain information and IP information; and transmit a domain validation request or a network access request including the domain information to a second external server on the basis of whether a data flow corresponding to the IP information exists, through the access control application.
A node according to an embodiment disclosed in the present document may store instructions for: performing a network access request to an external server through an access control application, the network access request including identification information of a target application and identification information of a destination network; receiving a data flow from the external server through the access control application, the data flow corresponding to identification information of the node and the identification information of the destination network and including information about whether a data packet can be transmitted through a virtual router; and transmitting a data packet of the target application on the basis of the received data flow, through the access control application, wherein the virtual router may be included in a switch to which the node transmits the data packet.
H04L 47/2475 - Traffic characterised by specific attributes, e.g. priority or QoS; for supporting traffic characterised by the type of applications
H04L 45/586 - Association of routers; of virtual routers
39.
SYSTEM FOR CONTROLLING NETWORK ACCESS ON BASIS OF CONTROLLER, AND METHOD THEREFOR
A node according to an embodiment disclosed in the present document can store instructions so as to: determine a communication protocol on the basis of whether an operating system transport layer can be accessed through an access control application; transmit, on the basis of the determined communication protocol, an authentication data packet including first authentication information stored in the access control application to an external server, and request authentication; receive an authentication result with respect to the authentication data packet from the external server; and change an authentication state of a control data packet on the basis of the received authentication result, wherein, if a control data processing request for the external server is performed, the control data processing request is performed on the basis of the control data packet having a changed authentication state.
H04L 47/2475 - Traffic characterised by specific attributes, e.g. priority or QoS; for supporting traffic characterised by the type of applications
H04L 47/2483 - Traffic characterised by specific attributes, e.g. priority or QoS; involving identification of individual flows
40.
SYSTEM FOR CONTROLLING NETWORK CONNECTION BASED ON CONTROLLER, AND METHOD THEREFOR
A node according to an embodiment disclosed in the present document may comprise a communication circuit, a processor operatively connected to the communication circuit, and a memory which is operatively connected to the processor and stores a reception application and an access control application, wherein the memory stores instructions causing, when executed by the processor, the node to: detect a network reception event from a source network through the access control application; through the access control application, identify the presence or absence of a data flow which is applied from an external server and corresponds to a destination service port included in a data packet from the source network; and through the access control application, request network reception from the external server on the basis of the presence or absence of the applied data flow and whether the applied data flow includes identification information of the source network.
A network system according to one embodiment disclosed in the present document comprises a node, a destination network, a network node, and a server. The node: transmits or drops a data packet in accordance with whether or not a data flow exists, by means of an access control application; deletes the data flow corresponding to the identification information of a terminated application if an execution termination event of a target application or the access control application is confirmed; and transmits the deleted data flow list to the server. The server: transmits the deleted data flow list to the network node; and recovers a network node policy from the node. The network node may be configured to process such that a data packet corresponding to the deleted data flow list is no longer forwarded.
A network node according to one embodiment disclosed in the present document comprises a communication circuit, a memory and a processor operatively connected to the communication circuit and the memory, wherein the processor: receives, from a server, a data flow including a node IP, a destination network IP and port information, which is generated to permit the generation of a TCP session between a departure node and a destination network; monitors, at a network boundary, a data packet that has been broadcast or multicast from the departure node; transmits an IP blocking data packet to the departure node if the monitoring finds no data flow corresponding to a departure IP of the received data packet; or can transmit, to the departure node, a TCP data packet that forcibly terminates the TCP session if the monitoring finds no data flow corresponding to a destination IP and destination port information of the received data packet.
A node according to one embodiment disclosed in the present document comprises a processor, and a memory for storing an access control application, wherein the memory can store instructions so that, when executed by the processor, the node detects, through the access control application, a network access event for a destination network, identifies, through the access control application, whether a data flow and a tunnel, which correspond to the destination network and are applied from an external server, are present, and transmits data packets through the tunnel if the applied data flow and tunnel are present.
A network system according to an embodiment disclosed in the present document may comprise: a remote terminal; a virtualization server communicatively connected to the remote terminal; a virtualization terminal of the virtualization server, to which a user connects by remote control and which includes a connection control application; an external server communicatively connected to the remote terminal, the virtualization server, and the virtualization terminal; and a work network communicatively connected to the virtualization terminal through the connection control application.
H04L 47/2483 - Traffic characterised by specific attributes, e.g. priority or QoS; involving identification of individual flows
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
45.
SYSTEM FOR CONTROLLING NETWORK CONNECTION BASED ON CONTROLLER, AND METHOD FOR SAME
A node according to one embodiment of the present document includes: a communication circuit; a processor operably connected to the communication circuit; and a memory operably connected to the processor and storing a receiving application and a connection control application, wherein the memory may store instructions that, when executed by the processor, cause the node to: detect, via the connection control application, a network receive event from a source network of the receiving application; confirm, via the connection control application, whether identification information of the receiving application, a service port, and a data flow applied from an external server and corresponding to the source network exist; receive a data packet by using the communication circuit if the applied data flow exists and the receiving application is trying to receive; and drop the data packet if the applied data flow does not exist or the receiving application is not receiving.
