Method and system for controlling federation policy based on zta for enterprise wireless network infrastructure
The zero-trust structure-based federated policy control method remotely configures security settings and automatically creates VPN tunnels, addressing inconsistent configurations and enhancing network security by ensuring all connections are verified and managed dynamically.
Patent Information
- Authority / Receiving Office
- KR · KR
- Patent Type
- Patents
- Current Assignee / Owner
- ELECTRONICS & TELECOMM RES INST
- Filing Date
- 2022-10-06
- Publication Date
- 2026-07-15
AI Technical Summary
Conventional wireless network security systems require manual configuration of security features on each Wi-Fi router, leading to inconsistent security settings and vulnerabilities, and lack the ability to apply enterprise access policies to VPN tunnels dynamically.
A federated policy control method based on a zero-trust structure that remotely configures security settings across multiple Wi-Fi routers and automatically creates VPN tunnels based on enterprise policies when user terminals request authentication, using a policy decision unit to manage and monitor user, device, and connection policies.
Enhances security by ensuring all connections are verified and trusted, providing real-time management and control, and enabling scalable application of security policies across the network infrastructure.
Smart Images

Figure R1020220127611_ABST
Abstract
Description
Technology Field
[0001] The present invention relates to a zero-trust structure-based federated policy control method and system for wireless network infrastructure. Background Technology
[0002] To enhance the security of enterprise wireless networks, Wi-Fi router security features, Extensible Authentication Protocol (EAP) authentication features, and VPN technology are provided.
[0003] The security features of a Wi-Fi router include MAC address filtering, static IP assignment, firewall functionality, and EAP authentication. EAP authentication is a technology that operates in conjunction with an authentication server, requiring a user ID and password to access the wireless network. Additionally, VPN technology enhances security by using private IP addresses instead of public ones to prevent direct connections from wireless devices to the server, and by encrypting packets during transmission.
[0004] In such conventional technology, there is the inconvenience of having to access each router individually and manually configure its security features to use them. Consequently, security functions are not configured, allowing access to specific devices, and firewall settings are not applied, resulting in access to all networks within the organization simply by connecting to Wi-Fi. As a result, major institutions concerned with security tend to avoid using Wi-Fi.
[0005] In addition, since it is unknown when a terminal will connect, VPN tunnels are created before the terminal connects. This presents a problem in that additional enterprise access policies cannot be applied to the creation of VPN tunnels. Prior art literature
[0006] Published Patent Application No. 10-2017-0109953 (October 10, 2017) The problem to be solved
[0007] The present invention provides a federated policy control method based on a zero-trust structure for a wireless network infrastructure, which enables remote configuration rather than direct access to each Wi-Fi router to configure security settings, and allows for the automatic creation of network firewall settings and VPN tunnels by applying enterprise policies when a user terminal requests EAP authentication.
[0008] However, the problems that the present invention aims to solve are not limited to those described above, and other problems may exist. means of solving the problem
[0009] A federated policy control method based on a zero-trust structure for a wireless network infrastructure according to one aspect of the present invention for solving the above-mentioned problem comprises: a step of receiving a resource within an enterprise from an administrator; a step of transmitting a whitelist to an authentication server and a Wi-Fi router upon completion of the resource registration; a step of receiving information of the terminal from the authentication server upon the terminal logging into the authentication server through the Wi-Fi router; and a step of requesting the creation of a VPN tunnel to a VPN server according to a predefined profile based on the information of the terminal. At this time, the terminal connects to the VPN server through the VPN tunnel.
[0010] In some embodiments of the present invention, the step of registering resources within the enterprise from the administrator may include registering employee ID and password information of the enterprise, terminal information to use wireless network access, Wi-Fi router information, enterprise server information connected by the terminal, and VPN service information to be connected by the terminal.
[0011] In some embodiments of the present invention, the step of transmitting a whitelist to an authentication server and a Wi-Fi router upon completion of the resource registration may include: transmitting a first whitelist containing authorized users to the authentication server; and transmitting a second whitelist containing MAC addresses to be allowed to network access to the Wi-Fi router.
[0012] In some embodiments of the present invention, a user corresponding to a MAC address not registered with the Wi-Fi router may be denied access to the Wi-Fi network by the Wi-Fi router.
[0013] In some embodiments of the present invention, a user not registered with the authentication server may be denied access to the network as authentication fails.
[0014] In some embodiments of the present invention, a terminal not configured in the previously defined profile may be denied access when attempting to access the VPN service.
[0015] Some embodiments of the present invention may further include the step of setting the profile information, which includes a user group, a network group, a service group, a connection profile, and a channel profile corresponding to the registered resource.
