KR20120058375A - Communication Method of Agent Using ARP, Network Access Control Method Using ARP and Network System - Google Patents

Abstract

Disclosed are a communication method, a network access control method, and a network system using ALP of an agent program.
In a communication method using ALP according to an embodiment of the present invention, a first agent program installed in a first computer may include: a first in which a specific bit value is assigned to at least one of an 'operation field' and a 'target protocol address field'; Generating an Address Resolution Protocol (ARP) packet; the first agent program broadcasting the first ARP packet to an internal network; and the first ARP from a second agent program installed on a second computer. Receiving a second ARP packet that is a response to the packet.

Description

Communication Method of Agent Program using ARP, Network Access Control Method and Network System {Communication Method of Agent Using ARP, Network Access Control Method Using ARP and Network System}

The present invention relates to a method for communicating between agents using an address resolution protocol (ARP) in an internal network, a network access control method, and a terminal performing the same.

There are many ways to communicate in an internal network. In this case, the internal network refers to a network such as an in-house computer network within an enterprise. In contrast, an external network means an internet network.

Security, cost reduction, ease of installation, and compatibility with existing equipment on the internal network are very important.

Agent programs are installed in computers connected to the internal network, and an agent program installed in each computer may perform an operation for network access control (NAC). However, in the related art NAC related technology, communication between agent programs is blocked due to security technology of an internal network, and it may be difficult to effectively perform NAC.

The present invention is to provide a communication method, network access control method and network system using ALP of the agent program that can improve security / cost reduction / ease of installation / compatibility with existing equipment on the internal network.

In addition, the present invention is to provide a communication method, a network access control method and a network system using the ALP of the agent program that can be various applications by enabling communication between the agent program without providing a separate port or action.

In the network access control method using ALP according to an embodiment of the present invention, the first agent program installed in the first computer is' Enforcer (Enforcer) for the first computer is a network access control (Network Access Control, NAC) Verifying whether the computer is designated to operate as a second computer; and a first address resolution protocol (ARP) packet in which the first agent program modifies at least one field. And a bit value for indicating whether the computer is designated to operate as an Enforcer, and the first agent program sends the first ARP packet to the internal network. And a second computer having a first computer 'and a second computer having a second agent program installed therein.

One of the first agent program and the second agent program operates as an encoder for the NAC.

In a communication method using ALP according to an embodiment of the present invention, a first agent program installed in a first computer may include: a first in which a specific bit value is assigned to at least one of an 'operation field' and a 'target protocol address field'; Generating an Address Resolution Protocol (ARP) packet; the first agent program broadcasting the first ARP packet to an internal network; and the first ARP from a second agent program installed on a second computer. Receiving a second ARP packet that is a response to the packet.

The computer device according to an embodiment of the present disclosure includes a memory in which an agent program for network access control (NAC) is stored and at least one processor configured to execute the agent program. The processor is configured such that the computer device acts as an Enforcer for Network Access Control (NAC) when at least one computer connected to the internal network connects to an external network, and the processor is configured as an 'operation'. And an address resolution protocol (ARP) packet in which a specific bit value is assigned to at least one of the 'target protocol address field' and the at least one other computer.

According to the present invention, it is possible to improve security / cost reduction / ease of installation / compatibility with existing equipment on the internal network.

In addition, according to the present invention, by enabling communication between the agent program without providing a separate port or action, various applications are possible.

1 is a diagram illustrating a network system according to an embodiment of the present invention.
2 is a diagram illustrating a method of exchanging ARP packets according to an embodiment of the present invention.
3 is a diagram illustrating a format of an ARP packet according to an embodiment of the present invention.
4 is a flowchart illustrating a network access control method using ARP according to an embodiment of the present invention.
5 is a view for explaining a communication method using ARP according to an embodiment of the present invention.
6 is a flowchart illustrating a communication method using ARP according to an embodiment of the present invention.
7 is a diagram illustrating a configuration of a computer device according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram illustrating a network system according to an embodiment of the present invention.