A node according to an embodiment disclosed in the present document may comprise a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions which, when executed by the processor, cause the node to: receive tunnel generation information required to generate a tunnel with a gateway from an external server through the access control application; request tunnel generation from the gateway through the access control application on the basis of the tunnel generation information; receive, from the gateway through the access control application, fixed IP information allocated to the node or each user of the node; and transmit the fixed IP information to the external server through the access control application.
H04L 12/66 - Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
H04L 47/2483 - Traffic characterised by specific attributes, e.g. priority or QoS; involving identification of individual flows
H04L 47/32 - Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols; using the domain name system [DNS]
H04L 61/5007 - Internet protocol [IP] addresses
47.
SYSTEM FOR CONTROLLING CONTROLLER-BASED NETWORK ACCESS, AND METHOD THEREFOR
A node according to one embodiment disclosed in the present document comprises: a communication circuit; a processor operatively connected to the communication circuit; and a memory, which is operatively connected to the processor and stores a target application and an access control application, wherein the memory can store instructions for allowing, when being executed by means of the processor, the node to: sense a virtual private network (VPN) access event through the access control application; transmit VPN access information to an external server through the access control application, the VPN access information including VPN IP information assigned by means of the VPN access; sense, through the access control application, a network access event for a destination network of the target application; confirm the presence of a data flow, which corresponds to identification information about the target application, the destination network, a service port, and the VPN IP information and is applied from the external server; and transmit a data packet through a VPN on the basis of the applied data flow if the applied data flow is present and valid.
A node according to one embodiment disclosed in the present document comprises: a communication circuit; a processor operatively coupled to the communication circuit; and a memory operatively coupled to the processor and storing a target application and a connection control application, wherein the memory may store instructions which, when executed by the processor, cause the node to: detect, through the connection control application, a network connection event for a destination network of the target application; check, through the connection control application, whether a data flow and a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exist; when the authorized data flow and the authorized tunnel exist, check whether inspection of a data packet of the target application is necessary, on the basis of data packet inspection information included in the authorized data flow; when the data packet inspection is necessary, inspect the data packet on the basis of a rule database included in the data packet inspection information; and when the data packet inspection is not necessary or when the data packet inspection result is successful, forward the data packet on the basis of the authorized data flow and the authorized tunnel.
A system and a method for providing secure network access of a terminal, the system including: a terminal; a gateway located at a boundary of a network to which the terminal belongs; and a server which manages data transmission between the terminal and the gateway. The server: generates a control flow between the terminal and the server upon receiving a controller access request from the terminal; transmits, to the terminal, identification information of the control flow and a threat detection policy stored in a database of the server; receives, from the terminal, a controller access update request including threat detection information indicating a result of executing a threat detection function installed in the terminal on the basis of the threat detection policy; and, when detection of a threat is confirmed from the threat detection information, cancels the control flow on the basis of the threat detection policy.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
H04L 47/10 - Flow control; Congestion control
H04L 47/2483 - Traffic characterised by specific attributes, e.g. priority or QoS; involving identification of individual flows
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
H04L 47/2475 - Traffic characterised by specific attributes, e.g. priority or QoS; for supporting traffic characterised by the type of applications
50.
System For Protecting Control Data Packet And Method Pertaining To Same
A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory which is operatively connected to the processor and stores an access control application. The memory may store instructions that, upon being executed by the processor, cause the node to: sense a controller access event with respect to an external server through the access control application; insert a first protection header to a first control data packet for requesting controller access, the first protection header including a protection information ID for identifying protection information used for authenticating the first control data packet, and first authentication information that is generated on the basis of the protection information and used for authenticating and checking the integrity of the first control data packet; and transmit the first control data packet having the inserted first protection header to the external server by using the communication circuit.
A network access control device generates, in a tunnel-based access control network environment, a tunnel that connects a terminal application to the gateway of a destination network, on the basis of a tunnel between the terminal application and a gateway and a tunnel between gateways, thereby enabling safe transmission of a data packet from the terminal application to a destination node. It can include: a memory for storing a tunnel policy, a tunnel routing policy, and a tunnel table; and a control unit which generates tunnel information and data flow information on the basis of the tunnel policy, the tunnel routing policy, and the tunnel table according to a network access request of the terminal, and which transmits the generated tunnel information and data flow information to the terminal and the gateway of each network so that a tunnel between the terminal and the destination network is generated.
A method for managing a control flow by a server including: receiving a control flow generation request data packet from the terminal; transmitting a control flow communication code to the terminal; and receiving the result of executing the control flow communication code from the terminal, wherein if the result of executing the control flow communication code is normal, the server generates the control flow with the terminal, and if the execution result value is abnormal, or the execution result is not received from the terminal within a predetermined time, the server blocks the generation of the control flow with the terminal.
A terminal including a communication circuit, a processor, and a memory storing a target application and an access control application. The memory may store instructions which, when executed by the processor, enable the terminal to: detect, via the access control application, a network access event for a destination network of the target application; identify, via the access control application, whether identification information of the target application and data flow information corresponding to the destination network are present; identify, via the access control application, whether authentication of the data flow indicated by the data flow information is valid; and drop a data packet of the target application when the data flow information is not present or the authentication of the data flow is not valid, or transmit the data packet of the target application when the data flow information is present and the authentication of the data flow is valid.
