Abstract: A node includes a communication circuit, a processor, and a memory storing an access control application. The memory stores instructions, when executed by the processor, causing the node to detect a network access event for a destination network, via the access control application, identify whether there are data flow and a tunnel corresponding to the destination network and authorized from an external server, via the access control application, and transmit a data packet through the tunnel, when there are the authorized data flow and the authorized tunnel. The tunnel is generated between the node and a gateway based on tunneling information received from the external server. The tunneling information includes information about tunnels and gateways in which the node is able to perform tunneling among the tunnels and gateways listed by the external server based on a node environment of the node and a network environment.

Abstract: A node according to an embodiment disclosed in the present document may store instructions which cause the node to: detect a network access event through an access control application; transmit a domain name system (DNS) query request packet to a first external server through the access control application; receive a DNS query result from the first external server, wherein the DNS query result includes domain information and IP information; and transmit a domain validation request or a network access request including the domain information to a second external server on the basis of whether a data flow corresponding to the IP information exists, through the access control application.

Abstract: A node according to an embodiment disclosed in the present document may store instructions for: performing a network access request to an external server through an access control application, the network access request including identification information of a target application and identification information of a destination network; receiving a data flow from the external server through the access control application, the data flow corresponding to identification information of the node and the identification information of the destination network and including information about whether a data packet can be transmitted through a virtual router; and transmitting a data packet of the target application on the basis of the received data flow, through the access control application. The virtual router may be included in a switch to which the node transmits the data packet.

Abstract: A node according to an embodiment disclosed in the present specification includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and that stores a target application and a access control application, and the memory stores instructions that when executed by the processor, cause the node to detect an event of a network access with respect to a destination network of the target application through the access control application, to determine whether a data flow and a tunnel, which correspond to identification information of the target application and the destination network and are authorized from an external server exist through the access control application, to determine whether an inspection of a data packet of the target application is necessary based on data packet inspection information included in the authorized data flow when the authorized data flow and the authorized tunnel exist, to inspect the data packet b

Abstract: A technology for controlling network access based on a tunnel and a data flow in a network environment, including a node to detect, through an access control application, a network access event in which a target application accesses a destination network; check, through the access control application, whether or not there is a tunnel generated in a unit of nodes or IPs and applied from an external server, and whether or not there is a data flow generated in a unit of TCP sessions or applications and generated by the external server; if there is the applied tunnel and data flow, transmit a data packet of the target application through the applied tunnel by using a communication circuit; and if there is no applied tunnel or data flow, drop a data packet of the target application.

Abstract: Disclosed is a gateway which a communication circuit, a memory, and a processor operatively connected with the communication circuit and the memory. The processor receives a service request from a node, identifies whether the service request is received through at least any one of a tunnel authorized by an external server, a security session, or a logical connection, identifies whether there is data flow corresponding to the service request and authorized by the external server, generates authentication information to be inserted into the service request, based on authentication information included in the data flow, and inserts and forwards the authentication information to be inserted into the service request and information associated with the node into the service request to a service server.

Abstract: A system and a method for providing a secure network access of a terminal, the system including: a terminal; a gateway located at a boundary of a network to which the terminal belongs; and a server which manages data transmission between the terminal and the gateway. The server generates a control flow between the terminal and the server upon receiving a controller access request from the terminal; transmits, to the terminal, identification information of the control flow, and a threat detection policy stored in a database of the server; receives, from the terminal, the controller access update request including threat detection information indicating a result of executing a threat detection function installed in the terminal on the basis of the threat detection policy; and, when detection of a threat is confirmed from the threat detection information, cancels the control flow on the basis of the threat detection policy.

Abstract: A network access control device generates, in a tunnel-based access control network environment, a tunnel that connects a terminal application to the gateway of a destination network, on the basis of a tunnel between the terminal application and a gateway and a tunnel between gateways, thereby enabling safe transmission of a data packet from the terminal application to a destination node. It can include: a memory for storing a tunnel policy, a tunnel routing policy, and a tunnel table; and a control unit which generates tunnel information and data flow information on the basis of the tunnel policy, the tunnel routing policy, and the tunnel table according to a network access request of the terminal, and which transmits the generated tunnel information and data flow information to the terminal and the gateway of each network so that a tunnel between the terminal and the destination network is generated.

Abstract: A terminal including a communication circuit, a processor, and a memory storing a target application and an access control application. The memory may store instructions which, when executed by the processor, enable the terminal to detect a network access event for a destination network of the target application, via the access control application, identify whether identification information of the target application and data flow information corresponding to the destination network are present via the access control application, identify whether authentication of data flow indicated by the data flow information is valid via the access control information, and drop a data packet of the target application when the data flow information is not present or the authentication of data flow is not valid or transmit the data packet of the target application when the data flow information is present and the authentication of data flow is valid.

Abstract: A method for managing a control flow by a server including: receiving a control flow generation request data packet from the terminal; transmitting a control flow communication code to the terminal; and receiving the result of executing the control flow communication code from the terminal, wherein if the result of executing the control flow communication code is normal, the server generates the control flow with the terminal, and if the execution result value is abnormal, or the execution result is not received from the terminal within a predetermined time, the server blocks the generation of the control flow with the terminal.

Abstract: A network access control system and a method are disclosed. In a step of generating a transmission control protocol (TCP) session between a terminal and a gateway (or a server), the TCP session is authenticated, and whether or not to generate the TCP session is determined on the basis of a result of the authentication, thereby preventing, in advance, a target application within the terminal from bypassing control of an access control application and transmitting a data packet to a destination network through an authorized tunnel.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. the perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. the perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. The perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. The perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. The perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. The perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. the perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. the perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.