Network Security Method in Layer 2
Patent Abstract:

PURPOSE: A method for securing a network at Layer 2 is provided that lets an administrator apply a variety of security controls and selectively control unauthorized users who access a network service.

CONSTITUTION: When a packet enters an Ethernet device, it is determined whether the MAC (Medium Access Control) address corresponding to the packet exists in the MAC address table (S401). If it does not, the MAC address is recorded in the MAC address table (S402). It is then determined whether the system's safe mode is activated (S403). If safe mode is not activated, the new MAC address needs no further processing and is discarded (S404). When safe mode is activated (S405), the administrator selects a processing method for unauthorized terminals (S407). When limit mode is selected, a threshold on the number of terminals that may enter the port is entered (S406) before the administrator selects the processing method (S407). With safe mode active, it is checked whether limit mode is in effect (S408). If it is not, no service is provided to the new terminal, because service is provided only to terminals that are already accessing. If the administrator has selected port blocking (S413), access by all terminals is prevented by blocking the port of the Ethernet device (S421).

Publication No.: KR20020039559A
Application No.: KR1020000069458
Filing date: 2000-11-22
Publication date: 2002-05-27
Inventor: 이백주
Applicant: 구자홍; 엘지전자주식회사 (LG Electronics)
Patent Description:
[5] The present invention relates to a network security method at Layer 2 and, more particularly, to a method for controlling, in a variety of ways, an unauthorized terminal that accesses the network at Layer 2, the Medium Access Control (MAC) layer of the Open Systems Interconnection reference model.

[6] Conventional network security technologies of this kind include the one proposed by 3COM and the one proposed by Allied Telesyn.

[7] The 3COM technology provides only a single access control method. When the administrator activates safe mode at Layer 2, it guarantees network access only to terminals listed in the MAC address table, which is the list of terminals permitted on the network. Terminals in the MAC address table are served even when several of them access the network at the same time. When a terminal that is not in the MAC address table accesses the network, the source port through which its traffic entered is blocked. Because port blocking is the only response to an unauthorized terminal, the existing authorized terminals on that port also lose service.

[8] The Allied Telesyn technology is more advanced than 3COM's and has three modes: unsafe mode, safe mode and limit mode.

[9] In unsafe mode the security system is not activated and service is provided to every terminal currently accessing the network.

[10] In safe mode the security system is activated and access is allowed only to terminals in the MAC address table. It also allows only one terminal to access at a time rather than several terminals from the table simultaneously. For any terminal that attempts access after the first, the source port is blocked, as in the 3COM technology, so that its traffic does not enter the network.

[11] Limit mode relaxes safe mode's single-terminal restriction: the administrator sets a limit, and terminals are admitted while their number stays below it. For a terminal that exceeds the limit, the port is blocked or a trap is sent to the network management system to inform the administrator that the limit has been exceeded.

[12] FIG. 1 is a flowchart of the conventional Allied Telesyn network security method, which is summarized as follows.

[13] When a packet enters the Ethernet device, it is determined whether the MAC address corresponding to the packet exists in the MAC address table (S100). If it does not, it is newly recorded in the MAC address table (S101). It is determined whether safe mode is currently activated (S102); if it is not, the new MAC address needs no further processing and is discarded (S106). The administrator decides whether to activate safe mode. When safe mode is activated (S103), the administrator selects a processing method for unauthorized terminals (S105); in limit mode the administrator first enters the threshold on the number of terminals that may enter the port (S104) and then selects the processing method (S105). The processing methods are blocking the port, sending a trap, and taking no action.

[14] In safe mode it is then determined whether limit mode is in effect. If it is not, service is provided only to terminals that are already accessing (plain safe mode), so the new terminal is not served. If the administrator selected port blocking (S112), the Ethernet device port is blocked (S115). If the administrator selected trap transmission (S113), a trap is sent to the network management system to notify it that an unauthorized terminal has entered (S116). If neither method was selected, no action is taken (S114).

[15] In limit mode it is checked whether the MAC address of the incoming terminal exists in the MAC address table (S108). If it does, the terminal is served (S111). If it does not, it is determined whether the threshold is exceeded (S109). If the threshold is exceeded, the terminal is processed by the method the administrator selected, exactly as in safe mode. If the threshold is not exceeded, the MAC address of the incoming terminal is added to the table (S11).

[16] The conventional methods described above offer few control techniques for security. In particular, once the port is blocked, other authorized terminals on it can no longer enter, no log of the violating terminal can be examined, and the terminals currently on the port cannot be controlled selectively.

[17] The present invention solves these problems of the prior art by proposing a network security method at Layer 2 that offers a variety of security controls and can selectively control incoming terminals.

[1] FIG. 1 is a flowchart of the conventional Allied Telesyn network security method.

[2] FIG. 2 is a block diagram of the processing of a new address in unsafe mode.

[3] FIG. 3 is a block diagram of the security processing procedure in safe mode according to a preferred embodiment of the present invention.

[4] FIG. 4 is a flowchart of the network security method according to a preferred embodiment of the present invention.

[18] To achieve the above object, the network security method at Layer 2 according to the present invention comprises the steps of: (a) recording a terminal with a new MAC address in the MAC address table when in unsafe mode; (b) checking, in safe mode, whether the MAC address of the incoming terminal exists in the access list table, which is the list of MAC addresses of authorized terminals; (c) providing the requested service when the MAC address of the terminal from step (b) exists in the access list table; and (d) when the MAC address of the terminal from step (b) does not exist in the access list table, allowing the administrator to select any one of trap transmission, filtering, log file generation, port blocking, trap transmission with filtering, trap transmission with log file generation, port blocking with log file generation, and trap transmission with port blocking, and processing the terminal according to the method selected by the administrator.

[19] A preferred embodiment of the network security method at Layer 2 according to the present invention is described in detail below with reference to the accompanying drawings.

[20] Like the Allied Telesyn method, the present invention processes incoming terminals in three modes: unsafe mode, safe mode and limit mode.

[21] FIG. 2 is a block diagram of the processing of a new address in unsafe mode.

[22] In FIG. 2, the new address processing module 21 processes a newly introduced MAC address, which is recorded in the MAC address table 22. The access list table 23 holds the MAC addresses of the terminals permitted to enter in safe mode, and the security processing module 24 decides, from the MAC addresses in the access list, whether an access is permitted or is a violation. On a violation, the security-breaching host is handled according to the configured method. The Simple Network Management Protocol 26 carries traps from the device to the network management system 25 and lets the network management system control the security processing for a host detected by the security processing module; the network management system 25 handles the traps received over SNMP and controls the security processing.

[23] In unsafe mode service is provided to every incoming terminal, so the security processing module 24 is inactive. When a new address arrives from the Ethernet device 25, the new address processing module 21 records it in the MAC address table 22 so that the new address is managed.

[24] FIG. 3 is a block diagram of the security processing procedure in safe mode according to a preferred embodiment of the present invention.

[25] In safe mode access is allowed only to terminals in the access list table. On switching to safe mode, all MAC addresses recorded in the MAC address table 22 during unsafe mode are copied into the access list table 23. Thereafter, when a terminal enters through the Ethernet device 25, its address is passed to the security processing module 24, which checks whether the address exists in the access list table 23. If it does, service is provided. If it does not, the terminal is processed according to the access control method set in advance by the administrator.

[26] In addition to the conventional access control methods of port blocking and trap transmission, the present invention proposes six further access control methods.

[27] First, generating a log file. When a terminal with an unauthorized MAC address enters, the fact is written to a log file so that a record of the unauthorized entry survives even after the system is powered off. In a preferred embodiment the log file is stored in nonvolatile memory 28.

[28] Second, removing unauthorized packets by filtering. If the hardware supports filtering, only the violating packets are removed by the hardware; if it does not, the violating packets can still be removed in software. Filtering only the violating packets avoids the problem of port blocking, which also cuts off authorized users.

[29] Third, log file generation together with filtering: packets from unauthorized terminals are removed by filtering, while the log file records that unauthorized terminals attempted to enter.

[30] Fourth, filtering together with trap transmission: packets from unauthorized terminals are removed by filtering, and the security processing module notifies the administrator of the attempted entry by sending a trap.

[31] Fifth, port blocking together with log file generation: when an unauthorized terminal enters, the source port is blocked, which stops the traffic of every terminal on it, and the log file records that an unauthorized terminal entered.

[32] Sixth, port blocking together with trap transmission: when an unauthorized terminal enters, a trap is sent to the network management system to inform the administrator, and the port is blocked so that no terminal can enter.

[33] In a preferred embodiment the administrator selects one of the access processing methods above (the six proposed here plus conventional port blocking and trap transmission) and sets it in advance. After a terminal violating security has been processed by the selected method, its MAC address, the number of violations and the violation time are stored in RAM, and the administrator can trace the violating terminal from this information.

[34] The present invention can also handle security in limit mode. In limit mode the administrator designates the limit on the number of terminals that may enter the port. While the limit is not exceeded, each newly introduced MAC address is added to the access list and network access is guaranteed. When a newly introduced address would exceed the designated threshold, access control is performed according to the method selected by the administrator, as in safe mode.

[35] FIG. 4 is a flowchart of the network security method according to a preferred embodiment of the present invention. The overall method is described with reference to FIG. 4.

[36] When a packet enters the Ethernet device, it is determined whether the MAC address corresponding to the packet exists in the MAC address table (S401). If it does not, it is newly recorded in the MAC address table (S402). It is determined whether safe mode is activated (S403); if it is not, the new MAC address needs no further processing and is discarded (S404). As in the prior art, the administrator decides whether to activate safe mode. When the administrator activates safe mode (S405), the administrator selects a method for handling unauthorized terminals (S407). When limit mode is selected, the administrator enters the threshold on the number of terminals that may enter the port (S406) and then selects the processing method (S407). The administrator selects one of the eight methods described above.

[37] If safe mode is activated, it is determined whether limit mode with a designated limit value is in effect. If it is not (plain safe mode, with no limit value designated for the terminals entering the port), service is provided only to terminals that are already accessing, so the new terminal is not served and is processed by the method selected in S407. If the administrator selected port blocking (S413), the port of the Ethernet device is blocked so that no terminal can enter (S421). If trap transmission was selected (S414), a trap is sent to the network management system to inform the administrator that an unauthorized terminal has entered (S422). If filtering was selected (S415), the unauthorized packets are removed by filtering (S423). If log file generation was selected (S416), the entry of the unauthorized terminal is recorded in the log file stored in nonvolatile memory (S424). If trap transmission and filtering were selected together (S417), the administrator is informed of the unauthorized entry and the incoming packets are removed (S422, S423). If trap transmission and log file generation were selected together (S418), the administrator is notified by trap and the fact is recorded in the log file (S422, S424). If port blocking and log file generation were selected together (S419), the port is blocked so that no terminal can enter and the unauthorized entry is recorded in the log file (S421, S424). If port blocking and trap transmission were selected together (S420), the terminal is denied by blocking the port and the administrator is notified by trap (S421, S422). The MAC address of the violating terminal processed by the above method, the time of the violation and the number of violations are recorded in separate RAM (S425) so that the administrator can trace the violating terminal.

[38] If limit mode with a designated limit value is in effect, terminals are admitted up to the limit, unlike plain safe mode. It is checked whether the MAC address of the incoming terminal exists in the access list (S409). If it does, service is permitted (S410). For a terminal whose address is not in the access list, it is first checked whether the threshold is exceeded (S411). If it is, the terminal is processed by the method selected by the administrator, exactly as in safe mode. If it is not, the address of the incoming terminal is added to the access list (S412).

[39] As described above, the network security method at Layer 2 of the present invention lets the network administrator control, in a variety of ways, a user other than an authorized user who accesses the network service. The administrator can trace the violating terminal from the log file and from the recorded address, violation time and violation count. Moreover, when a control method such as filtering is selected, the violating terminal is detected while the terminals currently being served are protected.
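The processing of FIGS. 2 to 4 (S401 to S425), including the eight administrator choices of claim 1 and the limit mode of claim 2, as an added example in Python that is not code from the patent or from LG. Class, function and attribute names are this example's assumptions; the switch hardware, the SNMP trap path and the nonvolatile log memory are modelled as in-memory containers, and the Ethernet frames fed to it are constructed for the example.

```python
"""Layer-2 port security state machine modelled on FIG. 4 (S401 to S425).

Added example, not code from the patent. Names are this example's
assumptions; hardware, SNMP and nonvolatile memory are modelled in memory,
and the frames built by make_frame() are constructed sample input.
"""
import struct
from enum import Enum, Flag, auto


class Mode(Enum):
    UNSAFE = auto()   # security off: every new MAC is learned and served
    SAFE = auto()     # only MACs in the access list are served
    LIMIT = auto()    # new MACs are admitted until the port threshold is reached


class Action(Flag):
    """Responses to an unauthorized terminal; combined with | as the patent does."""
    NONE = 0
    BLOCK_PORT = auto()   # S421: deny every terminal on the port
    TRAP = auto()         # S422: notify the network management system
    FILTER = auto()       # S423: drop only the violating packets
    LOG = auto()          # S424: record the entry in nonvolatile memory


# The eight choices offered to the administrator in S413 to S420 (claim 1).
ADMIN_CHOICES = {
    "block": Action.BLOCK_PORT,
    "trap": Action.TRAP,
    "filter": Action.FILTER,
    "log": Action.LOG,
    "trap+filter": Action.TRAP | Action.FILTER,
    "trap+log": Action.TRAP | Action.LOG,
    "block+log": Action.BLOCK_PORT | Action.LOG,
    "trap+block": Action.TRAP | Action.BLOCK_PORT,
}


def src_mac(frame: bytes) -> str:
    """Source MAC of a raw Ethernet II frame (dst 6 | src 6 | ethertype 2)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    _dst, src = struct.unpack("!6s6s", frame[:12])
    return src.hex(":")


def make_frame(src: str, dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed sample frame: header plus a zero payload, not captured traffic."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return header + b"\x08\x00" + b"\x00" * 46


class PortSecurity:
    def __init__(self, action: Action = Action.FILTER):
        self.mode, self.action, self.limit = Mode.UNSAFE, action, 0
        self.port_blocked = False
        self.mac_table = set()      # MAC address table (22)
        self.access_list = set()    # access list table (23)
        self.filtered = set()       # MACs with a drop entry (hardware or software)
        self.traps = []             # traps sent to the NMS (modelled)
        self.log_file = []          # log file in nonvolatile memory (28), modelled
        self.violations = {}        # RAM record (S425): mac -> [count, last_time]

    def set_mode(self, mode: Mode, limit: int = 0) -> None:
        """S405/S406: leaving unsafe mode seeds the access list (FIG. 3)."""
        if self.mode is Mode.UNSAFE and mode is not Mode.UNSAFE:
            self.access_list |= self.mac_table
        self.mode, self.limit = mode, limit

    def _violation(self, mac: str, now: float) -> bool:
        rec = self.violations.setdefault(mac, [0, None])
        rec[0], rec[1] = rec[0] + 1, now
        if Action.BLOCK_PORT in self.action:
            self.port_blocked = True
        if Action.TRAP in self.action:
            self.traps.append((now, mac))
        if Action.FILTER in self.action:
            self.filtered.add(mac)
        if Action.LOG in self.action:
            self.log_file.append(f"{now:.0f} unauthorized MAC {mac}")
        return False  # an unauthorized terminal is never served in safe/limit mode

    def ingress(self, frame: bytes, now: float) -> bool:
        """Return True when the frame is forwarded (service provided)."""
        if self.port_blocked:
            return False                       # S421 in effect: everyone denied
        mac = src_mac(frame)
        self.mac_table.add(mac)                # S401/S402
        if self.mode is Mode.UNSAFE:
            return True                        # S404: no further processing
        if mac in self.access_list:
            return True                        # S410 / FIG. 3
        if self.mode is Mode.LIMIT and len(self.access_list) < self.limit:
            self.access_list.add(mac)          # S411/S412: under threshold
            return True
        return self._violation(mac, now)       # S413 to S425


def run_scenarios() -> dict:
    """Constructed walk-through of the three modes; returns values to check."""
    a, b, c, d = (make_frame(f"02:00:00:00:00:0{i}") for i in "1234")
    out = {}
    # Safe mode with trap+filter: B keeps service while C is dropped and reported.
    ps = PortSecurity(ADMIN_CHOICES["trap+filter"])
    ps.ingress(a, 1.0); ps.ingress(b, 2.0)     # learned in unsafe mode
    ps.set_mode(Mode.SAFE)
    out["safe_c"] = ps.ingress(c, 3.0)
    out["safe_b_after"] = ps.ingress(b, 4.0)
    out["safe_traps"], out["safe_blocked"] = len(ps.traps), ps.port_blocked
    out["safe_c_count"] = ps.violations[src_mac(c)][0]
    # Same traffic with block+log: the collateral denial of A the patent criticizes.
    pb = PortSecurity(ADMIN_CHOICES["block+log"])
    pb.ingress(a, 1.0); pb.set_mode(Mode.SAFE); pb.ingress(c, 2.0)
    out["block_a_after"], out["block_log"] = pb.ingress(a, 3.0), len(pb.log_file)
    # Limit mode with threshold 3: B and C are admitted, D is the violation.
    pl = PortSecurity(ADMIN_CHOICES["log"])
    pl.ingress(a, 1.0); pl.set_mode(Mode.LIMIT, limit=3)
    out["limit"] = [pl.ingress(f, 2.0) for f in (b, c, d)]
    out["limit_list"] = len(pl.access_list)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The scenarios make the page's argument concrete: with trap+filter only the violating MAC loses service and the administrator is notified, whereas with block+log the authorized terminal A is cut off by the same violation. The page describes no recovery from a blocked port, so the model has none; the filter, trap+filter and block choices correspond to the protect, restrict and shutdown violation modes of port security on common managed switches.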
Claims:

Claims (3)

1. [currently amended] A network security method at Layer 2, comprising the steps of: (a) recording a terminal with a new MAC address in the MAC address table when it enters in unsafe mode; (b) checking, in safe mode, whether the MAC address of the incoming terminal exists in an access list table, which is a list of MAC addresses of authorized terminals; (c) providing the requested service when the MAC address of the terminal from step (b) exists in the access list table; and (d) when the MAC address of the terminal from step (b) does not exist in the access list table, allowing the administrator to select any one of trap transmission, filtering, log file generation, port blocking, trap transmission with filtering, trap transmission with log file generation, port blocking with log file generation, and trap transmission with port blocking, and processing the terminal according to the method selected by the administrator.

2. [currently amended] The method of claim 1, further comprising, when the administrator has set limit mode, which sets a limit on the terminals entering the port: adding the address of the terminal to the access list table if the threshold is not exceeded; and, if the threshold is exceeded, allowing the administrator to select one of the methods of step (d), namely trap transmission, filtering, log file generation, port blocking, trap transmission with filtering, trap transmission with log file generation, port blocking with log file generation, and trap transmission with port blocking, and processing the terminal according to the selected method.

3. [currently amended] The network security method at Layer 2 according to claim 1 or 2, further comprising, when a terminal having a MAC address that does not exist in the access list table enters or the threshold is exceeded, recording the MAC address of that terminal, the time of entry and the number of entries in RAM.
Similar technologies:

Publication No. | Publication date | Title
US10552622B2 | 2020-02-04 | Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior
US8918875B2 | 2014-12-23 | System and method for ARP anti-spoofing security
US6760420B2 | 2004-07-06 | Telephony security system
US7188366B2 | 2007-03-06 | Distributed denial of service attack defense method and device
DE60019997T2 | 2006-01-12 | Secure communication with mobile computers
JP4545647B2 | 2010-09-15 | Attack detection / protection system
EP1972096B1 | 2011-10-19 | System and method for prioritization of traffic through internet access network
US5822434A | 1998-10-13 | Scheme to allow two computers on a network to upgrade from a non-secured to a secured session
TWI235576B | 2005-07-01 | An apparatus and method for secure, automated response to distributed denial of service attacks
JP3441726B2 | 2003-09-02 | Communication device and communication method
JP6026789B2 | 2016-11-16 | Node device for preventing overflow of pending table in name-based network system, and device and method for preventing overflow
US7855956B2 | 2010-12-21 | Method and system for controlling the multicast source
US5577209A | 1996-11-19 | Apparatus and method for providing multi-level security for communication among computers and terminals on a network
DE69839101T2 | 2009-02-26 | Method for a secure separation procedure in a mobile network
EP1723745B1 | 2015-08-26 | Isolation approach for network users associated with elevated risk
US7249374B1 | 2007-07-24 | Method and apparatus for selectively enforcing network security policies using group identifiers
US7644168B2 | 2010-01-05 | SAS expander
EP2090063B1 | 2019-10-09 | Apparatus and methods for authenticating voice and data devices on the same port
RU2316903C2 | 2008-02-10 | Method for checking user access privileges in a wireless local network
EP2836052B1 | 2019-11-13 | Method and device for data secrecy based on embedded universal integrated circuit card
JP4166942B2 | 2008-10-15 | Internet protocol traffic filter for mobile radio networks
US7234163B1 | 2007-06-19 | Method and apparatus for preventing spoofing of network addresses
JP5544428B2 | 2014-07-09 | Access control according to policies defined for associated electronic device groups including cellular modems
US7936670B2 | 2011-05-03 | System, method and program to control access to virtual LAN via a switch
CN101411156B | 2011-04-20 | Automated containment of network intruder
Legal status:

2000-11-22 | Application filed by 구자홍, 엘지전자주식회사
2000-11-22 | Priority to KR1020000069458A
2000-11-22 | Priority claimed from KR1020000069458A
2002-05-27 | Publication of KR20020039559A
2002-09-12 | Application granted
2002-09-12 | Publication of KR100352126B1
Priority:

Application No. | Granted publication No. | Filing date | Title
KR1020000069458A | KR100352126B1 | 2000-11-22 | Network Security Method in Layer 2