[DESCRIPTION]
[Invention Title] NETWORK INTEGRATED MANAGEMENT SYSTEM
[Technical Field] The present invention relates to an integrated network management system that performs 802.1x protocol-based authentication and security on a network and, more particularly, to an integrated network management system, which can authenticate users who try to gain access to the network, and modify authorization policies, which will be applied to Voice Over Internet Protocol client modules, Virtual Private Network client modules and personal firewall modules installed in user terminals, as authorization policies set in an authentication server for respective users, or dynamically control the network access privileges of users according to the status of particular software installed in user terminals.
[Background Art] FIG. 1 is a schematic diagram illustrating an authentication system on a wired/wireless network. FIG. 2 is a view illustrating an authentication process sequence in the authentication system of FIG. 1.

Referring to FIGS. 1 and 2, currently, the IEEE 802.1x standard specification defines three types of entities, that is, a supplicant 100, an authenticator 110 and an authentication server 120. The supplicant is an entity that provides the authenticator with a user's authentication information and requests user authentication, an example of which is a wired/wireless terminal that tries to gain access to the network. Access by the supplicant to the network is controlled by the authenticator, and the supplicant and the authenticator are referred to as Port Authentication Entities (PAE). When the supplicant requests authentication from the authenticator, the initial port status of the authenticator is set to an uncontrolled port status. At this time, the supplicant and the authenticator can communicate with each other only through the Extensible Authentication Protocol (EAP). That is, when authentication information and an authentication request are transferred from the supplicant to the authenticator, EAP Over LAN (EAPOL) or EAP Over Wireless (EAPOW) is used as the protocol.

Meanwhile, the authenticator transmits the authentication information and the authentication request, which are received from the supplicant, to the authentication server. If the authentication through the authentication server is successful, the authenticator transfers an authentication success message to the supplicant and switches the port of the authenticator to a controlled port status. An example of the authenticator may be one of an access point, a router and a switch. At this time, the authenticator terminates only link layer authentication exchange, does not maintain user information, and transmits all requests, which are received from the supplicant, to the authentication server for processing. Meanwhile, authentication exchange is logically carried out between the supplicant and the authentication server. The authenticator serves only as a bridge.

The authentication server is an entity that receives a request for supplicant authentication from the authenticator and authenticates the supplicant. The authentication server stores and manages user authentication information in its internal database, or receives user authentication information through communication with an external entity, and then authenticates users. At this time, although a protocol used between the authentication server and the authenticator is not defined in IEEE 802.1x, it is recommended that the protocol used in a typical Authentication, Authorization and Accounting (AAA) server be used. Accordingly, the Remote Authentication Dial-In User Service (RADIUS) protocol became a de facto standard in the industry. In the case where communication between the authenticator and the authentication server is performed using the RADIUS protocol, the control of the network access privileges of users can be implemented using the determination of authentication through the internal authentication algorithm of the authentication server, RADIUS attributes transferable through an authentication success message, and Vendor Specific Attributes (VSAs).

As described above, the prior art 802.1x supplicant is mainly composed of an EAPOL-based packet processor and a PAE state machine. Recently, a supplicant program installed in a user terminal has wireless network management functions, in addition to the above-described functions. Furthermore, the applicant of the present invention proposes a new integrated network management system that can integrally perform a new type of security, user authentication and privilege management on the basis of the conventional 802.1x protocol.
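The background above describes the link-layer side of 802.1x: before the controlled port is opened, the supplicant and the authenticator speak only EAP, carried in EAPOL frames. The following Python parser is an added example and is not part of the patent text or of any product it describes; it decodes the EAPOL header and the EAP packet inside it and rejects frames whose length fields do not agree with the bytes actually present, which is the check an EAPOL packet processor has to make before it feeds anything to the PAE state machine. The sample exchange (EAPOL-Start, Request/Identity, Response/Identity, Success) and the MAC addresses and identity string in it are constructed values.

```python
"""Added example (not from the patent): a minimal EAPOL/EAP frame parser for
the supplicant-authenticator exchange on the uncontrolled port.
Constructed sample frames only; nothing touches the network."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
# EAPOL packet types from IEEE 802.1X; EAP codes and common method types from RFC 3748.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


class FrameError(ValueError):
    """Raised for any frame the packet processor must not hand to the PAE state machine."""


@dataclass
class EapPacket:
    code: str
    identifier: int
    eap_type: Optional[str]  # None for Success/Failure, which carry no Type octet
    data: bytes


@dataclass
class EapolFrame:
    version: int
    kind: str
    eap: Optional[EapPacket]  # present only for EAP-Packet frames


def parse_eap(body: bytes) -> EapPacket:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(body) < 4:
        raise FrameError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise FrameError("EAP Length field inconsistent with the bytes present")
    if code not in EAP_CODES:
        raise FrameError(f"unknown EAP code {code}")
    payload = body[4:length]
    if code in (3, 4):  # Success and Failure are header-only
        return EapPacket(EAP_CODES[code], ident, None, b"")
    if not payload:
        raise FrameError("Request/Response without a Type octet")
    return EapPacket(EAP_CODES[code], ident, EAP_TYPES.get(payload[0], f"type-{payload[0]}"), payload[1:])


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode an Ethernet frame carrying EAPOL: ethertype 0x888E, then Version(1) Type(1) Length(2) Body."""
    if len(frame) < 14 + 4:
        raise FrameError("frame too short for Ethernet + EAPOL header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise FrameError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise FrameError("EAPOL body shorter than the declared Length")
    kind = EAPOL_TYPES.get(eapol_type)
    if kind is None:
        raise FrameError(f"unknown EAPOL type {eapol_type}")
    eap = parse_eap(body) if eapol_type == 0 else None
    return EapolFrame(version, kind, eap)


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_frame(eapol_type: int, body: bytes = b"", version: int = 2) -> bytes:
    """Constructed Ethernet + EAPOL frame. Destination is the 802.1X PAE group address;
    the source MAC is a constructed locally administered address."""
    dst = bytes.fromhex("0180c2000003")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", version, eapol_type, len(body)) + body


# Constructed exchange: supplicant sends EAPOL-Start, authenticator asks for the identity,
# supplicant answers, and the authenticator relays the server's EAP-Success.
SAMPLE_EXCHANGE = [
    build_frame(1),
    build_frame(0, build_eap(1, 1, 1)),
    build_frame(0, build_eap(2, 1, 1, b"alice@example.test")),
    build_frame(0, build_eap(3, 2)),
]

if __name__ == "__main__":
    for raw in SAMPLE_EXCHANGE:
        print(parse_eapol(raw))
```

The length checks matter because the authenticator forwards EAP payloads to the authentication server without interpreting them; a frame whose EAP Length exceeds the bytes on the wire should be dropped at the packet processor rather than relayed.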
[Disclosure] [Technical Problem] An object of the present invention is to provide an integrated network management system that can integrally perform security, user authentication and privilege management on a network on the basis of the 802.1x protocol. Another object of the present invention is to provide an integrated network management system that can authenticate user terminals that try to gain access to a network and, at the same time, modify authorization policies, which will be applied to Voice over Internet Protocol (VoIP) client modules, Virtual Private Network (VPN) client modules and personal firewall modules installed in the user terminals, as authorization policies set in an authentication server for respective users. Still another object of the present invention is to provide an integrated network management system that can authenticate user terminals that try to gain access to a network and, at the same time, dynamically control the network access privileges of users according to the status of particular software installed in the user terminals.
[Technical Solution] In order to accomplish the above objects, the present invention provides an integrated network management system, including: a user terminal having a predetermined access program, the terminal trying to gain access to a network using the access program;
a security management server having at least one of authorization policies, which may be applied to a Voice Over Internet Protocol (VoIP) client module, a Virtual Private Network (VPN) client module and a personal firewall module, for each registered user; and an authentication server for authenticating a user and a user terminal trying to gain access to the network for each user, and transmitting authorization policies, which will be applied to a successfully authenticated user terminal, to the user terminal while operating in conjunction with the security management server; wherein the access program of the user terminal comprises at least one of the VoIP client module, the VPN client module and the personal firewall module; and wherein the access program comprises: an authentication supplicant module for gaining access to an end terminal of a network, transmitting basic user authentication information to the end terminal, and making a request for user authentication, and a security management module for receiving authorization policies, which will be applied to the VoIP client module, the VPN client module and the personal firewall module, from the authentication server, and modifying authorization policies for corresponding modules
into the authorization policies received from the authentication server, when the authentication is performed by the authentication supplicant module. Preferably, the security management server causes an administrator to previously register the authorization policies for the VoIP client module, the VPN client module and the personal firewall module that will be applied to each user. Preferably, in the integrated network management system having the above-described features: the security management server stores and updates registration information about particular software while operating in conjunction with an external software management server; the access program of the user terminal further includes a software management module for storing registration information about particular software installed in the user terminal, and the authentication supplicant module transmits the basic authentication information and the registration information stored in the software management module to the authentication server when the authentication is requested; and the authentication server authenticates the user using the basic user authentication information, and transmits an authentication success message only when the registration
information about the particular software, which is received from the user terminal, is identical to corresponding information of the security management server even if the authentication is successful. A computer readable recording medium according to another aspect of the present invention stores an access program installed in a predetermined terminal and configured to allow a user to gain access to a network, wherein: the access program comprises at least one of a VoIP client module, a VPN client module and a personal firewall module; and the access program comprises: an authentication supplicant module for transmitting basic user authentication information to an authentication server and making a request for user authentication, and a security management module for modifying authorization policies for corresponding modules using authorization policies for at least one of the VoIP client module, the VPN client module and the personal firewall module, which are received from the authentication server, when the authentication is performed by the authentication supplicant module. Meanwhile, in the recording medium having the above-described features, the access program further includes a software management module for storing and managing registration information about particular software installed in the user terminal, the authentication supplicant module transmits the registration information about particular software, which is installed in the software management module, to the authentication server, along with the basic authentication information, when making a request for user authentication, and the software management module installs or updates corresponding software when installation and update of particular software is requested by the authentication server. In accordance with the present invention, new concept-based security and user authentication, and user privilege management on a network can be performed for respective users on the basis of the 802.1x protocol.
[Advantageous Effects] The present invention modifies authorization policies, which will be applied to VoIP client modules, VPN client modules and personal firewall modules installed in user terminals, while performing an authentication procedure for allowing users to gain access to a network, so that the
authentication and authorization of user terminals that try to gain access to the network can be performed for respective users in various ways, with the result that it is possible to dynamically limit network access privileges for respective users regardless of the infrastructure of a network. Furthermore, the present invention determines whether virus vaccine programs, Operating System (O/S) patch programs and other specific software have been installed in user terminals or whether programs installed in the user terminals have been updated, at the time of user authentication, and can limit the network access privileges of the user terminals in various ways according to the determination results. Furthermore, the conventional 802.1x-based supplicant is simply composed of an EAPoL Packet Processor and a supplicant PAE state machine, whereas the integrated network management system of the present invention can additionally perform functions of user authentication, network management, user privilege management and security.
[Description of Drawings]
FIG. 1 is a configuration diagram illustrating a typical 802.1x-based authentication system on a network;
FIG. 2 is a flowchart showing the operational sequence of the authentication system of FIG. 1;
FIG. 3 is a configuration diagram showing a complete integrated network management system according to a first embodiment of the present invention;
FIG. 4 is a flowchart showing the operational sequence of the system of FIG. 3;
FIG. 5 is a configuration diagram showing a complete integrated network management system according to a second embodiment of the present invention;
FIG. 6 is a flowchart showing the operational sequence of the system of FIG. 5; and
FIG. 7 is a configuration diagram showing a complete integrated network management system according to a third embodiment of the present invention.
[Best Mode] The construction and operation of a wireless integrated network management system according to the present invention are described with reference to the accompanying drawings below.

First Embodiment

FIG. 3 is a configuration diagram showing a complete integrated network management system according to a first embodiment of the present invention. The construction and operation of the wireless integrated network management system according to the present embodiment are described below with reference to FIGS. 3 and 4. Referring to FIG. 3, the system according to the present embodiment includes an authentication server 300, a security management server 310, a network end terminal 320 and a user terminal 330. In this case, the network end terminal 320 is a terminal located at the end of the network, and it may be an Access Point (AP), a switch, a router or the like. The user terminal 330 can gain access to the authentication server or the network through the end terminal. In the system of the present embodiment to which the 802.1x protocol is applied, an access program 340 for performing functions of user authentication request and network access is installed in the user terminal 330 that serves as a supplicant. Furthermore, the access program 340 according to the present embodiment includes a VoIP client module 350, a VPN client module 352, a personal firewall module 354, an authentication supplicant module 356 and a security management module 358. In this case, the basic construction and functions of the VoIP client module 350, the VPN client module 352 and the personal firewall module 354 are the same as those of the conventional ones. However, they have additional construction and functions for receiving
user-based authorization policies, which will be applied to respective client modules, from an external authentication server through an interface with the authentication supplicant module 356 and the security management module 358, and dynamically applying the received authorization policies. The construction and operation of the authentication supplicant module 356 and the security management module 358 are described later. In this case, the term "authorization policy" refers to conditions or references that are set to determine whether to permit access by users, who request access to a network or specific equipment, to the network or corresponding equipment. The authorization policy includes information corresponding to conditions that are previously set for respective users. Furthermore, the end terminal 320 serving as an authenticator transmits a user authentication request signal to the authentication server at the request of the access program of the user terminal 330, or transmits a signal, which is received from the authentication server, to the user terminal. Meanwhile, the authentication server 300 operates in conjunction with the security management server 310 and performs a user authentication procedure at the request of
the authenticator. The security management server 310 has at least one of an authorization policy for a VoIP client module, an authorization policy for an IPSec-based VPN client module and a security policy for a dynamically controlled personal firewall module, which will be applied for each registered user. Meanwhile, the authentication server 300 and the security management server 310 are servers for performing logically different functions, but can be implemented using the same physical system. The operational sequence of the authentication supplicant module 356 of the access program 340 is described with reference to FIG. 4 below. The authentication supplicant module gains access to the authenticator, transmits basic user authentication information, which is received from the user, to the authenticator, and makes a request for user authentication, at step 400. In this case, the basic authentication information includes the identification (ID) information and password of the user. The contents of the basic authentication information may vary according to the network or communication protocol. The authenticator transmits the basic authentication information to the authentication server and makes a request for user authentication at step 410. The
authenticator then receives an authentication result message from the authentication server and transfers the message to the user terminal at step 420. Meanwhile, if the user authentication is successful, the authentication server requests an authorization policy for a VoIP client module, an authorization policy for an IPSec-based VPN client module and a security policy for a dynamically controlled personal firewall module, which will be applied to a corresponding user, from the security management server at step 430. The security management server transmits corresponding information to the authentication server at the request of the authentication server at step 440. The authentication server transfers the received information to the user terminal via the authenticator at step 450. Meanwhile, the security management module 358 modifies authorization policies for corresponding modules within the user terminal, that is, the VoIP client module, the VPN module and the personal firewall module, using the information received from the authentication server through the authentication supplicant module at step 460. In accordance with the wireless integrated network management system according to the present invention, the user terminal that tries to gain access to the network is authenticated by the authentication server and, at the same
time, authorization policies for the corresponding modules of the user terminal are modified according to authorization policies (for example, authorization policies for the VoIP client module, the IPSec-based VPN client module and the dynamically controlled personal firewall module) that are set in the authentication server and the security management server for each user. The corresponding modules of the user terminal operate according to the modified authorization policies. As described above, the security management server can previously set the authorization policies for the VoIP client module, the authorization policies for the IPSec-based VPN client module, and the security policies for the dynamically controlled personal firewall module that will be applied for respective users. If the user authentication is successful, the authentication server receives authorization policies, which will be applied to a corresponding user, from the security management server, retransmits the authorization policies to the user terminal and allows corresponding modules to be modified. Finally, the user terminal operates according to the authorization policies set in the security management server. As a result, although a switch or an access point of a network does not support dynamic VLAN or other authorization
policies, authentication and authorization for a user terminal that has gained access to a network can be performed. Furthermore, according to the present invention, although a network system does not support VLAN, Routing and Access Control List (ACL), traffic blocking and firewall rule set can be dynamically applied on a user basis. Therefore, according to the present invention, practical authentication and authorization on a network are made possible.
[Mode for Invention]

Second Embodiment

A wireless integrated network management system according to a second embodiment of the present invention is described in detail below. FIG. 5 is a configuration diagram showing the entire integrated network management system according to a second embodiment of the present invention. Referring to FIG. 5, the system according to the present embodiment includes an authentication server 500, a security management server 510, a network end terminal 520 and a user terminal 530. An access program 540 for executing functions of user authentication request and network access is installed in the user terminal 530. The access program 540 includes a software management module 550 and an authentication supplicant module 556.
Furthermore, the end terminal 520 serving as an authenticator is the same as that of the first embodiment. Accordingly, descriptions thereof are omitted here. Meanwhile, the authentication server 500 operates in conjunction with the security management server 510, and performs a user authentication procedure at the request of the authenticator. The security management server 510 according to the present embodiment has a database that stores lists of particular software set for respective users and registration information about respective pieces of software. The security management server also operates in conjunction with management servers 560, 562 and 564 managing respective pieces of software registered in the lists, stores and manages the newest registration information about corresponding software in the database, and transmits the corresponding information to the authentication server 500 at the request of the authentication server. Software managed according to the present embodiment can include virus vaccine programs, O/S patch programs, other security-related programs and the like. Servers for managing and operating these programs are the vaccine server 560, the O/S patch server 562, the PC security server 564 and the like. However, it is apparent that the type of software managed in the security
management server can vary according to the system administrator or the requirements of the system. With reference to FIG. 6, the operational sequence of the authentication supplicant module 356 of the access program according to the present embodiment is described below. The authentication supplicant module gains access to the authenticator, transmits basic authentication information (for example, an ID and a PW), which is input by the user, to the authenticator, makes a request for user authentication, requests registration information about particular software, which is installed in the user terminal, from the program management module, and transmits information, which is received from the program management module in response to the request, to the authenticator at step 600. The authenticator transmits the basic user authentication information and registration information about specific software to the authentication server and makes a request for user authentication at step 610. Meanwhile, the authentication server performs a user authentication procedure using the received basic user authentication information at steps 620 and 630. If the user authentication is successful, the authentication server requests registration information about specific software
from the security management server, receives the registration information from the security management server, and compares the registration information received from the security management server with the registration information received from the user terminal. If the registration information received from the user terminal and the registration information received from the security management server are identical to each other, the authentication server transmits an authentication success message to the user terminal so that the user terminal is granted the privilege to gain access to the network at step 640. Meanwhile, if the registration information received from the user terminal and the registration information received from the security management server are not identical to each other, the authentication server permits the user terminal to gain access to the management server through appropriate software, and allows the user terminal to install or update corresponding software from the management server at step 650. In accordance with the present embodiment, even if the user inputs correct authentication information, the status of the user terminal (for example, whether anti-virus software has been installed and updated, the O/S has been patched,
service packs have been installed or specific software has been installed) is determined and the network access privilege of the user terminal can be limited according to the status of the terminal.

Third Embodiment

A wireless integrated network management system according to a third embodiment of the present invention is described below. FIG. 7 is a configuration diagram showing a complete integrated network management system according to a third embodiment of the present invention. Referring to FIG. 7, the system according to the present embodiment includes an authentication server 700, a security management server 710, a network end terminal 720 and a user terminal. An access program 740 for performing functions of user authentication request and network access is installed in the user terminal, and the access program 740 includes a VoIP client module 750, a VPN client module 752, a personal firewall module 754, an authentication supplicant module 756, a security management module 758 and a software management module 759. The operation and functions of the components constituting the system according to the present embodiment
are the same as those of the first and second embodiments. Redundant descriptions thereof are omitted here. Although the preferred embodiments of the present invention have been described, the embodiments are illustrative and do not limit the present invention, and those skilled in the art can appreciate that various modifications and applications are possible without departing from the scope and spirit of the invention. For example, in the embodiments of the present invention, the component elements, such as the types of software set in the security management server, basic user authentication information and the types of modules included in the access program, may be modified in various ways in order to improve the design or efficiency of the system. Furthermore, it must be understood that differences relating to the modifications and the applications fall within the scope of the present invention defined in the accompanying claims.
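The three embodiments combine into one server-side decision: verify the basic authentication information (steps 620 and 630), compare the software registration information reported by the terminal with the security management server's current records (steps 640 and 650), and, only when both pass, return the per-user VoIP, VPN and personal firewall policies for the security management module to apply (steps 430 to 460). The Python model below is an added example and is not code from the patent or from any product it describes. It assumes a constructed set of users, software versions and policy contents, and it represents the two logically separate servers as two classes that could run on one physical system, as the text allows. Note the ordering it keeps: a registration mismatch after a successful credential check yields a remediation list rather than the user's policies, so the terminal's modules keep their previous (default) policies until the software is brought up to date.

```python
"""Added example (not from the patent): authentication server decision combining
credential check, software registration comparison and per-user policy push.
All users, versions and policies below are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class SecurityManagementServer:
    """Holds per-user module policies and the registration info for required software,
    the latter kept current from the vaccine / O/S patch / PC security servers."""
    policies: Dict[str, Dict[str, dict]]
    required_software: Dict[str, str]

    def policies_for(self, user: str) -> Dict[str, dict]:
        return self.policies[user]

    def registration_info(self) -> Dict[str, str]:
        return dict(self.required_software)


@dataclass
class AuthResult:
    accepted: bool
    reason: str
    policies: Dict[str, dict] = field(default_factory=dict)
    remediation: List[str] = field(default_factory=list)  # software the terminal must install/update


class AuthenticationServer:
    def __init__(self, sms: SecurityManagementServer, credentials: Dict[str, Tuple[bytes, bytes]]):
        self.sms = sms
        self.credentials = credentials  # user -> (salt, pbkdf2 digest)

    def _check_credentials(self, user: str, password: str) -> bool:
        record = self.credentials.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def authenticate(self, user: str, password: str, reported: Dict[str, str]) -> AuthResult:
        # Steps 620/630: basic user authentication.
        if not self._check_credentials(user, password):
            return AuthResult(False, "authentication failed")
        # Steps 640/650: registration info from the terminal must match the management server's.
        required = self.sms.registration_info()
        stale = sorted(name for name, version in required.items() if reported.get(name) != version)
        if stale:
            return AuthResult(False, "software registration mismatch", remediation=stale)
        # Steps 430-450: fetch this user's policies and return them for the terminal.
        return AuthResult(True, "ok", policies=self.sms.policies_for(user))


class AccessProgram:
    """Terminal side: software management module reports versions; security management
    module applies received policies to the VoIP, VPN and firewall modules (step 460)."""
    def __init__(self, installed_software: Dict[str, str]):
        self.installed_software = installed_software
        self.module_policies = {"voip": {}, "vpn": {}, "firewall": {}}

    def apply(self, result: AuthResult) -> Dict[str, dict]:
        if result.accepted:
            for module, policy in result.policies.items():
                self.module_policies[module] = dict(policy)
        return self.module_policies


def make_credentials(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    creds = {}
    for user, password in users.items():
        salt = os.urandom(16)
        creds[user] = (salt, _hash_password(password, salt))
    return creds


# Constructed sample data: one registered user with policies for the three modules.
SMS = SecurityManagementServer(
    policies={"alice": {
        "voip": {"sip_server": "sip.example.test", "codecs": ["G.711"]},
        "vpn": {"ipsec_gateway": "vpn.example.test", "split_tunnel": False},
        "firewall": {"inbound": "deny", "outbound_allow": [443, 5060]},
    }},
    required_software={"vaccine": "2024.05.01", "os_patch": "PATCH-PLACEHOLDER-3"},
)
AS = AuthenticationServer(SMS, make_credentials({"alice": "constructed-sample-password"}))


def run_access(user: str, password: str, installed: Dict[str, str]):
    """One access attempt: returns the server's result and the terminal's module policies afterwards."""
    terminal = AccessProgram(installed)
    result = AS.authenticate(user, password, terminal.installed_software)
    return result, terminal.apply(result)


if __name__ == "__main__":
    print(run_access("alice", "constructed-sample-password",
                     {"vaccine": "2024.05.01", "os_patch": "PATCH-PLACEHOLDER-3"}))
    print(run_access("alice", "constructed-sample-password", {"vaccine": "2023.12.01"}))
```

The remediation list is what step 650 hands back so the terminal can reach the appropriate management server and update; everything else on the network stays closed to it, which is the per-user limitation the Advantageous Effects section describes as independent of switch or access point VLAN support.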
[Industrial Applicability] The present invention modifies authorization policies, which will be applied to VoIP client modules, VPN client modules and personal firewall modules installed in user terminals, while performing an authentication procedure for allowing users to gain access to a network, so that authentication and authorization for user terminals that try
to gain access to the network can be performed for respective users in various ways, with the result that it is possible to dynamically limit network access privileges for respective users regardless of the infrastructure of a network.