KR100539760B1 - Agent Installation Guidance System and Method through Internet Access Control - Google Patents

Abstract

The present invention relates to an agent installation induction system and method through Internet access control that induces the installation of a security program on each client using TCP blocking technology.

According to the present invention, in relation to the agent installation induction method through the Internet access control in the network consisting of the agent installation guide packet originating server and a plurality of clients, after intercepting the packets outbound (outbound) from the client, Setting information indicating that the agent is installed in the packet header, and transmitting the modified packet on the network; A second step of the server collecting packets distributed on a network; And a third step of analyzing the packet header from the packets collected in the second step, and if it is determined that no agent is installed in the client that sent the analyzed packet, sending the installation guide packet to the client. Provided is a method for inducing agent installation through internet access control, comprising: a.

Agent, TCP Blocking, Internet Access Control

Description

 System and method for inducing installing agent using internet access control             

FIG. 1 is a schematic diagram of an Internet Connection Firewall (ICF) for protecting a computer and a network in a Microsoft Windows XP.

FIG. 2 is a view briefly showing a function of allowing the software to be normally used by adding a port, a protocol, an IP, etc. used by a software operating as a server in the Internet connection firewall shown in FIG.

Figure 3 is a block diagram of the mode division of the Microsoft Windows operating system used in the present invention,

4 is a view showing a message after receiving an ASN.1 attack in Windows XP,

5 is a block diagram of an agent installation induction system through the Internet access control according to an embodiment of the present invention,

FIG. 6 is a diagram illustrating a result of disconnection of a TCP connection by system B, although system A requests a connection to server S according to a TCP blocking technique.

7 is a view showing a screen desired by the system B on the screen of the system A, according to the TCP blocking technology,

FIG. 8 is a diagram illustrating a case in which a system A requests a connection to the server S through a web browser, and connects to the server S on a screen of the web browser, and opens a new pop-up window according to the TCP blocking technology.

FIG. 9 is a diagram illustrating a method of connecting a server S to a screen of a web browser and opening a new ActiveX window when System A requests a connection to server S from a web browser according to the TCP blocking technology.

10 is a flowchart illustrating a procedure occurring in the installation guide packet sending unit shown in FIG. 5;

FIG. 11 is a flowchart illustrating a procedure occurring in the agent originating packet corrector illustrated in FIG. 5.

The present invention relates to an agent installation induction system and method through the Internet access control, in particular, agent installation induction system through the Internet access control to induce to install a security program, etc. to each client using the TCP blocking technology And to a method thereof.

A firewall is a security system, like a protective boundary between a network and the outside world. As shown in FIG. 1, Microsoft provides an Internet Connection Firewall (ICF) function to protect a computer and a network from a Windows XP version.

Internet Connection Firewall is firewall software used to set restrictions on the information communicated between a network or small network and the Internet. It protects the Internet connection of a single computer connected to the Internet.

Internet Connection Firewall is a "stateful" firewall. Stateful firewalls monitor every part of the communication that passes through the path and examine the source and destination addresses and ports of each message that is processed. This feature is also known as the Stealth feature in personal PC firewalls because Internet Connection Firewall allows outbound traffic and blocks inbound traffic, making it invisible from the outside on the network.

The network firewall protects against external attacks through session management, IP, and port control, and the network IDS uses TCP blocking technology to prevent attacks from the outside. This TCP blocking technique is a well known technique.

Internet Connection Firewall, on the other hand, keeps track of all communication tables by tracking traffic originating from Internet Connection Firewall computers to prevent unwanted traffic from entering private connections. All inbound traffic on the Internet is then compared with the entries in the table. Inbound Internet traffic connects to the network computer only if there is a match in the table, proving that the communication exchange originated from the user's computer.

Internet Connection Firewall will be disconnected by the firewall unless the current communication is allowed in the firewall whitelist. Thus, it automatically cancels unwanted communications to block common hacks such as port scanning.

If you scan an Internet Connection Firewall computer with Linux's nmap scanning tool, nmap determines that the target computer does not exist on the network because, for every scan, the Internet Connection Firewall computer does not respond to all scan operations. Seems Down "message is displayed. As such, Internet Connection Firewall automatically cancels unwanted communications to block common hacks such as port scanning.

