WO2024242485A1 - Method and apparatus for physical network separation based on single pc - Google Patents

Abstract

The present invention presents a method for implementing a physical network separation operation based on a single PC through a block configuration and an operation flow chart. To specify same, a physical network separation control means used in a desktop PC comprises: a network separation control board; a network connection/blocking means; a network selection means; and two M.2 adapter cards to which M.2 SSDs having internal/external network operating systems installed therein, respectively, are coupled, and a physical network separation operation is executed as a web browser is operated on virtual machine software and/or a main screen on a monitor connected to a user PC in which the virtual machine software is installed, by an operation of an operation flow chart presented for a linkage operation with a device driver. In order to enable a single PC-based physical network separation to be used also in a laptop PC use environment, along with a block configuration diagram for a physical network separation dongle, a detailed configuration of the physical network separation dongle in which the physical network separation dongle is specified in hardware is presented.

Description

Single PC-based physical network separation method and device

The present invention has been criticized for the following problems: although the existing physical network separation environment using two PCs is secure from a security perspective, the hardware introduction budget and software license purchase costs are doubled because it consists of two PCs, it takes up a lot of installation space, and it consumes a lot of power.

In order to solve this problem, the present invention uses one PC, but allows the user to independently install an operating system for an internal network and an operating system for an external network, and allows the PC to boot with either the operating system for the internal network or the operating system for the external network according to the user's selection.

In particular, when the PC is booted by an external network operating system, only the external network connection is maintained, but when the PC is booted by an internal network operating system, the installed virtual machine software connects the external network, and the main screen connects the internal network network, thereby providing a web browser usage environment via the external network in the internal network usage environment without rebooting the PC.

The present invention relates to a physical network separation technology in which a web browser launched in virtual machine software and/or a web browser launched in the main screen is monitored by the device driver of the present invention to control the activation or deactivation of the network adapter of the virtual machine software and the network adapter of the main screen, and at the same time, to transmit the information to the hardware side of the present invention through a PCI Express or low-speed USB interface means, so that when the network adapter of the virtual machine software is activated, the network separation network dongle connected to the internal/external network in hardware selects the external network, and conversely, when the network adapter of the main screen is activated, the network separation network dongle also selects the internal network, thereby allowing physical network separation to be maintained even in a single PC environment.

When a PC user presses the power button to use the PC, the PC starts booting, and during this process, the PC connects to a network regardless of the user's will, and even for the built-in disk device for user data that does not have an operating system installed, it maintains a connection state even after recognizing the device. As a result, when the PC is booted and can be used, the built-in disk device for user data is exposed to the network, making the PC hackable before the user can finally use his or her PC.

In order to fundamentally solve these problems, physical network separation was introduced about 10 years ago and has continued to be implemented to date, with the aforementioned problems still occurring, with physical network separation configured with two PCs for one user.

However, if we look at the usage environment of a physical network separation PC consisting of two PCs from the user's perspective, it is an inevitable case that two PCs must be used. For example, if the user searches for some data on the external network (the Internet) and references this data on the internal network (the business network) to write a report, then a two-PC environment is inevitably needed.

Accordingly, in the present invention, virtual machine software is used for external network access in order to provide a usage environment similar to using two PCs as described above while using one PC, while maintaining physical network separation.

Meanwhile, the device driver used for the single PC-based physical network separation of the present invention monitors the virtual machine software and/or the web browser launched on the main screen, and in particular, when the web browser is launched simultaneously on the virtual machine software and the main screen, the network control operation for allowing the web browsers on both sides to run without interruption is performed in a manner in which the device driver proactively performs the network control operation, or in a manner in which the hardware proactively performs the network connection or switching operation through the network separation control unit of the physical network separation control means, so that the network connection or switching operation is repeatedly performed at regular intervals.

Meanwhile, if the user does not launch a web browser, the device driver naturally keeps the network blocked, and also keeps the built-in disk device for user data blocked if the user does not access the disk device. This prevents the disk device from being exposed to the network even if the user launches a web browser and uses the network, thereby providing a highly complete PC security environment.

In this regard, the disk connection/disconnection control for the built-in disk device described in the applicant's registered patent No. 10-2318716 (filing date 2018.09.28.) and No. 10-2320090 (filing date 2020.10.05. “Data storage means control device and method having data protection function by wireless communication with a smartphone”) can be considered one of the background technologies of the present invention.

<CROSS-REFERENCE TO RELATED APPLICATION>

This patent application claims priority to the following patent application numbers filed in the Republic of Korea, which are incorporated herein by reference in their entirety:

- May 23, 2023, Patent Application No. 10-2023-0066393

- June 14, 2023, Patent Application No. 10-2023-0075982

- July 25, 2023, Patent Application No. 10-2023-0096573

- January 26, 2024, Patent Application No. 10-2024-0012738

- May 22, 2024, Patent Application No. 10-2024-0066664

In the conventional physical network separation, two PCs had to be used for configuration, but the physical network separation method using two PCs has disadvantages in terms of high construction costs, spatial aspects, power consumption, and management aspects such as maintenance, as it requires the use of two PCs to construct a single environment, compared to the physical network separation of the present invention using a single PC.

Figure 1 is a drawing showing a conventional physical network separation environment (10) using two PCs. In terms of the user environment, if a user using a network separation PC accesses the Internet using a PC main body (11) for an external network and a monitor (13) connected thereto to find data required for work reference and display it on the monitor (13), and then looks at a PC main body (17) for an internal network and a monitor (15) connected thereto to write a report or other tasks, only two PC main bodies (11, 17) and two monitors (13, 15) are required.

Meanwhile, in the physical network separation using two conventional PC bodies (11, 17), a physical network separation environment using a KVM (Keyboard, Video monitor, Mouse) switch (not shown) that includes a switching switch is also being used. However, depending on the situation, if only one monitor is provided and work is performed while switching the screens of the two PCs, there is a problem that it is inconvenient to search for work-related data on the Internet, an external network, and display it, and constantly view the content without switching the screen, while working on the internal network.

In addition, in the case of logical network separation using one PC (not shown), the shortcomings pointed out in the physical network separation configured using the two PCs are improved, but since virtual machine software that is not supported by the operating system itself is used for physical network separation, not only is the introduction cost of the virtual machine software itself high, but security vulnerabilities in the virtual machine software itself are constantly being pointed out, and fundamental questions about security are still not resolved.

In particular, in the case of server-based logical network separation, which is more widely used among logical network separations, the initial introduction cost is excessive, so it can be competitive in introduction cost with respect to the physical network separation (10) based on two PCs of Fig. 1 only when a certain number of people are involved.