[0016] Some embodiments of the present invention may further include the step of controlling and monitoring the Wi-Fi router. In this case, the policy decision unit controls at least one of the SSID, signal strength, and MAC filtering method of the Wi-Fi router and can monitor the status of the Wi-Fi router in real time.
[0017] Some embodiments of the present invention may further include the step of controlling and monitoring the authentication server. In this case, the policy decision unit performs any one of adding, deleting, changing, or querying the ID, password, and name of the user to be authenticated by the authentication server based on the whitelist according to the control, and can check the query, login, and logout of the registered user in real time.
[0018] Some embodiments of the present invention may further include the step of controlling and monitoring the VPN server. In this case, the policy decision unit performs control over at least one of the creation, deletion, and querying of tunnels from the terminal to the VPN gateway, and can monitor the status information of the created VPN tunnel and the connected VPN tunnel in real time.
[0019] A computer program according to another aspect of the present invention for solving the above-mentioned problem is combined with a computer, which is hardware, to execute a federated policy control method based on a zero-trust structure for a wireless network infrastructure, and is stored on a computer-readable recording medium.
[0020] Other specific details of the present invention are included in the detailed description and drawings. Effects of the invention
[0021] Conventional wireless network security technologies used location-based trust policies to distinguish trusted targets based solely on internal and external connections. Since network-based connections allowed for easy attack propagation from within once the boundary was breached, there was a problem in that multi-environment security was not considered, as only the security of a single entity was taken into account.
[0022] According to one embodiment of the present invention for resolving these problems, by applying a zero-trust architecture and applying an enterprise trust policy to all connections, all connections can be verified regardless of when, where, or by whom they connect; if a verified user is not a legitimate terminal or connection, it is blocked; and in all environments, an identity / trust verification-based security policy is autonomously applied by the policy control system, thereby enhancing the security and safety of the enterprise wireless network.
[0023] In addition, it enhances the convenience of network system management and provides a framework for applying new security policies, thereby increasing the scalability of the policy control system.
[0024] The effects of the present invention are not limited to those mentioned above, and other unmentioned effects will be clearly understood by a person skilled in the art from the description below. Brief explanation of the drawing
[0025] FIG. 1 is a block diagram of a federated policy control system according to one embodiment of the present invention. FIG. 2 is a detailed functional block diagram of a federated policy control system according to one embodiment of the present invention. FIG. 3 is a flowchart of a federated policy control method according to one embodiment of the present invention. Specific details for implementing the invention
[0026] The advantages and features of the present invention and the methods for achieving them will become clear by referring to the embodiments described below in detail together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below but may be implemented in various different forms. These embodiments are provided merely to ensure that the disclosure of the present invention is complete and to fully inform those skilled in the art of the scope of the present invention, and the present invention is defined only by the scope of the claims.
[0027] The terms used in this specification are for describing embodiments and are not intended to limit the invention. In this specification, the singular form includes the plural form unless specifically stated otherwise in the text. The terms "comprises" and / or "comprising" used in this specification do not exclude the presence or addition of one or more other components in addition to the components mentioned. Throughout the specification, the same reference numerals refer to the same components, and "and / or" includes each of the mentioned components and all combinations of one or more. Although terms such as "first," "second," etc., are used to describe various components, these components are not limited by these terms. These terms are used merely to distinguish one component from another. Therefore, the first component mentioned below may be the second component within the technical scope of the invention.
[0028] Unless otherwise defined, all terms used herein (including technical and scientific terms) may be used in a meaning commonly understood by those skilled in the art to which the present invention pertains. Additionally, terms defined in commonly used dictionaries are not to be interpreted ideally or excessively unless explicitly and specifically defined otherwise.
[0029] The present invention relates to a federated policy control method based on a zero-trust structure for a wireless network infrastructure, wherein a Wi-Fi router, an authentication server, a control server, and a VPN gateway are interconnected and combined to autonomously control enterprise policies in order to enhance the security of an enterprise wireless network.
[0030] To resolve the problems of conventional technology, one embodiment of the present invention enables remote configuration without directly connecting to each router to set security, and enables network firewall configuration and automatic creation of a VPN tunnel by applying an enterprise policy when a user terminal requests EAP authentication.
[0031] Accordingly, one embodiment of the present invention remotely controls a Wi-Fi router to resolve the problems of the prior art and enable additional security policy settings, and when a terminal is authenticated, the authentication server notifies the device control and connection control function blocks of this so that additional control can be automatically applied to enhance the security of the wireless network.
[0032] Hereinafter, with reference to FIGS. 1 and 2, the configuration of a federated policy control system based on a zero-trust structure for a wireless network infrastructure according to an embodiment of the present invention will be described.
