WO2002084512A1 - Method and system for restricting access from external - Google Patents

Method and system for restricting access from external

Info

Publication number
WO2002084512A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
access
packets
allowable
network interface
Application number
PCT/KR2002/000597
Other languages
French (fr)
Inventor
Mookyung An
Original Assignee
Safei Co.,Ltd.
Application filed by Safei Co.,Ltd.
Priority to JP2002582384A (JP2004535096A)
Publication of WO2002084512A1

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L49/00 Packet switching elements
                    • H04L49/90 Buffering arrangements
                • H04L61/00 Network arrangements, protocols or services for addressing or naming
                    • H04L61/09 Mapping addresses
                        • H04L61/10 Mapping addresses of different types
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
                        • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
                    • H04L69/22 Parsing or analysis of headers

Definitions

  • the present invention relates generally to a method and apparatus for controlling access from the outside through the Internet, and more particularly to a method of controlling access from the outside through the Internet and apparatus for realizing the same, which receives packets transmitted/received through a network interface card, stores them in a transmission/reception buffer, extracts an address from the stored packets, compares the extracted address with secure IP addresses stored in a storage list communicating with the network interface card, and determines access allowance or access prohibition according to the compared result.
  • FIG. 1 is a view showing the construction of a typical network used in a conventional enterprise.
  • the network of the conventional enterprise is generally constructed as shown in FIG. 1.
  • the network comprises a router 10 connected to the Internet to determine an optimal path and transmit packets to the determined path, and a firewall 20 connected to the router 10.
  • the firewall 20 serves to formulate access control policies between two networks.
  • various servers or hosts 60 and 80, etc., to be protected according to the access control are connected to the back end of the firewall 20 through a switching hub 70.
  • servers can be generally classified into a mail server 40, a Web server 30, a FTP server 50, etc. Functions of the respective servers are well known in the field, so detailed description of the functions is omitted.
  • the hosts 60 and 80 which are personal computers used by users, are connected to the back end of the firewall 20 through the switching hub 70.
  • Important work-related data are stored in the hosts 60 and 80 used in enterprises.
  • hacking techniques through the Internet have become increasingly intelligent, and direct hacking of the hosts 60 and 80, not hacking of servers, is increasingly being attempted. As the hacking of the hosts 60 and 80 is attempted, the risk that important data may be leaked from computers becomes great.
  • a personal computer is not fundamentally different from a normal computer.
  • Security problems that personal computer users confront include confidentiality, integrity and availability of programs, data and hardware, as in the case of a mainframe computer. Therefore, standard control techniques, such as an access restriction list, protected memory, a user authentication technique, a reliable operating system, etc., must be equally applied even under personal computer environments.
  • the personal computer is not typically strict in its security control, compared with that of the mainframe computer or similar types.
  • even a mainframe computer is not secure from data destruction by internal users.
  • the personal computer scarcely provides hardware-level protection against intentional hacking by external Internet users. Typical hardware-level protection equipment is mostly used in servers.
  • an object of the present invention is to provide a method and apparatus for controlling intentional access from the outside through the Internet.
  • Another object of the present invention is to provide a method and apparatus for controlling access from the outside, which can prevent a user from removing packets arbitrarily.
  • a further object of the present invention is to provide a method and apparatus for controlling access from the outside through the Internet, which is performed by each user computer without an additional firewall.
  • Still another object of the present invention is to provide a method and apparatus for controlling access from the outside through the Internet, which does not require an additional manager.
  • the present invention uses a storage unit for storing an access-allowable address list communicating with a network interface card, extracts an address from packets transmitted/received through the network interface card, and compares the extracted address with addresses on the access-allowable address list, and determines access allowance or access prohibition according to the compared result. Accesses from a user host (60) to the outside are freely carried out, and any arbitrary access request from the outside to the user host (60) can be prohibited. Further, an external terminal first access-requested by the user host (60) accepts the access request from the user host (60).
  • FIG. 1 is a view showing the construction of a typical network used in a conventional enterprise
  • FIG. 2 is a conceptual view showing an access request process using a SYN bit
  • FIG. 3 is a view showing the construction of a network for realizing a method of controlling access from the outside through the Internet according to a preferred embodiment of the present invention
  • FIG. 4 is a block diagram showing the internal construction of a network interface card having an access control function through the Internet according to a preferred embodiment of the present invention
  • FIG. 5 is a flowchart of a process of allowing/prohibiting an access request by checking reception packets by an address determining unit
  • FIG. 6 is a flowchart of a process of allowing/prohibiting an access request by checking transmission packets by the address determining unit.
  • Best Mode for Carrying Out the Invention
  • FIG. 2 is a conceptual view showing an access request process using a SYN bit.
  • TCP: transmission control protocol
  • TCP provides stream-type connection-oriented services, which are reliable, that is, perform error control and flow control by re-transmission.
  • TCP establishes a connection between logical terminals of two communicating computers. Before communication is performed between two computers, control information called Handshake is transmitted. The Handshake used in TCP is called three-way Handshake because three segments are exchanged.
  • a user host 60 initiates access by sending a segment, inside of which a 'synchronize sequence numbers' (SYN) bit is contained, to a connector host 80.
  • SYN: 'synchronize sequence numbers'
  • This segment informs the connector host 80 that the user host 60 desires to begin accessing, and assigns a serial number which the user host 60 uses as a start number of segments.
  • the connector host 80 responds by sending a segment in which ACK and SYN bits are set to the user host 60. Further, the segment from the connector host 80 informs the user host 60 that the connector host 80 has received the segment from the user host 60, and informs the user host 60 of the starting serial number to be used by the connector host 80. Finally, the user host 60 sends to the connector host 80 a segment indicating that the user host 60 has received the segment from the connector host 80, and transmits the first valid data to the connector host 80, thus enabling the user host 60 and the connector host 80 to reliably exchange data therebetween.
  • the above method is the three-way Handshake method, which corresponds to the most often-used method when the user desires to access a computer through TCP.
  • FIG. 3 is a view showing the construction of a network for realizing an access control method through the Internet according to a preferred embodiment of the present invention.
  • a network interface card 100 installed in the user host 60 is constructed to communicate with an access-allowable address storage unit 200. Packets corresponding to an access request from the connector host 80 to the user host 60 are constructed to necessarily pass through the network interface card 100. Therefore, the network interface card 100 extracts a source address from the passed packets and compares the extracted source address with addresses stored in the access-allowable address storage unit 200. According to the compared result, if the same address as the source address exists in the access-allowable address storage unit 200, the network interface card 100 passes on the packets. On the contrary, if the same address as the source address does not exist in the access-allowable address storage unit 200, the network interface card 100 removes the packet.
  • the network interface card 100 may store addresses, which are recently access-requested, in an additional buffer to search for addresses later so as to stand by for a response signal received from the connector host 80 access-requested by the user host 60. Accordingly, if the user host 60 requests access to the connector host 80, there is no restriction in transmission of packets, and packets corresponding to the access request from the connector host 80 to the user host 60 are removed. However, if an access request from the connector host 80 according to a request from the user host 60 is inputted, the network interface card 100 temporarily stores packets in a buffer to pass on the packets.
  • the connector host 80 can access the user host 60 if an address extracted from the transmitted packets exists in the buffer as an access-allowable address.
  • packets for access from the user host 60 to the external server 300 are not restricted for the purpose of free transmission of packets.
  • access to the external server 300 can be allowed by setting a flag for access allowance to the external server 300. Therefore, there is no restriction even in electronic payment when the user purchases a commodity through Internet sites.
  • FIG. 4 is a block diagram showing the internal construction of the network interface card having an access control function through the Internet in accordance with the present invention.
  • the network interface card 100 uses a PCI bus for communication with computers.
  • the network interface card 100 comprises a media access control (MAC) processing unit 150 for processing MAC for packets transmitted through the PCI bus, a PHY processing unit 160 for processing a physical layer, a buffer 120 required for packet process, a BootROM, a connector, etc.
  • MAC: media access control
  • the network interface card 100 of the present invention further comprises an address determining unit 110, the access-allowable address storage unit 200, a transmission packet queue 130, and a reception packet queue 140. Further, the network interface card 100 can be implemented to further comprise the buffer 120 for storing information on access requests from the user computer to the connector host 80 or the external server 300.
  • the address determining unit 110 is connected to the previous stage of the MAC processing unit 150; however, it can be disposed between the MAC processing unit 150 and the PHY processing unit 160, or it can be connected to the next stage of the PHY processing unit 160. Further, in FIG. 4, the transmission packet queue 130 and the reception packet queue 140 are separately arranged; however, they can be integrated into a single packet queue.
  • the address determining unit 110 extracts source/destination addresses from packets transmitted through Ethernet/PCI bus. The destination address is extracted from packets transmitted through the PCI bus, while the source address is extracted from packets transmitted through the Ethernet bus.
  • the address determining unit 110 extracts an address from input packets, compares the address with addresses on an address list stored in the buffer 120 or the access-allowable address storage unit 200, and determines whether to pass on the packets or not according to the compared result. Further, the address determining unit 110 may check all packets passing therethrough. However, it is preferable to determine whether input packets are targets of process, to pass on packets which are not targets of process, and then to determine whether to pass them on or not with respect to only packets which are targets of process. Packets which are targets of process are preferably limited to packets using TCP and UDP.
  • the packets inputted to the address determining unit 110 are temporarily stored in the transmission packet queue 130 or the reception packet queue 140, as described later, through the address determining unit 110.
  • the address determining unit 110 further performs a function of storing addresses extracted from the packets in the buffer 120.
  • the access-allowable address storage unit 200 stores addresses of computers which are always allowable for access requests from external computers of the user host 60, and is constructed to communicate with the network interface card 100. That is, the access-allowable address storage unit 200 can be stored in a hard disc installed in the computer, or the network interface card 100 may include an additional storage device. Non-volatile memory, such as flash memory, EEPROM, etc., is used as the additional storage device. Contents stored in the access-allowable address storage unit 200 are numbers corresponding to IP addresses of access-allowable computers, or character values corresponding to URL addresses thereof. Preferably, the numbers and the character values are not stored in the access-allowable address storage unit 200 as they are, but stored therein as Hash-processed formats by Hash function.
  • the access-allowable address storage unit 200 may additionally include an access prohibition list, which is a list of addresses always prohibited from gaining access, to allow the address determining unit 110 to determine access prohibition. If the user host 60 has recently requested access via the Internet, the buffer 120 temporarily stores contents on access requests, which are transmitted by the user host 60, so as to pass on packets for additional access requests which can be provided from the external server 300.
  • the buffer 120 is constructed such that the number of recent access-requested packets stored in the buffer 120 can be arbitrarily set. That is, the number of packets increases according to the capacity of the buffer 120, so information on all access request packets from the beginning to the end of the Internet access by a normal computer user can be stored in the buffer 120. Further, if the capacity of the buffer 120 is small, the access request packet received most recently is stored in the buffer 120, and the access request packet received first is first removed. Further, the buffer 120 can be realized as nonvolatile memory such as flash memory, or volatile memory such as RAM. However, it is preferable to use volatile memory, due to its high access speed.
  • the transmission packet queue 130 serves to temporarily store packets inputted to the address determining unit 110 from the PCI bus. Further, the transmission packet queue 130 temporarily stores the packets while the address determining unit 110 extracts an address from the packets. Thereafter, if a SYN bit corresponding to an access request is set in packets to be transmitted from the user host 60 to the external server 300 or the connector host 80, the transmission packet queue 130 temporarily stores the packets while a destination address is stored in the buffer 120 so as to stand by for a signal with SYN and ACK bits. Further, the transmission packet queue 130 temporarily stores the packets while an access-allowable address list is stored in the buffer 120, separate from the access-allowable address storage unit 200.
  • the transmission packet queue 130 can be realized as volatile memory such as RAM, or non-volatile memory such as flash memory. However, it is preferable to use volatile memory in consideration of access speed.
  • the reception packet queue 140 serves to temporarily store packets inputted to the address determining unit 110 from the Ethernet. Further, the reception packet queue 140 temporarily stores the packets while the address determining unit 110 extracts an address from the packets. If the address determining unit 110 determines the address as access-prohibited, the corresponding packets are removed. However, if the inputted packets are packets corresponding to an address access-requested by the user host 60, the reception packet queue 140 passes on the packets because the address is stored in the buffer 120 as an access-allowable address. That is, the transmission of a SYN bit to the external computer access-requested by the user host 60 enables SYN and ACK bits received from the external computer to be access-allowed.
  • the reception packet queue 140 may be realized as either volatile memory or non-volatile memory, like the transmission packet queue 130; however, the reception packet queue 140 is preferably realized as volatile memory.
  • access allowance/prohibition of reception packets is described with reference to FIG. 5.
  • FIG. 5 is a flowchart of a process of allowing/prohibiting an access request by checking reception packets by the address determining unit according to a preferred embodiment of this invention.
  • the network interface card 100 installed in the user host 60 connected to the Internet receives packets from the external server 300 or the connector host 80 at step S100.
  • the network interface card 100 stores the received packets in the reception packet queue 140 by copying the received packets at step S110.
  • the address determining unit 110 extracts a source address from the received packets at step S120. Further, the address determining unit 110 compares the extracted source address with addresses stored in the buffer 120 at step S130.
  • If the extracted address exists in the buffer 120 and is classified as an access-allowable address, the address determining unit 110 passes on the packets at step S134, while if the address is classified as an access-prohibited address at step S133, the address determining unit 110 removes the corresponding packets at step S135. Further, if the same address as the extracted address does not exist in the buffer 120 at step S130-2, the address determining unit 110 compares the extracted address with addresses on the address list stored in the access-allowable address storage unit 200 at step S140.
  • the address determining unit 110 determines whether any address on the address list stored in the access-allowable address storage unit 200 is identical with the extracted address at step S150. If it is determined that no address on the address list is identical with the extracted address at step S150-1, the address corresponds to reception prohibition at step S151. Therefore, the extracted address is recorded in the buffer as an access-prohibited address at step S152, and the corresponding packets are removed at step S153.
  • If an address on the address list is identical with the extracted address, the extracted address is recorded in the buffer as an access-allowable address at step S160, and the corresponding packets are passed on at step S170.
  • FIG. 6 is a flowchart of a process of allowing/prohibiting an access request by checking transmission packets by the address determining unit according to a preferred embodiment of this invention.
  • the network interface card 100 installed in the user host 60 receives transmission packets at step S200. Accordingly, the network interface card 100 stores the packets in the transmission packet queue 130 at step S210.
  • the address determining unit 110 extracts a destination address from the received packets at step S220, and compares the extracted destination address with addresses stored in the buffer 120 at step S230.
  • If the same address as the extracted destination address exists in the buffer 120, the address determining unit 110 passes on the corresponding packets at step S231, while if the same address as the extracted destination address does not exist in the buffer 120 at step S230-2, the address determining unit 110 determines whether a SYN bit is set in the packets at step S240.
  • If the SYN bit is set, the destination address is recorded in the buffer as an access-allowable address at step S250, and a standby state for reception of a packet with an ACK bit to be transmitted from the destination address is stored at step S260. Further, the address determining unit 110 passes on the packets so as to allow the packets to be transmitted to the outside through the Ethernet at step S270.
  • If the SYN bit is not set, the destination address is stored in the buffer at step S241. Further, the address determining unit 110 passes on the packets so as to allow the packets to be transmitted to the outside through the Ethernet at step S242.
  • a method and apparatus for controlling access from the outside through the Internet according to the present invention is advantageous in that it can control intentional access from the outside via the
  • the present invention is advantageous in that it can prevent a user from deleting or removing packets arbitrarily.
  • the present invention is advantageous in that it can control access from the outside via the Internet using each individual computer without an additional firewall.
  • the present invention is advantageous in that it can control access from the outside via the Internet without requiring additional management for access control.
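As an added example (not code from the patent or its assignee), the following Python model walks the reception flowchart of FIG. 5 and the transmission flowchart of FIG. 6 with the buffer 120 and the access-allowable address storage unit 200 described above, including the oldest-first eviction of the buffer and the standby state for the expected SYN/ACK reply. The packet dictionary fields, the SHA-256 hash, the sample addresses and the treatment of step S241 (recorded as allowable) are assumptions of this example.

```python
from collections import OrderedDict
import hashlib

PASS, DROP = "pass", "drop"


def _hashed(addr: str) -> str:
    # Storage unit 200 preferably keeps hashed values rather than raw IPs/URLs;
    # SHA-256 is this example's choice, the patent names no particular hash.
    return hashlib.sha256(addr.encode("utf-8")).hexdigest()


class AddressDeterminingUnit:
    """Software model of address determining unit 110 plus buffer 120."""

    def __init__(self, allow_list, prohibit_list=(), buffer_capacity=4):
        self.allow_hashes = {_hashed(a) for a in allow_list}        # storage unit 200
        self.prohibit_hashes = {_hashed(a) for a in prohibit_list}  # optional prohibition list
        self.buffer = OrderedDict()   # buffer 120: addr -> "allow" | "deny", oldest first
        self.capacity = buffer_capacity
        self.standby = set()          # step S260: peers whose SYN/ACK reply is awaited

    def _record(self, addr, verdict):
        # Most recent entry goes to the end; when full, the first-received entry
        # is removed first (FIFO), as the description of buffer 120 states.
        self.buffer.pop(addr, None)
        self.buffer[addr] = verdict
        while len(self.buffer) > self.capacity:
            evicted, _ = self.buffer.popitem(last=False)
            self.standby.discard(evicted)

    def on_receive(self, pkt):
        """FIG. 5: packet arriving from the Ethernet side (steps S100-S170)."""
        if pkt["proto"] not in ("tcp", "udp"):
            return PASS                      # only TCP/UDP packets are targets of process
        src = pkt["src"]                     # step S120: extract source address
        if src in self.buffer:               # step S130: recently seen address
            if self.buffer[src] == "allow":
                if pkt.get("syn") and pkt.get("ack"):
                    self.standby.discard(src)  # awaited SYN/ACK has arrived
                return PASS                  # step S134
            return DROP                      # steps S133/S135: recorded as prohibited
        h = _hashed(src)                     # step S140: consult storage unit 200
        if h in self.allow_hashes and h not in self.prohibit_hashes:
            self._record(src, "allow")       # step S160
            return PASS                      # step S170
        self._record(src, "deny")            # steps S151/S152
        return DROP                          # step S153

    def on_transmit(self, pkt):
        """FIG. 6: packet from the PCI bus side (steps S200-S270)."""
        if pkt["proto"] not in ("tcp", "udp"):
            return PASS
        dst = pkt["dst"]                     # step S220: extract destination address
        if dst in self.buffer:               # step S230: already known
            return PASS                      # step S231: outbound is never restricted
        if pkt.get("syn") and not pkt.get("ack"):
            self._record(dst, "allow")       # step S250: peer becomes access-allowable
            self.standby.add(dst)            # step S260: wait for its SYN/ACK
            return PASS                      # step S270
        # Step S241 only says the address is "stored in the buffer"; recording it
        # as allowable is an assumption of this example (it lets UDP replies in).
        self._record(dst, "allow")
        return PASS                          # step S242


def demo():
    """Constructed traffic sample; addresses are documentation-range placeholders."""
    unit = AddressDeterminingUnit(allow_list=["192.0.2.10"],
                                  prohibit_list=["198.51.100.9"], buffer_capacity=2)
    r = {}
    # Unsolicited inbound SYN from an unknown peer: dropped and remembered as denied.
    r["unsolicited_syn"] = unit.on_receive({"proto": "tcp", "src": "203.0.113.5", "syn": True})
    # Inbound SYN from a peer on the always-allowable list: passed and remembered.
    r["allowed_syn"] = unit.on_receive({"proto": "tcp", "src": "192.0.2.10", "syn": True})
    # Outbound SYN from the user host: peer recorded as allowable (evicts the oldest entry).
    r["outbound_syn"] = unit.on_transmit({"proto": "tcp", "dst": "198.51.100.20", "syn": True})
    # The SYN/ACK reply from that peer is now allowed in.
    r["synack_reply"] = unit.on_receive({"proto": "tcp", "src": "198.51.100.20",
                                         "syn": True, "ack": True})
    # The first peer was evicted from the small buffer, so it is re-checked against
    # storage unit 200 and denied again.
    r["evicted_retry"] = unit.on_receive({"proto": "tcp", "src": "203.0.113.5", "syn": True})
    # Non-TCP/UDP traffic is not a target of process and passes through.
    r["icmp"] = unit.on_receive({"proto": "icmp", "src": "203.0.113.5"})
    return r, list(unit.buffer.items())


if __name__ == "__main__":
    print(demo())
```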

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed herein is a method and apparatus for controlling access from the outside through the Internet. The present invention uses a storage unit for storing an access-allowable address list communicating with a network interface card, extracts an address from packets transmitted/received through the network interface card, and compares the extracted address with addresses on the access-allowable address list, and determines access allowance or access prohibition according to the compared result. The network interface card of the present invention communicates with a storage device for storing a secure access-allowable list on the Internet. Further, an address determining unit of the network interface card extracts an address from packets received from the outside and allows only accesses by secure computers, so as to control intentional accesses. Further, the present invention uses a server to provide an update service for access-allowable addresses or access-prohibited addresses according to a user's requirement.

Description

METHOD AND SYSTEM FOR RESTRICTING ACCESS FROM EXTERNAL
Technical Field
The present invention relates generally to a method and apparatus for controlling access from the outside through the Internet, and more particularly to a method of controlling access from the outside through the Internet and apparatus for realizing the same, which receives packets transmitted/received through a network interface card, stores them in a transmission/reception buffer, extracts an address from the stored packets, compares the extracted address with secure IP addresses stored in a storage list communicating with the network interface card, and determines access allowance or access prohibition according to the compared result.
Background Art
After Internet protocols were standardized in 1983, the Internet was popularized mainly through the government, large enterprises, and a plurality of academic computer networks for various purposes such as e-mail, file transmission (FTP), Gopher, network news, etc. Further, when the USA's National Science Foundation (NSF) constructed NSFNET in 1985, the NSF adopted TCP/IP, which is the Internet protocol of ARPA, as the basic protocol of communication. Accordingly, the NSFNET functions as a backbone network of the Internet, and has been popularized very rapidly. Further, in 1988, ARPA began to remove original devices of the ARPANET. As the ARPANET was no longer being used for military applications in 1990, the Internet finally reappeared as a private network. Further, among many phenomena appearing with the progress of an information society, there has been an integration of media and communication networks. Due to this integration, the Internet has become worthy of media with the development of the Internet. As advanced information and communication technologies have been developed, the Internet has settled into conventional society, so great profits are created. On the other hand, however, the Internet also causes great social problems.
FIG. 1 is a view showing the construction of a typical network used in a conventional enterprise. Referring to FIG. 1, the network of the conventional enterprise is generally constructed as shown in FIG. 1. The network comprises a router 10 connected to the Internet to determine an optimal path and transmit packets to the determined path, and a firewall 20 connected to the router 10. The firewall 20 serves to formulate access control policies between two networks. Further, various servers or hosts 60 and 80, etc., to be protected according to the access control, are connected to the back end of the firewall 20 through a switching hub 70. Further, servers can be generally classified into a mail server 40, a Web server 30, a FTP server 50, etc. Functions of the respective servers are well known in the field, so detailed description of the functions is omitted. Further, the hosts 60 and 80, which are personal computers used by users, are connected to the back end of the firewall 20 through the switching hub 70. Important work-related data are stored in the hosts 60 and 80 used in enterprises. However, hacking techniques through the Internet have become increasingly intelligent, and direct hacking of the hosts 60 and 80, not hacking of servers, is increasingly being attempted. As the hacking of the hosts 60 and 80 is attempted, the risk that important data may be leaked from computers becomes great.
Meanwhile, a personal computer is not fundamentally different from a normal computer. Security problems that personal computer users confront include confidentiality, integrity and availability of programs, data and hardware, as in the case of a mainframe computer. Therefore, standard control techniques, such as an access restriction list, protected memory, a user authentication technique, a reliable operating system, etc., must be equally applied even under personal computer environments. However, the personal computer is not typically strict in its security control, compared with that of the mainframe computer or similar types. Moreover, even a mainframe computer is not secure from data destruction by internal users. The personal computer scarcely provides hardware-level protection against intentional hacking by external Internet users. Typical hardware-level protection equipment is mostly used in servers. However, such hardware-level protection equipment is problematic in that it is too expensive to be used by small- and medium-sized enterprises. Further, there is another problem in that even though the enterprise purchases equipment for providing hardware-level protection, the management of the equipment is usually not optimized due to the shortage of manpower capable of controlling the equipment, so the equipment becomes useless in many cases.
Furthermore, there are few enterprises which perform respective security services for the hosts 60 and 80, that is, computers for work. In order to solve the above problems, the user personally installs and uses a security program for clients. The above-described personal firewall is problematic in that it is implemented in a software manner, and the user installing the firewall must directly manage the program, so the risk of hacking due to insufficient management always exists. Further, in typical computers for home use, communication environments using xDSL are dominant with the development of Internet environments. Further, hacking methods targeting computers for home use have been produced as simple programs and have been widely spread under the communication environments. Examples of these hacking programs are Back Orifice 2K, Schoolbus, Netbus, SubSeven y3k, etc. Those skilled in computer use can easily hack personal computers of other persons only by studying manuals of the above hacking programs. However, methods of preventing hacking differ according to users' computing levels. User-level security provides various protection methods such as functions of file encryption, screen locking, IP control, port control, access-log control, process task-managing window, sharing control, etc. However, there is a problem that few client users can suitably maintain the installation and management of such programs.
Disclosure of the Invention
Accordingly, the present invention has been made keeping in mind the above problems occurring in the prior art, and an object of the present invention is to provide a method and apparatus for controlling intentional access from the outside through the Internet. Another object of the present invention is to provide a method and apparatus for controlling access from the outside, which can prevent a user from removing packets arbitrarily.
A further object of the present invention is to provide a method and apparatus for controlling access from the outside through the Internet, which is performed by each user computer without an additional firewall.
Still another object of the present invention is to provide a method and apparatus for controlling access from the outside through the Internet, which does not require an additional manager.
In order to accomplish the above object, the present invention uses a storage unit for storing an access-allowable address list communicating with a network interface card, extracts an address from packets transmitted/received through the network interface card, compares the extracted address with addresses on the access-allowable address list, and determines access allowance or access prohibition according to the compared result. Accesses from a user host (60) to the outside are freely carried out, and any arbitrary access request from the outside to the user host (60) can be prohibited. Further, an external terminal first access-requested by the user host (60) accepts the access request from the user host (60).
Brief Description of the Drawings
The above and other objects, features and other advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a view showing the construction of a typical network used in a conventional enterprise;
FIG. 2 is a conceptual view showing an access request process using a SYN bit;
FIG. 3 is a view showing the construction of a network for realizing a method of controlling access from the outside through the Internet according to a preferred embodiment of the present invention;
FIG. 4 is a block diagram showing the internal construction of a network interface card having an access control function through the Internet according to a preferred embodiment of the present invention;
FIG. 5 is a flowchart of a process of allowing/prohibiting an access request by checking reception packets by an address determining unit; and
FIG. 6 is a flowchart of a process of allowing/prohibiting an access request by checking transmission packets by the address determining unit.
Best Mode for Carrying Out the Invention
FIG. 2 is a conceptual view showing an access request process using a SYN bit. When communicating through the Internet, the most typical method of transmitting data to an opposite computer is to transmit data using the transmission control protocol (TCP). TCP provides stream-type connection-oriented services, which are reliable, that is, which perform error control and flow control by re-transmission. TCP establishes a connection between logical terminals of two communicating computers. Before communication is performed between two computers, control information called a Handshake is transmitted. The Handshake used in TCP is called a three-way Handshake because three segments are exchanged. A user host 60 initiates access by sending a segment, inside of which a 'synchronize sequence numbers' (SYN) bit is contained, to a connector host 80. This segment informs the connector host 80 that the user host 60 desires to begin accessing, and assigns a serial number which the user host 60 uses as the start number of its segments. The connector host 80 responds by sending to the user host 60 a segment in which the ACK and SYN bits are set. Further, the segment from the connector host 80 informs the user host 60 that the connector host 80 has received the segment from the user host 60, and informs the user host 60 of the starting serial number to be used by the connector host 80. Finally, the user host 60 sends to the connector host 80 a segment indicating that the user host 60 has received the segment from the connector host 80, and transmits the first valid data to the connector host 80, thus enabling the user host 60 and the connector host 80 to reliably exchange data therebetween. The above method is the three-way Handshake method, which corresponds to the most often-used method when the user desires to access a computer through TCP.
Hereinafter, embodiments of the present invention will be described in detail with reference to the attached drawings.
Referring to FIG. 3, a method of controlling access from the outside through the Internet is described in detail. FIG. 3 is a view showing the construction of a network for realizing an access control method through the Internet according to a preferred embodiment of the present invention.
A network interface card 100 installed in the user host 60 is constructed to communicate with an access-allowable address storage unit 200. Packets corresponding to an access request from the connector host 80 to the user host 60 are constructed to necessarily pass through the network interface card 100. Therefore, the network interface card 100 extracts a source address from the passed packets and compares the extracted source address with addresses stored in the access-allowable address storage unit 200. According to the compared result, if the same address as the source address exists in the access-allowable address storage unit 200, the network interface card 100 passes on the packets. On the contrary, if the same address as the source address does not exist in the access-allowable address storage unit 200, the network interface card 100 removes the packet. Further, in order to facilitate the interface between hosts, if the user host 60 additionally requests access to the external connector host 80, the network interface card 100 may store addresses which are recently access-requested in an additional buffer, to search for the addresses later so as to stand by for a response signal received from the connector host 80 access-requested by the user host 60. Accordingly, if the user host 60 requests access to the connector host 80, there is no restriction in the transmission of packets, and packets corresponding to an access request from the connector host 80 to the user host 60 are removed. However, if an access request from the connector host 80 according to a request from the user host 60 is inputted, the network interface card 100 temporarily stores the packets in a buffer to pass on the packets. Therefore, the connector host 80 can access the user host 60 if an address extracted from the transmitted packets exists in the buffer as an access-allowable address.
As described above, since accesses to the external server 300 are frequently required for data search using the Internet, etc. by the user host 60, packets for access from the user host 60 to the external server 300 are not restricted for the purpose of free transmission of packets. Further, even though access request packets from the external server 300 are transmitted, access to the external server 300 can be allowed by setting a flag for access allowance to the external server 300. Therefore, there is no restriction even in electronic payment when the user purchases a commodity through Internet sites.
Next, the network interface card according to a preferred embodiment of the present invention is described in detail with reference to FIG. 4. FIG. 4 is a block diagram showing the internal construction of the network interface card having an access control function through the Internet in accordance with the present invention.
The network interface card 100 uses a PCI bus for communication with computers. The network interface card 100 comprises a media access control (MAC) processing unit 150 for processing MAC for packets transmitted through the PCI bus, a PHY processing unit 160 for processing a physical layer, a buffer 120 required for packet process, a BootROM, a connector, etc.
The network interface card 100 of the present invention further comprises an address determining unit 110, the access-allowable address storage unit 200, a transmission packet queue 130, and a reception packet queue 140. Further, the network interface card 100 can be implemented to further comprise the buffer 120 for storing information on access requests from the user computer to the connector host 80 or the external server 300.
Referring to FIG. 4, the address determining unit 110 is connected to the previous stage of the MAC processing unit 150; however, it can be disposed between the MAC processing unit 150 and the PHY processing unit 160, or it can be connected to the next stage of the PHY processing unit 160. Further, in FIG. 4, the transmission packet queue 130 and the reception packet queue 140 are separately arranged; however, they can be integrated into a single packet queue. The address determining unit 110 extracts source/destination addresses from packets transmitted through the Ethernet/PCI bus. The destination address is extracted from packets transmitted through the PCI bus, while the source address is extracted from packets transmitted through the Ethernet bus. The address determining unit 110 extracts an address from input packets, compares the address with addresses on an address list stored in the buffer 120 or the access-allowable address storage unit 200, and determines whether to pass on the packets or not according to the compared result. Further, the address determining unit 110 may check all packets passing therethrough. However, it is preferable to determine whether input packets are targets of processing, to pass on packets which are not targets of processing, and then to determine whether to pass them on or not only with respect to packets which are targets of processing. Packets which are targets of processing are preferably limited to packets using TCP and UDP. The packets inputted to the address determining unit 110 are temporarily stored in the transmission packet queue 130 or the reception packet queue 140, as described later, through the address determining unit 110. The address determining unit 110 further performs the function of storing addresses extracted from the packets in the buffer 120.
Further, the access-allowable address storage unit 200 stores addresses of computers which are always allowable for access requests from external computers to the user host 60, and is constructed to communicate with the network interface card 100. That is, the access-allowable address storage unit 200 can be stored on a hard disc installed in the computer, or the network interface card 100 may include an additional storage device. Non-volatile memory, such as flash memory, EEPROM, etc., is used as the additional storage device. The contents stored in the access-allowable address storage unit 200 are numbers corresponding to the IP addresses of access-allowable computers, or character values corresponding to their URL addresses. Preferably, the numbers and the character values are not stored in the access-allowable address storage unit 200 as they are, but are stored therein in hashed form, produced by a hash function. Since a hash function has no inverse function, the stored contents become values which cannot be read even if anyone attempts to read the stored contents. Further, contents stored as hash values are advantageous in that they are formed and stored as indexes, so they can be searched promptly compared with a search of normal text. Further, the access-allowable address storage unit 200 may additionally include an access prohibition list, which is a list of addresses always prohibited from gaining access, to allow the address determining unit 110 to determine access prohibition. If the user host 60 has recently requested access via the Internet, the buffer 120 temporarily stores the contents of the access requests transmitted by the user host 60, so as to pass on packets for additional access requests which can be provided from the external server 300. Further, the buffer 120 is constructed such that the number of recent access-requested packets stored in the buffer 120 can be arbitrarily set.
That is, the number of packets increases according to the capacity of the buffer 120, so information on all access request packets from the beginning to the end of the Internet access by a normal computer user can be stored in the buffer 120. Further, if the capacity of the buffer 120 is small, the access request packet received most recently is stored in the buffer 120, and the access request packet received first is removed first. Further, the buffer 120 can be realized as non-volatile memory such as flash memory, or volatile memory such as RAM. However, it is preferable to use volatile memory, due to its high access speed.
The transmission packet queue 130 serves to temporarily store packets inputted to the address determining unit 110 from the PCI bus. Further, the transmission packet queue 130 temporarily stores the packets while the address determining unit 110 extracts an address from the packets. Thereafter, if a SYN bit corresponding to an access request is set in packets to be transmitted from the user host 60 to the external server 300 or the connector host 80, the transmission packet queue 130 temporarily stores the packets while the destination address is stored in the buffer 120 so as to stand by for a signal with the SYN and ACK bits. Further, the transmission packet queue 130 temporarily stores the packets while an access-allowable address list is stored in the buffer 120, separate from the access-allowable address storage unit 200. Therefore, when an access request packet in which the SYN bit is set is received from an access-allowable address stored in the buffer 120, access to the user host 60 can be allowed. Moreover, the transmission packet queue 130 can be realized as volatile memory such as RAM, or non-volatile memory such as flash memory. However, it is preferable to use volatile memory in consideration of access speed.
The reception packet queue 140 serves to temporarily store packets inputted to the address determining unit 110 from the Ethernet. Further, the reception packet queue 140 temporarily stores the packets while the address determining unit 110 extracts an address from the packets. If the address determining unit 110 determines the address as access-prohibited, the corresponding packets are removed. However, if the inputted packets are packets corresponding to an address access-requested by the user host 60, the reception packet queue 140 passes on the packets because the address is stored in the buffer 120 as an access-allowable address. That is, the transmission of a SYN bit to the external computer access-requested by the user host 60 enables the SYN and ACK bits received from that external computer to be access-allowed. Further, the reception packet queue 140 may be realized as either volatile memory or non-volatile memory, like the transmission packet queue 130; however, the reception packet queue 140 is preferably realized as volatile memory.
Hereinafter, access allowance/prohibition of reception packets is described with reference to FIG. 5. FIG. 5 is a flowchart of a process of allowing/prohibiting an access request by checking reception packets by the address determining unit according to a preferred embodiment of this invention.
The network interface card 100 installed in the user host 60 connected to the Internet receives packets from the external server 300 or the connector host 80 at step S100. The network interface card 100 stores the received packets in the reception packet queue 140 by copying the received packets at step S110. The address determining unit 110 extracts a source address from the received packets at step S120. Further, the address determining unit 110 compares the extracted source address with addresses stored in the buffer 120 at step S130.
Regarding addresses classified in the buffer 120, if the same address as the extracted address exists at step S130-1, it is determined whether the extracted address is classified as an access-allowable address at step S131. If the address is classified as an access-allowable address at step S132, the address determining unit 110 passes on the packets at step S134, while if the address is classified as an access-prohibited address at step S133, the address determining unit 110 removes the corresponding packets at step S135. Further, if the same address as the extracted address does not exist in the buffer 120 at step S130-2, the address determining unit 110 compares the extracted address with addresses on the address list stored in the access-allowable address storage unit 200 at step S140.
The address determining unit 110 determines whether any address on the address list stored in the access-allowable address storage unit 200 is identical with the extracted address at step S150. If it is determined that no address on the address list is identical with the extracted address at step S150-1, the address corresponds to reception prohibition at step S151. Therefore, the extracted address is recorded in the buffer as an access-prohibited address at step S152, and the corresponding packets are removed at step S153.
Further, if it is determined that any address on the address list stored in the access-allowable address storage unit 200 is identical with the extracted address at step S150-2, the extracted address is recorded in the buffer as an access-allowable address at step S160, and the corresponding packets are passed on at step S170.
Hereinafter, access allowance/prohibition of transmission packets is described with reference to FIG. 6. FIG. 6 is a flowchart of a process of allowing/prohibiting an access request by checking transmission packets by the address determining unit according to a preferred embodiment of this invention.
If the user host 60 requests access to the connector host 80 or the external server 300, such as an arbitrary Web server 30, using a Web browser or other application program, the network interface card 100 installed in the user host 60 receives transmission packets at step S200. Accordingly, the network interface card 100 stores the packets in the transmission packet queue 130 at step S210. The address determining unit 110 extracts a destination address from the received packets at step S220, and compares the extracted destination address with addresses stored in the buffer 120 at step S230.
If the same address as the extracted destination address exists in the buffer 120 at step S230-1, the address determining unit 110 passes on the corresponding packets at step S231, while if the same address as the extracted destination address does not exist in the buffer 120 at step S230-2, the address determining unit 110 determines whether a SYN bit is set in the packets at step S240.
If the SYN bit is set in the packets at step S240-1, the destination address is recorded in the buffer as an access-allowable address at step S250, and a standby state for reception of a packet with an ACK bit to be transmitted from the destination address is stored at step S260. Further, the address determining unit 110 passes on the packets so as to allow the packets to be transmitted to the outside through the Ethernet at step S270.
On the other hand, if the SYN bit is not set in the packets at step S240-2, the destination address is stored in the buffer at step S241. Further, the address determining unit 110 passes on the packets so as to allow the packets to be transmitted to the outside through the Ethernet at step S242.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.
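The reception flow of FIG. 5 (steps S100 to S170) and the transmission flow of FIG. 6 (steps S200 to S270) carried through in working code, as an added simulation that is not part of the patent: the class and function names, the choice of SHA-256 for the hashed allow list (the text only says "hash function"), the bounded FIFO buffer, the treatment of step S241 and the sample addresses are all assumptions of this example.

```python
"""Simulation of the address determining unit (110) of the patent.

Constructed example, not the patent's own code. Models the three stores the
text describes: the hashed access-allowable storage unit (200), an optional
access-prohibition list, and the bounded buffer (120) of recently classified
addresses whose oldest entry is evicted first.
"""
import hashlib
from collections import OrderedDict
from dataclasses import dataclass


def hash_addr(addr: str) -> str:
    """Hashed form in which storage unit 200 keeps entries (SHA-256 assumed)."""
    return hashlib.sha256(addr.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "TCP"   # only TCP and UDP are "targets of process"
    syn: bool = False
    ack: bool = False


class AddressDeterminingUnit:
    ALLOW, PROHIBIT = "allow", "prohibit"

    def __init__(self, allowed, prohibited=(), buffer_capacity=8):
        self.allow_store = {hash_addr(a) for a in allowed}        # unit 200
        self.prohibit_store = {hash_addr(a) for a in prohibited}  # prohibition list
        self.buffer = OrderedDict()        # buffer 120: address -> classification
        self.capacity = buffer_capacity

    def _record(self, addr: str, classification: str) -> None:
        """Insert into buffer 120; with a small buffer the oldest entry goes first."""
        self.buffer[addr] = classification
        while len(self.buffer) > self.capacity:
            self.buffer.popitem(last=False)

    def receive(self, pkt: Packet) -> bool:
        """FIG. 5. Returns True when the packet is passed on, False when removed."""
        if pkt.proto not in ("TCP", "UDP"):
            return True                                    # not a target of process
        addr = pkt.src                                     # S120
        if addr in self.buffer:                            # S130-1
            return self.buffer[addr] == self.ALLOW         # S132 pass / S133 remove
        h = hash_addr(addr)                                # S140: compare hashed form
        if h in self.allow_store and h not in self.prohibit_store:   # S150-2
            self._record(addr, self.ALLOW)                 # S160
            return True                                    # S170
        self._record(addr, self.PROHIBIT)                  # S151/S152
        return False                                       # S153

    def transmit(self, pkt: Packet) -> bool:
        """FIG. 6. Outbound packets are always passed on; a SYN makes the
        destination access-allowable so its SYN/ACK reply can be received."""
        if pkt.proto not in ("TCP", "UDP"):
            return True
        addr = pkt.dst                                     # S220
        if addr in self.buffer:                            # S230-1: pass, unchanged
            return True                                    # S231
        if pkt.syn:                                        # S240-1
            self._record(addr, self.ALLOW)                 # S250/S260: await SYN+ACK
        else:                                              # S240-2
            # S241 only says the address is "stored in the buffer"; storing it as
            # allowable is this example's assumption (it lets UDP replies through).
            self._record(addr, self.ALLOW)
        return True                                        # S242/S270


if __name__ == "__main__":
    # Constructed trace: documentation-range addresses, user host is 192.0.2.1.
    unit = AddressDeterminingUnit(allowed=["203.0.113.10"], buffer_capacity=2)
    trace = [
        ("rx", Packet("198.51.100.7", "192.0.2.1", syn=True)),     # unsolicited
        ("tx", Packet("192.0.2.1", "203.0.113.50", syn=True)),     # host opens
        ("rx", Packet("203.0.113.50", "192.0.2.1", syn=True, ack=True)),
    ]
    for direction, pkt in trace:
        passed = unit.receive(pkt) if direction == "rx" else unit.transmit(pkt)
        print(direction, pkt.src, "->", pkt.dst, "pass" if passed else "remove")
```

Note that under the flow as described, an address cached as prohibited at step S152 is not re-classified by a later outbound SYN (step S230-1 passes the packet without touching the buffer), so the reply from that host is still removed until the entry is evicted.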
Industrial Applicability
As described above, a method and apparatus for controlling access from the outside through the Internet according to the present invention is advantageous in that it can control intentional access from the outside via the Internet.
Further, the present invention is advantageous in that it can prevent a user from deleting or removing packets arbitrarily.
Further, the present invention is advantageous in that it can control access from the outside via the Internet using each individual computer without an additional firewall.
Moreover, the present invention is advantageous in that it can control access from the outside via the Internet without requiring additional management for access control.

Claims
1. A method of controlling access from outside through the Internet, the method being processed by a network interface card, comprising the steps of: receiving one or more packets transmitted/received through the network interface card and storing the packets in a transmission/reception buffer; extracting an address from the stored packets; comparing the extracted address with secure IP addresses stored in a storage list communicating with the network interface card; and determining access allowance or access prohibition according to the compared result.
2. A method of controlling access from outside through the Internet, the method being processed by a network interface card, comprising the steps of: storing one or more packets received by the network interface card in a predetermined region, and extracting an address from the packets; checking whether an address identical with the extracted address is stored in an access-allowable list communicating with the network interface card; and determining access allowance/access prohibition by checking whether the address identical with the extracted address is stored in the access-allowable list.
3. The access control method according to claim 1 or 2, further comprising the steps of: storing a packet, in which a SYN bit is set, of the packets transmitted through the network interface card in the buffer, and extracting an address from the packet; transmitting the packet in which the SYN bit is set through the network interface card; and receiving a packet with an ACK bit, received from the same address as the extracted address, and setting an access-allowable flag in the buffer.
4. The access control method according to claim 1 or 2, further comprising the steps of: storing a packet, inside of which a SYN bit is set, of packets transmitted through the network interface card in the buffer, and extracting and storing an address from the packet; comparing the extracted address with each address stored in the buffer, and determining whether the addresses are identical and whether an access-allowable flag is set; and passing on the received packets if the compared addresses are identical, and the access-allowable flag is set.
5. The access control method according to claim 1 or 2, further comprising the steps of: storing a packet, inside of which a SYN bit is set, of packets received through the network interface card in the buffer, and extracting and storing an address from the packet; comparing the extracted address with each address stored in the buffer, and determining whether the addresses are identical and whether an access-allowable flag is set; and removing the received packets if the compared addresses are not identical, and the access-allowable flag is not set.
6. An apparatus for controlling access from outside through the Internet, comprising: an access-allowable address storage unit for storing secure addresses of computers to be access-allowed according to requests; a transmission packet queue for temporarily storing transmission packets to be transmitted to the outside; a reception packet queue for temporarily storing reception packets received from the outside; and an address determining unit for extracting an address from the reception packets, determining whether the extracted address is access-allowable with reference to the access-allowable address storage unit, removing the received packets if the same address as the extracted address does not exist in the access-allowable address storage unit, and accepting the received packets if the same address as the extracted address exists in the access-allowable address storage unit.
7. The access control apparatus according to claim 6, wherein the access-allowable address storage unit stores address information in a form encrypted using a hash function.
PCT/KR2002/000597 2001-04-11 2002-04-04 Method and system for restricting access from external WO2002084512A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2002582384A JP2004535096A (en) 2001-04-11 2002-04-04 Method and system for regulating external access

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2001-0019395A KR100418445B1 (en) 2001-04-11 2001-04-11 Method and system for restricting access from external
KR2001/19395 2001-04-11

Publications (1)

Publication Number Publication Date
WO2002084512A1 true WO2002084512A1 (en) 2002-10-24