METHOD AND SYSTEM FOR RESTRICTING ACCESS FROM EXTERNAL
Technical Field
The present invention relates generally to a method and apparatus for controlling access from the outside through the Internet, and more particularly to a method of controlling access from the outside through the Internet and an apparatus for realizing the same, which receives packets transmitted/received through a network interface card, stores them in a transmission/reception buffer, extracts an address from the stored packets, compares the extracted address with secure IP addresses stored in a storage list communicating with the network interface card, and determines access allowance or access prohibition according to the compared result.
Background Art
After Internet protocols were standardized in 1983, the Internet was popularized mainly through the government, large enterprises, and a number of academic computer networks for various purposes such as e-mail, file transfer (FTP), Gopher, network news, etc. Further, when the USA's National Science Foundation (NSF) constructed NSFNET in 1985, the NSF adopted TCP/IP, the Internet protocol of ARPA, as its basic communication protocol. Accordingly, NSFNET came to function as a backbone network of the Internet and spread very rapidly. Further, in 1988, ARPA began to remove the original devices of the ARPANET. As the ARPANET was no longer being used for military applications in 1990, the Internet finally reappeared as a private network. Further, among the many phenomena appearing with the progress of the information society, there has been an integration of media and communication networks. Due to this integration, the Internet has itself become a form of media. As advanced information and communication technologies have been developed, the Internet has become part of conventional society, and great profits are created. On the other hand, however, the Internet also causes great social problems.
FIG. 1 is a view showing the construction of a typical network used in a conventional enterprise. Referring to FIG. 1, the network of the conventional enterprise is generally constructed as shown. The network comprises a router 10 connected to the Internet to determine an optimal path and transmit packets along the determined path, and a firewall 20 connected to the router 10. The firewall 20 serves to enforce access control policies between two networks. Further, various servers or hosts 60 and 80, etc., to be protected according to the access control, are connected to the back end of the firewall 20 through a switching hub 70. Further, servers can generally be classified into a mail server 40, a Web server 30, an FTP server 50, etc. The functions of the respective servers are well known in the field, so a detailed description of the functions is omitted. Further, the hosts 60 and 80, which are personal computers used by users, are connected to the back end of the firewall 20 through the switching hub 70. Important work-related data are stored in the hosts 60 and 80 used in enterprises. However, hacking techniques through the Internet have become increasingly intelligent, and direct hacking of the hosts 60 and 80, rather than hacking of servers, is increasingly being attempted. As hacking of the hosts 60 and 80 is attempted, the risk that important data may be leaked from computers becomes great.
Meanwhile, a personal computer is not fundamentally different from a normal computer. The security problems that personal computer users confront include the confidentiality, integrity and availability of programs, data and hardware, as in the case of a mainframe computer. Therefore, standard control techniques, such as an access restriction list, protected memory, a user authentication technique, a reliable operating system, etc., must be equally applied even in personal computer environments. However, the personal computer is typically not strict in its security control compared with a mainframe computer or similar types. Moreover, even a mainframe computer is not secure from data destruction by internal users. The personal computer scarcely provides hardware-level protection against intentional hacking by external Internet users. Typical hardware-level protection equipment is mostly used in servers. However, such hardware-level protection equipment is problematic in that it is too expensive to be used by small- and medium-sized enterprises. Further, there is another problem in that even though an enterprise purchases equipment for providing hardware-level protection, the management of the equipment is usually not optimized due to the shortage of manpower capable of controlling the equipment, so the equipment becomes useless in many cases.
Furthermore, there are few enterprises which perform separate security services for the hosts 60 and 80, that is, the computers used for work. In order to solve the above problems, the user personally installs and uses a security program for clients. Such a personal firewall is problematic in that it is implemented in software, and the user installing the firewall must directly manage the program, so the risk of hacking due to insufficient management always exists. Further, in typical computers for home use, communication environments using xDSL have become dominant with the development of Internet environments. Further, hacking methods targeting computers for home use have been produced as simple programs and have been widely spread in these communication environments. Examples of these hacking programs are Back Orifice 2K, Schoolbus, Netbus, SubSeven y3k, etc. Those skilled in computer use can easily hack the personal computers of other persons merely by studying the manuals of the above hacking programs. However, methods of preventing hacking differ according to the user's computing level. User-level security provides various protection methods such as file encryption, screen locking, IP control, port control, access-log control, a process task-managing window, sharing control, etc. However, there is a problem in that few client users can suitably maintain the installation and management of such programs.
Disclosure of the Invention
Accordingly, the present invention has been made keeping in mind the above problems occurring in the prior art, and an object of the present invention is to provide a method and apparatus for controlling intentional access from the outside through the Internet.
Another object of the present invention is to provide a method and apparatus for controlling access from the outside, which can prevent a user from removing packets arbitrarily.
A further object of the present invention is to provide a method and apparatus for controlling access from the outside through the Internet, which is performed by each user computer without an additional firewall.
Still another object of the present invention is to provide a method and apparatus for controlling access from the outside through the Internet, which does not require an additional manager.
In order to accomplish the above objects, the present invention uses a storage unit for storing an access-allowable address list communicating with a network interface card, extracts an address from packets transmitted/received through the network interface card, compares the extracted address with addresses on the access-allowable address list, and determines access allowance or access prohibition according to the compared result. Accesses from a user host (60) to the outside are carried out freely, and any arbitrary access request from the outside to the user host (60) can be prohibited. Further, an external terminal to which the user host (60) first sent an access request accepts the access request from the user host (60).
Brief Description of the Drawings
The above and other objects, features and other advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a view showing the construction of a typical network used in a conventional enterprise;
FIG. 2 is a conceptual view showing an access request process using a SYN bit;
FIG. 3 is a view showing the construction of a network for realizing a method of controlling access from the outside through the Internet according to a preferred embodiment of the present invention;
FIG. 4 is a block diagram showing the internal construction of a network interface card having an access control function through the Internet according to a preferred embodiment of the present invention;
FIG. 5 is a flowchart of a process of allowing/prohibiting an access request by checking reception packets by an address determining unit; and
FIG. 6 is a flowchart of a process of allowing/prohibiting an access request by checking transmission packets by the address determining unit.
Best Mode for Carrying Out the Invention
FIG. 2 is a conceptual view showing an access request process using a SYN bit. When communicating through the Internet, the most typical method of transmitting data to an opposite computer is to transmit data using the transmission control protocol (TCP). TCP provides stream-type connection-oriented services, which are reliable, that is, perform error control and flow control by re-transmission. TCP establishes a connection between logical endpoints of two communicating computers. Before communication is performed between two computers, control information called a handshake is transmitted. The handshake used in TCP is called the three-way handshake because three segments are exchanged. A user host 60 initiates access by sending a segment containing a 'synchronize sequence numbers' (SYN) bit to a connector host 80. This segment informs the connector host 80 that the user host 60 desires to begin accessing, and assigns a serial number which the user host 60 uses as the start number of its segments. The connector host 80 responds by sending the user host 60 a segment in which the ACK and SYN bits are set. This segment from the connector host 80 informs the user host 60 that the connector host 80 has received the segment from the user host 60, and informs the user host 60 of the starting serial number to be used by the connector host 80. Finally, the user host 60 sends to the connector host 80 a segment indicating that the user host 60 has received the segment from the connector host 80, and transmits the first valid data to the connector host 80, thus enabling the user host 60 and the connector host 80 to reliably exchange data. The above method is the three-way handshake, which is the most commonly used method when a user desires to access a computer through TCP. Hereinafter, embodiments of the present invention will be described in detail with reference to the attached drawings.
Referring to FIG. 3, a method of controlling access from the outside through the Internet is described in detail. FIG. 3 is a view showing the construction of a network for realizing an access control method through the Internet according to a preferred embodiment of the present invention.
A network interface card 100 installed in the user host 60 is constructed to communicate with an access-allowable address storage unit 200. Packets corresponding to an access request from the connector host 80 to the user host 60 are constructed to necessarily pass through the network interface card 100. Therefore, the network interface card 100 extracts a source address from the passing packets and compares the extracted source address with the addresses stored in the access-allowable address storage unit 200. According to the compared result, if the same address as the source address exists in the access-allowable address storage unit 200, the network interface card 100 passes on the packets. On the contrary, if the same address as the source address does not exist in the access-allowable address storage unit 200, the network interface card 100 removes the packets. Further, in order to facilitate the interface between hosts, if the user host 60 additionally requests access to the external connector host 80, the network interface card 100 may store the recently access-requested addresses in an additional buffer, so that it can search for those addresses later and stand by for a response signal received from the connector host 80 to which the user host 60 sent the access request. Accordingly, if the user host 60 requests access to the connector host 80, there is no restriction on the transmission of packets, while packets corresponding to an unsolicited access request from the connector host 80 to the user host 60 are removed. However, if an access request from the connector host 80 is received in response to a request from the user host 60, the network interface card 100 temporarily stores the packets in a buffer and passes them on. Therefore, the connector host 80 can access the user host 60 if the address extracted from the transmitted packets exists in the buffer as an access-allowable address. As described above, since accesses to the external server 300 are frequently required by the user host 60 for data searches using the Internet, etc., packets for access from the user host 60 to the external server 300 are not restricted, so that packets can be transmitted freely. Further, even when access request packets are transmitted from the external server 300, access to the external server 300 can be allowed by setting a flag for access allowance for the external server 300. Therefore, there is no restriction even on electronic payment when the user purchases a commodity through Internet sites.
Next, the network interface card according to a preferred embodiment of the present invention is described in detail with reference to FIG. 4. FIG. 4 is a block diagram showing the internal construction of the network interface card having an access control function through the Internet in accordance with the present invention.
The network interface card 100 uses a PCI bus for communication with computers. The network interface card 100 comprises a media access control (MAC) processing unit 150 for processing MAC for packets transmitted through the PCI bus, a PHY processing unit 160 for processing a physical layer, a buffer 120 required for packet process, a BootROM, a connector, etc.
The network interface card 100 of the present invention further comprises an address determining unit 110, the access-allowable address storage unit 200, a transmission packet queue 130, and a reception packet queue 140. Further, the network interface card 100 can be implemented to further comprise the buffer 120 for storing information on access requests from the user computer to the connector host 80 or the external server 300.
Referring to FIG. 4, the address determining unit 110 is connected to the previous stage of the MAC processing unit 150; however, it can be disposed between the MAC processing unit 150 and the PHY processing unit 160, or it can be connected to the next stage of the PHY processing unit 160. Further, in FIG. 4, the transmission packet queue 130 and the reception packet queue 140 are separately arranged; however, they can be integrated into a single packet queue. The address determining unit 110 extracts source/destination addresses from packets transmitted through the Ethernet/PCI bus. The destination address is extracted from packets transmitted through the PCI bus, while the source address is extracted from packets transmitted through the Ethernet bus. The address determining unit 110 extracts an address from input packets, compares the address with addresses on an address list stored in the buffer 120 or the access-allowable address storage unit 200, and determines whether to pass on the packets or not according to the compared result. Further, the address determining unit 110 may check all packets passing through it. However, it is preferable to first determine whether input packets are targets of processing, to pass on packets which are not targets of processing, and then to determine whether to pass on or not only those packets which are targets of processing. Packets which are targets of processing are preferably limited to packets using TCP and UDP. The packets inputted to the address determining unit 110 are temporarily stored in the transmission packet queue 130 or the reception packet queue 140, as described later, through the address determining unit 110. The address determining unit 110 further performs the function of storing addresses extracted from the packets in the buffer 120.
Further, the access-allowable address storage unit 200 stores addresses of external computers which are always allowed to make access requests to the user host 60, and is constructed to communicate with the network interface card 100. That is, the access-allowable address storage unit 200 can be stored on a hard disk installed in the computer, or the network interface card 100 may include an additional storage device. Non-volatile memory, such as flash memory, EEPROM, etc., is used as the additional storage device. The contents stored in the access-allowable address storage unit 200 are numbers corresponding to the IP addresses of access-allowable computers, or character values corresponding to their URL addresses. Preferably, the numbers and the character values are not stored in the access-allowable address storage unit 200 as they are, but are stored in hashed form produced by a hash function. Since a hash function has no inverse function, the stored contents become values which cannot be read back even if someone attempts to read them. Further, contents stored as hash values are advantageous in that they are formed and stored as indexes, so they can be searched more promptly than normal text. Further, the access-allowable address storage unit 200 may additionally include an access prohibition list, which is a list of addresses always prohibited from gaining access, to allow the address determining unit 110 to determine access prohibition. If the user host 60 has recently requested access via the Internet, the buffer 120 temporarily stores the contents of the access requests transmitted by the user host 60, so as to pass on packets for the corresponding access requests which may arrive from the external server 300. Further, the buffer 120 is constructed such that the number of recent access-request packets stored in the buffer 120 can be set arbitrarily. That is, the number of packets increases according to the capacity of the buffer 120, so information on all access request packets from the beginning to the end of the Internet access by a normal computer user can be stored in the buffer 120. Further, if the capacity of the buffer 120 is small, the most recently received access request packet is stored in the buffer 120, and the access request packet received first is removed first. Further, the buffer 120 can be realized as non-volatile memory such as flash memory, or volatile memory such as RAM. However, it is preferable to use volatile memory, due to its high access speed.
The transmission packet queue 130 serves to temporarily store packets inputted to the address determining unit 110 from the PCI bus. Further, the transmission packet queue 130 temporarily stores the packets while the address determining unit 110 extracts an address from the packets. Thereafter, if a SYN bit corresponding to an access request is set in packets to be transmitted from the user host 60 to the external server 300 or the connector host 80, the transmission packet queue 130 temporarily stores the packets while the destination address is stored in the buffer 120, so as to stand by for a signal with the SYN and ACK bits set. Further, the transmission packet queue 130 temporarily stores the packets while an access-allowable address list is stored in the buffer 120, separate from the access-allowable address storage unit 200. Therefore, when an access request packet in which the SYN bit is set is received from an access-allowable address stored in the buffer 120, access to the user host 60 can be allowed. Moreover, the transmission packet queue 130 can be realized as volatile memory such as RAM, or non-volatile memory such as flash memory. However, it is preferable to use volatile memory in consideration of access speed.
The reception packet queue 140 serves to temporarily store packets inputted to the address determining unit 110 from the Ethernet. Further, the reception packet queue 140 temporarily stores the packets while the address determining unit 110 extracts an address from the packets. If the address determining unit 110 determines the address to be access-prohibited, the corresponding packets are removed. However, if the inputted packets correspond to an address to which the user host 60 sent an access request, the reception packet queue 140 passes on the packets because the address is stored in the buffer 120 as an access-allowable address. That is, the transmission of a SYN bit to the external computer to which the user host 60 sent the access request enables the SYN and ACK bits received from that external computer to be allowed. Further, the reception packet queue 140 may be realized as either volatile memory or non-volatile memory, like the transmission packet queue 130; however, the reception packet queue 140 is preferably realized as volatile memory.
Hereinafter, access allowance/prohibition of reception packets is described with reference to FIG. 5. FIG. 5 is a flowchart of a process of allowing/prohibiting an access request by checking reception packets by the address determining unit according to a preferred embodiment of this invention.
The network interface card 100 installed in the user host 60 connected to the Internet receives packets from the external server 300 or the connector host 80 at step S100. The network interface card 100 stores the received packets in the reception packet queue 140 by copying the received packets at step S110. The address determining unit 110 extracts a source address from the received packets at step S120. Further, the address determining unit 110 compares the extracted source address with addresses stored in the buffer 120 at step S130.
Regarding addresses classified in the buffer 120, if the same address as the extracted address exists at step S130-1, it is determined whether the extracted address is classified as an access-allowable address at step S131. If the address is classified as an access-allowable address at step S132, the address determining unit 110 passes on the packets at step S134, while if the address is classified as an access-prohibited address at step S133, the address determining unit 110 removes the corresponding packets at step S135.
Further, if the same address as the extracted address does not exist in the buffer 120 at step S130-2, the address determining unit 110 compares the extracted address with addresses on the address list stored in the access-allowable address storage unit 200 at step S140.
The address determining unit 110 determines whether any address on the address list stored in the access-allowable address storage unit 200 is identical with the extracted address at step S150. If it is determined that no address on the address list is identical with the extracted address at step S150-1, the address corresponds to reception prohibition at step S151. Therefore, the extracted address is recorded in the buffer as an access-prohibited address at step S152, and the corresponding packets are removed at step S153.
Further, if it is determined that any address on the address list stored in the access-allowable address storage unit 200 is identical with the extracted address at step S150-2, the extracted address is recorded in the buffer as an access-allowable address at step S160, and the corresponding packets are passed on at step S170.
Hereinafter, access allowance/prohibition of transmission packets is described with reference to FIG. 6. FIG. 6 is a flowchart of a process of allowing/prohibiting an access request by checking transmission packets by the address determining unit according to a preferred embodiment of this invention.
If the user host 60 requests access to the connector host 80 or the external server 300, such as an arbitrary Web server 30, using a Web browser or other application program, the network interface card 100 installed in the user host 60 receives transmission packets at step S200. Accordingly, the network interface card 100 stores the packets in the transmission packet queue 130 at step S210. The address determining unit 110 extracts a destination address from the received packets at step S220, and compares the extracted destination address with addresses stored in the buffer 120 at step S230.
If the same address as the extracted destination address exists in the buffer 120 at step S230-1, the address determining unit 110 passes on the corresponding packets at step S231, while if the same address as the extracted destination address does not exist in the buffer 120 at step S230-2, the address determining unit 110 determines whether a SYN bit is set in the packets at step S240.
If the SYN bit is set in the packets at step S240-1, the destination address is recorded in the buffer as an access-allowable address at step S250, and a standby state for reception of a packet with an ACK bit to be transmitted from the destination address is stored at step S260.
Further, the address determining unit 110 passes on the packets so as to allow the packets to be transmitted to the outside through the Ethernet at step S270.
On the other hand, if the SYN bit is not set in the packets at step S240-2, the destination address is stored in the buffer at step S241. Further, the address determining unit 110 passes on the packets so as to allow the packets to be transmitted to the outside through the Ethernet at step S242.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.
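The decision flow of FIG. 5 (steps S100 to S170) and FIG. 6 (steps S200 to S270), together with the three-way handshake case of FIG. 2, modeled in software as an added example; this is not code from the patent, and the class name AddressFilter, the use of SHA-256 for the hashed storage unit, the fixed-capacity FIFO buffer, the dict packet format and the sample addresses are all assumptions made here.

```python
# Added example (not the patent's code): the FIG. 5 / FIG. 6 decision flow in software.
# Assumptions: SHA-256 for the hashed storage unit 200, a fixed-capacity FIFO buffer 120,
# packets as dicts, and constructed sample addresses from documentation ranges.
import hashlib
from collections import OrderedDict

ALLOW, DENY = "allow", "deny"


def hashed(addr: str) -> str:
    """Storage unit 200 keeps hashed entries rather than plaintext (SHA-256 assumed)."""
    return hashlib.sha256(addr.encode()).hexdigest()


class AddressFilter:
    """Address determining unit 110 with storage unit 200 and buffer 120."""

    def __init__(self, always_allowed, buffer_capacity=4):
        self.storage = {hashed(a) for a in always_allowed}  # unit 200, hashed entries
        self.buffer = OrderedDict()                         # buffer 120: addr -> verdict
        self.capacity = buffer_capacity
        self.awaiting_synack = set()                        # S260 standby state

    def _record(self, addr, verdict):
        """Store a classification in buffer 120; the entry recorded first is removed first."""
        if addr in self.buffer:
            self.buffer.move_to_end(addr)
        self.buffer[addr] = verdict
        while len(self.buffer) > self.capacity:
            self.buffer.popitem(last=False)

    @staticmethod
    def _is_target(packet):
        """Only TCP and UDP packets are targets of processing; others pass untouched."""
        return packet.get("proto") in ("tcp", "udp")

    def check_rx(self, packet):
        """FIG. 5: packet received from the Ethernet (S100-S170). Returns 'pass' or 'drop'."""
        if not self._is_target(packet):
            return "pass"
        src = packet["src"]                                  # S120
        if src in self.buffer:                               # S130-1
            if self.buffer[src] == ALLOW:                    # S132
                self.awaiting_synack.discard(src)            # reply to the host's own request
                return "pass"                                # S134
            return "drop"                                    # S133 / S135
        if hashed(src) in self.storage:                      # S140, S150-2
            self._record(src, ALLOW)                         # S160
            return "pass"                                    # S170
        self._record(src, DENY)                              # S151 / S152
        return "drop"                                        # S153

    def check_tx(self, packet):
        """FIG. 6: packet from the PCI bus (S200-S270). Outbound packets always pass."""
        if not self._is_target(packet):
            return "pass"
        dst = packet["dst"]                                  # S220
        if dst in self.buffer:                               # S230-1
            return "pass"                                    # S231
        if "SYN" in packet.get("flags", ()):                 # S240-1
            self._record(dst, ALLOW)                         # S250
            self.awaiting_synack.add(dst)                    # S260
        else:                                                # S240-2
            self._record(dst, ALLOW)                         # S241 (classification assumed)
        return "pass"                                        # S270 / S242


def run_example():
    """Constructed session: one unsolicited request, one host-initiated connection."""
    f = AddressFilter(always_allowed=["192.0.2.10"], buffer_capacity=2)
    verdicts = [
        f.check_rx({"proto": "tcp", "src": "198.51.100.7", "flags": {"SYN"}}),        # unsolicited
        f.check_tx({"proto": "tcp", "dst": "203.0.113.5", "flags": {"SYN"}}),         # host's request
        f.check_rx({"proto": "tcp", "src": "203.0.113.5", "flags": {"SYN", "ACK"}}),  # its reply
        f.check_rx({"proto": "tcp", "src": "192.0.2.10", "flags": {"SYN"}}),          # always allowed
        f.check_rx({"proto": "icmp", "src": "198.51.100.7"}),                         # not a target
    ]
    return verdicts, f
```

With a buffer capacity of two, the fourth packet evicts the oldest entry (the denied 198.51.100.7), showing the first-in, first-out behaviour the description gives for a small buffer 120.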
Industrial Applicability
As described above, a method and apparatus for controlling access from the outside through the Internet according to the present invention is advantageous in that it can control intentional access from the outside via the Internet.
Further, the present invention is advantageous in that it can prevent a user from deleting or removing packets arbitrarily.
Further, the present invention is advantageous in that it can control access from the outside via the Internet using each individual computer without an additional firewall.
Moreover, the present invention is advantageous in that it can control access from the outside via the Internet without requiring additional management for access control.