Abstract: A node according to an embodiment of the present disclosure includes a communication circuit, a processor operatively connected to the communication circuit, and a memory operatively connected to the processor and that stores a target application and an access control application, and the memory stores instructions that, when executed by the processor, cause the node to receive tunnel generation information necessary to generate a gateway and a tunnel from an external server, through the access control application, to request the gateway to generate the tunnel based on the tunnel generation information, through the access control application, to receive static IP information assigned to the node or each user of the node from the gateway, through the access control application, and to transmit the static IP information to the external server, through the access control application.

Abstract: A network access control system and a method are disclosed. In a step of generating a transmission control protocol (TCP) session between a terminal and a gateway (or a server), the TCP session is authenticated, and whether or not to generate the TCP session is determined on the basis of a result of the authentication, thereby preventing, in advance, a target application within the terminal from bypassing control of an access control application and transmitting a data packet to a destination network through an authorized tunnel.

Abstract: A system and a method for providing a secure network access of a terminal, the system including: a terminal; a gateway located at a boundary of a network to which the terminal belongs; and a server which manages data transmission between the terminal and the gateway. The server: generates a control flow between the terminal and the server upon receiving a controller access request from the terminal; transmits, to the terminal, identification information of the control flow, and a threat detection policy stored in a database of the server; receives, from the terminal, the controller access update request including threat detection information indicating a result of executing a threat detection function installed in the terminal on the basis of the threat detection policy; and, when detection of a threat is confirmed from the threat detection information, cancels the control flow on the basis of the threat detection policy.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory which is operatively connected to the processor and stores an access control application. The memory may store instructions that, upon being executed by the processor, cause the node to: sense a controller access event with respect to an external server through the access control application; insert a first protection header to a first control data packet for requesting controller access, the first protection header including a protection information ID for identifying protection information used for authenticating the first control data packet, and first authentication information that is generated on the basis of the protection information and used for authenticating and checking the integrity of the first control data packet; and transmit the first control data packet having the inserted first protection header to the external server by using the communication circuit.

Abstract: A method for managing a control flow by a server including: receiving a control flow generation request data packet from the terminal; transmitting a control flow communication code to the terminal; and receiving the result of executing the control flow communication code from the terminal, wherein if the result of executing the control flow communication code is normal, the server generates the control flow with the terminal, and if the execution result value is abnormal, or the execution result is not received from the terminal within a predetermined time, the server blocks the generation of the control flow with the terminal.

Abstract: A network access control device generates, in a tunnel-based access control network environment, a tunnel that connects a terminal application to the gateway of a destination network, on the basis of a tunnel between the terminal application and a gateway and a tunnel between gateways, thereby enabling safe transmission of a data packet from the terminal application to a destination node. It can include: a memory for storing a tunnel policy, a tunnel routing policy, and a tunnel table; and a control unit which generates tunnel information and data flow information on the basis of the tunnel policy, the tunnel routing policy, and the tunnel table according to a network access request of the terminal, and which transmits the generated tunnel information and data flow information to the terminal and the gateway of each network so that a tunnel between the terminal and the destination network is generated.

Abstract: A network access control system and a method are disclosed. In a step of generating a transmission control protocol (TCP) session between a terminal and a gateway (or a server), the TCP session is authenticated, and whether or not to generate the TCP session is determined on the basis of a result of the authentication, thereby preventing, in advance, a target application within the terminal from bypassing control of an access control application and transmitting a data packet to a destination network through an authorized tunnel.

Abstract: A terminal including a communication circuit, a processor, and a memory storing a target application and an access control application. The memory may store instructions which, when executed by the processor, enable the terminal to detect a network access event for a destination network of the target application, via the access control application, identify whether identification information of the target application and data flow information corresponding to the destination network are present via the access control application, identify whether authentication of data flow indicated by the data flow information is valid via the access control information, and drop a data packet of the target application when the data flow information is not present or the authentication of data flow is not valid or transmit the data packet of the target application when the data flow information is present and the authentication of data flow is valid.

Abstract: A technology for controlling network access based on a tunnel and a data flow in a network environment, including a node to detect, through an access control application, a network access event in which a target application accesses a destination network; check, through the access control application, whether or not there is a tunnel generated in a unit of nodes or IPs and applied from an external server, and whether or not there is a data flow generated in a unit of TCP sessions or applications and generated by the external server; if there is the applied tunnel and data flow, transmit a data packet of the target application through the applied tunnel by using a communication circuit; and if there is no applied tunnel or data flow, drop a data packet of the target application.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. the perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. the perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. The perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. The perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.

Abstract: A node includes: a communication circuit; a processor operatively connected to the communication circuit; and a memory operatively connected to the processor and storing a target application and an access control application, wherein the memory stores instructions that when executed by the processor, cause the node to: detect a network access event of the target application to a destination network through the access control application, identify whether a tunnel corresponding to identification information of the target application and the destination network and authorized by an external server exists, transmit a data packet of the target application through the authorized tunnel using the communication circuit, when the authorized tunnel exists, and drop the data packet of the target application, when the authorized tunnel does not exist.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. the perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. the perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. The perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. The perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. The perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. The perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.

Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. the perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. the perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.