Accordingly, the single PC-based physical network separation of the present invention maintains the security effect of the reliable physical network separation using two conventional PCs, while presenting solutions to the disadvantages pointed out so far, such as high construction cost, large space occupancy, high power consumption, and maintenance.

In addition, when using a physical network separation (10) using two PCs, a logical network separation (not shown), and a general PC (not shown), the network is connected along with the PC booting, and the built-in disk device is exposed to the connected network, making it possible for the PC to be hacked at the time of PC use. However, before the user starts a web browser, the network is kept in a blocked state, and even if the web browser is started and the network is connected, the disk device for user data is kept in a blocked state unless the user accesses it, so that the disk device is not exposed on the network even while using the Internet.

The single PC-based physical network separation method and device of the present invention for achieving the above purpose comprises: a first network adapter provided for a main screen when an operating system is booted; a second network adapter provided for virtual machine software installed in the operating system; a device driver installed in the operating system and monitoring a web browser launched from the main screen and/or the virtual machine software; a physical network separation control means including an interface conversion unit for receiving or transmitting various status information with the device driver, a network connection means to which a network cable for an internal network and a network cable for an external network are connected, and a network separation control unit for generating various control signals including a connection control signal for the network connection means according to the status information value received through the interface conversion unit; The device driver detects that a web browser has been launched on the main screen, switches the first network adapter to a used state and the second network adapter to an unused state, and simultaneously transmits to the physical network separation control means information on the state in which the web browser of the main screen or the first network adapter is used, so that the physical network separation control means connects the internal network in accordance with the state in which the first network adapter is in use, and when the device driver detects that a web browser has been launched in the virtual machine software, switches the second network adapter to a used state and the first network adapter to an unused state, and simultaneously transmits to the physical network separation control means information on the state in which the web browser of the virtual machine software or the second network adapter is in use, so that the physical network separation control means connects the external network in accordance with the state in which the web browser of the virtual machine software or the second network adapter is in use, and when the device driver detects that a web browser has been launched on the main screen and the virtual machine software, In the case where it is detected, the first or second network adapter corresponding to the web browser that is started or activated later is switched to a used state, and the first or second network adapter corresponding to the web browser that is started or activated first is switched to a not-used state, and at the same time, the status information of the web browser that is started or activated later or the first or second network adapter that is in a used state is transmitted to the physical network separation control means, so that the physical network separation control means causes the web browser of the main screen corresponding to the web browser that is started or activated later or the first network adapter that is switched to a used state later, to connect an internal network, and when the web browser of the virtual machine software is started or activated later or the second network adapter is in a used state, the external network is connected, thereby maintaining physical network separation.

In addition, a first network adapter equipped for the main screen when the operating system is booted; a second network adapter equipped for virtual machine software installed in the operating system; a device driver installed in the operating system and monitoring a web browser launched from the main screen and/or the virtual machine software; a physical network separation control means through which a network cable for an internal network and a network cable for an external network are connected and connected to the device driver through an interface means; It is composed of, when the device driver detects that the web browser is not launched on the main screen and also detects that the web browser is not launched in the virtual machine software, the first network adapter provided on the main screen and the second network adapter provided in the virtual machine software are each switched to an unused state, and at the same time, state information that the web browser on the main screen and the web browser on the virtual machine software are not launched or that both the first network adapter and the second network adapter are unused is transmitted to the physical network separation control means, so that the physical network separation control means maintains a state in which the internal network and the external network are simultaneously blocked.

In addition, a first network adapter equipped for the main screen when the operating system is booted; a second network adapter equipped for virtual machine software installed in the operating system; a device driver installed in the operating system and monitoring a web browser launched from the main screen and/or the virtual machine software; a physical network separation control means through which a network cable for an internal network and a network cable for an external network are connected and connected to the device driver through an interface means; The device driver detects that a web browser is launched or later selected and activated on the main screen and/or the virtual machine software, and transmits status information to the physical network separation control means, and the physical network separation control means performs, as a subsequent operation, if it is determined that the web browser is launched only on the main screen, the internal network is connected and at the same time, network connection information is transmitted to the device driver, so that the device driver switches the first network adapter of the main screen to a used state and the second network adapter of the virtual machine software to an unused state; if it is determined that the web browser is launched only on the virtual machine software, the external network is connected and at the same time, network connection information is transmitted to the device driver, so that the device driver switches the second network adapter of the virtual machine software to a used state and the first network adapter of the main screen to an unused state; if it is determined that web browsers are launched simultaneously on the main screen and the virtual machine software, and the current network connection status is connected to an external network, the internal network is connected. At the same time, network connection information is transmitted to the device driver side so that the device driver switches the first network adapter of the main screen to a used state and the second network adapter of the virtual machine software to an unused state, and then after a certain period of time, an external network is connected, and at the same time, network connection information is transmitted to the device driver side so that the device driver switches the first network adapter of the main screen to a unused state and the second network adapter of the virtual machine software to a used state, and then after a certain period of time, an external network is connected, and at the same time, network connection information is transmitted to the device driver side so that the device driver switches the second network adapter of the virtual machine software to a used state and the first network adapter of the main screen to an unused state, and then after a certain period of time, an internal network is connected, and at the same time, network connection information is transmitted to the device driver side so that the device driver switches the second network adapter of the virtual machine software to a used state and the first network adapter of the main screen to an unused state. The adapter is switched to an unused state, and the first network adapter of the main screen is repeatedly switched to an used state.

In addition, in the physical network separation control means, which comprises: an interface conversion means for receiving status information about a network browser that is started or later activated in the main screen and/or virtual machine software detected by the device driver, or a network adapter that is later set to a used state; a network separation control unit that is connected to the interface conversion means and generates an internal network or an external network selection signal according to the received status information; and a network connection means for selecting and connecting an internal network or an external network according to the network selection signal output from the network separation control unit; wherein, if the status information value received by the network separation control unit from the interface conversion means is that the web browser of the main screen is activated, the network connection means is connected to an internal network, and if the web browser of the virtual machine software is activated, the network connection means is connected to an external network.

