WO2006001590A1 - Network security system co-operated with an authentication server and method thereof - Google Patents

Info

Publication number: WO2006001590A1
Authority: WO (WIPO, PCT)
Application number: PCT/KR2005/000857
Prior art keywords: security, information, terminal, authentication, user
Other languages: French (fr)
Inventor: Ki-Tae Kim
Original Assignee: Exers Technologies, Inc.
Priority claimed from: KR1020050024389A (KR100714367B1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 ... for authentication of entities
    • H04L63/10 ... for controlling access to devices or network resources
    • H04L63/104 Grouping of entities
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 ... at the data link layer
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning

Definitions

  • the present invention relates to a network security system capable of enforcing an enhanced security policy, and more particularly to a network security system and method that performs an authentication process on users accessing a network and, at the same time, checks the installation status of specific software in the user terminal against the personal security policies set up for that user, and decides from the check result whether or not to allow the user terminal to access the network, thereby implementing optimal network security.
  • FIG. 1 is a configuration view showing the whole configuration of an authentication system in accordance with the IEEE 802.1X standard.
  • FIG. 2 is a flowchart explaining the series of authentication processes performed by the entities in the authentication system of FIG. 1.
  • the IEEE 802.1X standard defines three entities: a supplicant 100, an authenticator 110, and an authentication server 120.
  • the supplicant 100 is the entity that provides the user's authentication information to the authenticator 110 and sends the authentication request to the authenticator 110.
  • the supplicant includes wired or wireless terminals intending to access the network.
  • when the supplicant sends the authentication request, the authenticator's controlled port is still unauthorized: only its uncontrolled port is open, and it passes nothing but EAP traffic.
  • in this status, the supplicant and authenticator communicate with each other through EAP (Extensible Authentication Protocol), carried over the link as EAPOL frames.
  • the authenticator 110 is the entity that relays the received authentication information and authentication request to the authentication server 120.
  • when the authentication server grants authentication, the authenticator forwards an authentication success message to the supplicant and authorizes its controlled port, which from then on passes the supplicant's normal traffic.
  • the authenticator includes APs (Access Points), routers, switches, and the like.
  • the authentication server 120 is the entity that decides authentication based on the supplicant's authentication request received from the authenticator 110. To make that decision, the authentication server uses the user's authentication information stored in its internal database or received from external entities.
  • the IEEE 802.1X standard does not define the protocol for communication between the authentication server 120 and the authenticator 110.
  • in general, a protocol used for an AAA (Authentication, Authorization, and Accounting) server is recommended as the protocol between the authentication server 120 and the authenticator 110; in practice, RADIUS (Remote Authentication Dial-In User Service) is the de-facto industry standard.
  • when the authenticator and the authentication server communicate through RADIUS, the user's network access rights can be controlled not only by the authentication decision (made by the authentication server's internal authentication algorithm) but also by the standard and vendor-specific RADIUS attributes that are returned together with the authentication success message (the Access-Accept), for example a VLAN assignment.
  • FIG. 3 is a configuration view of a network according to the centralized authentication method.
  • FIG. 4 is a configuration view of a network according to the distributed authentication method.
  • in the centralized authentication method, the authentication server is located in the center of the network, so user authentication management can advantageously be centralized.
  • however, if several authentication request points are distributed across the network, the data rate of the network may be limited and its performance may deteriorate as the load on the authentication server increases.
  • in the distributed authentication method, a main authentication server located in the center of the network manages resources and the database, and the local servers that send the authentication requests manage TLS (Transport Layer Security) sessions and keys to reduce the load on the main authentication server.
  • the distributed authentication method can increase network efficiency to about five times that of the centralized authentication method.
  • in addition, the distributed authentication method can improve the stability of authentication for local users.
  • since 2000, computer viruses and malicious code such as worms have spread widely and their techniques have diversified; these techniques have also been used as hacking tools, and the resulting attacks have caused damage on a scale not seen before. To cope with them, various anti-virus (vaccine) programs have been proposed and developed.
  • at the same time, the number of users of portable terminals keeps increasing.
  • however, the vaccine programs on portable terminals are updated less reliably than those on desktop terminals.
  • moreover, these non-updated portable terminals are connected to the network.
  • computer viruses and malicious code entering an intranet from external public networks can to some extent be controlled or blocked by firewalls, expensive IDS/IPS (Intrusion Detection System/Intrusion Prevention System) products, or an anti-virus system, to preserve the security of the intranet.
  • recently, as wireless communication technologies have developed remarkably, users have been accessing the network wirelessly with portable terminals such as notebooks and PDAs (Personal Digital Assistants).
  • an object of the present invention is to provide a network security system capable of preserving the security of a network by optimizing the security status of each terminal accessing the network.
  • another object of the present invention is to provide a network security server capable of checking the security status of each user terminal during the user authentication process, in cooperation with an authentication server.
  • a network security system performing an authentication process on users accessing a network and a network security process, comprising: a security server for storing and managing personal security policies applied to registered users and security information on the personal security policies; a terminal for transmitting basic authentication information input by a user to request authentication; and an authentication server for performing the authentication process on the user based on the basic authentication information received from the terminal and receiving the personal security policies applied to the user and the associated security information from the security server, wherein, when authentication is granted to the user, the authentication server determines whether or not to allow the terminal to access the network based on the personal security policies and the security information received from the security server.
  • the security information of the personal security policies may include a list of the specific software to be installed in each user's terminal and the registration information of that software; the security information held in the security server includes the list of specific software to which the personal security policies apply, the registration information of that software, and information on the management server that manages the S/W.
  • the authentication server may determine whether or not the user is a registered one based on the basic authentication information received from the terminal; if the user is not registered, the authentication server does not grant authentication and does not allow the user to access the network.
  • if the user is registered, the authentication server transmits to the terminal the security information received from the security server, the terminal transmits to the authentication server the result of comparing that security information with the registration information on the terminal, and, if the comparison result shows that the security information matches the registration information on the terminal, the authentication server allows the terminal to access the network.
  • the authentication server may set the VLAN ID of the terminal to the VLAN ID of the management server managing the specific software and provide the URL of that management server to the terminal.
  • the network security system may further comprise at least one access point or switch enabling the terminal to access the network, wherein the access point or switch relays the authentication request received from the terminal to the authentication server and the information received from the authentication server to the terminal.
  • a security server comprising a database for storing and managing personal security policies to be set up and applied to users and security information on the personal security policies, wherein the security information includes a list of the specific software to which the personal security policies apply, the registration information of that software, and information on a management server managing the S/W, and wherein the security server updates the database at a predetermined interval in cooperation with the management server and transmits the personal security policy applied to a specific user and the security information on that policy in response to a request from the authentication server.
  • a network security method of performing a security process on a network and on a user terminal accessing the network, comprising: a step (a) of receiving basic authentication information and an authentication request from a user's terminal; a step (b) of determining whether or not the user is a registered one based on the received basic authentication information; a step (c) of receiving the personal security policy applied to the user and its security information, and transmitting the security information to the user terminal, if the user is registered; a step (d) of receiving the result of comparing the security information with the corresponding information on the user terminal; and a step (e) of allowing the user terminal to access the network if the comparison result shows that the security information matches the corresponding information on the user terminal.
  • in the network security system of the present invention, personal security policies are set up per user and applied to those users, and network access of each user terminal is granted or refused in accordance with those policies, so that the security of the network is enhanced.
  • security-associated programs or virus vaccine programs can be installed in the user terminals registered in the authentication server, and those programs can be kept updated to their newest versions.
  • a virus-infected user terminal can be automatically quarantined from the network so that the programs infected with viruses can be treated.
  • the network security system can perform a remote virus prevention process in cooperation with a vaccine management server over a protected path.
  • network access is denied to any user terminal on which the newest versions of the security-associated programs or virus vaccine programs are not installed, so that terminals which are likely to be virus-infected or to have a security problem can be kept off the network.
  • FIG. 1 is a configuration view showing the whole configuration of an authentication system in accordance with the IEEE 802.1X standard.
  • FIG. 2 is a flowchart explaining the series of authentication processes performed by the entities in the authentication system of FIG. 1.
  • FIGS. 3 and 4 are views explaining the centralized and distributed authentication methods, respectively.
  • FIG. 5 is a configuration view showing a network security system according to a preferred embodiment of the present invention.
  • FIG. 6 is a configuration view explaining the operations of users in a network security system according to a preferred embodiment of the present invention.
  • FIG. 7 is a flowchart of a series of operations of the authentication server in a network security system according to the present invention.
  • FIG. 8 is a flowchart of a series of operations of a user terminal in a network security system according to a preferred embodiment of the present invention.
  • referring to FIG. 5, the network security system according to the present invention comprises user terminals 500, 502, 504, 506 and 508, an access point 510, a switch 520, an authentication server 530, a security server 540, and specific-software management servers 550, 552 and 554.
  • the user accesses the access point 510 and/or the switch 520 through the user terminal and enters the basic authentication information.
  • the basic authentication information may be the user's ID and password.
  • the user terminal transmits the basic authentication information input by the user to the access point 510 and/or the switch 520 to request authentication.
  • the access point 510 and/or the switch 520 forwards the associated information, together with the user's authentication request, to the authentication server 530.
  • the network management system may include at least one access point and at least one switch.
  • the network management system may use a core switch 522 to manage the switches collectively.
  • the authentication server 530 receives the basic authentication information of users from an authenticator such as a switch and performs the user authentication process.
  • the basic authentication information includes the user's ID and password, but it can vary depending on the network or communication protocol. If authentication is granted to the user, the authentication server 530 checks the personal security policies applied to the user and then, in cooperation with the security server 540, checks the S/W installation status of the user terminal against those policies. If the S/W installation status of the user terminal matches the security information of the personal security policies, the authentication server 530 allows the user terminal to access the network. The detailed operation of the authentication server 530 is described later.
  • the security server 540 sets up the personal security policies applied to the users.
  • the personal security policies carry security information consisting of a list of the S/W used by the policies, the registration information of that S/W, and information on the management servers that manage the S/W.
  • the security server 540 stores and manages new registration information on the S/W in its database and transmits the associated information to the authentication server 530 in response to a request from the authentication server 530.
  • the S/W registered in the security server 540 includes, for example, virus vaccine programs, O/S patch programs, and other security-associated programs.
  • the management servers managing and operating the S/W include, for example, a vaccine server 550, an O/S patch server 552, and other PC security servers 554.
  • the set of S/W registered in the security server 540 may be changed in response to requests from a system manager or from the system.
  • referring to FIGS. 6 and 7, the operation of the authentication server performing the authentication process and applying the personal security policies to the users in cooperation with the security server is described in detail.
  • FIG. 6 is a view showing the operations of the network security system according to the present invention.
  • FIG. 7 is a flowchart of a series of operations of the authentication server in the network security system according to the present invention.
  • as shown in FIG. 7, the authentication server receives the basic authentication information from one of the user terminals 500, 502, 506 and 508 (Step 700).
  • the authentication server determines whether or not the user is a registered one based on the basic authentication information received from the user terminal (Step 710).
  • if the user is registered, the authentication server transmits the user's ID from the basic authentication information to the security server, and then receives from the security server the personal security policies corresponding to that ID and the security information according to those policies (Step 730).
  • the personal security policies are the security policies applied to the users.
  • the security information includes the list of specific S/W set up for the user and the registration information on that S/W.
  • the authentication server 530 receives the personal security policies and the security information from the security server 540 and forwards the security information to the user terminal (Step 740).
  • the user terminal receiving the security information from the authentication server 530 reads out the information on the S/W listed in the security information and determines whether or not that S/W is installed in the user terminal. If it is installed, the user terminal reads the registration information of that S/W. The user terminal then compares the security information received from the authentication server with the registration information on its own S/W and transmits the comparison result information to the authentication server.
  • the authentication server receives the comparison result information from the user terminal (Step 750).
  • the authentication server reads out the comparison result information (Step 760). If the comparison result shows that the security information matches the registration information of the S/W on the user terminal, the user terminal (corresponding to registered user 502 or 504 of FIG. 5) is allowed to access the network (Step 780), and the process ends. If the security information does not match the registration information of the S/W on the user terminal, the VLAN ID of the user terminal (corresponding to registered user 506 of FIG. 5) is set to the VLAN ID of the S/W management server, and the URL of the S/W management server is transmitted to the user terminal (Step 770).
  • the authentication server sets the VLAN ID of the user terminal to the VLAN ID of the specific S/W management server and allocates the corresponding IP address to the user terminal. The user terminal is therefore able to reach only the specific S/W management server and is denied access to the rest of the network. (This relies on that VLAN being isolated from the other networks by the switch or a firewall; shared VLAN membership by itself only places the terminal and the management server on the same segment.)
  • the user terminal receiving the URL of the specific S/W management server accesses the specific S/W management server and downloads the specific S/W to install it or to update it to the new version.
  • the user terminal then compares the security information received from the authentication server with the registration information of the S/W again and transmits the new comparison result information to the authentication server.
  • the authentication server reads out the comparison result information received from the user terminal and again decides whether to allow access.
  • FIG. 8 is a flowchart of a series of operations of a terminal program installed in a user terminal in a network security system according to a preferred embodiment of the present invention.
  • the basic authentication information input by the user is transmitted to the authentication server (Step 800).
  • the user terminal receives an authentication success message and the specific security information from the authentication server (Step 810).
  • the specific security information includes the list of the specific S/W, the registration information on that S/W, and information on its version.
  • the user terminal reads out its own S/W registration information (Step 820).
  • the user terminal compares the specific security information received from the authentication server with the read-out S/W registration information and transmits the comparison result information to the authentication server (Step 830). If the authentication server allows the user terminal to access the network, the process ends (Step 840). If the user terminal is not allowed to access the network and the URL of the management server managing the specific S/W is provided (Step 850), the user terminal accesses that management server to download and install the S/W (Step 860).
  • the user terminal then reads out its S/W registration information again, compares the security information with it, and transmits the new comparison result information to the authentication server (Step 830), so that the authentication server can now allow the user terminal to access the network.
  • the network security system according to the preferred embodiments of the present invention thus authenticates users intending to access the network and checks the installation and version of the specific software stored in the user terminal, such as O/S patch programs and virus vaccine programs, before allowing the user terminal to access the network.
  • if that check fails, the authentication server, in cooperation with the security server, denies the user terminal access to the network.
  • after the specific software has been installed or updated, the authentication server allows the user terminal to access the network.
  • various programs such as virus vaccine programs, O/S patch programs, and other PC security-associated programs can be used as the specific software.
  • the virus vaccine program can be updated at the same time as the authentication is performed, so that the security of both the network and the user terminal (such as a PC) is preserved.
  • a module having the function of the aforementioned security server may be built into the authentication server, so that the security server and the authentication server are integrated.
  • the user terminal may transmit S/W processing result information in addition to the comparison result information obtained by comparing the security information with the S/W registration information of the user terminal.
  • the authentication server may analyze the information received from the user terminal to determine whether or not to allow the user terminal to access the network.
  • for example, the virus vaccine program is set up as the S/W. If the S/W processing result information from the user terminal indicates that the terminal is infected with a virus, the authentication server does not allow the user terminal to access the network. At the same time, the authentication server allocates a secure network path to the user terminal, so that the user terminal can reach the vaccine management server and have the virus-infected programs treated.
  • the network security system can thus enhance network security by denying network access to a virus-infected terminal or to a terminal on which the specific S/W is not installed.
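The procedure of FIGS. 7 and 8 (Steps 700 to 860) and the claim elements listed above, as an added example that is not the patent's own code: a Python model of the security server's per-user policy and security information, the terminal's comparison of that information with its local S/W registration information, the authentication server's allow / quarantine / deny decision (including the VLAN ID and URL of the management server on a mismatch, and the infected-terminal case), and the terminal's remediate-and-retry loop. The user list, software names, version numbers, VLAN identifiers and management-server URLs are constructed for the example, and the S/W processing result is reduced to an infected flag.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class SoftwareRequirement:
    """One entry of the security information held by the security server."""
    name: str              # specific S/W required by the personal policy
    min_version: Version   # registration information: oldest acceptable version
    mgmt_vlan: str         # VLAN ID of the management server distributing it
    mgmt_url: str          # URL the terminal is sent to for download/update


@dataclass
class Decision:
    status: str                 # "allow", "quarantine" or "deny"
    vlan: Optional[str] = None  # VLAN the terminal is placed in
    url: Optional[str] = None   # management server URL when quarantined
    reason: str = ""


# Constructed management servers, mirroring FIG. 5 (vaccine server 550, O/S patch server 552).
VACCINE = SoftwareRequirement("vaccine", (2, 5, 0), "vlan-550", "https://vaccine.example.internal/update")
OS_PATCH = SoftwareRequirement("os-patch", (2005, 3), "vlan-552", "https://patch.example.internal/")


class SecurityServer:
    """Stores personal security policies and their security information (constructed data)."""

    def __init__(self) -> None:
        self.policies: Dict[str, List[SoftwareRequirement]] = {
            "alice": [VACCINE, OS_PATCH],
            "bob": [VACCINE],
        }

    def security_info(self, user: str) -> List[SoftwareRequirement]:
        return list(self.policies.get(user, []))


class Terminal:
    """Terminal program: local S/W registration info plus the last scan result."""

    def __init__(self, installed: Dict[str, Version], infected: bool = False) -> None:
        self.installed = dict(installed)
        self.infected = infected

    def compare(self, info: List[SoftwareRequirement]) -> dict:
        """Steps 820/830: compare received security information with local registration info."""
        matches = {r.name: (r.name in self.installed and self.installed[r.name] >= r.min_version)
                   for r in info}
        return {"matches": matches, "infected": self.infected}

    def remediate(self, url: str, info: List[SoftwareRequirement]) -> None:
        """Step 860: fetch and install/update from the management server at url (simulated)."""
        for r in info:
            if r.mgmt_url == url:
                self.installed[r.name] = r.min_version
                if r.name == "vaccine":
                    self.infected = False   # the vaccine server's scan treats the infection


class AuthenticationServer:
    def __init__(self, users: Dict[str, str], security_server: SecurityServer,
                 access_vlan: str = "vlan-users") -> None:
        self.users = users                  # registered users (ID -> password), constructed
        self.security_server = security_server
        self.access_vlan = access_vlan

    def authenticate(self, user: str, password: str, terminal: Terminal) -> Decision:
        if self.users.get(user) != password:             # Steps 700/710
            return Decision("deny", reason="user not registered")
        info = self.security_server.security_info(user)  # Steps 730/740
        report = terminal.compare(info)                  # Steps 750/760
        if report["infected"]:
            vaccine = next((r for r in info if r.name == "vaccine"), None)
            if vaccine is None:
                return Decision("deny", reason="infected and no vaccine server in policy")
            return Decision("quarantine", vaccine.mgmt_vlan, vaccine.mgmt_url, "infected")
        failing = [r for r in info if not report["matches"][r.name]]
        if failing:                                      # Step 770: management server's VLAN + URL
            first = failing[0]
            return Decision("quarantine", first.mgmt_vlan, first.mgmt_url,
                            f"{first.name} missing or below {first.min_version}")
        return Decision("allow", self.access_vlan)       # Step 780


def admit(auth: AuthenticationServer, user: str, password: str,
          terminal: Terminal, max_rounds: int = 4) -> Decision:
    """Terminal side of FIG. 8: authenticate, remediate while quarantined, re-check."""
    decision = auth.authenticate(user, password, terminal)
    for _ in range(max_rounds):
        if decision.status != "quarantine":
            break
        terminal.remediate(decision.url, auth.security_server.security_info(user))
        decision = auth.authenticate(user, password, terminal)
    return decision


if __name__ == "__main__":
    auth = AuthenticationServer({"alice": "pw-a", "bob": "pw-b"}, SecurityServer())
    stale = Terminal({"vaccine": (2, 4, 9), "os-patch": (2005, 3)})
    print(auth.authenticate("alice", "pw-a", stale))   # quarantine on vlan-550
    print(admit(auth, "alice", "pw-a", stale))         # allow after the vaccine update
```

The decision rests entirely on the comparison result the terminal reports about itself; the patent does not say how that report is protected, so a deployment would have to bind it to the terminal program (for example by signing it, or by verifying it server-side) before trusting it.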

Abstract

A network security system performing an authentication process on users accessing a network and a network security process is provided. The network security system includes: a security server for storing and managing personal security policies applied to registered users and security information on the personal security policies; a terminal for transmitting basic authentication information input by a user to request authentication; and an authentication server for performing the authentication process on the user based on the basic authentication information received from the terminal and receiving the personal security policies applied to the user and the associated security information from the security server, wherein, when authentication is granted to the user, the authentication server determines whether or not to allow the terminal to access the network based on the personal security policies and the security information received from the security server. Accordingly, whether or not the user terminal is allowed to access the network is determined from the installation status of the specific software named in the security information applied to the user, at the same time as the authentication process is performed on the user accessing the network, so that optimal security can be implemented.

Description

NETWORK SECURITY SYSTEM CO-OPERATED WITH AN AUTHENTICATION SERVER AND METHOD THEREOF
TECHNICAL FIELD The present invention relates to a network security system capable of enforcing an enhanced security policy, and more particularly to a network security system and method that performs an authentication process on users accessing a network and, at the same time, checks the installation status of specific software in the user terminal against the personal security policies set up for that user, and decides from the check result whether or not to allow the user terminal to access the network, thereby implementing optimal network security.
BACKGROUND ART FIG. 1 is a configuration view showing the whole configuration of an authentication system in accordance with the IEEE 802.1X standard. FIG. 2 is a flowchart explaining the series of authentication processes performed by the entities in the authentication system of FIG. 1. Referring to FIGS. 1 and 2, the IEEE 802.1X standard defines three entities: a supplicant 100, an authenticator 110, and an authentication server 120. The supplicant 100 is the entity that provides the user's authentication information to the authenticator 110 and sends the authentication request to the authenticator 110. For example, the supplicant includes wired or wireless terminals intending to access the network. When the supplicant sends the authentication request, the authenticator's controlled port is still unauthorized; only its uncontrolled port is open, and it passes nothing but EAP traffic. In this status, the supplicant and authenticator communicate with each other through EAP (Extensible Authentication Protocol), carried over the link as EAPOL frames. The authenticator 110 is the entity that relays the received authentication information and authentication request to the authentication server 120. When the authentication server grants authentication, the authenticator forwards an authentication success message to the supplicant and authorizes its controlled port, which from then on passes the supplicant's normal traffic. For example, the authenticator includes APs (Access Points), routers, switches, and the like. The authentication server 120 is the entity that decides authentication based on the supplicant's authentication request received from the authenticator 110. To make that decision, the authentication server uses the user's authentication information stored in its internal database or received from external entities. The IEEE 802.1X standard does not define the protocol for communication between the authentication server 120 and the authenticator 110.
In general, a protocol used for an AAA (Authentication, Authorization, and Accounting) server is recommended as the protocol between the authentication server 120 and the authenticator 110; in practice, RADIUS (Remote Authentication Dial-In User Service) is the de-facto industry standard. When the authenticator and the authentication server communicate through RADIUS, the user's network access rights can be controlled not only by the authentication decision (made by the authentication server's internal authentication algorithm) but also by the standard and vendor-specific RADIUS attributes returned together with the authentication success message (the Access-Accept), for example a VLAN assignment. On the other hand, authentication methods for a network to which a plurality of network devices are connected are mainly classified into centralized and distributed authentication methods. FIG. 3 is a configuration view of a network according to the centralized authentication method. FIG. 4 is a configuration view of a network according to the distributed authentication method. As shown in FIG. 3, in the centralized authentication method the authentication server is located in the center of the network, so user authentication management can advantageously be centralized. However, if several authentication request points are distributed across the network, the data rate of the network may be limited and its performance may deteriorate as the load on the authentication server increases. As shown in FIG. 4, in the distributed authentication method a main authentication server located in the center of the network manages resources and the database, and the local servers that send the authentication requests manage TLS (Transport Layer Security) sessions and keys to reduce the load on the main authentication server.
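The three-entity exchange and the port behaviour described above, as an added example that is not part of the patent or of the IEEE 802.1X text: a small Python model of a supplicant, an authenticator whose uncontrolled port passes only EAPOL frames and whose controlled port opens only after the authentication server answers Access-Accept, and the RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, the standard trio used for VLAN assignment) that travel with the success message and steer the port. The user database, the VLAN numbers and the credential check are constructed for the example; the plain password comparison stands in for a real EAP method, which would never carry the password in the clear.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed user database and per-user VLAN assignments (assumptions for this example).
USER_DB = {"alice": "correct horse", "bob": "battery staple"}
USER_VLAN = {"alice": "10", "bob": "20"}


@dataclass
class RadiusResponse:
    """What the authentication server returns to the authenticator."""
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)


class AuthenticationServer:
    """Decides authentication from its internal user database and returns the
    attributes the authenticator applies to the controlled port on success."""

    def access_request(self, attributes: dict) -> RadiusResponse:
        user = attributes.get("User-Name")
        if user is None or USER_DB.get(user) != attributes.get("User-Password"):
            return RadiusResponse("Access-Reject")
        # Tunnel attributes carrying the VLAN the port should be placed in.
        return RadiusResponse("Access-Accept", {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": USER_VLAN[user],
        })


class Authenticator:
    """Switch port or access point. The uncontrolled port passes only EAPOL
    frames; the controlled port passes ordinary traffic only once authorized."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.authorized = False          # controlled-port state
        self.vlan: Optional[str] = None  # VLAN applied on Access-Accept

    def receive(self, frame: dict) -> dict:
        if frame["ethertype"] == "EAPOL":
            return self._uncontrolled_port(frame)
        return self._controlled_port(frame)

    def _uncontrolled_port(self, frame: dict) -> dict:
        if frame["type"] == "EAPOL-Start":
            return {"eap": "Request/Identity"}
        if frame["type"] == "EAP-Response":
            # Relay the supplicant's response to the server over RADIUS.
            resp = self.server.access_request({
                "User-Name": frame["identity"],
                "User-Password": frame["credential"],
            })
            if resp.code == "Access-Accept":
                self.authorized = True
                self.vlan = resp.attributes.get("Tunnel-Private-Group-ID")
                return {"eap": "Success", "vlan": self.vlan}
            self.authorized = False
            return {"eap": "Failure"}
        return {"eap": "Failure"}

    def _controlled_port(self, frame: dict) -> dict:
        if not self.authorized:
            return {"forwarded": False, "reason": "controlled port unauthorized"}
        return {"forwarded": True, "vlan": self.vlan}


def authenticate(auth: Authenticator, identity: str, credential: str) -> dict:
    """Supplicant side: EAPOL-Start, then an EAP-Response carrying the identity
    and credential. Returns the authenticator's final EAP result."""
    auth.receive({"ethertype": "EAPOL", "type": "EAPOL-Start"})
    return auth.receive({"ethertype": "EAPOL", "type": "EAP-Response",
                         "identity": identity, "credential": credential})


if __name__ == "__main__":
    auth = Authenticator(AuthenticationServer())
    print(auth.receive({"ethertype": "IPv4", "payload": b"GET / HTTP/1.0"}))  # dropped
    print(authenticate(auth, "alice", "correct horse"))                       # Success, VLAN 10
    print(auth.receive({"ethertype": "IPv4", "payload": b"GET / HTTP/1.0"}))  # forwarded on VLAN 10
```

The point to take from the model is that the authenticator never judges credentials itself: it opens the controlled port only on the server's Access-Accept, and the attributes in that same message decide which VLAN the port lands in.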
The distributed authentication method can increase network efficiency by about five times that of the centralized authentication method. In addition, the distributed authentication method can improve stability of authentication for local users. Since 2000, computer viruses and malicious codes such as worms have spread widely, and various techniques thereof have been developed. Moreover, these techniques have been used as hacking tools. As a result, the computer viruses and malicious codes have caused attacks and damage on a scale never seen before. In order to cope with the computer viruses and malicious codes, various anti-virus vaccine programs have been proposed and developed. On the other hand, the number of users of portable terminals is increasing. However, the vaccine programs on portable terminals are not updated as reliably as those on desktop terminals. Moreover, these non-updated portable terminals are connected to the network. The computer viruses and malicious codes entering intranets from external public networks can be somewhat controlled or blocked by using firewalls, expensive IDS/IPS (Intrusion Detection System/Intrusion Protection System), or an anti-virus system to preserve security of the intranets. Recently, as wireless communication technologies have developed remarkably, users have wirelessly accessed the network by using portable terminals such as notebooks and PDAs (Personal Digital Assistants). As a result, virus infections arriving over internal paths (that is, via the portable terminals) are left to be treated by the users themselves performing vaccine updates and scans. DETAILED DESCRIPTION OF THE INVENTION Technical Goal of the Invention Accordingly, a collective security solution capable of monitoring the security status of a personal computer and preventing threats in advance has been increasingly needed. Therefore, the inventor has contrived such a collective security solution.
In order to solve the aforementioned problems, an object of the present invention is to provide a network security system capable of preserving security of a network by optimizing the security status of each terminal accessing the network. In addition, another object of the present invention is to provide a network security server capable of checking the security status of each user terminal during the user authentication process in cooperation with an authentication server. Disclosure of the Invention In order to achieve the aforementioned objects, according to an aspect of the present invention, there is provided a network security system performing an authentication process on users accessing a network and a network security process, comprising: a security server for storing and managing personal security policies applied to registered users and security information on the personal security policies; a terminal for transmitting basic authentication information input by a user to request authentication; and an authentication server for performing the authentication process on the user based on the basic authentication information received from the terminal and receiving the personal security policies applied to the user and the associated security information from the security server, wherein, when authentication is granted to the user, the authentication server determines whether or not to allow the terminal to access the network based on the personal security policies and the security information received from the security server.
In the aspect of the present invention, the security information of the personal security policies may include a list of specific software to be installed in the terminal of each user and registration information of the specific software, wherein the security information in the security server includes a list of specific software to which the personal security policies are applied, registration information of the specific software, and information on a management server managing the S/W. In addition, the authentication server may determine whether or not the user is a registered one based on the basic authentication information received from the terminal, wherein, if the user is not a registered one, the authentication server does not grant authentication and does not allow the user to access the network. In addition, the authentication server may determine whether or not the user is a registered one based on the basic authentication information received from the terminal, wherein, if the user is a registered one, the authentication server transmits to the terminal the security information received from the security server, wherein the terminal transmits comparison result information of comparing the security information with the registration information on the terminal to the authentication server, and wherein, if the security information matches the registration information on the terminal according to the comparison result information, the authentication server allows the terminal to access the network. In addition, if the security information does not match the registration information on the terminal according to the comparison result information, the authentication server may set the VLAN ID of the terminal to the same as the VLAN ID of a management server managing the specific software and provide a URL of the management server to the terminal.
In addition, the network security system may further comprise at least one of access points and switches enabling the terminal to access the network, wherein the access points or switches transmit the authentication request received from the terminal to the authentication server or information received from the authentication server to the terminal. According to another aspect of the present invention, there is provided a security server comprising a database for storing and managing personal security policies to be set up and applied to users and security information on the personal security policies, wherein the security information includes a list of specific software to which the personal security policies are applied, registration information of the specific software, and information on a management server managing the S/W, and wherein the security server updates the database in a predetermined time period in cooperation with the management server and transmits the personal security policy applied to the specific user and the security information on the applied personal security policy in response to a request of the authentication server.
According to still another aspect of the present invention, there is provided a network security method of performing a security process on a network and a user terminal accessing the network, comprising: a step (a) of receiving basic authentication information and an authentication request from a user terminal of a user; a step (b) of determining whether or not the user is a registered one based on the received basic authentication information; a step (c) of receiving the personal security policy applied to the user and the security information and transmitting the security information to the user terminal if the user is a registered one; a step (d) of receiving comparison result information of a comparison of the security information with the corresponding information on the user terminal; and a step (e) of allowing the user terminal to access the network if the security information matches the corresponding information on the user terminal according to the comparison result information. Effect of the Invention According to a network security system of the present invention, personal security policies are set up per user, the set-up personal security policies are applied to the users, and allowance of network access of user terminals is determined in accordance with the personal security policies, so that it is possible to enhance security of a network. In addition, according to a network security system of the present invention, in the IEEE 802.1x standard, security-associated programs or virus vaccine programs can be installed in user terminals registered in an authentication server, and the programs can always be updated to new versions. In addition, according to a network security system of the present invention, a virus-infected user terminal can be automatically quarantined from a network in order to treat the programs infected with viruses.
In addition, if necessary, the network security system can perform a remote virus prevention process in cooperation with a vaccine management server by means of a protected path. In addition, according to a network security system of the present invention, network access of a user terminal in which new versions of security-associated programs or virus vaccine programs are not installed is denied, so that network access of terminals which are likely to be virus-infected or to have a security problem can be denied without exception.
BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a configuration view showing a whole configuration of an authentication system in accordance with the IEEE 802.1x standard. FIG. 2 is a flowchart for explaining a series of authentication processes performed by entities in the authentication system of FIG. 1. FIGS. 3 and 4 are views for explaining centralized and distributed authentication methods, respectively. FIG. 5 is a configuration view showing a network security system according to a preferred embodiment of the present invention. FIG. 6 is a configuration view for explaining operations of users in a network security system according to a preferred embodiment of the present invention. FIG. 7 is a flowchart of a series of operations of an authentication server in a network security system according to the present invention. FIG. 8 is a flowchart of a series of operations of a user terminal in a network security system according to a preferred embodiment of the present invention.
BEST MODE FOR CARRYING OUT THE INVENTION Now, constructions and operations of a network security system according to preferred embodiments of the present invention will be described with reference to the accompanying drawings. FIG. 5 is a configuration view showing a network security system according to a preferred embodiment of the present invention. Referring to FIG. 5, the network security system according to the present invention comprises user terminals 500, 502, 504, 506, and 508, an access point 510, a switch 520, an authentication server 530, a security server 540, and specific-software management servers 550, 552, and 554. Now, constructions and operations of the components of the network security system will be described in detail. When a user intends to access a network, the user accesses the access point 510 and/or the switch 520 to enter basic authentication information. Here, the basic authentication information may be the user's ID and password. The user terminal transmits the basic authentication information (input by the user) to the access point 510 and/or the switch 520 to request authentication. The access point 510 and/or the switch 520 transfers the associated information to the authentication server 530. When receiving the authentication request from the wired or wireless terminal, the access point 510 and/or the switch 520 transmits the associated information together with the authentication request of the user to the authentication server 530. Here, the network management system may include at least one access point and at least one switch. In this case, the network management system may utilize a core switch 522 in order to collectively manage the at least one switch. The authentication server 530 receives the basic authentication information of users from an authenticator such as a switch and performs a user authentication process. Here, the basic authentication information includes the user's ID and password.
The basic authentication information can vary depending on networks or communication protocols. If authentication is granted to the user, the authentication server 530 checks the personal security policies applied to the user, and then, it checks the S/W installation status of the user terminal based on the checked personal security policies in cooperation with the security server 540. If the S/W installation status of the user terminal matches the security information of the personal security policies, the authentication server 530 allows the user terminal to access the network. The detailed operations of the authentication server 530 will be described later. Next, the security server 540 sets up the personal security policies applied to the users. The personal security policies have the security information including a list of S/W used for the personal security policies, registration information of the S/W, and information on the management servers (which manage the S/W). In addition, in cooperation with the management servers 550, 552, and 554 managing the S/W registered in the list, the security server 540 stores and manages new registration information on the S/W in the database and transmits the associated information to the authentication server 530 in response to a request of the authentication server 530. Here, the S/W registered in the security server 540 includes, for example, virus vaccine programs, O/S patch programs, and other security-associated programs. The management servers managing and operating the S/W include, for example, a vaccine server 550, an O/S patch server 552, and other PC security servers 554. However, it should be noted that a variety of the S/W registered in the security server 540 may be set up in response to requests of a system manager or a system.
Now, referring to FIGS. 6 and 7, the operation of the authentication server performing the authentication process and applying the personal security policies to the users in cooperation with the security server will be described in detail. FIG. 6 is a view showing the operations of the network security system according to the present invention. FIG. 7 is a flowchart of a series of operations of the authentication server in the network security system according to the present invention. As shown in FIG. 6, the users may be classified into an unregistered user 508, a registered non-updated user 506, a VLAN ID = 20 registered user 502, and a VLAN ID = 30 registered user 500. Now, a series of the operations of the authentication server for performing the authentication process on the users of FIG. 6 will be described with reference to FIGS. 6 and 7. Firstly, as shown in FIG. 7, the authentication server receives the basic authentication information from one of the user terminals 500, 502, 506, and 508 (Step 700). Next, the authentication server determines whether or not the user is a registered one based on the basic authentication information received from the user terminal (Step 710). If the user is not a registered one (corresponding to the unregistered user 508), authentication is not granted to the user, so that the user is not allowed to access the network, and the authentication process ends. If the user is a registered one (corresponding to the users 502, 504, and 506) (Step 720), the authentication server transmits the user's ID among the basic authentication information to the security server, and then receives the personal security policies corresponding to the user's ID from the security server and the security information according to the personal security policies (Step 730). Here, the personal security policies are security policies applied to the users. The security information includes the list of specific S/W set up for the user and the registration information on the S/W.
Next, the authentication server 530 receives the personal security policies and the security information from the security server 540 and transfers the security information to the user terminals (Step 740). On the other hand, the user terminal receiving the security information from the authentication server 530 reads out information on the S/W registered in the security information and determines whether or not the read-out S/W is installed in the user terminal. If the read-out S/W is installed in the user terminal, the user terminal checks the registration information on the specific S/W thereof. Next, the user terminal compares the security information received from the authentication server with the registration information on the S/W of the user terminal and transmits comparison result information to the authentication server. The authentication server receives the comparison result information from the user terminal (Step 750). The authentication server reads out the comparison result information (Step 760). If the security information matches the registration information of the S/W of the user terminal according to the comparison result, the user terminal (corresponding to the registered user 502 or 504 of FIG. 5) is allowed to access the network (Step 780), and the process ends. If the security information does not match the registration information of the S/W of the user terminal according to the comparison result, the VLAN ID of the user terminal (corresponding to the registered user 506 of FIG. 5) is set to the same as the VLAN ID of the S/W management server, and the URL of the S/W management server is transmitted to the user terminal (Step 770). Namely, the authentication server sets the VLAN ID of the user terminal to the same as the VLAN ID of the specific S/W management server and allocates the corresponding IP to the user terminal.
Therefore, the user terminal is allowed to access only the specific S/W management server while access to other networks is denied. On the other hand, the user terminal receiving the URL of the specific S/W management server accesses the specific S/W management server and downloads the specific S/W to install the S/W in the user terminal or to update it to a new version of the S/W. Now, the user terminal compares the security information received from the authentication server with the registration information of the S/W and transmits comparison result information to the authentication server. Next, the authentication server reads out the comparison result information received from the user terminal. If the security information matches the registration information of the S/W of the user terminal according to the comparison result, the authentication server allows the user to access the network, and the process ends. FIG. 8 is a flowchart of a series of operations of a terminal program installed in a user terminal in a network security system according to a preferred embodiment of the present invention. Firstly, basic authentication information input by a user (intending to access a network) is transmitted to an authentication server (Step 800). Next, the user terminal receives an authentication success message and specific security information from the authentication server (Step 810). Here, the specific security information includes a list of the specific S/W, registration information on the S/W, and information on the version of the S/W. Next, the user terminal reads out the S/W registration information of the user terminal (Step 820). Next, the user terminal compares the specific security information received from the authentication server with the read-out S/W registration information of the user terminal and transmits comparison result information to the authentication server (Step 830).
If the user terminal is allowed to access the network by the authentication server, the process ends (Step 840). If the user terminal is not allowed to access the network and if the URL of the management server managing the specific S/W is provided (Step 850), the user terminal accesses the management server to download and install the S/W (Step 860). Next, the user terminal reads out the S/W registration information of the user terminal again to compare the security information with the read-out S/W registration information and transmits comparison result information to the authentication server (Step 830), so that the authentication server allows the user terminal to access the network. The network security system according to the preferred embodiments of the present invention performs authentication for users intending to access the network and checks the installation and version of specific software, O/S patch programs, virus vaccine programs, or the like stored in the user terminal before allowing the user terminal to access the network. In addition, if the specific software is not installed or if it is not updated to a new version, the authentication server according to the present invention denies the user terminal access to the network in cooperation with the security server. After the specific software is installed or updated, the authentication server allows the user terminal to access the network. Here, various programs such as virus vaccine programs, O/S patch programs, and other PC security-associated programs can be used as the specific software. In particular, in a case where the registration information on the virus vaccine program is used for security of the user terminal, the virus vaccine program can be updated at the same time as performing the authentication, so that it is possible to preserve security of the network as well as of the user terminal such as a PC.
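The following Python is an added example, not code from the patent, modelling the authentication-server side of FIG. 7 and the terminal side of FIG. 8 in one place; the user records, passwords, personal security policies, VLAN IDs, version strings and management-server URL are all constructed placeholders.

```python
"""Model of the decision flow of FIGS. 7 and 8 (added example, not patent code).

All user records, policies, VLAN IDs, version strings and the management URL
below are constructed for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

QUARANTINE_VLAN = 99  # constructed: VLAN ID shared with the S/W management servers (Step 770)
MANAGEMENT_URL = "http://swmgmt.example.invalid/update"  # constructed placeholder URL


@dataclass(frozen=True)
class SoftwareRequirement:
    """One entry of the security information: S/W name and required registration (version)."""
    name: str
    min_version: str


@dataclass
class Decision:
    """What the authentication server tells the authenticator/terminal."""
    allowed: bool
    vlan_id: Optional[int] = None
    management_url: Optional[str] = None
    reason: str = ""


def _pw_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Registered users of the authentication server (constructed). Passwords are
# stored salted and hashed; vlan_id is the VLAN a compliant terminal is placed in.
USER_DB = {
    "alice": {"salt": b"salt-a", "pw_hash": _pw_hash("alice-pass", b"salt-a"), "vlan_id": 20},
    "bob": {"salt": b"salt-b", "pw_hash": _pw_hash("bob-pass", b"salt-b"), "vlan_id": 30},
}

# Personal security policies held by the security server, keyed by user ID (constructed).
SECURITY_POLICIES = {
    "alice": [SoftwareRequirement("vaccine", "5.2.1"), SoftwareRequirement("os-patch", "2005-03")],
    "bob": [SoftwareRequirement("vaccine", "5.2.1")],
}


def parse_version(text: str) -> tuple:
    """Numeric comparison of dotted or dashed version strings ('5.10.0' > '5.2.1')."""
    return tuple(int(part) for part in re.split(r"[.-]", text))


def security_server_lookup(user_id: str) -> list:
    """Step 730: the security server returns the security information of the user's policy."""
    return SECURITY_POLICIES.get(user_id, [])


def terminal_compare(installed: dict, required: list) -> dict:
    """Steps 820-830 (terminal side): compare the received security information with the
    terminal's own S/W registration information; True means that entry matches."""
    return {
        req.name: req.name in installed
        and parse_version(installed[req.name]) >= parse_version(req.min_version)
        for req in required
    }


def authenticate(user_id: str, password: str, installed: dict) -> Decision:
    """Steps 700-780 (authentication server side)."""
    record = USER_DB.get(user_id)
    # Step 710: an unregistered user (or wrong password) is not authenticated at all.
    if record is None or not hmac.compare_digest(_pw_hash(password, record["salt"]), record["pw_hash"]):
        return Decision(False, reason="not a registered user")
    requirements = security_server_lookup(user_id)      # Step 730
    result = terminal_compare(installed, requirements)   # Steps 740-750
    # Step 760: the server acts on the terminal's self-reported comparison result,
    # as the specification describes; nothing here verifies that report independently.
    if all(result.values()):                             # Step 780
        return Decision(True, vlan_id=record["vlan_id"], reason="security information matches")
    missing = sorted(name for name, ok in result.items() if not ok)
    # Step 770: quarantine VLAN of the management server plus its URL.
    return Decision(False, vlan_id=QUARANTINE_VLAN, management_url=MANAGEMENT_URL,
                    reason="out of policy: " + ", ".join(missing))


def remediate(installed: dict, requirements: list) -> dict:
    """Steps 850-860 (terminal side): fetch the required S/W from the management
    server, simulated here by updating the registration information."""
    updated = dict(installed)
    for req in requirements:
        updated[req.name] = req.min_version
    return updated


if __name__ == "__main__":
    bob_terminal = {"vaccine": "5.1.0"}
    print(authenticate("bob", "bob-pass", bob_terminal))   # denied, VLAN 99, URL given
    bob_terminal = remediate(bob_terminal, security_server_lookup("bob"))
    print(authenticate("bob", "bob-pass", bob_terminal))   # allowed, VLAN 30
```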
On the other hand, in a network security system according to another embodiment of the present invention, a module having the function of the aforementioned security server may be built into the authentication server, so that the security and authentication servers can be integrated. In addition, in a network security system according to still another embodiment of the present invention, the user terminal may transmit S/W processing result information as well as the comparison result information of comparing the security information with the S/W registration information of the user terminal. In addition, the authentication server may analyze the information received from the user terminal to determine whether or not to allow the user terminal to access the network. Here, the virus vaccine program is set up as the S/W. If the S/W processing result information of the user terminal indicates that the terminal is infected with a virus, the authentication server does not allow the user terminal to access the network. At the same time, the authentication server allocates a secure network path to the user terminal, so that the user terminal can access the vaccine management server to treat virus-infected programs. While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation. For example, the S/W used for security of the user terminals and the data fields of the database stored in and managed by the authentication and security servers may be modified in various manners in order to improve performance of the whole network or in consideration of the sizes of the network devices thereof.
Therefore, the scope of the invention is defined not by the detailed description of the invention but by the appended claims, and all differences within the scope will be construed as being included in the present invention.
INDUSTRIAL APPLICABILITY A network security system according to the present invention can be used to enhance network security by denying a virus-infected terminal or a terminal without the specific S/W installed access to a network.

Claims

1. A network security system performing an authentication process on users accessing a network and a network security process, comprising: a security server for storing and managing personal security policies applied to registered users and security information on the personal security policies; a terminal for transmitting basic authentication information input by a user to request authentication; and an authentication server for performing the authentication process on the user based on the basic authentication information received from the terminal and receiving the personal security policies applied to the user and the associated security information from the security server, wherein, when authentication is granted to the user, the authentication server determines whether or not to allow the terminal to access the network based on the personal security policies and the security information received from the security server.
2. The network security system according to claim 1, wherein the security information of the personal security policies includes a list of specific software to be installed in the terminal of each user and registration information of the specific software, and wherein the security information in the security server includes a list of specific software to which the personal security policies are applied, registration information of the specific software, and information on a management server managing the S/W.
3. The network security system according to claim 2, wherein the specific software is one of a virus vaccine program, an O/S patch program, and a PC security program.
4. The network security system according to any one of claims 1 to 3, wherein the authentication server determines whether or not the user is a registered one based on the basic authentication information received from the terminal, and wherein, if the user is not a registered one, the authentication server does not grant authentication and allow the user to access the network.
5. The network security system according to claim 2 or 3, wherein the authentication server determines whether or not the user is a registered one based on the basic authentication information received from the terminal, wherein, if the user is a registered one, the authentication server transmits to the terminal the security information received from the security server, wherein the terminal transmits comparison result information of comparing the security information with the registration information on the terminal to the authentication server, and wherein, if the security information matches with the registration information on the terminal as the comparison result information, the authentication server allows the terminal to access the network.
6. The network security system according to claim 2 or 3, wherein the authentication server determines whether or not the user is a registered one based on the basic authentication information received from the terminal, wherein, if the user is a registered one, the authentication server transmits to the terminal the security information received from the security server, wherein the terminal transmits comparison result information of comparing the security information with the registration information on the terminal to the authentication server, and wherein, if the security information does not match with the registration information on the terminal as the comparison result information, the authentication server sets up a VLAN ID of the terminal to the same as a VLAN ID of a management server managing the specific software and provides a URL of the management server to the terminal.
7. The network security system according to any one of claims 1 to 3, further comprising at least one of access points and switches enabling the terminal to access the network, wherein the access points or switches transmit the authentication request received from the terminal to the authentication server or information received from the authentication server to the terminal.
8. The network security system according to any one of claims 1 to 3, wherein the terminal reads out the software list from the security information received from the authentication server, wherein the terminal reads out the registration information on the software installed in the terminal, wherein the terminal compares the security information with the read-out registration information and transmits comparison result information to the authentication server.
9. The network security system according to any one of claims 1 to 3, wherein, if the terminal receives the URL of the specific software management server from the authentication server, the terminal accesses the management server to download the specific software or update a new version thereof.
10. A security server comprising a database for storing and managing personal security policies to be set up and applied to users and security information on the personal security policies, wherein the security information includes a list of specific software to which the personal security policies are applied, registration information of the specific software, and information on a management server managing the S/W, and wherein the security server updates the database in a predetermined time period in cooperation with the management server and transmits the personal security policy applied to the specific user and the security information on the applied personal security policy in response to a request of the authentication server.
11. A network security method of performing a security process on a network and a user terminal accessing the network, comprising: a step (a) of receiving basic authentication information and an authentication request from a user terminal of a user; a step (b) of determining whether or not the user is a registered one based on the received basic authentication information; a step (c) of receiving personal security policy applied to the user and the security information and transmitting the security information to the user terminal if the user is a registered one; a step (d) of receiving comparison result information of comparison of the security information with the corresponding information on the user terminal; and a step (e) of allowing the user terminal to access the network if the security information matches with the corresponding information on the user terminal as the comparison result information.
12. The network security method according to claim 11, further comprising a step (f) of setting up a VLAN ID of the user terminal to the same as a VLAN ID of a management server managing the software and providing a URL of the management server to the user terminal if the security information does not match with the associated information on the user terminal as the comparison result information.
PCT/KR2005/000857 2004-03-24 2005-03-24 Netwok security system co-operated with an authentification server and method thereof WO2006001590A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR20040020027 2004-03-24
KR10-2004-0020027 2004-03-24
KR10-2005-0024389 2005-03-24
KR1020050024389A KR100714367B1 (en) 2004-03-24 2005-03-24 Network security system co-operated with an authentication server and method thereof

Publications (1)

Publication Number Publication Date
WO2006001590A1 (en) 2006-01-05

Family

ID=35781975

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2005/000857 WO2006001590A1 (en) 2004-03-24 2005-03-24 Netwok security system co-operated with an authentification server and method thereof

Country Status (1)

Country Link
WO (1) WO2006001590A1 (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5864683A (en) * 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
US6678733B1 (en) * 1999-10-26 2004-01-13 At Home Corporation Method and system for authorizing and authenticating users
US6662228B1 (en) * 2000-02-01 2003-12-09 Sun Microsystems, Inc. Internet server authentication client

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015090089A1 (en) * 2013-12-18 2015-06-25 烽火通信科技股份有限公司 Authentication and authorization system and method for management of communication network
WO2020052416A1 (en) * 2018-09-15 2020-03-19 华为技术有限公司 Security protection method, device, and system
CN110912854A (en) * 2018-09-15 2020-03-24 华为技术有限公司 Safety protection method, equipment and system
CN110912854B (en) * 2018-09-15 2021-03-23 华为技术有限公司 Safety protection method, equipment and system
US11647391B2 (en) 2018-09-15 2023-05-09 Huawei Technologies Co., Ltd. Security protection method, device, and system

Similar Documents

Publication Publication Date Title
US10764264B2 (en) Technique for authenticating network users
US7526792B2 (en) Integration of policy compliance enforcement and device authentication
US8555348B2 (en) Hierarchical trust based posture reporting and policy enforcement
KR101047641B1 (en) Enhance security and privacy for security devices
US8868907B2 (en) Device, method, and system for processing communications for secure operation of industrial control system field devices
EP2321928B1 (en) Authentication in a network using client health enforcement framework
US8826378B2 (en) Techniques for authenticated posture reporting and associated enforcement of network access
US20070294759A1 (en) Wireless network control and protection system
US20070157313A1 (en) Autonomic self-healing network
EP2352323A1 (en) Method and system for controlling context-based wireless access to secured network resources
KR100714367B1 (en) Network security system co-operated with an authentication server and method thereof
JP2008500632A (en) Network system and method for providing an ad hoc access environment
WO2004008683A2 (en) Automated network security system and method
EP3876497A1 (en) Updated compliance evaluation of endpoints
JP2022519433A (en) Zero Trust Wireless Surveillance Systems and Methods for Behavior-Based Monitoring of Radio Frequency Environments
WO2006001647A1 (en) Network integrated management system
WO2006068690A1 (en) Method and system for network intrusion prevention
KR20060044494A (en) Network management system and network management server of co-operating with authentication server
KR100819942B1 (en) Method for access control in wire and wireless network
WO2006001590A1 (en) Network security system co-operated with an authentication server and method thereof
JP5321256B2 (en) Quarantine network system, access management apparatus, access management method, and access management program
WO2006001587A1 (en) Network management system and network management server of co-operating with authentication server
US9239915B2 (en) Synchronizing between host and management co-processor for network access control
JP4418211B2 (en) Network security maintenance method, connection permission server, and connection permission server program
KR101175667B1 (en) Network access management method for user terminal using firewall

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: COMMUNICATION PURSUANT TO RULE 69 (1) EPC ( EPO FORM DATED 06.12.06)

122 Ep: pct application non-entry in european phase