Referring to FIG. 1, the network system includes an internal network 110. The internal network 110 may be a small network such as an in-house computer network. The internal network 110 may access an external network through a gateway, a VPN device 120, or the like. In addition, the internal network 110 may communicate with other internal networks 140 and 150 by connecting to an external network.

Internal network 110 may be configured to include a plurality of computers (111, 113, 115). In addition, although not explicitly shown in FIG. 1, the internal network 110 includes at least one server device for managing the plurality of computers 111, 113, and 115.

Hereinafter, for convenience of description, 111 will be referred to as a first computer, 113 as a second computer, and 115 as a third computer. In FIG. 1, 130 denotes a laptop provided by an external visitor or a computer temporarily connected to the internal network 110.

The agent program may be installed in at least one of the first computer 111, the second computer 113, and the third computer 115. Here, the agent program means a program for network access control (NAC). In other words, the agent program may perform NAC in the internal network 110. Hereinafter, for convenience of description, the agent program installed in the first computer 111 will be referred to as a 'first agent program', and the agent program installed in the second computer 113 will be referred to as a 'second agent program'.

In addition, according to an embodiment of the present invention, agent programs installed in each computer may communicate with each other using an ARP packet.

The function of NAC is to "authenticate whether a user connecting through a particular computer accessing the internal network 110 is a valid (authorized user)", "make sure that the security mechanism is operating properly" and "Granting or restricting access rights of a network". Further examples of the function of the NAC, there are eight below, the function of the NAC is not limited to this.

① User authentication and terminal (PC, notebook, smartphone, etc.) authentication (Pre ?? Admission)

-Verify by authenticating user or authorized visitor.

No matter which user enters through which path, the user and the terminal must pass the test before entering the internal network.

-If an outside employee visits the network where NAC is installed, the user must be authenticated before using the network, and it must be checked that it is safe to connect the laptop to the network.

-Also, if you are using the network and performing any strange traffic, it is detected by the NAC and isolated from the network.

② New Element Detection

-New user PC performs security measures when accessing the network.

-In the case of vulnerable systems, it can be a security measure.

③ Host Intergrity Check

-Check the status of the user's PC, such as the update status of PC security solutions such as OS patches and vaccines, operating system security settings, whether companies use required or prohibited software, and whether illegal external storage devices are used.

④ Quarantine

-Automatic recognition and quarantine for vulnerable PCs and suspicious terminals.

⑤ Remediation

-Automatic update and remediation are performed to remove the vulnerability automatically according to the integrity check result.

⑥ Enforcement

-Block network access for unauthorized and failed users.

⑦ Authorization

-Grant access to the network by user type, including authorized internal users and authorized visitors.

⑧ Post-Admission Protection

-Automatically and repeatedly managed continuously while using the network even after normal authentication.

In the present specification, a computer designated as an 'enforcer' performs '⑥ enforcement' among the functions of the NAC. In addition, when the first computer 111 is designated as an encoder, the first computer 111 is recognized as a gateway in the internal network 110. That is, the agent program installed in each of the computers is programmed to recognize the computer designated as the Enforcer as the gateway. Accordingly, all data transmitted and received through the internal network 110 and the external network are transmitted and received through the first computer 111. In this way, by determining the encoder in software, security, cost reduction, ease of installation, and compatibility with existing equipment may be improved on the internal network.

2 is a diagram illustrating a method of exchanging ARP packets according to an embodiment of the present invention.

In Fig. 2, A, B, C, D and E each represent an agent program installed in each of a plurality of computers. In this case, each of the plurality of computers represents a computer connected to the internal network 110. In the present specification, for convenience of description, a computer is described as an example, but at least one of A, B, C, D, and E may be installed in a portable electronic device such as a smartphone or a tablet PC. In this case, an agent program installed in a smartphone or tablet PC may be used to implement a program suitable for a mobile environment.

Any one of the computers corresponding to A, B, C, D and E may be designated by the security administrator to act as an Enforcer for Network Access Control (NAC). Also, the Enforcer is not specified and may be determined by the ARP packet exchange of each of the agent programs. First, a case where a computer on which A is installed is designated as an enforcer by an administrator will be described. Next, a method of determining an enforcer when the enforcer is not specified will be described.

