Abstract: A system and a method for providing a secure network access of a terminal, the system including: a terminal; a gateway located at a boundary of a network to which the terminal belongs; and a server which manages data transmission between the terminal and the gateway. The server generates a control flow between the terminal and the server upon receiving a controller access request from the terminal; transmits, to the terminal, identification information of the control flow, and a threat detection policy stored in a database of the server; receives, from the terminal, the controller access update request including threat detection information indicating a result of executing a threat detection function installed in the terminal on the basis of the threat detection policy; and, when detection of a threat is confirmed from the threat detection information, cancels the control flow on the basis of the threat detection policy.

Abstract: A node according to an embodiment disclosed in the present document may comprise a communication circuit, a processor operatively connected to the communication circuit, and a memory which is operatively connected to the processor and stores a reception application and an access control application, wherein the memory stores instructions causing, when executed by the processor, the node to: detect a network reception event from a source network through the access control application; through the access control application, identify the presence or absence of a data flow which is applied from an external server and corresponds to a destination service port included in a data packet from the source network; and through the access control application, request network reception from the external server on the basis of the presence or absence of the applied data flow and whether the applied data flow includes identification information of the source network.

Abstract: A network access control device generates, in a tunnel-based access control network environment, a tunnel that connects a terminal application to the gateway of a destination network, on the basis of a tunnel between the terminal application and a gateway and a tunnel between gateways, thereby enabling safe transmission of a data packet from the terminal application to a destination node. It can include: a memory for storing a tunnel policy, a tunnel routing policy, and a tunnel table; and a control unit which generates tunnel information and data flow information on the basis of the tunnel policy, the tunnel routing policy, and the tunnel table according to a network access request of the terminal, and which transmits the generated tunnel information and data flow information to the terminal and the gateway of each network so that a tunnel between the terminal and the destination network is generated.

Abstract: A terminal including a communication circuit, a processor, and a memory storing a target application and an access control application. The memory may store instructions which, when executed by the processor, enable the terminal to detect a network access event for a destination network of the target application, via the access control application, identify whether identification information of the target application and data flow information corresponding to the destination network are present via the access control application, identify whether authentication of data flow indicated by the data flow information is valid via the access control information, and drop a data packet of the target application when the data flow information is not present or the authentication of data flow is not valid or transmit the data packet of the target application when the data flow information is present and the authentication of data flow is valid.

Abstract: A node according to an embodiment disclosed in the present document may store instructions which cause the node to: detect a network access event through an access control application; transmit a domain name system (DNS) query request packet to a first external server through the access control application; receive a DNS query result from the first external server, wherein the DNS query result includes domain information and IP information; and transmit a domain validation request or a network access request including the domain information to a second external server on the basis of whether a data 10 flow corresponding to the IP information exists, through the access control application.

Abstract: A node according to an embodiment disclosed in the present document may store instructions for: performing a network access request to an external server through an access control application, the network access request including identification information of a target application and identification information of a destination network; receiving a data flow from the external server through the access control application, the data flow corresponding to identification information of the node and the identification information of the destination network and including information about whether a data packet can be transmitted through a virtual router; and transmitting a data packet of the target application on the basis of the received data flow, through the access control application. The virtual router may be included in a switch to which the node transmits the data packet.

Abstract: A node according to an embodiment disclosed in the present document can store instructions so as to: determine a communication protocol on the basis of whether an operating system transport layer can be accessed through an access control application; transmit, on the basis of the determined communication protocol, an authentication data packet including first authentication information stored in the access control application to an external server, and request authentication; receive an authentication result with respect to the authentication data packet from the external server; and change an authentication state of a control data packet on the basis of the received authentication result. If a control data processing request for the external server is performed, the control data processing request is performed on the basis of the control data packet having a changed authentication state.

Abstract: A method for managing a control flow by a server including: receiving a control flow generation request data packet from the terminal; transmitting a control flow communication code to the terminal; and receiving the result of executing the control flow communication code from the terminal, wherein if the result of executing the control flow communication code is normal, the server generates the control flow with the terminal, and if the execution result value is abnormal, or the execution result is not received from the terminal within a predetermined time, the server blocks the generation of the control flow with the terminal.

Abstract: A network system according to an embodiment disclosed in the present disclosure includes a node, a destination network, a network node, and a server. The node is configured to transmit or drop a data packet depending on whether there is data flow, by means of an access control application, delete the data flow corresponding to identification information of an ended application, when a running end event of the target application or the access control application is identified, and transmit a list of the deleted data flow to the server. The server is configured to transmit the list of the deleted data flow to the network node and collect a network node policy from the node. The network node is configured to process a data packet corresponding to the list of the deleted data flow to be no longer forwarded.

Abstract: According to an embodiment disclosed in the specification, a network node may include a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory. The processor may receive, from a server, a data flow including a node IP, a destination network IP, and port information, which are created to allow creation of a TCP session between a source node and a destination network, may monitor a data packet broadcast or multicast from the source node at a network boundary, may transmit an IP blocking data packet to the source node when there is no data flow corresponding to a source IP of the data packet received through the monitoring, or may transmit a TCP data packet for forcibly terminating a TCP session to the source node when there is no data flow corresponding to a destination IP and destination port information of the data packet received through the monitoring.

