Logical network separation method and apparatus

US 9,503,420 B2
Filed: 10/09/2013
Issued: 11/22/2016
Est. Priority Date: 04/09/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A logical network separation method for a service request packet, performed by a network separation apparatus, the logical network separation method comprising:

wherein the network separation apparatus includes a user interface, an external network interface, and an internal network interface, the user interface is used for communication with a user terminal, the external network interface is used for communication with an external network, the internal network interface is used for communication with an internal network,receiving the service request packet from the user terminal via the user interface;

determining whether a destination of the service request packet is an external network or an internal network;

generating a first hash key on the basis of address information included in the service request packet when it is determined that the destination of the service request packet is the external network;

determining whether the first hash key is in a hash table;

generating hash information on the basis of a transmission property of the service request packet corresponding to the first hash key when the first hash key is not in the hash table;

generating a policy about reception of a service response packet corresponding to the service request packet on the basis of the destination of the service request packet, wherein the policy is used for determining whether to permit reception of the service response packet; and

transmitting the service request packet to the external network via the external network interface,wherein the policy about the reception of the service response packet comprises a policy to permit the reception of the service response packet corresponding to the service request packet or a policy to block the reception of the service response packet corresponding to the service request packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are a logical network separation method and apparatus. The logical network separation method includes generating a first hash key on the basis of address information included in a service request packet, generating hash information on the basis of a transmission property of the service request packet corresponding to the first hash key when the same hash key as the first hash key is not in the hash table, and generating the policy about the reception of the service response packet corresponding to the service request packet on the basis of a destination of the service request packet. Accordingly, it is possible to block a cyber attack such as hacking, a malicious program, etc.

Citations

15 Claims

1. A logical network separation method for a service request packet, performed by a network separation apparatus, the logical network separation method comprising:
- wherein the network separation apparatus includes a user interface, an external network interface, and an internal network interface, the user interface is used for communication with a user terminal, the external network interface is used for communication with an external network, the internal network interface is used for communication with an internal network,receiving the service request packet from the user terminal via the user interface;
  
  determining whether a destination of the service request packet is an external network or an internal network;
  
  generating a first hash key on the basis of address information included in the service request packet when it is determined that the destination of the service request packet is the external network;
  
  determining whether the first hash key is in a hash table;
  
  generating hash information on the basis of a transmission property of the service request packet corresponding to the first hash key when the first hash key is not in the hash table;
  
  generating a policy about reception of a service response packet corresponding to the service request packet on the basis of the destination of the service request packet, wherein the policy is used for determining whether to permit reception of the service response packet; and
  
  transmitting the service request packet to the external network via the external network interface,wherein the policy about the reception of the service response packet comprises a policy to permit the reception of the service response packet corresponding to the service request packet or a policy to block the reception of the service response packet corresponding to the service request packet.
- View Dependent Claims (2, 3, 5, 6)
- - 2. The logical network separation method of claim 1, wherein the generating of the first hash key comprises generating the first hash key with a predefined hash algorithm, andthe predefined hash algorithm generates a hash key, having the same value as the first hack key, of the service response packet corresponding to the service request packet.
  - 3. The logical network separation method of claim 1, wherein the address information comprises source Internet protocol (IP) address information, destination IP address information, source port address information, and destination port address information regarding the service request packet.
  - 5. The logical network separation method of claim 1, further comprising storing the first hash key, the hash information corresponding to the first hash key, and the policy corresponding to the first hash key in the hash table.
  - 6. The logical network separation method of claim 1, wherein the hash information comprises service request number information, session reference time information, and interface information.

4. The logical network separation method of claim further comprising generating a second hash key by adding a predefined value to the first hash key when the first hash key is in the hash table.

7. A logical network separation method for a service response packet, performed by a network separation apparatus, the logical network separation method comprising:
- wherein the network separation apparatus includes a user interface, an external network interface, and an internal network interface, the user interface is used for communication with a user terminal, the external network interface is used for communication with an external network, the internal network interface is used for communication with an internal network,receiving the service response packet from the external network via the external network interface;
  
  generating a first hash key on the basis of address information included in the service response packet;
  
  determining whether the first hash key is in a hash table for logical network separation;
  
  updating hash information corresponding to the first hash key when the first hash key is in the hash table;
  
  determining whether to receive the service response packet on the basis of a policy corresponding to the first hash key, wherein the policy is generated on the basis of a destination of a service request packet to request the service response packet; and
  
  transmitting, when reception of the service response packet is permitted, the service response packet to the user terminal which has transmitted the service request packet via the user interface,wherein the determining of whether to receive the service response packet comprises receiving the service response packet when the policy is a policy to permit the reception of the service response packet and blocking the reception of the service response packet when the policy is a policy to block the reception of the service response packet.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The logical network separation method of claim 7, wherein the generating of the first hash key comprises generating the first hash key with a predefined hash algorithm, andthe predefined hash algorithm generates a hash key, having the same value as the first hack key, of the service request packet corresponding to the service response packet.
  - 9. The logical network separation method of claim 7, further comprising blocking the reception of the service response packet corresponding to the first hash key when the first hash key is not in the hash table.
  - 10. The logical network separation method of claim 7, wherein the address information comprises source Internet protocol (IP) address information, destination IP address information, source port address information, and destination port address information regarding the service response packet.
  - 11. The logical network separation method of claim 7, wherein the hash information comprises service response number information, session reference time information, and interface information.

12. A logical network separation apparatus comprising:
- a user interface configured to communicate with a user terminal;
  
  an external network interface configured to communicate with an external network;
  
  an internal network interface configured to communicate with an internal network;
  
  a processing unit configured to receive a service request packet from the user terminal via the user interface, determine whether a destination of the service request packet is the external network or the internal network, generate a first hash key on the basis of address information included in a service request packet when it is determined that the destination of the service request packet is the external network, determine whether the first hash key is in the hash table, generate hash information on the basis of a transmission property of the service request packet corresponding to the first hash key when the first hash key is not in the hash table, generate a policy about reception of a service response packet corresponding to the service request packet on the basis of a destination of the service request packet, wherein the policy is used for determining whether to permit reception of the service response packet, and transmit the service request packet to the external network via the external network interface; and
  
  a storage unit configured to store information being processed and having been processed by the processing unit,wherein the processing unit receives the service response packet when the policy is a policy to permit the reception of the service response packet and blocks the reception of the service response packet when the policy is a policy to block the reception of the service response packet.
- View Dependent Claims (13, 14, 15)
- - 13. The logical network separation apparatus of claim 12, wherein the processing unit generates the first hash key with a predefined hash algorithm, andthe predefined hash algorithm generates a hash key, having the same value as the first hash key, of the service response packet corresponding to the service request packet.
  - 14. The logical network separation apparatus of claim 12, wherein the address information comprises source Internet protocol (IP) address information, destination IP address information, source port address information, and destination port address information regarding the service request packet.
  - 15. The logical network separation apparatus of claim 12, wherein the processing unit generates a second hash key on the basis of the address information included in the service response packet, determines whether the second hash key is in the hash table, updates the hash information corresponding to the second hash key when the second hash key is in the hash table, and determines whether to receive the service response packet on the basis of the policy corresponding to the second hash key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Park, Pyung Koo, Ryu, Ho Yong
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US14/049,729
Publication Number

US 20140304504A1
Time in Patent Office

1,140 Days
Field of Search

726/3, 726/4, 726/5, 726/6, 726/7, 713/162, 713/165, 713/170, 709/204, 709/226
US Class Current

1/1
CPC Class Codes

H04L 63/02 for separating internal fro...

Logical network separation method and apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Logical network separation method and apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links