When the security manager designates that the computer on which A is installed is to act as an encoder, A broadcasts an 'ARP packet with a specific field value changed'. In the following description, an ARP packet refers to an 'ARP packet whose specific field value is changed' unless otherwise described.

The ARP packet broadcasted by A includes a bit value indicating that it is designated as an encoder in a specific field value. An ARP packet defined in a communication standard or a network standard is used as an address resolution protocol. According to an embodiment of the present invention, some fields of an ARP packet defined in a communication standard or a network standard are modified to 'enforcer designation' or 'simple command'. broadcast (command) ' 210 in FIG. 1 shows a process in which each agent program broadcasts an ARP packet according to an embodiment of the present invention. The structure of an ARP packet according to an embodiment of the present invention will be described in detail with reference to FIG. 3.

In operation 210 of FIG. 1, C and E may also broadcast an 'ARP packet whose specific field value is changed'. In addition, B and D may forward APR packets to neighbor nodes (computer or agent programs).

If A is designated as an enforcer, in step 220, A broadcasts to the internal network 110 that it is the enforcer. In step 210, since the other agents know that A is an encoder, it no longer performs ARP packet broadcast for specifying an encoder.

Meanwhile, A may periodically broadcast an ARP packet for notifying that it is an encoder. If the ARP packet is not broadcast from A even after a certain time, any one of B to E may broadcast an ARP packet to operate as an encoder. As such, when a determination of a new Enforcer is required or an Enforcer is not designated by an administrator, each agent program may perform a process of exchanging ARP packets to function as an Enforcer. The determination of the encoder may be determined by comparing the priority information included in a specific field of the ARP packet. In this case, the priority information may be a time stamp corresponding to the IP assignment order or the generation time of the ARP packet.

3 is a diagram illustrating a format of an ARP packet according to an embodiment of the present invention.

Referring to FIG. 3, the format of the ARP packet is the same as the format defined in the communication standard or the network standard, but in the 'Operation field 310' or the 'Target protocol address field 320'. Specific bit values can be specified. In this case, the bit value designated in the 'operation field 310' may be a value of a flag promised between agent programs. The value of the promised flag may indicate whether to perform a specific role designated by the administrator. For example, a specific role assigned by an administrator may be a security-related function, such as 'Enforcer', 'New Element Detection', 'Quarantine', or a network that is not strongly related to security. It may be a function required to operate. In addition, according to an application, a command indicating that a specific request or a response to the request may be specified in the operation field 310.

The bit value specified in the 'target protocol address field 320' may be a command for transferring to an agent program installed in another computer. In this case, the 'command' may be information on an IP assignment order or may be information on a time stamp. In addition, depending on the application example, the 'command' may be a specific message required to operate the network.

The ARP packet defined in the communication standard or network standard is the most basic protocol for communication. Thus, computers with personal firewalls do not block APR packets. Similarly, the ARP packets shown in FIG. 3 can be exchanged between computers regardless of personal firewall.

4 is a flowchart illustrating a network access control method using ARP according to an embodiment of the present invention.

The method of FIG. 4 may be performed by a first agent program installed in the first computer 111.

In operation 410, the first agent program checks whether the first computer 111 is a computer designated to operate as an Enforcer for a network access control (NAC). The assignment of the Enforcer may be predefined by the Security Administrator.

In step 420, the first agent program generates a first ARP packet in which at least one field is modified. In this case, the at least one modified field includes a bit value for indicating whether the computer is designated to operate as an Enforcer. In this case, the at least one field is the operation field 310 or the target protocol address field 320. In this case, if the first computer is a computer designated to operate as the encoder, in step 420, the first agent program designates a bit value of one byte of two bytes of the operation field of the first ARP packet as '0xFF'. An example of specifying a bit value will be described in detail later in "Operation scenario of a network system according to an embodiment of the present invention".

In step 430, the first agent program broadcasts the first ARP packet to the internal network. At this time, any one of the first agent program and the second agent program operates as an encoder for the NAC.

In operation 440, a second ARP packet generated by the second agent program is received from a second agent program installed in the second computer 113.