In addition, a USB-C type connector for connection with a notebook PC; a low-speed USB hub (HUB) connected to low-speed USB pins provided in the USB-C type connector to expand a first low-speed USB connection signal and a second low-speed USB connection signal; a high-speed interface signal conversion unit connected to the high-speed USB pins provided in the USB-C type connector to convert into the same interface as an M. 2 SSD on which an operating system is installed; a high-speed interface signal switching means connected to the high-speed interface signal conversion unit; an M. 2 SSD on which an operating system for an internal network is installed and an M. 2 SSD on which an operating system for an external network is installed, which are respectively connected to the high-speed interface signal switching means and the M. 2 connector; a low-speed interface conversion means connected to the low-speed USB hub and the first low-speed USB signal; a network separation control unit connected to the low-speed interface conversion means to receive status information transmitted from a device driver or to output whether the booted operating system is by the M. 2 SSD for the internal network or the M. 2 SSD for the external network; In a physical network separation dongle comprising: a network connection means which is connected to the low-speed USB hub through the second low-speed USB connection signal, and which connects the internal network or the external network according to the internal network or external network selection signal output from the network separation control unit; a power supply which is connected to the power pins provided in the USB-C type connector and generates power used internally; and a printed circuit board for mounting parts of each of the components; wherein the control unit causes the network connection means to be connected to the internal network when the web browser received from the device driver through the low-speed interface conversion means is a web browser of the main screen or a network adapter of the main screen is used, and causes the network connection means to be connected to the external network when the web browser received from the device driver is a web browser of virtual machine software or a network adapter of the virtual machine software is used.

In the single PC-based physical network separation according to the present invention, since physical network separation can be achieved with a single PC, not only is a certain security effect due to physical network separation maintained, but compared to the conventional physical network separation consisting of two PCs, there are advantages such as reduced introduction budget, low power consumption, minimization of installation area, heat generation is reduced by half, and the possibility of failure is low, so the frequency of maintenance is low.

In addition, from a software perspective, in the case of conventional physical network separation based on two PCs, since the motherboards and CPUs are different between the PCs, the MAC (Media Access Control) addresses of the PCs, which serve as the criteria for determining software licenses, are different, so a software license had to be obtained for each PC. However, in the case of the single PC-based physical network separation of the present invention, since the motherboard and CPU maintain the same MAC addresses for the internal/external network operating systems, not only is it possible to apply a single license from the installed operating system, but also a single license is applied to licenses for general software used after the installation of the operating system, which entails cost savings.

In addition, in the past, when a PC was booted, the network was connected regardless of the user's will, making it possible to hack through the network, but in the single PC-based physical network separation of the present invention, even if the PC is booted, if the user does not start a web browser, the network is blocked, making it impossible to hack.

Finally, when the PC is booted by an external network operating system, only the external network connection is maintained, but when the PC is booted by an internal network operating system, the installed virtual machine software connects the external network, and the main screen connects the internal network, while maintaining physical network separation, and providing a web browser usage environment for the external network through the virtual machine software in the internal network usage environment without rebooting the PC.

Figure 1 is a drawing showing a physical network separation usage environment using two conventional PC main bodies and two monitors.

FIG. 2 is a block diagram for physical network separation based on a single PC according to the present invention, which shows physical network separation operation by displaying an internal network web browser on the main screen and an external network web browser on the virtual machine software screen according to organic operation between a device driver and a network separation control unit.

FIG. 3 is an execution screen of an embodiment showing a web browser displayed on a main screen used for an internal network on a monitor (100) shown in the block diagram of FIG. 2 according to the present invention and a web browser displayed on virtual machine software used for an external network.

FIG. 4 is a block diagram illustrating the embodiment of the present invention according to the present invention, and is an example of a single PC-based physical network separation means for a desktop PC, which comprises a network separation PCIe card, a network separation network dongle as a network connection means, a network selection means, and an M.2 adapter card in which two M.2 SSDs, each of which has an operating system for internal and external networks installed, are combined.

Fig. 5 is a circuit configuration of an embodiment of the low-speed USB interface unit provided in Fig. 4.

FIG. 6 is a flowchart of a device driver showing a single PC-based physical network separation operation of the present invention.

Figure 7 is a block diagram of a physical network separation dongle for realizing physical network separation for a notebook PC according to the present invention.

FIG. 8 is an embodiment of a physical network separation dongle for a notebook PC that embodies the hardware of the block diagram of FIG. 7 of the present invention.

The terminology used herein is for the purpose of describing embodiments only and is not intended to be limiting of the invention. In this specification, the singular also includes the plural unless specifically stated otherwise in the phrase.

Hereinafter, a single PC-based physical network separation according to a preferred embodiment of the present invention will be described in detail with reference to the drawings.

FIG. 2 is a block diagram for physical network separation based on a single PC according to the present invention, in which the physical network separation operation is performed by displaying the internal network web browser (103) on the main screen (101) and the external network web browser (105) on the virtual machine software screen (107) together with the execution screen of the embodiment illustrated in FIG. 3 according to the organic operation between the device driver (B15) and the network separation control unit (B7). The blocks or components are examined according to the indicated symbols as follows.

First, the physical network separation control means (B2) is composed of a network separation control board (B8), a network connection means (B6), and a network selector (B5), and is configured in such a way that an M.2 SSD (B20) with an operating system for an internal network installed and an M.2 SSD (B22) with an operating system for an external network are inserted into two M.2 adapter cards (B23, B25) that are connected to two M.2 connectors (not shown) provided on a motherboard (not shown) of a PC (B1), respectively.

The network separation control board (B8) corresponds to the physical network separation card (200) illustrated in Fig. 4. The specific components will be described in detail in the physical network separation card (200) illustrated in Fig. 4. The following is an explanation of how a single PC-based physical network separation is configured.

When a user presses the power switch (not shown) of a PC (B1), a network separation control unit (B7) equipped in a physical network separation control means (B2) installed in a PCI Express slot (not shown) equipped on a motherboard (not shown) of the PC (B1) performs a booting operation according to a pre-set value (i.e., an operating system for an internal network when shipped from the factory, or an operating system previously specified by a network selector (B5)). As an example, the following explanation is given assuming that the current PC is booted with an operating system for an internal network.

In relation to the boot control of the operating system for the M.2 adapter card (B23) combined with the M.2 SSD (B20) having an operating system for an internal network installed, when the user presses the switch (401) provided in the network selector (B5, 400) while the PC (B1) is already booted with the operating system for the internal network, and the network separation control unit (B7, 217) determines that it is the same operating system as the currently booted internal network operating system, then when the user selects one of the power options among system shutdown, maximum power saving mode, or restart and the PC (B1) is shut down, the network separation control unit (B7) maintains the reset signal for the M.2 adapter card (B23, 501) combined with the M.2 SSD (B20, 511) having the currently booted operating system installed in a released state so that it can be booted again with the internal network operating system, and at the same time, the M.2 adapter combined with the M.2 SSD (B22, 611) having an external network operating system that is not currently selected For cards (B25, 601), keep the reset signal set so that it cannot be booted by an external network operating system.