If Internet Connection Firewall is a computer that provides Web services, inbound traffic will be blocked, and the connection will be broken, preventing normal web services. On the other hand, the Internet connection firewall can provide normal web services by allowing inbound traffic to port 80 used by the service. Thus, Internet connection firewall can use normal service by adding service and protocol. It also allows file / printer sharing by allowing ports 135,137,138,139,445.

In addition to the Internet Connection Firewall in Windows XP, Personal PC Firewall software provides a "stealth firewall" function similar to the Internet Connection Firewall, and also provides IP / Port / Protocol blocking to prevent external access.

Meanwhile, recent Internet-enabled software such as a web server, an FTP server, a telnet server, a P2P program, a remote control program, and a messenger program operate as a service providing server. In addition, the number of software operating as a server is gradually increasing, and the general users are also using this software a lot.

Internet Connection Firewall is an excellent feature that automatically cancels unwanted communications to block common hacks such as port scanning. However, most users do not use the stealth function of the Internet connection firewall or the personal PC firewall because the above software that acts as a server does not operate normally.

Of course, as illustrated in FIG. 2, by adding a port, a protocol, an IP, or the like used by a software operating as a server, the corresponding software can be used normally. In order to use file / printer sharing, the sharing function can be used by allowing a port and a protocol used for sharing. However, the more you allow IPs, ports or protocols, the more vulnerable your security becomes.

Recently, there have been increasing cases of hacking or distributing worm viruses using vulnerabilities in the network, and new vulnerabilities continue to be discovered. Microsoft continues to provide new service packs or patches for vulnerabilities, but vulnerabilities continue to be discovered. In addition, the vulnerability code can be easily obtained through the Internet.

ASN.1 vulnerability recently announced by Microsoft is one such vulnerability. This ASN.1 attack results in multiple integer overflows in the Microsoft ASN.1 library (MSASN1.DLL). A remote attacker overwrites arbitrary heap data through an ASN.1 encoded large Length field. This allows arbitrary code to be executed.

4 shows a message after receiving an ASN.1 attack in Windows XP.

When you run the sample ASN.1 vulnerability attack, which is readily available on the Internet, an error message appears and shuts down the Windows OS. This only results in rebooting the PC, but with minor modifications to the ASN.1 exploit code, the PC is in full control.

In addition, the recent worms do not attack the PC, but excessively cause unnecessary traffic to the network to paralyze the network, causing many users to prevent the use of the Internet itself.

These attacks can be prevented by updating the OS security patches, or using an Internet-facing firewall can effectively defend against vulnerabilities, but they are not efficient because users cannot use the services they want.

For this reason, companies are encouraging their employees to install security software such as security patches, vaccines, and personal PC firewalls, but the fact is that many employees do not install them.

On the other hand, in order to enforce the installation of OS security patches or security software, an enterprise installs an access control and installation induction system for the use of the Internet using TCP blocking technology in a network backbone. Can lead to installation.

However, if it is necessary to install specific software, it is possible to determine whether to install specific software for public IP, but if there is a network with a private IP such as NAT (Network Address Translation) inside, It is impossible for internal users to verify the installation of a specific software. This is because, from the network backbone, all the users' IP inside the NAT is the IP of the NAT. For this reason, there is a problem in that an installation induction system using TCP blocking technology has to be installed one per segment.

An object of the present invention for solving the problems of the prior art as described above provides an agent installation induction system and method through the Internet access control to induce to install a security program on each client using the TCP blocking technology. It is to.

In order to achieve the above object, according to the present invention, a network packet collecting unit is installed on the server side in relation to the agent installation induction system through the Internet access control on the network of the server-client structure; An agent installation guide packet sending unit installed at the server side; And an agent outgoing packet corrector installed on some or all of the clients; Wherein the network packet collector collects packets transmitted on a network; The installation guide packet sender receives a raw packet from the network packet collector and analyzes a packet header to determine that an agent is not installed in the client that sent the packet. Send an induction packet; The agent outgoing packet modifying unit intercepts outbound packets from the client on which the client is installed, sets information indicating that the agent is installed in the packet header, and transmits the modified packet on the network. Provided is an agent installation induction system through Internet access control.

