KR101873972B1 - Method for exetended physically separating network using diskless solution - Google Patents

Abstract

The present invention provides a computer system comprising at least one business PC; A backbone switch used when connecting to a server in a business network, a business network at another branch office, or an Internet network; An L2 switch connecting the business PC and the backbone switch; And a business VPN device used for establishing a virtual private network for network connection with a business network of another point; at least one Internet PC; A backbone switch used when connecting to the Internet or an Internet network at another point; An L2 switch for connecting the Internet PC to the backbone switch, the smart disk server, and the smart disk server; And an Internet network including an Internet VPN device used for establishing a virtual private network for network connection with an Internet network at another point, and a network separation method in which the business network and the Internet network are physically separated OS and software are provided to all Internet PCs in the Internet network and Internet PCs in other points connected through the Internet VPN device using the smart disk server and the files of the Internet PCs are stored and managed And controls the I / O port to prevent the external data input / output device from being connected to the Internet PC, thereby managing and controlling all the data of each Internet PC. And a method for separating an extended physical network.

Description

METHOD FOR EXECUTING PHYSICALLY SEPARATING NETWORK USING DISKLESS SOLUTION

The present invention relates to a scalable physical network separation method using a diskless solution, and more particularly, to a network separation system in which a business network and an Internet network are physically separated from each other, The present invention relates to a scalable network separation method using a diskless solution capable of supplying and managing operating system and software to an Internet PC in an internet network at another point connected via an Internet PC and a VPN.

Network separation is the separation of external Internet network and business network. In general, physical network separation and logical network separation method are used.

The physical network separation refers to physically separating the network from the network, and the external network and the internal network are separately constructed. The advantage of this method is that it is physically separated so that the visibility can be confirmed, the separated state can be confirmed directly by the eye, the system is complete, and no special technique is needed, However, since PCs are needed for each network, there is a problem of cost to pay two PCs per person, and there is a drawback in that it is necessary to work while going to each PC.

In addition, in the conventional physical network separation method, security may be threatened by network connection of an external terminal. For example, if one employee is resting at home and has a good idea, write a draft with a PC at home, put it on a USB memory stick, and then connect the USB memory to a business PC connected to the internal network, If there was a malicious code that attacked a USB memory or a word program, it could be infected with malicious code.

To overcome the disadvantages of the physical network separation, the network separation using the virtualization technology, that is, the logical network separation method has been developed. The logical network separation method includes SBC network separation, virtualization network separation on the desktop, and network separation using OS level virtualization.

The SBC (Server-based Computing) is based on virtualization technology, which is being developed two to 30 years ago, and is equipped with a virtual machine such as VMWare at the center and each terminal connects to a central server . The user PC must be connected to the virtual machine server for business processing, and the generated or inquired document can not escape from the central server, thereby preventing the document from being leaked. This method requires only one physical PC and has a special advantage in maintenance by controlling each work environment from a central server.

For example, a case where a hard disk of a PC is physically destroyed can be considered. If you have important data or documents you are working on, if you have a problem with your PC, you will not be able to do business immediately, and in serious cases there is a risk that the entire data will be lost. In addition, it takes a lot of time to repair the PC, reinstall the OS and reinstall the business applications, and the work will become paralyzed during this time. However, in the case of SBC, even if the PC is physically permanently damaged, it is possible to work immediately at the next person's place or on receipt of a new PC. All of the data and work environment is preserved on the server. Another advantage is that the terminal only needs to be connected to the server, so the terminal may not necessarily be a PC. Mobile terminals can handle tasks in the same environment any number of times. The disadvantages are that it is not as visible as physical network separation and it is not a well-proven technology because it is early. Moreover, since it is server-based, there is also a disadvantage that hardware resources of PC such as high-performance CPU and 3D card can not be used. This means that PC hardware resources such as CAD, design, animation, and game development can not be applied in areas where it is important.

Also, the separation of the virtualization network from the desktop is based on virtualization technology like SBC, but the difference is that the virtual machine runs on the PC. By using two NICs (LAN cards), it is possible to allocate them to the host operating system and the virtual machine, respectively, and connect them to separate networks or connect them to the internal network through VPN. Compared with the second SBC method, there is no merit of central data concentration, but it has the advantage of using all the hardware resources of the PC. The disadvantage of this method is that the hardware of the PC must have enough performance to run the virtual machine.

