KR-20260063286-A - METHOD FOR APPLYING SOFTWARE-DEFINED PERIMETER ARCHITECTURE IN ENTERPRISE WIRELESS LAN INFRASTRUCTURE
Abstract
The present invention relates to a wireless LAN service system and method that applies a Software-Defined Perimeter architecture to an existing wireless network (Wi-Fi) infrastructure to more securely protect enterprise resources open to the wireless network and dynamically configure service access control for each user and device. A wireless LAN service method according to the present invention comprises the steps of: a terminal device transmitting a login request message to a policy server; the policy server determining whether to approve a login for the terminal device based on the login request message and authentication information for the terminal device; and, if the login for the terminal device is approved, the policy server transmitting a message allowing the establishment of a data path for the terminal device and a pre-configured service access policy for the terminal device to a gateway.
Inventors
- 유윤식
- 정부금
- 박혜숙
- 이종국
- 이형규
- 임진혁
- 최진규
Assignees
- 한국전자통신연구원
Dates
- Publication Date: 20260507
- Application Date: 20241030
Claims (1)
- A wireless LAN service method comprising: a step in which a terminal device transmits a login request message to a policy server; a step in which the policy server determines whether to approve the login of the terminal device based on the login request message and authentication information for the terminal device; and a step in which, when the login for the terminal device is approved, the policy server transmits to a gateway a message allowing the establishment of a data path for the terminal device together with a pre-configured service access policy for the terminal device.
Description
Method for Applying Software-Defined Perimeter Architecture in Enterprise Wireless LAN Infrastructure

The present invention relates to a method and system for providing wireless LAN (Wi-Fi) services by applying a Software-Defined Perimeter (SDP) architecture in an enterprise environment.

1. Software-Defined Perimeter (SDP)

Recently, demand for Zero-Trust network configurations has increased significantly in order to enhance the security of network access to private and public services. Zero-Trust is a security model based on the principle of "trusting no one": access to private or public services is not allowed until authentication is complete. Whereas conventional security models block cyber threats using blacklists containing information about known attacks, the whitelist concept is gaining attention as a way to implement Zero-Trust.

The Software-Defined Perimeter (SDP) architecture is one proposed method for configuring Zero-Trust networks. In the SDP architecture, a whitelist containing the connection information of the Initiating Hosts (IHs) and Accepting Hosts (AHs) that are allowed to connect to each other is defined in advance, and the SDP Controller provides this whitelist to each IH and AH through a control channel. The SDP Controller monitors the authentication and connection status of each IH and, based on that status, sends the AH a message stating whether a connection from the IH is allowed, thereby blocking spoofed terminals from connecting to the AH. In addition, the SDP architecture separates the data channel from the control channel (see Fig. 1; source: Cloud Security Alliance SDP Specification 1.0). The SDP Controller has a flexible structure that allows network access policies to be dynamically distributed to, and applied at, IHs and AHs through the control channel established after authentication. Fig. 2 is an example of a network access policy for SDP. As shown in Fig. 2, under the SDP architecture the AHs that each IH can connect to vary depending on the network access policy (whitelist).

2. Wireless LAN Service Provision Structure in an Enterprise Environment

Wi-Fi services currently deployed in enterprise environments are based on an ID/password authentication structure. When additional device authentication is required, device information (such as the MAC address) is configured in advance on a Wi-Fi authentication server (a RADIUS (Remote Authentication Dial-In User Service) server) and checked there. It is common practice to authenticate account information by linking the RADIUS server with an SSO (Single Sign-On) server within the corporate infrastructure. Because existing enterprise wireless LAN services authenticate only on the basis of accounts (ID and password) and perform no separate procedure after authentication, it is difficult to provide fine-grained service access control for each user and terminal.

Figure 1 is a block diagram illustrating the data channel and control channel of an SDP architecture. Figure 2 is an example diagram of a network access policy for SDP. Figure 3 is a diagram showing a wireless LAN service system and method applying an SDP architecture according to an embodiment of the present invention. Figure 4 is a diagram illustrating the authentication and data path establishment procedure in the system and method of Figure 3. Figure 5 is a block diagram showing a computer system for implementing a method according to an embodiment of the present invention.

The advantages and features of the present invention and the methods for achieving them will become clear by referring to the embodiments described below in detail together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below but may be implemented in various different forms. These embodiments are provided merely to ensure that the disclosure of the present invention is complete and to fully inform those skilled in the art of the scope of the invention, and the present invention is defined only by the scope of the claims.

The terms used in this specification are for describing the embodiments and are not intended to limit the present invention. In this specification, the singular form includes the plural form unless specifically stated otherwise in the text. The terms "comprises" and/or "comprising" as used in this specification do not exclude the presence or addition of one or more other components, steps, actions, and/or elements in addition to the mentioned components, steps, actions, and/or elements. Terms such as "first," "second," etc., may be used to describe various components, but said components should not be limited by said terms. These terms may be used for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be named the second component
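The login, approval and gateway-provisioning procedure of the claim (and of Figures 3 and 4) can be modelled as a small control-plane simulation. This is an added illustration, not code from the patent or its assignee: the `PolicyServer`, `Gateway`, the account and MAC registries and the per-user service whitelists are all constructed here, and the gateway applies default deny so that a terminal the controller never approved (for example a spoofed MAC address) gets no data path.

```python
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed sample data (not from the patent): salted password hashes,
# pre-registered device MACs (as on a RADIUS server), and the per-user
# service whitelist the policy server pushes to the gateway on approval.
SALT = "demo-salt"
def _h(pw: str) -> str:
    return hashlib.sha256((SALT + pw).encode()).hexdigest()
ACCOUNTS = {"alice": _h("alice-pass"), "bob": _h("bob-pass")}
DEVICES = {"alice": {"aa:bb:cc:00:00:01"}, "bob": {"aa:bb:cc:00:00:02"}}
POLICIES = {"alice": {"intranet", "mail"}, "bob": {"mail"}}

@dataclass
class Gateway:
    """AH side: enforces the whitelist received over the control channel."""
    allowed: dict = field(default_factory=dict)  # mac -> set of services
    def on_policy(self, mac: str, services: set) -> None:
        # "Data path allowed" message plus the pre-configured per-device policy.
        self.allowed[mac] = set(services)
    def forward(self, mac: str, service: str) -> bool:
        # Default deny: a terminal the controller never approved (e.g. a
        # spoofed MAC) or a service outside its whitelist is dropped.
        return service in self.allowed.get(mac, set())

@dataclass
class PolicyServer:
    """SDP controller: authenticates the IH, then provisions the gateway."""
    gw: Gateway
    def login(self, user: str, pw: str, mac: str) -> bool:
        expected = ACCOUNTS.get(user)
        ok = expected is not None and hmac.compare_digest(expected, _h(pw))
        ok = ok and mac in DEVICES.get(user, set())  # account AND device
        if ok:
            self.gw.on_policy(mac, POLICIES[user])
        return ok

def demo() -> dict:
    gw = Gateway()
    ps = PolicyServer(gw)
    a, b, x = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"
    return {
        "alice_login": ps.login("alice", "alice-pass", a),
        "alice_intranet": gw.forward(a, "intranet"),
        "bob_login": ps.login("bob", "bob-pass", b),
        "bob_intranet": gw.forward(b, "intranet"),  # not in bob's whitelist
        "spoofed_mail": gw.forward(x, "mail"),       # never approved
        "wrong_device": ps.login("alice", "alice-pass", x),
    }
```

The point the model makes visible is that access control lives at the gateway after authentication, per user and per device, rather than ending at the ID/password check as in the conventional structure described above.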