In addition, in connection with the agent installation induction method through the Internet access control in the network consisting of the agent installation guide packet originating server and a plurality of clients, the packet outbound from the some clients are intercepted, A first step of setting information informing that the agent is installed and transmitting the modified packet on a network; A second step of the server collecting packets distributed on a network; And a third step of analyzing the packet header from the packets collected in the second step and sending an installation induction packet to the client if it is determined that no agent is installed in the client that sent the analyzed packet. Provided is a method for inducing agent installation through internet access control, comprising: a.

Hereinafter, with reference to the accompanying drawings will be described in more detail the agent installation guidance system and method through the Internet access control according to an embodiment of the present invention.

First, let's briefly look at the background technology used in the present invention.

3 is a mode division block diagram of the Windows operating system of Microsoft Corporation used in the present invention.

Referring to FIG. 3, Windows XP provided by Microsoft is divided into a kernel mode 110 and a user mode 150. In the kernel mode, an operating system kernel and various device drivers are driven. The application is mainly driven. In addition, programs that run in kernel mode exist in the form of device drivers.

The kernel-mode network architecture of Microsoft's Windows operating system includes AFD (afd.sys), NDIS (Network Driver Interface Specification), and TDI (Transport Driver Interface Specification), which are kernel parts of Windows Sockets. Interface).

In kernel mode, afd.sys, which resides at the top level, communicates with msafd.dll, the lowest-level DLL in the user mode (Windows Dynamic Link Library) on Windows Sockets, and interfaces with TDI at the bottom level.

TDI defines a kernel mode interface that resides on top of the protocol stack. NDIS provides a standard interface for NIC device drivers (Network Interface Card Device Drivers).

This article outlines how to create a firewall or monitor packets in user mode on Microsoft's Windows operating system.

In the packet transmission and reception, Windows NDIS does not actually transmit a raw packet, but follows the NDIS_PACKET format. Therefore, the actual raw packet must be obtained from NDIS_PACKET. The process is obtained through NdisQueryPacket () API, NDIS_BUFFER from NDIS_PACKET, and then via NdisQueryBuffer () API, NdisGetNextBuffer () API from NDIS_BUFFER. Raw) packets can be obtained.

In order to monitor packets in a network monitoring program or network IDS, an NDIS packet driver is generally manufactured and used.

In addition, the method of modifying a packet in a firewall, NAT, or virtual private network (VPN) client in a client other than the network may access a virtual memory where a real packet exists and change the value, or replace the original packet. Create and send a new packet.

These methods include packet data modification in user mode and packet data modification in kernel mode.

First, the packet modification method in the user mode will be described.

* Winsock Layered Service Provider (LSP): This method is provided by Microsoft, and is a component of Microsoft networking that is widely used for quality of service (QOS), URL filtering, and encryption of data streams. Based on the Service Provider Interface (SPI).

* Winsock DLL replacement: It is based on the filtering method by replacing Winsock DLL of Microsoft Windows operating system with user-created DLL.

Global Function Hooking: Hooks Windows socket functions such as Connect, Listen, Send, Recv, Sendto, and Receive Prompt. It is based on the technique of hooking the DeviceIoControl () function that user-mode applications use to communicate with kernel-mode drivers.

The following briefly describes how to monitor or modify packets in kernel mode on Microsoft's Windows operating system.

* NDIS packet driver: Collects packet contents based on the technique of registering protocol driver that can send / receive packets using NdisRegisterProtocol function. This technology is a method that MicroSopot provides to its users, and common packet monitoring drivers use it. However, it cannot be used as a firewall to block packets.

Kernel Mode Socket Filter: Based on the technique that msafd.dll, the lowest level DLL of Windows sockets in user mode, hooks all I / Os that communicate with afd.sys, a kernel mode Windows socket. .

* TDI filter driver: Filter driver using IoAttackDevce () API on the device created by tcpip.sys driver (\ Device \ RawIp, \ Device \ Udp, \ Device \ Tcp, \ Device \ Ip, \ Device \ MULTICAST) This is how to apply. Alternatively, it is based on the technique of hooking all I / O by changing the dispatch table in the driver object of tcpip.sys.

* NDIS IM (InterMediate) Driver: A method provided by Microsoft to users. It is a technique for developing a firewall, network address translation (NAT), and the like between a NIC driver and a protocol driver such as TCP / IP.