This time, when the user presses the switch (401) equipped on the network selector (B5, 400) while the PC (B1) is already booted with an operating system for the internal network, and the network isolation control unit (B7, 217) determines that it is an external network operating system and not the currently booted internal network operating system, and then when the user selects one of the power options among system shutdown, hibernation, or restart and the PC (B1) is shut down, the network isolation control unit (B7) maintains the reset signal set for the M.2 adapter card (B23, 501) to which the M.2 SSD (B20, 511) to which the currently booted operating system is installed is combined so that it cannot be booted again with the internal network operating system, and at the same time, maintains the reset signal released for the M.2 adapter card (B25, 601) to which the M.2 SSD (B22, 611) to which the external network operating system that is not currently selected is combined so that it can be booted with the external network operating system.

When the PC is booted, if the user does not open a web browser [B15 (corresponding to 103), B17 (corresponding to 105)] on the main screen (101) used for internal network purposes or on the virtual machine software (107) used for external network purposes, the device driver (B15) transmits this state to the network separation control unit (B7) by causing the GP0 pin and GP1 pin of the low-speed USB interface unit (220) shown in Fig. 5 to be output in a HIGH state.

When a user starts a web browser (corresponding to B15, 103) only on the main screen (101), the device driver (B15) switches the network adapter (B11) of the main screen (101) used for the internal network to the used state and the network adapter (B13) of the virtual machine software (107) to the unused state, and at the same time, transmits the GP0 pin of the low-speed USB interface unit (220) shown in Fig. 5 to the LOW state and the GP1 pin to the HIGH state to the network separation control unit (B7).

When a user starts a web browser (corresponding to B17, 105) only in the virtual machine software (107), the device driver (B15) switches the network adapter (B13) of the virtual machine software (107) used for the external network to the used state and the network adapter (B11) of the main screen (101) to the unused state, and at the same time, transmits the GP0 pin of the low-speed USB interface unit (220) shown in Fig. 5 to the HIGH state and the GP1 pin to the LOW state to the network separation control unit (B7).

If a web browser is launched simultaneously on the main screen (101) and the virtual machine software (107), the device driver (B15) switches to a used state for the network adapter (B11 or B13) of the location where the web browser (103, 105) launched later is opened among the main screen (101) or the virtual machine software (107), and switches to an unused state for the network adapter (B11 or B13) of the location where it was opened first, and at the same time outputs the GP0 pin and the GP1 pin of the low-speed USB interface unit (220) illustrated in FIG. 5 so as to correspond to the main screen (101) or the virtual machine software (107) to which the web browser (103, 105) launched later belongs.

Meanwhile, in a state where a web browser is opened simultaneously on the main screen (101) and the virtual machine software (107), the device driver (B15) switches the network adapter (B11 or B13) of the location to which the web browser (103, 105) that was later activated by the user through a mouse (not shown) click, etc., among the main screen (101) or the virtual machine software (107) to a used state, and switches the network adapter (B11 or B13) for the web browser (103, 105) that was activated first to a not-used state, and at the same time outputs the GP0 pin and the GP1 pin of the low-speed USB interface unit (220) shown in FIG. 5 so that they correspond to the main screen (101) or the virtual machine software (107) to which the web browser (103, 105) that was later activated by the user through a mouse (not shown) click, etc.

For reference, the operation of setting the device driver (B15) to a used or unused state for the network adapter (B11, B13) is performed in the network switching unit (B10) in the block diagram of Fig. 2.

When the device driver (B15) transmits the output results for the GP0 pin and GP1 pin of the low-speed USB interface section (220) described above to the network separation control section (B7), the network separation control section (B7) reads the input for the GP0 pin and GP1 pin and outputs the following network selection signal to the network separation network dongle (300) corresponding to the network connection means (B6).

① GP0 = HIGH, GP1 = HIGH → Network connection blocked

② GP0 = LOW, GP1 = HIGH → External network connection

③ GP0 = HIGH, GP1 = LOW → Internal network connection

Meanwhile, when the device driver (B15) outputs the following to the GP0 pin and GP1 pin of the low-speed USB interface unit (220), the settings for the network adapter (B11, B13) are made under the initiative of the network separation control unit (B7).

④ GP0 = LOW, GP1 = LOW → Network connection control led by the network separation control unit (B7)

That is, in this case, the network separation control unit (B7) inputs a DYNAMIC_NET_SEL_INT_L__EXT_H signal to the GP2 pin used as an input pin, causing the device driver (B15) to connect the network adapter (B11, B13) to the internal network or to the external network by referring to ‘control signal-2’ (indicated by a dotted line).

At this time, the network separation control unit (B7) inputs a control signal input to the GP2 pin at regular intervals by repeating LOW/HIGH at regular intervals, and the time setting information for the regular interval is set by the user selecting one of the selection buttons displayed as 10 seconds, 20 seconds, 30 seconds, ... 60 seconds in the form of radio buttons on the graphical user interface (GUI, not shown), and the device driver (B15) transmits this to a register (not shown) equipped in the network separation control unit (B7) through the UART port (UART_Rx, UART_Tx), which is a general-purpose serial interface equipped in the low-speed USB interface unit (220), thereby setting the driving cycle.

FIG. 4 is a drawing that concretizes the block diagram of FIG. 2 according to the present invention, and in detail, it shows a physical network separation card (200), a network separation network dongle (300) corresponding to a network connection means (B2), a network selection means (400) concretizing a network selector (B5), and an M. 2 adapter card and M. 2 SSD (500) for a business network (or, internal network) and an M. 2 adapter card and M. 2 SSD (600) for the Internet (or external network) concretizing an M. 2 adapter card (B23, B25) in which an M. 2 SSD (B20) having an internal network operating system installed and an M. 2 SSD (B22) having an external network operating system installed are respectively combined. The functions of each component according to the symbol are as follows.

First, the components provided on the outside of the PCIe Bracket (201) of the physical network separation card (200) are as follows.

Two LED modules (203, 204) are arranged at the top, and only the circular head portion of the LED protrudes outside the PCIe Bracket (201). When booting is performed by an external network operating system, the LED module (203) provided at the upper outer portion lights up, and when booting is performed by an internal network operating system, the LED module (204) provided at the inner portion lights up.