In addition, the network separation method using virtualization at the OS level does not require an OS in addition to the above method. A virtual space is created on the currently used OS, and only applications executed in the virtual space are connected to the Internet, thereby realizing network separation. Unlike the previous method, this method does not require special hardware and does not consume a lot of system resources. Therefore, it can be applied to existing PC, so it is possible to construct network separation with minimum cost. The disadvantage is that it is vulnerable to malicious code attacking programs implemented at the OS level, resulting in relatively low security.

As described above, among the network separation methods generally used, the complete system separation of the network is the physical network separation. However, in the physical network separation as described above, a separate PC is required for each network, and As the number of branch offices increased, additional costs such as the addition of PCs, management points, and management costs at each branch could not be solved.

According to the above-mentioned situation, it is possible to prevent unnecessary expenses such as PC, management point and management cost from being consumed even in the physical network separation and branch addition situation, to stabilize the hardware including the PC, A new network separation method is required. Even if the network is separated, malicious codes of the external network can be introduced to the internal network by various scenarios such as USB.

Hereinafter, the prior art in the technical field will be described, and the present invention will be described by distinguishing it from the prior art.

Korean Patent Registration No. 1432626 relates to a physical separation device for internal and external networks, and more particularly, to a network separation board on which a network separation operating system connected to an internal network or an external network is mounted; A mounting member provided on one side of the network separation board and mounted on a built-in terminal slot in a main body of the PC; A KVM module mounted on the network separation board and supporting the network separation operating system and the main operating system of the main board provided in the main body of the PC to share and use peripherals (keyboard, monitor, mouse, etc.) of the PC; Desc / Clms Page number 2 > physical network separating apparatus, which is incorporated herein by reference.

The prior art document does not require a separate PC for each of the internal and external networks by separating the physical network through a separate device (network separation device) in order to construct a physical network separation system. However, There is a problem in that the network separation construction cost is consumed by the number of PCs.

Korean Patent Laid-Open Publication No. 2015-0019315 relates to a method for controlling physically separated computers on a single monitor screen and a security system thereof. More specifically, a set-top box stores a position of a cursor displayed on the monitor screen The set-top box may include a keyboard signal generated from a mouse signal generated from a mouse connected to the set-top box or a keyboard connected to the set-top box, Transmitting a mouse signal or a keyboard signal to a computer judged to be a computer to which the set-top box will connect, generating a mouse signal or a keyboard signal and generating a video signal, Outputting the set-top box, Controlling the scaling conversion or the color space conversion according to whether the video signals received from the main computer and the non-connected computer are connected computers, and synthesizing the converted video signals and displaying them on the monitor is described .

The above prior art document can solve some of the resource waste which is a disadvantage of the conventional physical network separation technology by controlling a plurality of computers separated by a network using a single monitor, a keyboard and a mouse connected to a set-top box, A keyboard, and a mouse. However, there is still a problem that a separate PC must be provided in accordance with the physical network separation.

The present invention has been made in order to solve the above problems, and it is an object of the present invention to provide a physical network separation system that uses a smart disk server and thus consumes additional costs such as the addition of a PC for Internet, management points, And further to provide a scalable physical network separation method using a diskless solution for supporting PC resources from a smart disk server installed at one point to an Internet PC at another point.

According to an embodiment of the present invention, an extended physical network separation method using a diskless solution includes at least one business PC; A backbone switch used when connecting to a server in a business network, a business network at another branch office, or an Internet network; An L2 switch connecting the business PC and the backbone switch; And a business VPN device used for establishing a virtual private network for network connection with a business network of another point; at least one Internet PC; A backbone switch used when connecting to the Internet or an Internet network at another point; Smart disk server; An L2 switch for connecting the Internet PC to the backbone switch and the smart disk server; And an Internet network including an Internet VPN device used for establishing a virtual private network for network connection with an Internet network at another point, and a network separation method in which the business network and the Internet network are physically separated OS and software are provided to all Internet PCs in the Internet network and Internet PCs in other points connected through the Internet VPN device using the smart disk server and the files of the Internet PCs are stored and managed And controls the I / O port to prevent the external data input / output device from being connected to the Internet PC, thereby managing and controlling all data of each Internet PC.