Abstract: Disclosed is a gateway which includes a communication circuit, a memory, and a processor operatively connected with the communication circuit and the memory. The processor receives a data packet of a node through a network processing layer, identifies whether there is data flow corresponding to the data packet of the node and authorized from an external server, inspects authentication information of the data packet, when there is a need to inspect the authentication information of the data packet based on authentication information included in the data flow, generates data flow identification information capable of being identified by an application processing layer based on the data packet and forward the data packet to the application processing layer, and processes the forwarded data packet based on the data flow identification information by means of the application processing layer.

Abstract: Disclosed is a gateway which a communication circuit, a memory, and a processor operatively connected with the communication circuit and the memory. The processor receives a service request from a node, identifies whether the service request is received through at least any one of a tunnel authorized by an external server, a security session, or a logical connection, identifies whether there is data flow corresponding to the service request and authorized by the external server, generates authentication information to be inserted into the service request, based on authentication information included in the data flow, and inserts and forwards the authentication information to be inserted into the service request and information associated with the node into the service request to a service server.

Abstract: Disclosed is a gateway which includes a communication circuit, a memory, and a processor operatively connected with the communication circuit and the memory. The processor receives a data packet of a node through a network processing layer, identifies whether there is data flow corresponding to the data packet of the node and authorized from an external server, inspects authentication information of the data packet, when there is a need to inspect the authentication information of the data packet based on authentication information included in the data flow, and inserts and forwards data flow identification information capable of being identified by an application processing layer into the data packet to the application processing layer.

Abstract: A node includes a communication circuit, a processor, and a memory storing an access control application. The memory stores instructions, when executed by the processor, causing the node to detect a network access event for a destination network, by means of the access control application, identify whether there are data flow and a tunnel corresponding to the destination network and authorized from an external server, by means of the access control application, and transmit a data packet through the tunnel, when there are the authorized data flow and the authorized tunnel. The tunnel is generated between the node and a gateway based on tunneling information received from the external server. The tunneling information includes information about tunnels and gateways in which the node is able to perform tunneling among the tunnels and gateways listed by the external server based on a node environment of the node and a network environment.

Abstract: A node includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and storing a reception application and an access control application, and the memory stores instructions that, when executed by the processor, cause the node to detect an event of a network reception from a source network of the reception application through the access control application, to determine whether a data flow, which corresponds to identification information of the reception application, a service port, and the source network and is authorized from an external server exists, through the access control application, to receive a data packet using the communication circuit, when the authorized data flow exists and the reception application is attempting to receive, and to drop the data packet when the authorized data flow information does not exist or the reception application is not attempting to receive.

Abstract: A node according to an embodiment disclosed in the present specification includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and that stores a target application and a access control application, and the memory stores instructions that when executed by the processor, cause the node to detect an event of a network access with respect to a destination network of the target application through the access control application, to determine whether a data flow and a tunnel, which correspond to identification information of the target application and the destination network and are authorized from an external server exist through the access control application, to determine whether an inspection of a data packet of the target application is necessary based on data packet inspection information included in the authorized data flow when the authorized data flow and the authorized tunnel exist, to inspect the data packet b

Abstract: A node according to an embodiment of the present disclosure includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and that stores a target application and an access control application, and the memory stores instructions that, when executed by the processor, cause the node to receive tunnel generation information necessary to generate a gateway and a tunnel from an external server, through the access control application, to request the gateway to generate the tunnel based on the tunnel generation information, through the access control application, to receive static IP information assigned to the node or each user of the node from the gateway, through the access control application, and to transmit the static IP information to the external server, through the access control application.

Abstract: A network access control system and a method are disclosed. In a step of generating a transmission control protocol (TCP) session between a terminal and a gateway (or a server), the TCP session is authenticated, and whether or not to generate the TCP session is determined on the basis of a result of the authentication, thereby preventing, in advance, a target application within the terminal from bypassing control of an access control application and transmitting a data packet to a destination network through an authorized tunnel.

Abstract: A system and a method for providing a secure network access of a terminal, the system including: a terminal; a gateway located at a boundary of a network to which the terminal belongs; and a server which manages data transmission between the terminal and the gateway. The server: generates a control flow between the terminal and the server upon receiving a controller access request from the terminal; transmits, to the terminal, identification information of the control flow, and a threat detection policy stored in a database of the server; receives, from the terminal, the controller access update request including threat detection information indicating a result of executing a threat detection function installed in the terminal on the basis of the threat detection policy; and, when detection of a threat is confirmed from the threat detection information, cancels the control flow on the basis of the threat detection policy.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory which is operatively connected to the processor and stores an access control application. The memory may store instructions that, upon being executed by the processor, cause the node to: sense a controller access event with respect to an external server through the access control application; insert a first protection header to a first control data packet for requesting controller access, the first protection header including a protection information ID for identifying protection information used for authenticating the first control data packet, and first authentication information that is generated on the basis of the protection information and used for authenticating and checking the integrity of the first control data packet; and transmit the first control data packet having the inserted first protection header to the external server by using the communication circuit.