The TACT (or TACTILE) switch (205) is connected to the control unit (217), and operates as a built-in network selection means when the network selection means (400) is not connected to the USB Type-C port at the bottom, and when connected, it is used to perform a short operation test of one-tenth of the set timer value to determine whether the timer operates properly according to the set timer value when the built-in disk device is used with the timer in wired mode, or to distinguish devices in wireless mode.

Each time the tact switch (205) is pressed, the control unit (217) sets the internal network or external network selection bit in a toggle manner, and the network selection bit set in this way is transmitted as a control signal for selecting the operating system to be booted for the M.2 adapter card (500) combined with the M.2 SSD (511) with the internal network operating system installed corresponding to the corresponding network or the M.2 adapter card (600) combined with the M.2 SSD (611) with the external network operating system installed at the next boot.

The two USB Type-C connectors (207, 209) are used to connect a network isolation network dongle (300) and a network selection means (400), respectively. The network isolation network dongle (300) and the network selection means (400) are connected to the USB Type-C connector (207) indicated as ND (Network Dongle) with reference to the marks engraved on the PCIe Bracket on the outside of the two USB Type-C connectors (207, 209), and the network isolation network dongle (300) is connected to the USB Type-C connector (207) indicated as NS (Network Selector), and the network selection means (400) is connected to the USB Type-C connector (209) indicated as NS (Network Selector).

The +12V power supplied through the PCIe Edge-Finger portion (221) to the power pin (not shown) of the USB Type-C connector (207, 209) may be input to the power portion (219) and generated as a +5V output voltage, which is a typical USB power voltage, and applied thereto. In addition, when the low-speed USB interface portion (220) described later is connected to a low-speed USB connection port equipped on a motherboard (not shown) using a separate cable (not shown), the +5V power supplied from the motherboard may be used as the input power of the USB Type-C connector (207, 209).

Meanwhile, among a series of pins provided on the USB Type-C connector (209) to which the network selection means (400) is connected, a network selection signal output from the network selection means (400) is connected to the control unit (217), and depending on the level of this signal, the control unit (217) and the control unit (309) provided on the network separation network dongle (300) recognize the network selection information set by the user in the current state.

In addition, the other pin of the USB Type-C connector (207) to which the network separation network dongle (300) is connected transmits a network cable separation status signal, which is the result of the network separation network dongle (300) monitoring the connection status of the network cable (not shown) for PC connection, and inputs it to the control unit (217).

The antenna connection terminal (211) is connected to an external Bluetooth antenna when the physical network separation card (200) is used in wireless mode by setting the DIP switch (215).

The DIP switch (215) is used with at least two knob switches, and the first switch knob is used to set whether to use the control unit (217) with the built-in wireless communication function block in wired mode by disabling the wireless communication function block or to use it in wireless mode by activating the wireless communication function block, and the second switch knob is used to set whether to apply a timer function to the built-in disk device for user data connected to the SATA connector (227, 229) and to switch to a disconnected state after a certain period of time has elapsed according to the set timer after the user switches the disk device to a connected state, or to maintain the connected state until the user switches it to a disconnected state.

The cover opening/closing drive unit (213) is used to prevent users using a single PC-based physical network separation PC from arbitrarily opening the side cover of the desktop PC without the permission of an administrator to arbitrarily manipulate the DIP switch (215) that enables wired/wireless settings or arbitrarily cross-connect the built-in disk device cable for user data connected to the physical network separation card (200). It is used to drive a solenoid (not shown) that is used for a purpose similar to a lock by being connected to a fingerprint recognition device (not shown).

If the wireless communication function block embedded in the control unit (217) is activated, the network selection means (400) on the USB Type-C connector (207, 209) may be replaced with a button (not shown) provided by an app installed on the user's smartphone (not shown), and thus may not be connected. Since the network separation network dongle (300) must be supplied with power, it must be connected to the USB connector (207) provided on the physical network separation card (200).

As described above, the power supply unit (219) receives +12V voltage from the PCIe Edge-Finger unit (221) to generate power used within the physical network separation card (200), and, if necessary, also generates +5V power supplied to the USB Type-C connector (207, 209). For this purpose, a DC-to-DC Step-down converter (not shown) is used to generate power.

The low-speed USB interface section (220) is for the interface between the control section (217) and the device driver (B15), and in FIG. 4, it can be implemented using a PCI Express ~ USB2.0 conversion IC (not shown) connected to the PCIe Edge-Finger section (321), but it can also be connected to the control section (217) using a box-type connector (not shown) that provides a USB2.0 port (not shown) provided on a motherboard (not shown) and a separate cable (not shown), and connected in the following interface manner.

In the connection between the control unit (217) and the connector provided in the low-speed USB interface unit (220), if the control unit (217) supports a USB2.0 interface pin, it can be directly connected with a USB2.0 signal, or if it is desired to connect a USB2.0 signal with a universal serial interface, it can be connected using a low-speed USB to UART (Universal Asynchronous Receiver / Transmitter) conversion IC, a low-speed USB to I2C conversion IC, or a low-speed USB to GPIO (General Purpose I/O) conversion IC.

In case of connection using a low-speed USB ~ GPIO conversion IC, the designated pins of the conversion IC are defined as input pins or output pins and then connected so that they can be interfaced with the control unit (217) by signal level. An example of an embodiment applied to the present invention will be described in more detail in FIG. 5.

When a SATA connector (227, 229) is provided for connecting an internal disk device for user data, a 3.5-inch hard disk drive (not shown) or a 2.5-inch SSD (not shown) is connected, and when an M.2 SSD connector (not shown) is provided, an M.2 SSD (not shown) is connected and used together with an M.2 adapter card (501, 601).

When SATA connectors (227, 229) are used for the purpose of connecting an embedded disk device for user data, these connectors are connected to a bidirectional multiplexer/demultiplexer (225), and the bidirectional multiplexer/demultiplexer (225) is then connected to a SATA connector (331) for connection to a motherboard, and is connected to a SATA connector (not shown) provided on the motherboard using a separately provided SATA cable (not shown).

A bidirectional multiplexer/demultiplexer (225) is connected to a SATA connector (229) to which a disk device (not shown) for user data for an internal network is connected and a SATA connector (227) to which a disk device (not shown) for user data for an external network is connected.

If a PC with a physical network separation card (200) installed is booted and booted with an M.2 SSD (511) with an operating system for an internal network, the control unit (217) outputs a signal that connects the disk selection signal (SEL) of the bidirectional multiplexer/demultiplexer (225) to the SATA connector (229) to which a disk device (not shown) for user data for the internal network is connected, and when the user presses the built-in disk device connection/disconnection switch (407) for user data provided on one side of the network selection means (400) input to the control unit (217), the control unit (217) outputs a PD (Power Down, power cutoff) signal in a LOW state or a HIGH state.