In operation 450, the first agent program compares the priorities of each of the first computer and the second computer.

In operation 460, the first agent program may determine whether to operate as the encoder according to the comparison result. That is, after the first agent program broadcasts the first ARP packet to the internal network, the first agent program checks whether or not the 'second ARP packet generated by the second agent program' is received within a preset time. When 2 ARP packets are received within the preset time, the priority of each of the first computer and the second computer may be compared, and it may be determined whether to operate as the encoder according to the comparison result. Here, the priority may be 'the order of assigning IPs to the first computer and the second computer in the internal network' or 'timestamp values set by timers of the first agent and the second agent'. It can be determined based on.

The first agent program also sets a 'time stamp of the first computer'. If the first computer is a computer that is not designated to operate as the encoder, the first agent program designates a bit value of one byte of two bytes of the operation field of the first ARP packet as '0xF0' in step 420. The 'priority information corresponding to the set time stamp of the first computer' may be designated in the 'target protocol address field' of the first ARP packet.

In addition, after the first agent program broadcasts the first ARP packet to the internal network, the first agent program checks whether the 'second ARP packet generated by the second agent program' is received within a preset time period, and If the second ARP packet is not received within the preset time, the second ARP packet may operate as the encoder.

In addition, when the first agent program receives the third ARP packet from the third agent installed in the third computer after operating as the encoder, 'priority information corresponding to the time stamp of the set first computer' and 'the Priority information corresponding to a time stamp of a third computer may be compared, and it may be determined whether to continue to operate with the encoder according to the comparison result.

5 is a view for explaining a communication method using ARP according to an embodiment of the present invention.

Referring to FIG. 5, an agent program is installed in each of the first and second computers connected to the internal network. First, in step 510, the first computer transmits a 'modulated ARP packet' to the second computer to perform communication using ARP. In this case, the 'modulated ARP packet' refers to the ARP packet shown in FIG.

In operation 520, the second computer may transmit a response to the ARP packet received from the first computer to the first computer. As mentioned above, the ARP packet is the most basic packet for communication, so communication is possible regardless of the firewall. However, since the ARP packet can change 2 bytes of the operation field 310 and 4 bytes of the target protocol address field 320, there is not much data that can be included. However, when an agent program is installed and a specific bit value is promised to mean a specific message between agent programs, communication between the agent programs becomes possible.

Hereinafter, a communication method using ARP according to an embodiment of the present invention will be described in detail with reference to FIG. 6.

6 is a flowchart illustrating a communication method using ARP according to an embodiment of the present invention.

The method shown in FIG. 6 may be performed by a first agent program installed in the first computer 111.

In operation 610, the first agent program generates a first Address Resolution Protocol (ARP) packet in which a specific bit value is specified in at least one of the 'operation field' and the 'target protocol address field'. At this time, the first ALP packet has a packet format shown in FIG. 3. In this case, the bit value designated in the 'operation field 310' may be a value of a flag promised with the second agent program. In addition, the bit value specified in the operation field 310 may indicate whether the first computer is a computer designated to operate as an Enforcer for Network Access Control (NAC). In addition, the bit value designated in the 'target protocol address field 320' may be 'information about the time stamp of the first computer set by the first agent program'.

In step 620, the first agent program broadcasts the first ARP packet to the internal network.

In operation 630, the first agent program receives a second ARP packet, which is a response to the first ARP packet, from the second agent program installed in the second computer. If the 'specific request' is designated in the first ARP packet, the second ARP packet may include 'accept or reject' for the 'specific request'.

7 is a diagram illustrating a configuration of a computer device according to an embodiment of the present invention.

The computer device 700 shown in FIG. 7 may be employed to perform the method of FIGS. 2, 4, 5, 6.

Computer device 700 includes one or more processors 710 connected to a main memory device including random access memory (RAM) 720 and read only memory (ROM) 730. The processor 710 is also called a central processing unit (CPU). As is well known in the art, the ROM 730 serves to transfer data and instructions to the CPU unidirectionally, and the RAM 720 typically transfers data and instructions bidirectionally. Used to.