[0033] FIG. 1 is a block diagram of a federated policy control system (1) according to one embodiment of the present invention. FIG. 2 is a detailed functional block diagram of a federated policy control system (1) according to one embodiment of the present invention.
[0034] Referring to FIG. 1, a federated policy control system (1) according to one embodiment of the present invention is applied to an enterprise wireless network infrastructure and includes a policy decision unit (PDP, 100) and a policy implementer (PEP, 200).
[0035] In one embodiment, the policy decision unit (100) includes a policy engine (PE, 110) and a policy manager (PA, 120). The policy engine (110) acts as a brain that combines policies under management to make a final decision, and the final decision is executed by the policy manager (120) issuing a command to the policy implementer (200). Meanwhile, the policy engine (110) and the policy manager (120) can be distinguished by their logical operational meanings within software function blocks.
[0036] Referring to FIG. 2, the policy decision unit (100) is operated by an edge manager controller (EMC: Edge Manager Controller, 101), and the detailed components of the policy decision unit (100) include a user control function block (UCF: User Control Function, 102), a device control function block (DCF: Device Control Function, 103), a profile control function block (PCF: Profile Control Function, 104), and a connection control function block (CCF: Connection Control Function, 105).
[0037] In addition, the function blocks corresponding to the policy implementer (200) include the Authentication Server Function block (AUSF: Authentication Server Function, 210), Wi-Fi router function blocks (220-1~220-N), and VPN server function block (VSF: VPN Server Function, 230).
[0038] In one embodiment, the user control function block (102) controls authentication information, such as a user ID and password, for the Extensible Authentication Protocol (EAP). Additionally, whenever a user logs in or logs out, this is reported to the terminal control function block (103) and the connection control function block (105) so that additional security policies are applied.
[0039] The terminal control function block (103) manages user terminals, Wi-Fi routers, and servers within the organization as a device manager. The profile control function block (104) manages the access control relationships between assets (resources) within the enterprise as a profile manager. The connection control function block (105) performs the function of managing connectivity between the user, the network user terminal, and the VPN server.
[0040] Hereinafter, with reference to FIG. 3, a method performed by a federated policy control system according to an embodiment of the present invention will be described.
[0041] FIG. 3 is a flowchart of a federated policy control method according to one embodiment of the present invention.
[0042] A federated policy control method according to one embodiment of the present invention first receives registration of all resources within the enterprise, such as users, terminals, Wi-Fi routers, and servers, from an administrator at a policy decision unit. In one embodiment, the policy decision unit may receive registration of enterprise employee ID and password information, terminal information to use for wireless network access, Wi-Fi router information, enterprise server information connected by the terminal (IP Address, Protocol type, Port number), and VPN service information to be connected by the terminal (IP Address, Protocol type, Port number).
[0043] Next, the policy decision unit operates automatically upon completion of resource registration and transmits the whitelist to the authentication server and Wi-Fi router.
[0044] In one embodiment, the policy decision unit transmits a first whitelist containing authorized users to an authentication server (S105) and transmits a second whitelist containing MAC addresses to be allowed network access to a Wi-Fi router (S110).
[0045] Next, as the terminal logs into the authentication server through the Wi-Fi router (S115, S120), the terminal's login information is received from the authentication server (S125, S130), and the login information is transmitted to the policy implementer, and the policy implementer requests the creation of a VPN tunnel to the VPN server according to the defined profile (S135, S140).
[0046] Accordingly, the terminal can connect to the VPN server through the VPN tunnel (S145, S150).
[0047] Meanwhile, in one embodiment of the present invention, a user corresponding to a MAC address not registered with the Wi-Fi router is denied Wi-Fi access by the Wi-Fi router (S155), and a user not registered with the authentication server is denied access to the network as authentication fails (S160).
[0048] In addition, in one embodiment of the present invention, if a terminal that is not set in a predefined profile attempts to connect to a VPN service, the connection is denied (S165, S170, S175).
[0049] In addition, in one embodiment of the present invention, the policy decision unit may provide a function that visualizes the operation of all function blocks and enables monitoring and control via a GUI.
[0050] In the case of conventional technology, there was a problem in that comprehensive real-time management and control were difficult due to the characteristics of wireless networks, where it is difficult to know where and with which terminal the connection is made, making usage unsafe. However, to overcome these limitations, one embodiment of the present invention can enhance enterprise wireless network security by combining network entities and security entities to determine and execute comprehensive policies as shown in FIG. 3.
[0051] Hereinafter, detailed embodiments performed in a zero-trust structure-based federated policy control method for a wireless network infrastructure according to one embodiment of the present invention will be described.