When the PD signal output from the control unit (217) is in the LOW state, the disk device (not shown) for user data for the internal network is put into the disk connection state when booted by the internal network operating system by the disk selection signal of the bidirectional multiplexer/demultiplexer (225), and when booted by the external network operating system, the disk device (not shown) for user data for the external network is put into the disk connection state.

Meanwhile, if the PD signal output from the control unit (217) is in a HIGH state, regardless of the state of the disk selection signal connected to the bidirectional multiplexer/demultiplexer (225), power is cut off to the bidirectional multiplexer/demultiplexer (225), and both the built-in disk device for internal network user data (not shown) and the built-in disk device for external network user data (not shown) are switched to a cut-off state.

The M.2 adapter connection part (223) is composed of a connector (not shown) for connecting an internal network operating system, which is connected by a cable (not shown) separately provided from a connection port (507) provided on an M.2 adapter card (501) to which an M.2 SSD (511) having an internal network operating system installed is connected, and a connector (not shown) for connecting an external network operating system, which is connected by a cable (not shown) separately provided from a connection port (607) provided on an M.2 adapter card (601) to which an M.2 SSD (611) having an external network operating system installed is connected.

The power switch connection part (224) is formed by separating a two-strand integrated wire harness that is connected to the power switch (not shown) of the PC and the header pin (not shown) for power switch connection provided on the motherboard (290) from the motherboard (not shown), and connecting the wire harness that was separated from the motherboard (290) to a male type pin terminal (not shown) protruding on the upper right side of a 'Y'-shaped wire harness (not shown) additionally provided for the present invention so that the colors (red and black) with the correct polarity are matched to each other, and then connecting a female type housing connector (not shown) provided on the upper left side of the 'Y'-shaped wire harness to a 2.54 mm pitch 2-pin header pin that constitutes the power switch connection part (324).

Next, connect the female type housing connector (not shown) provided at the lower end of the ‘Y’ shaped wire harness (not shown) to the header pin (not shown) for the power switch provided on the motherboard (not shown) with the polarity (or color) matching.

The pin to which the red wire of the ‘Y’-shaped wire harness (not shown) corresponding to the + polarity of the header pin (not shown) for the power switch is connected is connected to any I/O pin provided in the control unit (217) to transmit the pressed state of the power switch (not shown) of the PC to the control unit (217) or transmit the power switch control signal output from the control unit (217) to the header pin for power switch connection provided in the motherboard (not shown).

The network separation network dongle (300) corresponds to the network connection means (B6) in the block diagram of Fig. 2, and is connected to a USB Type-C connector (209) engraved with ND (Network Dongle) provided on the outside of the PCIe Bracket (201) of the physical network separation card (200) and a separate USB cable (not shown), and receives power from the physical network separation card (200) side, receives a reset signal from the control unit (217, corresponding to the network separation control unit (B7)) and a signal regarding whether a web browser has been started as status information received from the device driver (B15) side, and transmits status information regarding whether a network cable (C1) connected to a PC has been disconnected to the control unit (217).

The network dongle (300) is equipped with three RJ45 Ethernet connectors. The RJ45 Ethernet connector (305) arranged alone next to the USB Type-C connector (307) is for connection to the network port (B9) equipped on the PC (B1), and among those arranged side by side on the opposite side, one is an RJ45 Ethernet connector (301) to which an internal network (B3) cable is connected, and the other is an RJ45 Ethernet connector (303) to which an external network (B4) cable is connected.

Although not shown in the network separation network dongle (300) illustrated in FIG. 4, a bidirectional multiplexer/demultiplexer (not shown) IC for Ethernet is provided as an element constituting the network separation network dongle (300), so that the network signal of the RJ45 Ethernet connector (301) to which the network (B3) cable for the internal network is connected is connected via a magnetic coil (313) for signal insulation, and the network signal of the RJ45 Ethernet connector (303) to which the network (B4) cable for the external network is connected is also connected via a magnetic coil (313).

The control unit (309) receives status information about a web browser input through the USB Type-C connector (307) described above and transmits a control signal to a bidirectional multiplexer/demultiplexer (not shown) equipped on the lower surface of the network separation network dongle. The bidirectional multiplexer/demultiplexer (not shown) then selects a signal from either the internal network (B3) or the external network (B4) based on the control signal and transmits the signal to the network port (B9) equipped on the PC (B1) side through a cable (C1) connected to the RJ45 Ethernet connector (305).

However, if the signal received by the control unit (309) on whether the web browser has been started is determined to be not started, the PD (Power Down) pin for the bidirectional multiplexer/demultiplexer (not shown) is switched to a HIGH state so that both the internal network (B3) and the external network (B4) are blocked.

Through this operation, if the user does not start a web browser on the main screen (101) used for the internal network or the virtual machine software (107) used for the external network on the PC (B1), the network separation network dongle (300) blocks the network signal to prevent the PC (B1) from being exposed to the network. In relation to this, the organic operation with the device driver (B15) and the block diagram of FIG. 2 and the example of the embodiment of FIG. 4 will be described in detail later in the operation flowchart of FIG. 6.

As described above, the network selection means (400) is connected to the USB Type-C connector (403) using a separately provided USB cable (not shown) to the USB Type-C connector (211) provided side by side with the NS mark on the outside of the PCIe Bracket (201).

The network selection switch (401) is used when booting a different operating system from the internal network to the external network or from the external network to the internal network while the PC (B1) is booted and in use.

The USB Type-C connector (403) receives +5V power from the physical network separation card (200), receives a network signal for connection status along with an LED (405) driving signal, and transmits a signal by the network selection switch (401) and a signal for connecting or disconnecting a disk device for user data to the network separation control unit (B7, corresponding to 217 in FIG. 4).

The LED (405) is lit by receiving a driving signal output from the control unit (217). When booted by an M.2 SSD (B20, corresponding to 511 in FIG. 4) on which an operating system for an internal network is installed, it is driven in green, and when booted by an M.2 SSD (B22, corresponding to 611 in FIG. 4) on which an operating system for an external network is installed, it is driven in red.

If the user presses the network selection switch (401), the LED flashes alternately from the color that was used during booting to another color, indicating that the user's pressing of the network selection switch (401) has been transmitted to the control unit (217) and recognized.

