DOI QR코드

DOI QR Code

네트워크 접근제어 시스템의 보안성 메트릭 개발

Development of Security Metric of Network Access Control

  • 이하용 (서울벤처대학원대학교 융합산업학과) ;
  • 양효식 (삼일회계법인 IT Risk & Security)
  • Lee, Ha-Yong (Dept. of Fusion Industry, Seoul Venture University) ;
  • Yang, Hyo-Sik (Samil PricewaterhouseCoopers IT Risk & Security)
  • 투고 : 2017.03.16
  • 심사 : 2017.06.20
  • 발행 : 2017.06.28

초록

네트워크 접근제어(Network Access Control)를 통해 IT 인프라에 대한 보안위협 즉, 비인가 사용자, 단말의 네트워크 무단 접속, 직원의 내부 서버 불법접근 등을 효과적으로 차단할 수있어야 한다. 이러한 관점에서는 보안성을 충족시키고 있음을 확실히 하기 위해 관련 표준에 기반을 둔 메트릭 구축이 요구된다. 그러므로 관련 표준에 따른 NAC의 보안성 평가를 위한 방법의 체계화가 필요하다. 따라서 이 연구에서는 네트워크 접근제어시스템의 보안성 메트릭 개발을 위해 ISO/IEC 15408(CC:Common Criteria)과 ISO 25000 시리즈의 보안성 평가 부분을 융합한 모델을 구축하였다. 이를 위해 네트워크 접근제어시스템의 품질 요구사항을 분석하고 두 국제표준의 보안성에 관한 융합 평가메트릭을 개발하였다. 이를 통해 네트워크 접근제어시스템의 보안성 품질수준 평가 모델을 구축하고, 향후 네트워크 접근제어시스템에 대한 평가방법의 표준화에 적용할 수 있을 것으로 사료된다.

Network access control should be able to effectively block security threats to the IT infrastructure, such as unauthorized access of unauthorized users and terminals, and illegal access of employees to internal servers. From this perspective, it is necessary to build metrics based on relevant standards to ensure that security is being met. Therefore, it is necessary to organize the method for security evaluation of NAC according to the related standards. Therefore, this study builds a model that combines the security evaluation part of ISO / IEC 15408 (CC: Common Criteria) and ISO 25000 series to develop security metric of network access control system. For this purpose, we analyzed the quality requirements of the network access control system and developed the convergence evaluation metric for security of the two international standards. It can be applied to standardization of evaluation method for network access control system in the future by constructing evaluation model of security quality level of network access control system.

키워드

참고문헌

  1. Byung-Jun Jeon, Deok-Byeong Yoon, Seung-Soo Shin, "Improved Integrated Monitoring System Design and Construction", Journal of Convergence Society for SMB, Vol. 7, No. 1, pp. 25-33, 2017.
  2. Seung-Hyun Paik, Sung-Kwang Kim, Hong-Bae Park, "Design and Implementation of Network Access Control for Security of Campany Network", Journal of the Institute of Electronics Engineers of Korea, Vol. 47, No. 12, p. 91, 2010.
  3. Hyung-Jun Mun, Yooncheol Hwang, Ho-Yeob Kim, "Countermeasure for Prevention and Detection against Attacks to SMB Information System - A Survey", Journal of Convergence Society for SMB, Vol. 5, No. 2, p. 1, 2015.
  4. Kang-Soo Lee, Young-Soo Kim et al.,, "Label-based Access Control System Protection Profile V2.0", Korea Information Security Agency & Hannam University, April, 2008.
  5. ISO/IEC 25010, "Systems and software engineering -- Systems and software Quality Requirements and Evaluation(SQuaRE) -- system and software quality models", 2011.
  6. Garter, "Gartner Market Guide 2016 - Network Access Control", May, 2016.
  7. NIS, MSIP, KCC, MOI, KISA, NSR, "2016, A white paper on national information protection", 2016.
  8. Hyo-Sik Yang, In-Oh Heon, "A Study the Test Methods and Evaluation Practices of Network Access Control System", Journal of Digital Convergence, Vol. 12, No. 9, pp. 159-168, 2014. https://doi.org/10.14400/JDC.2014.12.9.159
  9. Sang-Won Kang, In-Oh Jeon, Hae-Sool Yang, "Reliability Evaluation Model of Network Access Control(NAC) Product", Proceeding of Korea Academia-Industrial Cooperation Society, pp. 159-168, 2011.
  10. Kyong-Ho Choi, Sung-Kwan Kang, Kyung-Yong Chung, Jung-Hyun Lee, "A Study of Network 2-Factor Access Control Model for Prevention the Medical_Data Leakage", Journal of Digital Convergence, Vol. 10, No. 6, pp. 341-347, 2012. https://doi.org/10.14400/JDPM.2012.10.6.341
  11. ISO/IEC 25020, "Software product Quality Requirements and Evaluation(SQuaRE) -- Measurement reference model and guide", 2007.
  12. ISO/IEC 25030, "Soiftware product Quality Requirements and Evaluation(SQuaRE) -- Quality requirements", 2007.
  13. ISO/IEC 25051, "Software engineering -- Systems and software Quality Requirements and Evaluation (SQuaRE) -- Requirements for quality of Ready to Use Software Product (RUSP) and instructions for testing", 2014.
  14. ISO/IEC 25041, "Systems and software engineering - - Systems and software Quality Requirements and Evaluation(SQuaRE) -- Evaluation guide for developers, acquirers and independent evaluators", 2012.
  15. ISO/IEC 9126-1(2001), 2(2003), Software engineering -- Product quality, 2001.