1. Technical Field
The present invention relates generally to a whitelist-based network switch and, more particularly, to a whitelist-based network switch, which defines a communication node and a communication rule permitted by a network switch as a whitelist, and generates an alarm or blocks the corresponding communication traffic when communication traffic violating the whitelist occurs.
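The whitelist check described above (permitted nodes and permitted communication rules declared in advance; traffic outside the whitelist raises an alarm or is dropped), shown as an added Python example. This is illustrative code written for this page, not the patent's implementation; the node/rule/frame fields, the PLC and HMI addresses, and the sample traffic are all constructed assumptions.

```python
"""Whitelist-based switching check (added example, not the patent's code).

Permitted nodes (MAC bound to one IP) and permitted flows are declared up
front.  Every frame is compared against that whitelist; a violation is
logged and, depending on the configured mode, either forwarded with an alarm
or blocked.  All addresses and traffic below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Node:
    """A permitted communication node: one MAC address bound to one IP address."""
    mac: str
    ip: str


@dataclass(frozen=True)
class Rule:
    """A permitted flow. dst_port=None matches any port (used here for ICMP)."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Frame:
    """Decoded header fields of one frame seen on a switch port (constructed)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None


class WhitelistSwitch:
    FORWARD, ALARM, BLOCK = "FORWARD", "ALARM", "BLOCK"

    def __init__(self, nodes: List[Node], rules: List[Rule], mode: str = "block"):
        if mode not in ("alarm", "block"):
            raise ValueError("mode must be 'alarm' or 'block'")
        self.nodes: Dict[str, Node] = {n.mac: n for n in nodes}
        self.rules: Set[Rule] = set(rules)
        self.mode = mode
        self.alarms: List[Tuple[Frame, str]] = []  # every whitelist violation seen

    def violation(self, f: Frame) -> Optional[str]:
        """Return a reason string if the frame violates the whitelist, else None."""
        node = self.nodes.get(f.src_mac)
        if node is None:
            return f"unknown source node {f.src_mac}"
        if node.ip != f.src_ip:
            # A known MAC claiming another node's IP is how ARP spoofing looks on the wire.
            return f"{f.src_mac} is registered as {node.ip} but sent from {f.src_ip}"
        exact = Rule(f.src_ip, f.dst_ip, f.proto, f.dst_port)
        any_port = Rule(f.src_ip, f.dst_ip, f.proto, None)
        if exact in self.rules or any_port in self.rules:
            return None
        return f"no rule permits {f.src_ip}->{f.dst_ip} {f.proto}/{f.dst_port}"

    def handle(self, f: Frame) -> str:
        """Decide what the switch does with one frame: FORWARD, ALARM, or BLOCK."""
        reason = self.violation(f)
        if reason is None:
            return self.FORWARD
        self.alarms.append((f, reason))
        # Alarm mode still forwards the frame but records it; block mode drops it.
        return self.BLOCK if self.mode == "block" else self.ALARM


def build_switch(mode: str) -> WhitelistSwitch:
    """Constructed whitelist: an HMI may poll and ping a PLC, and the PLC may ping back."""
    plc = Node("00:11:22:33:44:01", "10.0.0.10")  # constructed addresses
    hmi = Node("00:11:22:33:44:02", "10.0.0.20")
    rules = [
        Rule(hmi.ip, plc.ip, "tcp", 502),  # HMI polls the PLC (Modbus/TCP)
        Rule(hmi.ip, plc.ip, "icmp"),      # HMI may ping the PLC
        Rule(plc.ip, hmi.ip, "icmp"),      # PLC may ping the HMI
    ]
    return WhitelistSwitch([plc, hmi], rules, mode)


# Constructed sample traffic: two permitted frames, then three violations.
SAMPLE_TRAFFIC = [
    Frame("00:11:22:33:44:02", "10.0.0.20", "10.0.0.10", "tcp", 502),  # permitted poll
    Frame("00:11:22:33:44:02", "10.0.0.20", "10.0.0.10", "icmp"),      # permitted ping
    Frame("00:11:22:33:44:02", "10.0.0.20", "10.0.0.10", "tcp", 22),   # port not whitelisted
    Frame("00:11:22:33:44:99", "10.0.0.30", "10.0.0.10", "tcp", 502),  # node not whitelisted
    Frame("00:11:22:33:44:01", "10.0.0.20", "10.0.0.10", "tcp", 502),  # PLC MAC using HMI's IP
]


def run(mode: str) -> List[str]:
    """Pass the sample traffic through a fresh switch and return the verdicts."""
    sw = build_switch(mode)
    return [sw.handle(f) for f in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for mode in ("alarm", "block"):
        sw = build_switch(mode)
        for f in SAMPLE_TRAFFIC:
            print(f"{mode:5s} {sw.handle(f):7s} {sw.violation(f) or 'permitted'}")
```

The MAC/IP binding check is what lets a whitelist switch notice ARP-spoofing-style traffic that a blacklist would miss: the frame is rejected not because it matches a known attack signature but because it is not one of the declared permitted flows.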
2. Description of the Related Art
A network switch performs functions such as configuring the network topology, managing line usage, detecting errors, and transferring frames over a physical link. A typical network switch is exposed to various problems, such as the port-mirroring security problem; the Address Resolution Protocol (ARP) cache poisoning problem, in which the Medium Access Control (MAC) address of an attacker is falsified; the hubbing-out problem, in which a hub connected to a switch lets an attacker analyze packets in a broadcast domain; the ARP spoofing problem, in which an attacker falsifies its own MAC address; the Internet Control Message Protocol (ICMP) redirect problem of faking a gateway; and the switch jamming attack problem, a buffer overflow attack on the cache space of the switch's MAC table.
A security network switch, introduced to solve such problems, addresses the security problems of typical network switches, controls all end-point nodes connected to the network, and provides functions such as network status analysis, traffic monitoring, access control, and security.
However, existing security network switches detect attacks based on a blacklist, thus making it impossible to cope with modified attacks not represented in the blacklist, zero-day attacks, and Advanced Persistent Threat (APT) attacks.
Network Access Control (NAC) technology, which checks the security state of devices accessing a network and permits access only to secure devices, relies on installing a management program on the user's PC, a server, or other equipment. This NAC scheme cannot be used in an embedded system or in a system in which a Programmable Logic Controller (PLC) or the like is installed.
Further, when additional equipment (tapping equipment) is used to monitor the traffic of an internal network, such equipment is difficult to manage realistically because of its high introduction cost and complicated line connections. When a switch mirroring function is used instead, mirroring may place a load on the network switch and thereby hinder the stability of the switching function itself. Furthermore, such monitoring has the disadvantage that, when a cyber threat is detected, it cannot respond to the threat, for example by intercepting it, so as to guarantee the security of other equipment.
Therefore, there is a need for network security equipment that can monitor and control internal network traffic without requiring additional equipment.
As related preceding technology, Korean Patent Application Publication No. 10-2007-0003409 (entitled “Security gateway system having an internal network user authentication and packet control function and operation method thereof”) discloses technology which can apply respective security policies even to a plurality of final client PCs in an internal network, unlike existing security policies that were uniformly applied to the entire network, and which can isolate a defective client PC from neighboring client PCs and then perform stable network management.
As another preceding technology, Korean Patent Application Publication No. 10-2007-0073293 (entitled “Intrusion prevention system and method supporting multiple ports”) discloses technology which, by applying different security policies based on the network ports of an Intrusion Prevention System (IPS), achieves considerable performance gains compared to a method using the addresses in packet headers, and which can apply and operate different security policies for respective network ports, thus enabling the network to be managed more flexibly.
As further preceding technology, Korean Patent No. 0656403 (entitled “Intrusion detection system in a network system”) discloses technology which does not need to wait for all fragmented packets to arrive before performing pattern matching, but instead performs pattern matching whenever each fragmented packet is received, thus reducing the load caused by reassembling fragmented packets and shortening the time required to pattern-match all packets, with the result that high-speed intrusion detection is possible.