As an embodiment of the extended physical network separation method utilizing the diskless solution of the present invention, a separate smart disk server is provided in the Internet network at another point, and a separate PC management policy is applied to each branch office for operation .

In an embodiment of the extended physical network separation method using the diskless solution of the present invention, the Internet network includes a Network Access Controller (NAC), and the terminal information connected to the Internet network through the NAC Monitoring or terminal connection can be blocked or released.

In addition, as an embodiment of the extended physical network separation method utilizing the diskless solution of the present invention, the NAC may provide a real-time notification function, a blocking function for a specific IP address and a MAC address, A function of allocating an IP to a visitor or a temporary user by setting a time period, an automatic recovery of an IP address not used for a long time, and a function of blocking a network when using the corresponding IP after automatic recovery.

In addition, as an embodiment of the extended physical network separation method utilizing the diskless solution of the present invention, a secure data transmission and a strip connection between the business network and the Internet network are performed through a data transmission system and a strip connection system do.

In addition, the data transmission system includes an L4 switch on the side of the business network, an internal system server for data transmission, an L4 switch on the side of the Internet network, And data transmission is performed through an external system server for data transmission.

In addition, the data transmission system may include at least one of a topology / modulation and a malicious code checking function at the time of file transmission, a top / A function of blocking the transmission of the tampering file, a function of blocking the transmission of the infected file after checking the malicious code of the transmission file, an encryption communication function between the sender and the receiver at the time of file transmission, and a file integrity checking function of the transmission / do.

As an embodiment of the extended physical network separation method utilizing the diskless solution of the present invention, the data transmission system uses its own protocol as NON-TCP communication, analyzes the communication request protocol in file transmission, And the communication is interrupted.

In an embodiment of the extended physical network separation method using the diskless solution of the present invention, the strip connection system includes an L4 switch on the side of the business network, an internal system server for strip connection, an L4 switch on the side of the Internet network, And a strip connection is performed through an external system server for strip connection.

In addition, in an embodiment of the extended physical network separation method using the diskless solution of the present invention, the strip connection system may include a unidirectional communication session from the internal system server for strip connection to the external system server for strip connection Thereby preventing a security vulnerability and a threat of hacking due to the opening of an inbound port.

In addition, in one embodiment of the extended physical network separation method utilizing the diskless solution of the present invention, the strip connection system uses its own protocol as NON-TCP communication, analyzes the communication request protocol in strip connection, And the communication is interrupted.

As an embodiment of the extended physical network separation method utilizing the diskless solution of the present invention, the file transmission system or the strip connection system may be constructed by using two internal system servers and two external system servers, Thus, even if a failure occurs in one file transfer system section or a strip link system section, normal file transfer or strip linkage can be performed.

In addition, the file transfer system or the strip connection system according to an embodiment of the extended physical network separation method using the diskless solution of the present invention may be a system for connecting the two internal system servers and two external system servers The L4 switch on the network side and the L4 switch on the Internet network side are provided so that normal file transmission or strip connection can be performed even if a failure occurs in the L4 switch failure and the file transmission system section or the strip connection system section do.

Disclosed is a method for separating a business network and an Internet network by a physical network separation method and constructing a diskless server for an Internet PC in the Internet network, It is possible to operate and manage the operating system and software of the Internet PC at other points which are connected to the main office and the main office through a VPN.

1 is a diagram for explaining an extended physical network separation method using a diskless solution according to an embodiment of the present invention.
2 is a diagram for explaining managing a PC for Internet at another point using a smart disk server according to an embodiment of the present invention.
FIG. 3 is a view for explaining a redundancy configuration of an eternal system server and an external system server according to an embodiment of the present invention.
4 is a view for explaining the L4 switch duplication configuration according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a preferred embodiment of an extended physical network separation method using a diskless solution according to the present invention will be described with reference to the accompanying drawings. This will be described in detail.