* NDIS hooking filter driver: A method of hooking functions of the NDIS library, based on the NdisProtocolHandle returned by hooking functions such as NdisRegisterProtocol, NdisDeregisterProtocol, NdisOpenAdapter, NdisCloseAdapter, and NdisSend, or NdisRegisterProtocol which registers its protocol driver. It is based on the technique of hooking existing registered protocol driver links such as TCP / IP and I / O of protocol drivers and NIC drivers that communicate with NDIS.

The packet collection unit proposed by the present invention can be implemented in the above-described kernel mode socket filter, NDIS packet driver, TDI filter driver, NDIS IM driver, NDIS hooking filter driver, and the like, and is generally implemented in NDIS packet driver. And, the packet modification part of client can be implemented in LSP, Winsock DLL replacement, global function hooking, kernel mode socket filter, TDI filter driver, NDIS IM (InterMediate) driver, NDIS hooking filter driver, and generally NDIS IM driver or NDIS hooking. Implemented in the filter driver.

The following describes a method for restricting Internet use of a system remote from a network, which is a key technical component of the present invention.

This method differs from installing a program on a local system to restrict the use of the Internet. Instead of installing a program on the local system, it sends a specific packet to a remote system on the network, thereby preventing the remote system from using the Internet. It is a limiting technique.

This method uses the TCP blocking technique.

5 is a configuration diagram of an agent installation inducing system through internet access control according to an embodiment of the present invention.

The TCP blocking technique is a well-known technique for switching a connection by transmitting a packet in which a flag field of a TCP header is set to RST (Reset) while monitoring a packet.

TCP uses a 3-way handshake to establish a connection. Initially, the host sends a request to set the flag field of the TCP header to the SYN bit to connect to the server. The server then sends a response with the SYN and ACK bits set. The host then sends a response with the ACK bit set. This three-way handshake allows the two systems to establish a connection.

On the other hand, once the connection is established in the above manner, data transmission can occur in both directions. Unlike a normal close operation, an abnormal situation in which an application or network software forcibly disconnects may occur. For these situations, the TCP protocol provides a reset function.

In order to terminate the connection, one side is initialized by sending a reset packet in which the RST (reset) bit is set, and the other side responds to cancel the connection immediately. This reset stops transmission in both directions at the same time, and all resources are released. In order to send the reset packet for disconnecting the TCP connection as described above, the packet collection unit must monitor the communication between the system A and the server S. Such packet monitoring can be monitored using a packet monitoring technique as described above.

Looking at the actual TCP disconnection procedure, it is assumed that when System A on the LAN connects to Server S, System B exists to disconnect this connection. The system A on the LAN sends a TCP request packet to connect to the server S, and then waits for a response from the server S. At this time, the remote system B monitoring the packet on the LAN immediately sends a fake reset packet to system A as if system B is a server S, and similarly sends a fake reset packet to server S as if it were a system A. Can disconnect the system A from the server S.

6 shows the result of the system A requesting a connection to the server S, but the TCP connection is lost by the system B. This is possible because the system B on the LAN responds faster than the actual server S on the Internet responds.

Also, in the communication between the system A and the server S, when the ACK and PSH (Push) are set in the flags field of the TCP header, the system B sets the flags field of the TCP header to FIN, PSH, and ACK. By sending a packet including data to be displayed on the screen of System A, and then sending a packet in which the flag field of the TCP header is set to RST, the screen of System A may be displayed on the screen of System A as shown in FIG. You can change the entire contents of a web browser, some frame content, pop-up windows, or open a new pop-up window.

In addition, a new pop-up window or an ActiveX window may be displayed while allowing the system A to access the site to be accessed through the redirect.

As described above, FIG. 7 shows that the system A requests a connection to the server S through a web browser, but the contents of the content are changed by the data and the RST packet sent by the system B.

In addition, FIG. 8 shows a case in which the system A makes a request to connect to the server S by a web browser, connects to the server S on a screen of the web browser, and displays a new pop-up window.

In addition, Figure 9 shows a system A when the web browser requests a connection to the server S, the web browser screen is connected to the server S, and a new ActiveX window is displayed.

The functions of each major component of the agent installation induction system shown in FIG. 5 will be described in more detail.