RAM 720 and ROM 730 may include any suitable form of computer readable media. That is, the computer device 700 may include a memory, and an agent program for a network access control (NAC) may be stored in the memory.

Processor 710 is configured to execute an agent program. The processor 710 is configured to allow the computer device 700 for network access control (NAC) when at least one computer connected to an internal network, for example, the second computer 113, connects to an external network. It is configured to act as an Enforcer. In addition, the processor 710 uses the at least one Address Resolution Protocol (ARP) packet in which a specific bit value is assigned to at least one of the 'operation field 310' and the 'target protocol address field 320'. It is configured to communicate with one computer. Accordingly, the processor may determine whether the at least one of the 'operation field 310' and the 'target protocol address field 320' of the ARP packet received from the computer includes the specific bit value. It can be determined whether the agent program is installed. In this case, the bit value designated in the 'operation field 310' indicates whether the computer apparatus 700 is designated to operate as an Enforcer for a network access control (NAC). . In addition, the bit value specified in the 'target protocol address field 320' is 'information on the time stamp of the computer apparatus 700 set by the agent program'.

Mass storage 740 is bidirectionally coupled to processor 710 to provide additional data storage capabilities, and may be any of the computer readable recording media described above.

The mass storage device 740 is used to store programs, data, and the like, and is typically an auxiliary memory device such as a hard disk which is slower than the main memory device. Certain mass storage devices such as CD ROM 760 may be used. The processor 710 may include one or more input / output interfaces, such as video monitors, trackballs, mice, keyboards, microphones, touchscreen displays, card readers, magnetic or paper tape readers, voice or handwriting readers, joysticks, or other known computer input / output devices. 750 is connected. Finally, the processor 710 may be connected to a wired or wireless communication network through the network interface 770. Through this network connection, the procedure of the method described above can be performed. The apparatus and tools described above are well known to those skilled in the computer hardware and software arts. On the other hand, the hardware device described above may be configured to operate as one or more software modules to perform the operations of the present invention.

<Operation Scenario of Network System According to an Embodiment of the Present Invention>

1) The security administrator designates that the agent program plays a specific role (eg, an information role) among user PCs.

2) After the designated PC agent program is installed, it communicates by setting FF01 in the operation field 310 in ARP communication.

The upper 1 byte of the 2 bytes of the operation field 310 may be designated as follows.

FF01 (or 0xFF): assign an Enforcer by the administrator

FF02 (or 0xF0): unspecified

Since 'FF01' and 'FF02' are described as one example, they can be designated by various other bit values.

In addition, the upper 1 byte of the 2 bytes of the operation field 310 may be designated as follows.

-0x01: REQUEST, indicating that you want to operate as an Enforcer.

-0x02: REPLY, indicating that you are already operating as an Enforcer.

Since '0x01' and '0x02' are described as one example, of course, they may be designated with various other bit values.

3) Another PC agent program checks the FF01 of the broadcasted ARP and checks the IP (or time stamp).

The IP (or time stamp) may be specified as a specific bit value in the target protocol address field 320. That is, if the priority of the operation field 310 is the same, the encoder may be designated using the time stamp value specified in the target protocol address field 320. Here, 'the priority of the operation field 310 is the same' means, for example, comparing the time stamp values when the upper one byte of the two bytes of the operation field 310 is 0x01.

4) By comparing the IP (or time stamp), if one's own IP number (or time stamp) is high, he works. If he is low, he does not work.

5) If there is no FF01 in the broadcasted ARP, it communicates by setting FF02 called its specific action (for example, enforcer). At this time, the criterion of the high and low IP may be the order of IP application. In other words, 199.199.199.001 and 199.199.199.003 are 001 higher than 003.

6) Setting standard of time stamp

-Set Timestamp on first run.

If you are running as an Enforcer and the Enforcer mode is terminated by another Enforcer, reset the Timestamp. This is to ensure that the existing Enforcer maintains the function if there are multiple identical Priorities.

7) Request / Reply related operation

If you are running as an Enforcer and a higher priority request comes in, release the Enforcer mode and wait.

If there is a lower priority reply, broadcast the ARP packet again and wait for the other computer to become a non-Enforcer.

