This application claims the benefit under 35 U.S.C. § 119(a) of a Korean Patent Application No. 10-2008-0008782, filed on Jan. 28, 2008, in the Korean Intellectual Property Office, the entire disclosure of which is incorporated herein by reference.
The following description relates to a communication network, and more particularly, to a method for detecting a gateway and an apparatus and/or system using the same.
Along with the development of mobile communication techniques, applications of a handheld device such as a cellular phone, a personal digital assistant (PDA), and the like are increasing. Accordingly, existing wired Internet services are gradually expanded into a wireless Internet environment.
Where a device being connectable with the wireless Internet (referred to as a ‘radio Internet device’) is connected with a private network, the radio Internet device may be exposed to an external network and an outflow of resources of the private network may occur.
For example, where a connection with the private network through the radio Internet device is allowed, security of the private network may be jeopardized due to the device being connectable with a radio Internet using a wireless broadband (WiBro) and the like.
Where the connection with the private network through the radio Internet device is restricted, the connection with the private network may only be established through devices such as a personal computer (PC), a laptop, and the like, which are connectable with the external network only through a single gateway.
Further, where a private device in which at least two network interface cards (NICs) (such as for an Ethernet network, the WiBro, and the like) are enabled is provided in a network, the private device may be readily connected with the external network through the radio Internet device without going through the private gateway.
Accordingly, in one general aspect, there is provided a gateway detection method for preventing security of a private network from being jeopardized.
In another general aspect, there is provided a gateway detection method which determines whether a gateway program is installed in a private device being connectable with an external network so as to prevent the private device from being connected with the external network.
In still another general aspect, there is provided a gateway detection method which compares Internet Protocol (IP) packets transmitted/received via a network interface card (NIC) being connectable with different Internet environments so as to determine whether a gateway program is being executed.
In yet another general aspect, a gateway detection method includes verifying whether a connectable state exists with respect to at least two Internet environments and detecting a driving of a gateway for connection between a private network and an external network in response to verifying the connectable state with respect to the at least two Internet environments.
The verifying operation may comprise verifying whether the at least two NICs are in an active state. The at least two NICs may include a first NIC for connection with the private network and a second NIC for connection with the external network.
The detecting operation may comprise determining whether the gateway is driven using an Internet Protocol (IP) packet transmitted/received via the first and second NICs.
The determining of whether the gateway is driven may comprise comparing IP packets included in the first and second NICs, and determining that the gateway is driven in response to an identical IP packet existing in the first and second NICs, respectively.
The comparing of the IP packets may comprise comparing a header and payload of the IP packets to verify whether the IP packets are an identical IP packet.
The comparing of the IP packets may comprise comparing an IP packet transmitted to the second NIC and an IP packet transmitted from the private network to the first NIC while maintaining the IP packet transmitted from the private network to the first NIC for a predetermined time period, in response to detecting the driving of the gateway for connection from the private network to the external network, and comparing an IP packet transmitted to the first NIC and an IP packet transmitted from the external network to the second NIC while maintaining the IP packet transmitted from the external network to the second NIC for a predetermined time period, in response to detecting the driving of the gateway for connection from the external network to the private network.
In response to detecting the driving of the gateway for the connection from the private network to the external network, the comparing may comprise acquiring an IP packet transmitted from a media access control (MAC) layer to a network layer of the first NIC, acquiring an IP packet transmitted from a network layer to a MAC layer of the second NIC after a predetermined time period, and comparing the IP packet acquired from the first NIC and the IP packet acquired from the second NIC, wherein the predetermined time period is a time required for transmitting an IP packet from the network layer of the first NIC to the network layer of the second NIC.
In response to detecting the driving of the gateway for the connection from the external network to the private network, the comparing may comprise acquiring an IP packet transmitted from a MAC layer to a network layer of the second NIC, acquiring an IP packet transmitted from a network layer to a MAC layer of the first NIC after a predetermined time period, and comparing the IP packet acquired from the second NIC and the IP packet acquired from the first NIC, wherein the predetermined time period is a time required for transmitting an IP packet from the network layer of the first NIC to the network layer of the second NIC.
The gateway detection method may further comprise restricting a connection with either the private network or the external network where the gateway is detected as being driven.
In yet another general aspect, a gateway detection apparatus includes a state verification unit which verifies whether a connectable state exists with respect to at least two Internet environments and a gateway detection unit which detects a driving of a gateway for connection between a private network and an external network in response to verifying the connectable state with respect to the at least two Internet environments.
The state verification unit may include an NIC verification unit which verifies whether a first NIC for connection with the private network and a second NIC for connection with the external network are in an active state.
The gateway detection unit may include an IP acquisition unit which acquires IP packets transmitted/received via a Transmission Control Protocol/Internet Protocol (TCP/IP) stack of the first NIC and a TCP/IP stack of the second NIC, respectively, and an IP comparison unit which compares the IP packet acquired from the first NIC and the IP packet acquired from the second NIC.
The IP comparison unit may determine that the gateway is driven where an identical IP packet exists in the first and second NICs, respectively.
The IP acquisition unit may acquire an IP packet transmitted from a MAC layer to a network layer of the first NIC, and acquire an IP packet transmitted from a network layer to a MAC layer of the second NIC where a connection from the private network to the external network is performed.
The IP acquisition unit may acquire an IP packet transmitted from a MAC layer to a network layer of the second NIC, and acquire an IP packet transmitted from a network layer to a MAC layer of the first NIC where a connection from the external network to the private network is performed.
The IP comparison unit may compare a header and payload of the respective IP packets of the first and second NICs.
The IP comparison unit may determine that the gateway is driven where an identical IP packet exists in the first and second NICs.
The gateway detection unit may further include a connection control unit which restricts a connection with either the private network or the external network where the gateway is detected as being driven.
Other features will become apparent to those skilled in the art from the following detailed description, which, taken in conjunction with the attached drawings, discloses exemplary embodiments of the invention.
Throughout the drawings and the detailed description, unless otherwise described, the same drawing reference numerals will be understood to refer to the same elements, features, and structures. The elements may be exaggerated for clarity and convenience.
The following detailed description is provided to assist the reader in gaining a comprehensive understanding of the media, apparatuses, methods and/or systems described herein. Accordingly, various changes, modifications, and equivalents of the systems, methods, apparatuses and/or media described herein will be suggested to those of ordinary skill in the art. Also, descriptions of well-known functions and constructions are omitted to increase clarity and conciseness.
A private network system according to an exemplary embodiment may verify whether the external gateway is driven in the private devices 110 and 120, and be applicable to a wired/wireless network system forming a private network. In order to detect the driving of the external gateway in the private network system, where the private gateway 130 is connected with the private devices 110 and 120, the private devices 110 and 120 may include a predetermined program capable of verifying whether the external gateway is driven. Also, a predetermined program module may be connectively configured within the private network, and the external gateway of the private devices 110 and 120 may be detected using the predetermined program module.
The private devices 110 and 120 may include a network interface card (NIC) for connection with the private network. Referring to
A private network system according to an exemplary embodiment detects the external gateway, so that the private device B 120 capable of being connected with the private network and the external network, for example, a radio Internet, may be connected with the Internet 140 only through the private gateway 130.
In operation S201, a private network system verifies whether at least two NICs are activated in a private device. The private network system verifies whether the private device is in a state of being connectable with at least two Internet environments, that is, in a state of being connectable with an external network other than a private network. The private network system may verify whether an NIC for connection with the private network of the private device (hereinafter, referred to as ‘a first NIC’) and an NIC for connection with the external network (hereinafter, referred to as ‘a second NIC’) are in an active state.
In operation S202, the private network system executes a gateway detection program for detecting the driving of the external gateway where the first and second NICs of the private device are in the active state. The private network system may compare Internet protocol (IP) packets transmitted/received via a Transmission Control Protocol/Internet Protocol (TCP/IP) stack of the first and second NICs. The private network system may ascertain that the external gateway is driven in the private device where an identical IP packet is present in the TCP/IP stack of the first and second NICs, respectively.
The operation S202 for detecting the external gateway using the IP packets transmitted/received via the first and second NIC will be described in detail with reference to
In operation S203, the private network system controls network connection of the private device where the identical IP packet is present in the TCP/IP stack of the first and second NICs, respectively. The private network system may restrict either the connection with the external network where a connection from the private network to the external network is established, or the connection with the private network where a connection from the external network to the private network is established.
In operation S301, the private device B 120 receives a data packet intended to be transmitted from the private device A 110 to the external network.
Returning to
In operation S302, the private device B 120 verifies whether a data packet received from the private device A 110 is a packet transmitted to the private device B 120 using the MAC address within the data packet received from the private device A 110, and then transmits an IP packet of the private device A 110 from a MAC layer 501 to a network layer 502 of an NIC1 510.
In operation S303, the private device B 120 transmits the IP packet of the private device A 110 to a network layer 503 of an NIC2 520, according to activation of the NIC2 520, using a gateway program 530 installed to connect with the external network.
In operation S304, the private device B 120 transmits the IP packet of the private device A 110 from the network layer 503 to a MAC layer 504 of the NIC2 520. Here, a data packet is generated with respect to the IP packet of the private device A 110 in the MAC layer 504 of the NIC2 520, and the generated data packet is transmitted to the external network.
The connection from the private network to the external network or the connection from the external network to the private network may be established using a device in which an NIC connectable with the private network and an NIC connectable with the external network are activated.
An exemplary gateway detection method may detect the external gateway using an IP packet transmitted/received via different NICs in the process for driving the gateway as described in
In operation S801, the private network system acquires an IP packet 505 transmitted from the MAC layer 501 to the network layer 502 of the NIC1 510. The private network system may monitor the moment at which the IP packet is transmitted from the MAC layer 501 to the network layer 502 during transmission of the IP packet between layers within the NIC1 510, to acquire the corresponding IP packet 505.
In operation S802, the private network system maintains the IP packet 505 for a predetermined time period from the time when the IP packet 505 is acquired in the NIC1 510. The predetermined time period for maintaining the IP packet 505 may denote the time required for transmitting the IP packet 505 from the network layer 502 of the NIC1 510 to the network layer 503 of the NIC2 520.
In operation S803, the private network system acquires an IP packet 506 transmitted from the network layer 503 to the MAC layer 504 of the NIC2 520. The private network system may monitor the moment at which the IP packet is transmitted from the network layer 503 to the MAC layer 504 to thereby acquire the corresponding IP packet 506.
In operation S804, the private network system compares the IP packet 505 acquired in the NIC1 510 and the IP packet 506 acquired in the NIC2 520, and detects the driving of the gateway for connection with the external network. The private network system may compare a header and payload of the IP packets, so that whether the IP packet 505 acquired in the NIC1 510 and the IP packet 506 acquired in the NIC2 520 are an identical IP packet may be determined.
Where the identical IP packet is present in the NIC1 510 and the NIC2 520, respectively, the private network system may determine that the external gateway program is driven, and restrict the connection with the network.
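The comparison step of operations S801 to S804, modelled in Python as an added example (not code from the patent): packets acquired at the MAC-to-network boundary of NIC1 are held for a predetermined time period and compared, header and payload, against packets acquired at the network-to-MAC boundary of NIC2. The hold window value, the constructed IPv4 headers and the optional "relaxed" mode (which masks the TTL and header checksum that a routing gateway rewrites when forwarding) are assumptions of this example and are not described in the patent.

```python
import struct
from collections import deque


def build_ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header (UDP, no options, checksum 0)."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len,
                       0x1234, 0, ttl, 17, 0, ip2b(src), ip2b(dst))


def ip_headers_match(h1: bytes, h2: bytes, relaxed: bool) -> bool:
    """Strict mode is the patent's comparison: headers must be identical.
    Relaxed mode (assumed refinement, not in the patent) ignores the TTL
    byte (offset 8) and header checksum (offsets 10-11), which a gateway
    that actually routes the packet decrements and recomputes."""
    if not relaxed:
        return h1 == h2
    if len(h1) != len(h2) or len(h1) < 20:
        return False
    mask = lambda h: h[:8] + h[9:10] + h[12:]
    return mask(h1) == mask(h2)


class GatewayDetector:
    def __init__(self, hold_seconds: float, clock, relaxed: bool = False):
        self.hold = hold_seconds      # "predetermined time period" (assumed value)
        self.clock = clock            # injectable clock, so the logic is testable
        self.relaxed = relaxed
        self.held = deque()           # (seen_at, header, payload) acquired in NIC1

    def _expire(self) -> None:
        now = self.clock()
        while self.held and now - self.held[0][0] > self.hold:
            self.held.popleft()       # held longer than the hold window: discard

    def on_nic1_inbound(self, header: bytes, payload: bytes) -> None:
        """S801/S802: packet crossing MAC layer -> network layer of NIC1."""
        self._expire()
        self.held.append((self.clock(), header, payload))

    def on_nic2_outbound(self, header: bytes, payload: bytes) -> bool:
        """S803/S804: packet crossing network layer -> MAC layer of NIC2.
        Returns True when an identical packet is still held from NIC1,
        i.e. the external gateway is driven."""
        self._expire()
        return any(ip_headers_match(h, header, self.relaxed) and p == payload
                   for _, h, p in self.held)


def demo():
    """Constructed scenario: device A's packet enters via NIC1, leaves via NIC2."""
    t = [0.0]
    clock = lambda: t[0]
    payload = b"constructed payload from private device A"
    h_in = build_ipv4_header("10.0.0.5", "203.0.113.9", 64, len(payload))
    h_fwd = build_ipv4_header("10.0.0.5", "203.0.113.9", 63, len(payload))  # TTL-1
    strict, relaxed = GatewayDetector(0.05, clock), GatewayDetector(0.05, clock, True)
    for d in (strict, relaxed):
        d.on_nic1_inbound(h_in, payload)
    t[0] += 0.01                                  # within the hold window
    r_same = strict.on_nic2_outbound(h_in, payload)    # identical: detected
    r_ttl_strict = strict.on_nic2_outbound(h_fwd, payload)   # TTL changed: missed
    r_ttl_relaxed = relaxed.on_nic2_outbound(h_fwd, payload)  # masked: detected
    t[0] += 1.0                                   # hold window has elapsed
    r_expired = relaxed.on_nic2_outbound(h_in, payload)       # discarded: missed
    return r_same, r_ttl_strict, r_ttl_relaxed, r_expired
```

The strict/relaxed split shows why a practitioner would check how the held packet and the forwarded packet differ before relying on byte-for-byte identity.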
Also, the gateway detection process for restricting the connection from the external network to the private network may be performed similar to the method described in
The NIC verification unit 910 may be configured to verify whether at least two NICs are activated in a private device, and more particularly, may function to verify whether a first NIC for connection with a private network and a second NIC for connection with an external network are in an active state.
The IP acquisition unit 920 may acquire IP packets transmitted/received via a TCP/IP stack of the first NIC and a TCP/IP stack of the second NIC, respectively, where the first and second NICs of the private network are activated.
Where the connection from the private network to the external network is detected, the IP acquisition unit 920 may acquire an IP packet transmitted from a MAC layer to a network layer of the first NIC, and acquire an IP packet transmitted from a network layer to a MAC layer of the second NIC. Also, where the connection from the external network to the private network is established, the IP acquisition unit 920 may acquire an IP packet transmitted from the MAC layer to the network layer of the second NIC, and acquire an IP packet transmitted from the network layer to the MAC layer of the first NIC.
The IP comparison unit 930 may function to compare the IP packets acquired from the first and second NICs, respectively. That is, the IP comparison unit 930 may compare a header and payload of the IP packets to determine whether they are an identical IP packet. The IP comparison unit 930 may determine that the gateway for the connection with the external network is driven where the identical IP packet is present in the first and second NICs, respectively.
Where the external gateway is determined to be driven, the connection control unit 940 may restrict the connection with the private network of the private device or with the external network.
The exemplary gateway detection apparatus may be configured either separately from the private network, or to be included in the private device.
A gateway detection method according to an exemplary embodiment may compare IP packets existing in different NICs where at least two NICs are activated in a private device, and detect whether an external gateway is driven, thereby restricting access from a private network to the external network or access from the external network to the private network. Under the exemplary gateway detection method, a private device may still connect with the external network without passing through the private gateway while the NIC connected with the private network is not activated, so as to provide convenience to a user of an external network such as a radio Internet, while also protecting the private network.
The methods described above including a gateway detection method may be recorded, or fixed in one or more computer-readable media that includes program instructions to be implemented by a computer to cause a processor to execute or perform the program instructions. The media may also include, independent or in combination with the program instructions, data files, data structures, and the like. The media and program instructions may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of computer-readable media may include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD ROM disks and DVD; magneto-optical media such as optical disks; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory (ROM), random access memory (RAM), flash memory, and the like. Examples of program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter. The described hardware devices may be configured to act as one or more software modules in order to perform the operations and/or methods described above.
A number of exemplary embodiments have been described above. Nevertheless, it will be understood that various modifications may be made. For example, suitable results may be achieved if the described techniques are performed in a different order and/or if components in a described system, architecture, device, or circuit are combined in a different manner and/or replaced or supplemented by other components or their equivalents. Accordingly, other implementations are within the scope of the following claims.
Number | Date | Country | Kind |
---|---|---|---|
10-2008-0008782 | Jan 2008 | KR | national |