In addition, when the PC (B1) is booted by an M.2 SSD (511) with an operating system for an internal network installed, the current network connection status connected by the network connection means (B6) is displayed as an internal network or an external network depending on whether a web browser is started or activated on the main screen (101) or virtual machine software (107), and for this purpose, an LED (not shown) separate from the LED (405) that displays the booted operating system is provided and displayed.

The built-in disk device connection/disconnect switch (407) for user data is used to connect or disconnect the disk device (not shown) for user data connected to the SATA connector (227, 229) in a toggle manner by pressing this switch (407).

The LED (409) for indicating the connection status of the built-in disk device for user data for an external network indicates the connection (lit) status and the disconnection (lit) status of the built-in disk device for user data for an external network (not shown) according to pressing the connection/disconnection switch (407) for the built-in disk device for user data for an internal network, and the LED (411) for indicating the connection status and the disconnection (lit) status of the built-in disk device for user data for an internal network (not shown) according to pressing the connection/disconnection switch (407) for the built-in disk device for user data for an internal network.

FIG. 5 is a circuit configuration of an embodiment of a low-speed USB interface part provided in FIG. 4. The explanation continues with the pin numbers of the IC used as the embodiment and the pin names and assigned signal names.

Pin 1 is a power pin, and in the physical network separation card (200) of the present invention, +3.3V is the internal power supply, so it is connected to this power supply.

Pin 2 is a GPIO (General Purpose Input/Output) pin, the pin name is GP0, and it is set as an output pin. When a web browser is running in the virtual machine software used for external networks, it is output as a LOW signal level, and when the web browser is closed, it is output as a HIGH signal level, and the signal name is VM_WB_OPEN_L__CLOSE_H.

Pin 3 is a GPIO (General Purpose Input/Output) pin, the pin name is GP1, and it is set as an output pin. When the web browser is running on the main screen used as the internal network, it is output as a LOW signal level, and when the web browser is closed, it is output as a HIGH signal level, and the signal name is MW_WB_OPEN__CLOSE_H.

Pin 4 is a power pin, and in the physical network separation card (200) of the present invention, +3.3V is the internal power supply, so it is connected to this power supply.

Pin 5 is a GPIO (General Purpose Input/Output) pin, the pin name is GP2, and it is set as an input pin so that the control unit (217) outputs by referencing the GP0 signal of No. 1 or the GP1 signal of No. 2, and the signal name is DYNAMIC_NET_SEL_INT_L__EXT_H.

When the control unit (217) equipped in the physical network separation card (200) outputs this signal to proactively perform network connection/disconnection, the device driver (B15) refers to this signal and, when it is LOW, designates the network adapter of the main screen as being used and the network adapter of the virtual machine software as being unused. Conversely, when this signal is HIGH, the device driver (B15) designates the network adapter of the main screen as being unused and the network adapter of the virtual machine software as being used.

Meanwhile, when the device driver (B15) proactively controls the network connection/disconnection operation, this signal is set to an output pin so that the control unit (217) switches the disk device for user data to a connected state when this signal is LOW, and to a disconnected state when this signal is HIGH.

Pin 6 is a GPIO (General Purpose Input/Output) pin, the pin name is GP3, and when it is set as an input pin and the signal output from the control unit (217) is LOW, it indicates that the booting was done by the M.2 SSD (511) on which the internal network operating system is installed, and when it is HIGH, it indicates that the booting was done by the M.2 SSD (611) on which the external network operating system is installed.

The device driver (B15) that receives this signal controls the network connection and virtual machine software differently when booted by an operating system for an internal network and when booted by an operating system for an external network. This will be described in detail in the operation flow diagram illustrated in Fig. 6.

Pin 7 is a pin used as an SDA signal, which is used as a data signal pin in a serial interface using the I2C interface method. However, in the present invention, it is explained by replacing it with a serial interface of another method (i.e., UART) together with the SCL signal.

Pin 8 is the SCL signal used as a clock signal pin in the serial interface using the I2C interface method.

Pins 9 and 10 are pins used for low-speed USB interface purposes, and a PCI Express to low-speed USB conversion IC (not shown) connected to the PCIe Edge-Finger section (221) may be provided, and the connector may be connected to the motherboard via the PCIe Edge-Finger. Alternatively, as described above, a low-speed USB connection port provided on the motherboard and a connection connector (not shown) provided in the low-speed USB interface section (220) may be connected using a separate cable (not shown).

However, when the connection connector (not shown) provided in the low-speed USB interface section (220) is connected to the low-speed USB port provided in the motherboard (not shown) using a separate cable (not shown), in addition to the low-speed USB signals being connected from the motherboard (not shown), +5V power can be supplied, and thus, it is possible to supply this power to the power pins provided in the USB Type-C connectors (207, 209) provided in the physical network separation card (200).

Pin 11 is a reset pin, the pin name is RESET#, and is connected to the PERST# pin, which is a reset signal pin provided in the PCIe Edge-Finger section (221).

Pins 12 and 13 are universal serial interface (UART) pins, which are connected to the control unit (217) and can be used as replacements for the GPIO pins 2, 3, 5, and 6.

In this case, since the device driver (B15) can send/receive 64 bits of data at a time if it is a 64 bit operating system, it can be more appropriately utilized when more diverse status information and control bits are required, such as when interfacing with 3rd party software is required.

Pin 14 is the ground pin.

FIG. 6 is a flow chart of a device driver (B15) that displays a single PC-based physical network separation operation of the present invention. The following shows how a single PC-based physical network separation operation can be achieved through organic operation with the detailed functional blocks mentioned in FIGS. 2 to 5 described above.

When the PC is powered on (S1) as a starting step, the device driver (B15) performs the following initial state setting changes as its first operation.

① GP0 = HIGH → Block external network

② GP1 = HIGH → Internal network network blocking

③ Network adapter (B13) of SandBox, a virtual machine software (107) used for external network → Disabled (i.e., not in use)

④ Network adapter (B11) on the main screen (101) → Disabled (i.e. not in use)

Next, the device driver (B15) reads the signal level being input to the GP3 input pin of the low-speed USB interface (220) equipped in the physical network separation card (200). (S3)

In determining whether the operating system for the internal network or the operating system for the external network has been booted (S5), the simple operating process for booting the external network operating system will be explained first as follows.