(1) network packet collection unit

As described above, the network packet collector collects packets using an NDIS packet driver, which is a method of monitoring network packets in kernel mode, which is generally used to collect packets. At this time, in order to collect all packets of the network, the packet is changed by changing the mode of the NIC to the promiscuous mode.

(2) installation guide packet sending unit

FIG. 10 is a flowchart illustrating a procedure occurring in the installation guide packet sending unit shown in FIG. 5.

First, in step S1001, the installation guide packet sending unit receives a raw packet from the network packet collecting unit. Then, in step S1003, the source IP is extracted from the raw packet, and the extracted source IP is extracted. Determines whether the agent exists in the IP address of the agent installation target

As a result of the determination in step S1003, if it does not exist, it ends, and if it exists, in step S1005, it is determined whether the destination IP of the packet exists in the allowed IP storage.

As a result of the determination in step S1005, if it exists, the process ends. If not, in step S1007, it is determined whether the packet is a TCP packet.

As a result of the determination in step S1007, if it is not a TCP packet, the procedure ends. If it is a TCP packet, it is determined in step S1009 whether the flag fields of the TCP header are set to ACK and PSH.

As a result of the determination in step S1009, if not set, the procedure ends. If set, in step S1011, the reserved field value or reserved bit value of the TCP header of the packet is checked.

As a result of the check in step S1011, if the value is 1, it is determined that the agent is installed, and if it is not 1, it is determined that the agent is not installed, and the installation guide packet is sent. This installation derivation packet uses the TCP blocking technique as described above.

On the other hand, the present embodiment is designed to determine whether the agent is installed by analyzing the flag field and the reserved field value (or reserved bit value) of the TCP header. However, the present invention is not necessarily limited to this method. This does not exclude the possibility of analyzing through a value that can be specified.

In addition, the installation induction packet is configured as a packet including a command to disconnect the client received by using the TCP blocking technology, to open a predetermined screen, or to force a connection to any particular server as described above. It is good to do.

In the present embodiment, the case where the packet is a TCP packet has been described, but the case where the packet is an IP packet or the like is not excluded.

(3) Agent Outgoing Packet Correction

FIG. 11 is a flowchart illustrating a procedure occurring in the agent outgoing packet corrector shown in FIG. 5.

First, in step S1101, the agent outgoing packet modifying unit is an NDIS IM (InterMediate) driver, NDIS that can modify a packet in a network packet monitoring method in a kernel-mode which is generally widely used to collect packets as described above. Collect packets using a hooking filter driver, etc. At this time, the packets that are outbound from the inside (outbound) from the packets transmitted and received are collected.

Next, in step S1103, it is determined whether the collected outgoing packet is a TCP packet.

As a result of the determination in step S1103, if it is not a TCP packet, it ends. If it is a TCP packet, a value of 1 is set in the reserved field or reserved bit of the TCP header of the packet. As described above, the method of modifying a packet uses a method of accessing a virtual memory in which a real packet exists and changing a value so that the modified packet can be sent as described above, or generating and sending a new packet instead of the original packet. .

In other words, set the Reserved field (or reserved bit) of the TCP header to a non-zero value in the Agent Outgoing Packet Corrector of the client, and set the non-zero TCP Reserved field in the Install Guided Packet Sender installed in the network backbone. If you use the verification method, there is an advantage of knowing whether the agent is installed for each PC in the NAT.

On the other hand, in the agent outgoing packet correction unit, the specific value may be set in the reserved field (or reserved bit) of the TCP header only when ACK and PSH are set in the flag field.

In this embodiment, the packet is modified by setting a specific value in a reserved field (or reserved bit) of the TCP header. However, the packet is not necessarily limited thereto, but a value specifying whether to install an agent in any field of the TCP header is set. It does not preclude you from doing it.

In the present embodiment, the case where the packet is a TCP packet has been described, but the case where the packet is an IP packet or the like is not excluded.

While the invention has been described above based on the preferred embodiments thereof, these embodiments are intended to illustrate rather than limit the invention. It will be apparent to those skilled in the art that various changes, modifications, or adjustments to the above embodiments can be made without departing from the spirit of the invention. Therefore, the protection scope of the present invention will be limited by the appended claims, and should be construed as including all such changes, modifications or adjustments.