-If there is no request or request with higher priority for a certain period of time, it operates as an Enforcer and broadcasts a Reply packet.

In one aspect of the invention, a procedure for Network Access Control (NAC) may be performed at a first computer connected to a network. Here, when the second computer connected to the network accesses an external network through a gateway without an agent installed, the first computer may block it. The first computer may control the agent program to be installed in the second computer. Here, the first computer performs the procedure using the ARP protocol in which some fields have been changed, and the determination of the first computer among the plurality of computers connected to the network uses an ARP packet in which the some fields have been changed, The first computer that performs the procedure may be designated by an administrator or determined through broadcast of an ARP in which some of the fields have been changed. In addition, a first computer that performs the procedure may be determined by comparing a time stamp between any two computers, where each of the computers on which the agent program is installed receives an ARP packet from another computer. It may be determined whether the format of the packet is modulated, and if modulated, the operation according to the message or command included in the modulated ARP packet may be performed.

On the other hand, even when the agent is deleted after the agent is installed in the second computer, the agent program is controlled to be installed in the second computer by the first computer serving as the informationr. Hereinafter, the induction of the initial installation of the agent program and the reinstallation after the deletion will be described in more detail.

Inducing Initial Installation of Agent Programs

Derivation of the initial installation of the agent program can be performed by a 'computer designated as the Enforcer'. An agent program installed on a computer designated as an enforcer will be referred to as an 'enforcer agent' for convenience.

The Enforcer Agent can perform the scanning function and spoof list creation function of the internal network. In this case, the scanning of the internal network may allow the Enforcer agent to find a computer on which the agent is not installed through transmission and reception of 'modulated ARP packets'. The Enforcer agent can perform initial installation of the agent program through the following three steps.

1. The Enforcer Agent scans the internal network to create a spoof list for the IP whose extension field in the HTTP header or the packet TTL value of the surrounding IP is not a 'value indicating that the agent program is installed', and spoofing it. Maintain the list.

2. The Enforcer Agent refers to the spoofing list and, via ARP, causes the computers included in the list to recognize the G / W (Gateway) brewery as its own (the computer with the Enforcer agent installed). The Enforcer Agent then installs an agent program on the computer. That is, the Enforcer agent can induce the initial installation of the agent program by changing the gateway MAC address of the ARP packet to its own address.

3. When the agent program is installed on the computer, the value recorded in the extension field of the HTTP header or the TTL value is changed, which can be checked by the Enforcer Agent through scanning. Therefore, the Enforcer Agent excludes the computer from the spoofing list, and the computer again obtains a normal G / W beer address. Therefore, the computer may be directly connected to the network without passing through the computer on which the Enforcer agent is installed.

<Re-installation after deleting agent program>

If the agent program installed previously is deleted, it is possible to induce reinstallation by the Enforcer agent.

First, if an agent program previously installed is deleted, the spoofing list is updated through periodic scanning of the Enforcer agent, and the computer from which the agent program is deleted is added to the spoofing list again. Therefore, reinstallation of the agent program may be induced again through the above process 2 and 3.

Methods according to an embodiment of the present invention can be implemented in the form of program instructions that can be executed by various computer means and recorded in a computer readable medium.

The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic disks, such as floppy disks. Magneto-optical media, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.

As described above, the present invention has been described by way of limited embodiments and drawings, but the present invention is not limited to the above embodiments, and those skilled in the art to which the present invention pertains various modifications and variations from such descriptions. This is possible.

Therefore, the scope of the present invention should not be limited to the described embodiments, but should be determined not only by the claims below but also by the equivalents of the claims.