[0052] 1. Register Enterprise Resources (Assets)
[0053] One embodiment of the present invention registers enterprise resources to be managed. The resources may include the IDs and passwords of enterprise employees, terminals to use wireless network access, Wi-Fi routers, enterprise servers accessed by terminals, VPN services to be accessed by terminals, etc.
[0054] 2. Registered Resource-Based Profile Settings
[0055] In one embodiment of the present invention, the policy decisioner can set profile information including a user group, network group, service group, connection profile, and channel profile corresponding to a registered resource.
[0056] 3. Wi-Fi Router Control and Status Monitoring
[0057] In one embodiment of the present invention, the policy decision unit controls at least one of the SSID, signal strength, and MAC filtering method of the Wi-Fi router and can monitor the status of the Wi-Fi router in real time.
[0058] 4. Authentication Server Control and Monitoring
[0059] In one embodiment of the present invention, the policy decision unit performs any one of adding, deleting, changing, or looking up the ID, password, and name of a user to be authenticated from a whitelist-based authentication server according to control, and can check the lookup, login, and logout of registered users in real time.
[0060] 5. VPN Server Control and Monitoring
[0061] In one embodiment of the present invention, the policy decision unit performs control over at least one of the creation, deletion, and inquiry of tunnels from a terminal to a VPN gateway, and can monitor status information of the created VPN tunnel and the connected VPN tunnel in real time.
[0062] 6. Monitoring the status of connected terminals
[0063] In one embodiment of the present invention, the policy decision unit can monitor the IP address, signal strength, and traffic usage (tx / rx) of a terminal connected to a Wi-Fi router in real time.
[0064] 7. Monitoring of connection policy status combining user, terminal, and network
[0065] In one embodiment of the present invention, the policy decision unit can check the firewall policy set on the Wi-Fi router in real time on a Wi-Fi router and user terminal basis.
[0066] 8. Channel policy status monitoring combining user, terminal, and server
[0067] In one embodiment of the present invention, the policy decision unit can check the status of the currently operating VPN tunnel in real time according to the tunnel policy set between the user terminal and the VPN gateway.
[0068] Meanwhile, in the above description, steps S105 to S175 may be further divided into additional steps or combined into fewer steps according to an embodiment of the present invention. Also, some steps may be omitted as necessary, and the order between steps may be changed. Meanwhile, the contents of FIGS. 1 and 2 may also be applied to the contents of the federated policy control method of FIG. 3.
[0069] The federated policy control method based on a zero-trust structure for a wireless network infrastructure according to one embodiment of the present invention described above may be implemented as a program (or application) and stored on a medium to be executed in combination with a computer, which is hardware.
[0070] The aforementioned program may include code encoded in computer languages such as C, C++, JAVA, Ruby, and machine language, which can be read by the computer's processor (CPU) through the computer's device interface, in order for the computer to read the program and execute the methods implemented in the program. Such code may include functional code related to functions that define the necessary functions for executing the methods, and may include control code related to execution procedures necessary for the computer's processor to execute the functions according to a predetermined procedure. Additionally, such code may further include memory reference code regarding where (address) additional information or media necessary for the computer's processor to execute the functions should be referenced in the computer's internal or external memory. In addition, if the processor of the computer needs to communicate with any other computer or server located remotely in order to execute the above functions, the code may further include communication-related code regarding how to communicate with any other computer or server located remotely using the communication module of the computer, and what information or media to transmit or receive during communication.
[0071] The above-mentioned storage medium refers to a medium that stores data semi-permanently and is readable by a device, rather than a medium that stores data for a short period of time, such as a register, cache, or memory. Specifically, examples of the above-mentioned storage medium include, but are not limited to, ROM, RAM, CD-ROM, magnetic tape, floppy disk, and optical data storage device. That is, the above-mentioned program may be stored on various recording media on various servers that the computer can access, or on various recording media on the user's computer. Additionally, the above-mentioned medium may be distributed across networked computer systems, and computer-readable code may be stored in a distributed manner.
[0072] The foregoing description of the present invention is for illustrative purposes only, and those skilled in the art will understand that other specific forms can be easily modified without altering the technical spirit or essential features of the present invention. Therefore, the embodiments described above should be understood as illustrative in all respects and not restrictive. For example, each component described as a single unit may be implemented in a distributed manner, and components described as distributed may likewise be implemented in a combined form.