In the drawings of the present invention, the sizes and dimensions of the structures are enlarged or reduced from the actual size in order to clarify the present invention, and the known structures are omitted so as to reveal the characteristic features, and the present invention is not limited to the drawings .

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail to avoid obscuring the subject matter of the present invention.

In addition, since the embodiments described in the present specification and the configurations shown in the drawings are only the most preferred embodiments of the present invention and do not represent all the technical ideas of the present invention, It is to be understood that equivalents and modifications are possible.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, an extended physical network separation method using a diskless solution according to the present invention will be described in detail with reference to the accompanying drawings.

The present invention relates to a network separation system in which a business network and an Internet network are physically separated, in which not only all Internet PCs in the Internet network using a smart disk server but also operating system and software And a method for supplying and managing the same.

For reference, a diskless solution is a network system consisting of a LAN, an Ethernet card, and a switch hub, which is generally called DISKLESS, HARDLESS, NOHARD, etc., Is uploaded to a virtual IMG file arbitrarily generated by a manager from a central server (a smart disk server in the present invention), and then each PC user uses the PC using the IMG file stored in the server in a LAN booting manner It is possible to operate PC without installing separate HDD in each PC.

In other words, the diskless solution uses the LAN communication method and the LAN boot method to transfer the OS file and the software file from the central server, so that the PC can be operated without the HDD.

1 is a view for explaining an extended physical network separation system utilizing a diskless solution according to an embodiment of the present invention.

As shown in FIG. 1, the extended physical network separation system utilizing the diskless solution is constructed by physically separating the business network and the Internet network and having a smart disk server in the Internet network.

The business network includes at least one business PC, a server in a business network, a backbone switch, an L2 switch, and a business virtual private network (VPN) device.

The backbone switch is used when the business network is linked to the other branch office network or in connection with the Internet network, and all packets are passed through the backbone switch.

The L2 switch connects the business PC and the backbone switch, and the business VPN device is used to establish a virtual private network for network connection with a business network at another point.

The Internet network includes at least one Internet PC, a backbone switch, an L2 switch, a smart disk server, and a VPN (Virtual Private Network) device for the Internet.

The backbone switch in the Internet network is commonly used when the Internet PC is connected to the Internet or an Internet network at another point.

The L2 switch in the Internet network is used when connecting the Internet PC to the backbone switch and the smart disk server.

The Internet VPN device is used to establish a virtual private network for network connection with an Internet network at another point.

In addition, the smart disk server provides OS and software to all Internet PCs in the Internet network, stores and manages the files of the Internet PCs, controls the I / O port, By preventing the devices from being connected, it is possible to manage and control all the data of each Internet PC.

As described above, the present invention separates the business network and the Internet network into physical network separation methods, establishes a discless server for the Internet PC in the Internet network, and controls the operating system and software of each Internet PC through the discless server It is advantageous to increase the convenience of management such that the recovery solution for each PC for the Internet is unnecessary and the software can be easily managed.

In addition, all Internet PCs are always initialized to the same state at the time of rebooting by the smart disk server, and the PC state of the initial setting state is always retrieved. Therefore, the same SSD class booting, reading and writing speeds can always be implemented, The PC state can be maintained.

In addition, since all the OS and software are stored and managed in the smart disk server, it is possible to solve the HDD failure which occupies 50% of the PC hardware failure because no separate hard disk is required for each PC, It is possible to protect the PC from the power consumption and the hardware stabilization effect.

In addition, since the administrator can manage each PC through the diskless server, it is possible to prevent installation of software not authorized by the administrator, to protect intellectual property rights such as prevention of illegal software use, By operating system virtualization by server and application virtualization, each PC can be protected from malicious code and virus. By controlling I / O port of each PC, it is possible to control not to use keyboard, mouse and unauthorized USB port So that the security of the network and the manganese can be improved.

Since the Internet PC is operated through a smart disk server, a hard disk is not required. Therefore, the Internet PC is composed of a monitor, a keyboard, a mouse, and a computer main body. The computer includes a main board, a CPU, a RAM, It shall be the minimum component.

2 is a diagram for explaining managing a PC for Internet at another point using a smart disk server according to an embodiment of the present invention.