By using the agent installation induction system through the Internet access control according to the present invention as described above, it is possible to induce agent installation for users in NAT as well as authorized IP, operating system security patch, security through such agent installation Software and other companies have the effect of inducing the installation of software that must be installed on the system of users in the enterprise.

Claims (19)

delete delete In connection with a system for inducing agent installation through internet access control on a network of a server-client structure, a network packet collecting unit installed on the server side and collecting packets transmitted on a network, and installed on the server side and collecting the network packets If the agent is not installed in the client that sends the packet by receiving a raw packet from the mobile station, and sends the packet to the client, the agent induction packet sending unit sends an agent installation induction packet to the client. And intercepting outbound packets from a client that is installed in some or all of the clients, and setting information indicating that the agent is installed in the packet header to set the modified packet on the network. Agent outgoing packet sent In the agent installation guidance system comprises a government, The network packet collecting unit collects packets using a NDIS (Network Driver Interface Specification) packet driver in kernel mode, but collects all the packets of the network. Agent installation guidance system through the Internet access control, characterized in that to collect packets by changing the mode of the card) to the promiscuous mode. The method of claim 3, wherein The agent outgoing packet modification unit intercepts a packet using any one of an NDIS IM driver or an NDIS hooking filter driver in kernel mode, and installs the agent through the Internet access control system. The method of claim 3, wherein The agent outgoing packet modifying unit, if the collected outgoing packet is not a TCP / IP packet, the agent installation inducing system through the Internet access control, characterized in that for transmitting the packet on the network without modifying the packet. The method of claim 3, wherein The agent outgoing packet modifying unit modifies the packet by accessing a virtual memory in which the actual packet exists and changing a value or creating a new packet instead of the original packet and replacing the original packet with the agent. Installation induction system. The method of claim 3, wherein The agent outgoing packet modification unit sets the specific value representing the agent installation presence information in the reserved field or reserved bit of the intercepted packet header. . The method of claim 3, wherein The agent originating packet modifying unit installs an agent through internet access control, wherein a specific value is set in the reserved field or a reserved bit only when ACK and PSH are set in a flag field of an intercepted packet header. Induction system. The method according to claim 7 or 8, The installation induction packet sending unit determines whether an agent is installed in a client that sends the packet according to a value set in a reserved field or a reservation bit of a collected packet header. Induction system. The method of claim 9, And the installation guide packet sending unit determines the reserved field value or the reserved bit value only when ACK and PSH are set in a flag field of the collected packet header. The method of claim 3, wherein The installation guide packet sending unit generates the setup guide packet and transmits the setup guide packet to a corresponding client by using a TCP blocking method. The method of claim 11, The installation guide packet, Agent installation induction system through the Internet access control, characterized in that the packet containing a command to disconnect the client, received a predetermined screen, or a forced connection to any particular server. delete Agent Installation Guidance Packet In connection with the Agent installation induction method through the Internet access control in the network consisting of the originating server and the plurality of clients, after intercepting outbound packets from the some clients, the agent in the packet header A first step of setting information informing that it has been installed and transmitting the modified packet on the network, a second step of collecting the packet circulated on the network by the server, and a packet header from the packet collected in the second step. In the agent installation method comprising the step of sending an analysis guide packet to the client if it is determined that the agent is not installed on the client that sent the analyzed packet, The first step is, A method of inducing agent installation through internet access control, comprising specifying a specific value representing agent installation presence information in a reserved field or a reserved bit of an intercepted packet header. The method of claim 14, The first step is, The reserved field is set only when ACK and PSH are set in the flag field of the intercepted packet header instead of setting a specific value indicating agent installation information in the reserved field or the reserved bit of the intercepted packet header. Or setting a specific value in a reserved bit. The method according to claim 14 or 15, The third step, And determining whether an agent is installed in the client that sent the packet according to a value set in a reserved field or a reserved bit of a collected packet header. The method of claim 16, The third step, And determining the reserved field value or the reserved bit value only when ACK and PSH are set in the flag field of the collected packet header. The method of claim 14, Generating the installation induction packet and transmitting it to the corresponding client agent installation guidance method through the Internet access control, characterized in that the TCP blocking (blocking) method. The method of claim 18, The installation guide packet, Method for inducing agent installation through Internet access control, characterized in that the packet containing a command to disconnect the client, open a predetermined screen, or force a connection to any particular server.

Images