A network access control system and a method are disclosed. In a step of generating a transmission control protocol (TCP) session between a terminal and a gateway (or a server), the TCP session is authenticated, and whether or not to generate the TCP session is determined on the basis of a result of the authentication, thereby preventing, in advance, a target application within the terminal from bypassing control of an access control application and transmitting a data packet to a destination network through an authorized tunnel.
H04L 69/16 - Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
55.
System for controlling network access of node on basis of tunnel and data flow, and method therefor
A technology for controlling network access based on a tunnel and a data flow in a network environment, including a node to detect, through an access control application, a network access event in which a target application accesses a destination network; check, through the access control application, whether or not there is a tunnel generated in a unit of nodes or IPs and applied from an external server, and whether or not there is a data flow generated in a unit of TCP sessions or applications and generated by the external server; if there is the applied tunnel and data flow, transmit a data packet of the target application through the applied tunnel by using a communication circuit; and if there is no applied tunnel or data flow, drop a data packet of the target application.
A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.
The present invention relates to a network access control device and a method therefor, and provides a network access control device and a method therefor, the network access control device generating, in a tunnel-based access control network environment including a plurality of networks, a tunnel that connects a terminal application to the gateway of a destination network, on the basis of a tunnel between the terminal application and a gateway and a tunnel between gateways, thereby enabling safe transmission of a data packet from the terminal application to a destination node. To this end, the present invention can comprise: a memory for storing a tunnel policy, a tunnel routing policy, and a tunnel table; and a control unit which generates tunnel information and data flow information on the basis of the tunnel policy, the tunnel routing policy, and the tunnel table according to a network access request of the terminal, and which transmits the generated tunnel information and data flow information to the terminal and the gateway of each network so that a tunnel between the terminal and the destination network is generated.
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/801 - Flow control or congestion control
H04L 29/12 - Arrangements, apparatus, circuits or systems not covered by a single one of the groups, characterised by the data terminal
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 12/66 - Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
58.
SYSTEM FOR PROTECTING CONTROL DATA PACKET AND METHOD PERTAINING TO SAME
A terminal comprises a communication circuit, a processor operably connected to the communication circuit, and a memory operably connected to the processor and storing a target application and an access control application, wherein the memory may store instructions which, when executed by the processor, enable the terminal to: detect, via the access control application, a network access event for a destination network of the target application; identify, via the access control application, whether identification information of the target application and data flow information corresponding to the destination network are present; identify, via the access control application, whether authentication of the data flow indicated by the data flow information is valid; and drop a data packet of the target application when the data flow information is not present or the authentication of the data flow is not valid, or transmit the data packet of the target application when the data flow information is present and the authentication of the data flow is valid.
The present invention relates to a network access control system and a method therefor, wherein in a step of generating a transmission control protocol (TCP) session between a terminal and a gateway (or a server), the TCP session is authenticated, and whether or not to generate the TCP session is determined on the basis of a result of the authentication, thereby preventing, in advance, a target application within the terminal from bypassing control of an access control application and transmitting a data packet to a destination network through an authorized tunnel.
The present invention relates to a system and a method for providing secure network access of a terminal, the system comprising: a terminal; a gateway located at a boundary of a network to which the terminal belongs; and a server which manages data transmission between the terminal and the gateway. The server: generates a control flow between the terminal and the server upon receiving a controller access request from the terminal; transmits, to the terminal, identification information of the control flow and a threat detection policy stored in a database of the server; receives, from the terminal, a controller access update request including threat detection information indicating a result of executing a threat detection function installed in the terminal on the basis of the threat detection policy; and, when detection of a threat is confirmed from the threat detection information, cancels the control flow on the basis of the threat detection policy.
A method for managing a control flow by a server according to an embodiment of the present invention may comprise the steps of: receiving a control flow generation request data packet from the terminal; transmitting a control flow communication code to the terminal; and receiving the result of executing the control flow communication code from the terminal, wherein if the result of executing the control flow communication code is normal, the server generates the control flow with the terminal, and if the execution result value is abnormal, or the execution result is not received from the terminal within a predetermined time, the server blocks the generation of the control flow with the terminal.
H04L 12/851 - Traffic type related actions, e.g. quality of service or priority
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 9/26 - Address formation of the next micro-instruction
H04L 12/26 - Monitoring arrangements; Testing arrangements
A node may: detect, through an access control application, a network access event in which a target application accesses a destination network; check, through the access control application, whether or not there is a tunnel generated in a unit of nodes or IPs and applied from an external server, and whether or not there is a data flow generated in a unit of TCP sessions or applications and generated by the external server; if there is the applied tunnel and data flow, transmit a data packet of the target application through the applied tunnel by using a communication circuit; and if there is no applied tunnel or data flow, drop a data packet of the target application.
A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.
The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. The perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. The perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.
G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
G06F 12/0868 - Data transfer between cache memory and other subsystems, e.g. storage devices or host systems