As shown in FIG. 2, the present invention may manage an Internet PC at another point connected through an Internet VPN device. That is, the smart disk server can provide the OS and software to the Internet PC for another point, store and manage the files of the Internet PC for each of the other points, and control the I / O port, It is possible to prevent the external data input / output device from being connected to the PC for the Internet, and to manage and control all the data of each Internet PC.

With this method, even if the number of branch offices continues to increase, it becomes possible to replace the Internet PC for the rest of the Internet at one point and manage the OS and the spotware. Thus, The cost of management can be dramatically saved, and the management convenience can be greatly improved since the PC can be managed from one point to all the points.

In addition, the present invention may include a separate smart disk server in the Internet network of another branch office, which may be operated by applying a separate PC management policy to each branch office. Alternatively, a separate smart disk server may be installed, It is also possible to designate and operate a point managed by a smart disk server.

That is, the smart disk server provides OS and software to a specific Internet point PC connected to the Internet via a VPN, stores and manages files of Internet PCs at other points, controls the I / O port, Output device to the Internet PC of the Internet, and to manage and control all the data of each PC for the Internet, and a separate smart disk server is provided in the internet network at another point Optionally, separate PC management policies may be applied to each branch office.

Meanwhile, the present invention may include a network access controller (NAC) in the Internet network for management and control of various terminals connected to the Internet network.

And monitor or access to the terminal connected to the Internet network through the NAC. More specifically, the NAC includes a terminal tracking and monitoring function connected to the Internet network, a real-time notification function for a user and an administrator when blocking a terminal connection, a blocking function for a specific IP address and a MAC address, A function of assigning an IP to a user, an automatic recovery of an IP address that has not been used for a long time, and a function of blocking a network when using the corresponding IP after automatic recovery.

Accordingly, the present invention can secure visibility of the Internet network, perform role-based access control through authentication, secure the integrity of the terminal according to the security standard established by the administrator, It is possible to block and control the connection of weak terminals.

In addition, since the business network and the Internet network are physically separated from each other in the present invention, it is necessary to secure network connection for data exchange and business service connection necessary for business execution. It is difficult to record logs of manganese exchange data when data is exchanged using a removable memory device such as USB without network connection, and it is difficult to track the outflow route when a security incident such as data leakage occurs, There may be a problem that the data is leaked to the outside.

In order to solve such problems, the present invention performs secure data transmission and strip connection between the business network and the Internet through a data transmission system and a strip connection system.

FIG. 3 is a view for explaining a redundancy configuration of an eternal system server and an external system server according to an embodiment of the present invention.

As shown in the figure, the data transmission system performs data transmission through an L4 switch on an office network side, an internal system server for data transmission, an L4 switch on the Internet network side, and an external system server for data transmission.

The file transfer system includes an internal system server for data transfer and an external system server for data transfer, a function for checking whether the file is transferred, a function for checking malicious code, , An infected file transmission blocking function after the malicious code of the transmission file, an encryption communication function between the sender and the receiver at the time of file transmission, and a file integrity checking function during transmission / reception of the file, .

In addition, the strip connection system performs strip connection through the L4 switch on the business network side, the internal system server for strip connection, the L4 switch on the Internet network side, and the external system server for strip connection.

At this time, the strip connection system configures a unidirectional communication session from the internal system server for strip connection to the external server for strip connection on the Internet network side, thereby reducing security vulnerability due to inbound port opening and hacking of business network Threats can be prevented.

In addition, the file transmission system and the strip connection system can use the NON-TCP communication in-house protocol to analyze the communication request protocol in the file transmission and the stipple connection, thereby blocking the out-of-policy communication.

Meanwhile, in constructing the file transfer system and the strip connection system as described above, the present invention overcomes the problem that the manganese file transfer or the strip connection is interrupted when a fault occurs in one file transmission system section or a strip connection system section Therefore, even if a failure occurs in one file transmission system section or a strip connection system section, a file transmission system or a strip connection system can be normally constructed by using two internal system servers and two external system servers, So that the linkage can be performed.