Claims (15)

Confirming, by the first agent program installed in the first computer, whether the first computer is a computer designated to operate as an Enforcer for Network Access Control (NAC);
A first Address Resolution Protocol (ARP) packet in which the first agent program modifies at least one field, wherein the at least one modified field is a computer designated to operate as an Enforcer. Generating a bit value; And
The first agent program broadcasting the first ARP packet to an internal network, the internal network including 'the first computer' and 'a second computer on which a second agent program is installed',
Any one of the first agent program and the second agent program operates as an encoder for the NAC.
Network access control method using ALP. The method of claim 1,
Receiving a second ARP packet generated by the second agent program from the second agent program,
The first agent program compares the priorities of each of the first computer and the second computer, and determines whether to operate as the encoder according to the comparison result,
Network access control method using ALP. The method of claim 1,
The first agent program,
If the first computer is a computer designated to operate as the encoder, in the step of generating the first ARP packet, a bit value of one byte of two bytes of the operation field of the first ARP packet is designated as '0xFF',
After broadcasting the first ARP packet to an internal network, it is checked whether a 'second ARP packet generated by the second agent program' is received within a preset time period.
If the second ARP packet is received within the predetermined time, comparing the priority of each of the first computer and the second computer, and determines whether to operate as the encoder according to the comparison result,
Network access control method using ALP. The method according to claim 2 or 3,
The priority is
Is determined based on a 'order of assigning IPs to the first computer and the second computer in the internal network' or 'timestamp values set by timers of the first agent and the second agent',
Network access control method using ALP. The method of claim 1,
The first agent program,
Set a 'time stamp of the first computer',
If the first computer is a computer that is not designated to operate as the encoder, the bit value of any one of two bytes of the operation field of the first ARP packet is designated as '0xF0' in generating the first ARP packet. And designating 'priority information corresponding to the set time stamp of the first computer' in the 'target protocol address field' of the first ARP packet,
Network access control method using ALP. The method of claim 5,
The first agent program,
After broadcasting the first ARP packet to an internal network, it is checked whether a 'second ARP packet generated by the second agent program' is received within a preset time period.
If the second ARP packet is not received within the preset time, the encoder operates as the encoder;
Network access control method using ALP. The method of claim 6,
The first agent program,
When the third ARP packet is received from the third agent installed in the third computer after operating as the encoder, the priority information corresponding to the time stamp of the set first computer and the time stamp of the third computer are received. Comparing the priority information, and determining whether to continue to operate with the encoder according to the comparison result,
Network access control method using ALP. The method of claim 1,
The first agent program,
By changing the gateway MAC address of the ARP packet to the address of the first computer, the installation of the agent program is induced.
Network access control method using ALP. In the communication method using ALP between agent programs installed in each of the computers,
Generating, by the first agent program installed in the first computer, a first Address Resolution Protocol (ARP) packet in which a specific bit value is specified in at least one of an 'operation field' and a 'target protocol address field';
The first agent program broadcasting the first ARP packet to an internal network; And
Receiving a second ARP packet in response to the first ARP packet from a second agent program installed on a second computer,
Communication method using ALP. 10. The method of claim 9,
The bit value specified in the 'operation field' is a value of a flag promised with the second agent program.
Communication method using ALP. 10. The method of claim 9,
The bit value specified in the 'operation field' indicates 'whether the first computer is a computer designated to operate as an Enforcer for Network Access Control (NAC)',
The bit value specified in the 'target protocol address field' is 'information about the time stamp of the first computer set by the first agent program'.
Communication method using ALP. A computer-readable recording medium having recorded thereon a program for executing the method of any one of claims 1 to 11. A computer device connected to an internal network,
A memory in which an agent program for network access control (NAC) is stored; And
At least one processor configured to execute the agent program,
The processor is configured to operate the computer device as an Enforcer for Network Access Control (NAC) when at least one computer connected to the internal network connects to an external network,
Wherein the processor is configured to communicate with the at least one computer using an Address Resolution Protocol (ARP) packet with a specific bit value assigned to at least one of an 'operation field' and a 'target protocol address field'.
Computer devices. The method of claim 13,
The processor comprising:
Determining whether the agent program is installed in the computer according to whether at least one of an 'operation field' and a 'target protocol address field' of the ARP packet received from the computer includes the specific bit value;
Computer devices. The method of claim 13,
The bit value designated in the 'operation field' indicates 'the computer device is designated to operate as an Enforcer for Network Access Control (NAC)',
The bit value specified in the 'target protocol address field' is 'information on the time stamp of the computer device set by the agent program'.
Computer devices.

Images