[0073] The scope of the present invention is defined by the claims set forth below rather than by the detailed description above, and all modifications or variations derived from the meaning and scope of the claims and equivalent concepts thereof should be interpreted as being included within the scope of the present invention. Explanation of the symbols
[0074] 1: Coalition Policy Control System 100: Policy decision-making stage 101: Edge Management Control Unit 102: User Control Function Blocks 103: Terminal Control Function Block 104: Profile Control Function Block 105: Connection Control Function Block 110: Policy Engine 120: Policy Manager 200: Policy Executor 210: Authentication Server Function Block 220: Wi-Fi Router Function Blocks 230: VPN Server Function Block
Claims
Claim 1 A method for federated policy control based on a zero-trust structure for a wireless network infrastructure, comprising: a step of registering resources within an enterprise, including terminals and Wi-Fi routers to be used by employees, according to input by an administrator; a step of controlling at least one of the SSID, signal strength, and MAC filtering method of the Wi-Fi router and monitoring the status of the Wi-Fi router in real time; a step of transmitting a first whitelist to an authentication server and transmitting a second whitelist including the MAC address of the terminal to the Wi-Fi router upon completion of the resource registration; a step of, when the terminal attempts to log in to the authentication server through the Wi-Fi router, controlling the Wi-Fi router to deny Wi-Fi access to users corresponding to MAC addresses not registered in the second whitelist and to cause authentication by the authentication server to fail for users not registered in the first whitelist; a step of receiving information of the terminal from the authentication server as the terminal registered with the Wi-Fi router and the authentication server logs in; and a step of requesting the creation of a VPN tunnel to a VPN server according to a predefined profile based on the information of the terminal. Claim 2 A zero-trust structure-based federated policy control method for a wireless network infrastructure, wherein, in claim 1, the step of registering resources within the enterprise from the administrator is to register employee ID and password information of the enterprise, terminal information to use wireless network access, Wi-Fi router information, enterprise server information accessed by the terminal, and VPN service information to be accessed by the terminal. Claim 3 According to claim 1, the step of transmitting the whitelist includes: transmitting a first whitelist including permitted target users to the authentication server; and transmitting a second whitelist including MAC addresses for which network access is permitted to the Wi-Fi router, A zero-trust architecture-based federated policy control method for a wireless network infrastructure. Claim 4 According to claim 1, when a terminal not set in the predefined profile attempts to access the VPN service, the access is denied, A zero-trust architecture-based federated policy control method for a wireless network infrastructure. Claim 5 According to claim 1, the method further includes setting profile information including a user group, a network group, a service group, a connection profile, and a channel profile corresponding to the registered resources, A zero-trust architecture-based federated policy control method for a wireless network infrastructure. Claim 6 According to claim 1, the method further includes controlling and monitoring the authentication server, wherein the policy decision unit performs any one of addition, deletion, modification, and inquiry of the ID, password, and name of a user to be authenticated by the authentication server based on the whitelist according to the control, and real-time checks the inquiry, login, and logout of registered users, A zero-trust architecture-based federated policy control method for a wireless network infrastructure. Claim 7 According to claim 1, the method further includes controlling and monitoring the VPN server, wherein the policy decision unit performs control over at least one of creation, deletion, and inquiry of a tunnel from the terminal to the VPN gateway, and real-time monitors the status information of the created VPN tunnel and the connected VPN tunnel, A zero-trust architecture-based federated policy control method for a wireless network infrastructure. Claim 8 A policy decision maker that registers all resources within an enterprise, such as users, terminals, Wi-Fi routers, servers, etc., controls at least one of the SSID, signal strength, and MAC filtering method of the Wi-Fi router, monitors the status of the Wi-Fi router in real time, transmits a first whitelist to an authentication server as resource registration is completed, and transmits a second whitelist including the MAC address of the terminal to the Wi-Fi router; A Wi-Fi router that rejects Wi-Fi access for users corresponding to MAC addresses not registered in the second whitelist; An authentication server that rejects access to the network when a user not registered in the first whitelist attempts authentication; And A VPN server that generates a VPN tunnel upon receiving a request for VPN tunnel generation from the policy decision maker; A zero-trust architecture-based federated policy control system for a wireless network infrastructure including. Claim 9 The system according to claim 8, wherein the policy decision maker registers employee ID and password information of an enterprise, terminal information to be used for wireless network access, Wi-Fi router information, enterprise server information (IP Address, Protocol type, Port number) accessed by the terminal, and VPN service information (IP Address, Protocol type, Port number) to be accessed by the terminal in a zero-trust architecture-based federated policy control system for a wireless network infrastructure. Claim 10 The system according to claim 8, wherein the policy decision maker requests the VPN server to generate a VPN tunnel according to a predefined profile when receiving login information to the authentication server from the terminal in a zero-trust architecture-based federated policy control system for a wireless network infrastructure.