In addition, as shown in FIG. 4, even if an L4 switch failure occurs, an L4 switch on the side of a business network connected to the two internal system servers and two external system servers, And an L4 switch on the Internet network side.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, I will understand the point. Accordingly, the technical scope of the present invention should be determined by the following claims.

100: Business network
110: Business PC
120: Servers in business network
130: Backbone switch (business network)
140: L2 switch (business network)
150: Business VPN device
160: L4 switch (business network)
200: Internet network
210: Internet PC
220: Backbone switch (Internet network)
230: Smart Disk Server
240: L2 switch (Internet network)
250: Internet VPN device
260: L4 switch (for Internet use)
270: NAC
300: Branch office
310: Business PC (branch office)
320: Internet PC (branch office)
400: network connection system
410: Internal system server for file transfer
420: Extension system server for file transfer
430: Internal system server for strip connection
440: External system server for strip connection

Claims (13)

At least one business PC; A backbone switch used when connecting to a server in a business network, a business network at another branch office, or an Internet network; An L2 switch connecting the business PC and the backbone switch; And a business VPN device used for establishing a virtual private network for network connection with a business network at another point,
At least one Internet PC; A backbone switch used when connecting to the Internet or an Internet network at another point; Smart disk server; An L2 switch for connecting the Internet PC to the backbone switch and the smart disk server; And an Internet network including an Internet VPN device used for establishing a virtual private network for network connection with an Internet network at another point, and a network separation method in which the business network and the Internet network are physically separated In this case,
Providing the OS and the software to the Internet PCs of other points connected through the Internet PCs and the Internet PCs using the smart disk server and storing and managing the files of the Internet PCs, It is possible to control and control all the data of each Internet PC by controlling the I / O port and preventing the external data input / output device from being connected to the Internet PC,
Data transmission and strip connection between the business network and the Internet network is performed through a data transmission system and a strip connection system,
The data transmission system performs data transmission through the L4 switch on the side of the business network and the internal system server for data transmission, the L4 switch on the side of the Internet network and the external system server for data transmission, and the strip- The L4 switch and the strip system are connected through the internal system server for the strip connection and the L4 switch for the Internet network side and the external system server for the strip connection,
The data transmission system or the strip connection system is constructed by using two internal system servers and two external system servers and is also connected to the two internal system servers and two external system servers The L4 switch on the network side and the L4 switch on the Internet network side are provided so that the L4 switch failure and the data transmission system section or the strip connection system section can normally perform file transmission or strip connection even if a failure occurs An extended physical network separation method using a diskless solution. The method according to claim 1,
And a separate smart disk server is provided in an Internet network of another branch, and a separate PC management policy is applied to each branch office for operation. The method according to claim 1,
Wherein the Internet network includes a Network Access Controller (NAC), and monitors terminal information connected to the Internet network through the NAC, or can block or cancel terminal access by using the NAC. Physical network separation method. The method of claim 3,
The NAC includes:
Real-time notification function to users and administrators when blocking access to terminals, blocking function for specific IP address and MAC address, function of assigning IP to visitor or temporary user by setting trial period, automatic retrieval and automatic recovery of IP address not used for a long time And then blocking the network when the corresponding IP is used. The method of separating an extended physical network using a diskless solution. delete delete The method according to claim 1,
The data transmission system comprising:
Tampering and malicious code checking during file transmission, blocking the transmission of up / modifying files by analyzing the file header of the transmission file, blocking the transmission of infected files after checking the malicious code of the transmission file, And a file integrity check function for transmission / reception during a file transmission. 8. The method of claim 7,
The data transmission system comprising:
The method of claim 1, wherein the NON-TCP communication uses its own protocol and analyzes a communication request protocol when a file is transmitted, thereby blocking an out-of-policy communication. delete The method according to claim 1,
The strip connection system comprises:
And a unidirectional communication session is established from an internal system server for strip connection to an external system server for strip connection, thereby preventing a security vulnerability and a hacking threat due to inbound port opening. Network separation method. 11. The method of claim 10,
The strip connection system comprises:
A method for separating an extended physical network using a diskless solution, characterized by using its own protocol as NON-TCP communication, and analyzing a communication request protocol in a strip connection and intercepting out-of-policy communication. delete delete

Images