When the GP3 input signal of the USB interface section (220) is HIGH, the device driver (B15) considers that the PC has been booted by the M.2 SSD (611) on which the external network operating system is installed. (S5)

When booted with an operating system for an external network, the device driver (B15) performs the following three operations on the IC of Fig. 5 constituting the low-speed USB interface section (220) to fix the network connection means (B6) equipped in the physical network separation control means (B2) to the external network (i.e., to prevent access to the internal network). (S9)

① GP0 = LOW → External network connection

② GP1 = HIGH → Internal network network blocking

③ Network adapter (B13) of SandBox, a virtual machine software (107) used for external network → Activated (i.e. in use)

④ Network adapter (B11) on the main screen (101) → Activated (i.e. in use)

According to the performance of the above ①, the network connection means (B6) equipped in the physical network separation control means (B2) connects the external network (B4) in hardware according to the control signal output from the network separation control unit (B7), thereby forming a network signal flow reaching the network port (B9) equipped in the motherboard (not shown) of the PC (B1) through the network cable (C1) connected to the network connection means (B6).

Due to this, even if both the virtual machine software (107) and the network adapters (B11, B13) of the main screen (101) are set to an activated state, i.e., in use, web browsers launched on both screens are connected to the external network (B4).

Next, the device driver (B15) checks (S13) whether SandBox, which is a virtual machine software (107) embedded in the operating system, is started and opened. If SandBox (107) is determined to be open, it performs activation processing so that the user can use various control means within SandBox, including the network, the clipboard, shared folders, video, microphone, printer, etc. (S17). Then, it enters the step (S41) of checking whether the PC is shut down. If SandBox (107) is determined to be closed, it immediately enters the step (S41) of checking whether the PC is shut down.

If the PC is not in a shutdown state, the step of checking which operating system has been booted (S5) and the step of checking whether the PC has been shut down (S41) are repeatedly performed as described above. This concludes the explanation of the case where the operating system has been booted for an external network. The explanation of the case where the operating system has been booted for an internal network is continued as follows.

When the PC (B1) boots into the operating system for the internal network (S5), the device driver (B15) checks (S7) whether SandBox, a virtual machine software (107), is opened.

If the SandBox, which is the virtual machine software (107), is determined to be open, the clipboard, shared folders, video, microphone, printer, etc. are deactivated (S11) so that the user cannot use them, except for the network, by various control means within the SandBox, and then the vice driver determines (S15) whether a web browser is open simultaneously within the main screen (101) and the SandBox (107), and if it is determined that the web browser is not open simultaneously or if it is determined (S19) that the user has not input a hotkey (for example, Alt+N) designated in advance, it is considered that only the main screen (101) or the virtual machine software (107) where the web browser that is later activated (Aptiv) is located needs to be connected to the network, and the next step, S23, is then entered.

If, in the step (S7) of determining whether the SandBox, which is the virtual machine software (107), is started and open, the SandBox is determined not to be open, the process proceeds to step S29.

The device driver (B15) determines (S23) whether a web browser is opened within the SandBox, which is a virtual machine software (107), and whether it is most recently active.

If the judgment result of step S23 is confirmed to be true, the device driver (B15) performs the following processing in step S25.

① GP0 = LOW → External network connection

② GP1 = HIGH → Internal network network blocking

③ Network adapter (B13) of SandBox, a virtual machine software (107) used for external network → Activated (i.e. in use)

④ Network adapter (B11) on the main screen (101) → Disabled (i.e. not in use)

If the determination result of step S23 is found to be false, the device driver (B15) performs the next step S29, and even if the determination result of step S7 indicates that the SandBox is not opened, the execution of step S29 is continued.

The device driver (B15) determines (S29) whether a web browser is opened within the main screen (101) and whether it is most recently active.

If the judgment result of step S29 is confirmed to be true, the device driver (B15) performs the following processing in step S33.

① GP0 = HIGH → Block external network

② GP1 = LOW → Internal network connection

③ Network adapter (B13) of SandBox, a virtual machine software (107) used for external network → Disabled (i.e., not in use)

④ Network adapter (B11) on the main screen (101) → Activated (i.e. in use)

If the determination result of step S29 is found to be false, the device driver (B15) determines whether the PC (B1) is in a shutdown state (S41), and if the PC (B1) is determined not to be in a shutdown state, it enters the reboot operating system determination step (S5), and if the PC (B1) is determined to be in a shutdown state (S41), it initializes various settings to the initial settings and then terminates (S43).

Meanwhile, if it is determined that web browsers are simultaneously open on the main screen (101) and within the SandBox, which is the virtual machine software (107), in step S15, and that the hotkey (Alt+N) has been input by the user in the following step S19, the device driver (B15) connects the internal network (B3) of the main screen (101) and the external network (B4) of the virtual machine software (107) for a period of time selected by the user through a separate graphical user interface (GUI) among 10 seconds, 20 seconds, ..., 60 seconds so that the web browsers on the main screen (101) and the web browsers within the SandBox, which is the virtual machine software (107), can be displayed continuously without network disconnection, so that a sufficient amount of buffer memory (not shown) can be filled when the network is connected to the buffer memory (not shown) created on the main memory (not shown) of the PC (B1) secured at startup.

To this end, at step S21, it is determined whether the currently connected network is an internal network (B3) or an external network (B4) (S21).

If the determination result of the device driver (B15) is that the current network connection status is an external network (B4), step S27 is entered and the following processing is performed.

① GP0 = HIGH → Block external network

② GP1 = LOW → Internal network connection

③ Network adapter (B13) of SandBox, a virtual machine software (107) used for external network → Disabled (i.e., not in use)

④ Network adapter (B11) on the main screen (101) → Activated (i.e. in use)

Meanwhile, if the determination result of the device driver (B15) at step S21 is that the current network connection status is an internal network (B3), step S31 is entered and the following processing is performed.

① GP0 = LOW → External network connection

② GP1 = HIGH → Block external network

③ Network adapter (B13) of SandBox, a virtual machine software (107) used for external network → Activated (i.e. in use)

④ Network adapter (B11) on the main screen (101) → Disabled (i.e. not in use)

If processing (S27, S31) based on the determination result of the current network connection status at step S21 is completed, the device driver (B15) starts a timer (not shown) (S35).

The device driver (B15) determines whether the timer started in step S35 has expired (S37) and maintains the network setting status processed in step S27 or step S31 (S39) until the timer expires.

When it is determined (S37) that the timer started at step S35 has ended, the device driver (B15) determines (S41) whether the PC (B1) is in a shutdown state, and if the PC is not in a shutdown state, it enters the step (S5) for determining whether the operating system has been rebooted as described above, and repeatedly performs the steps between this step (S5) and the step (S41) for checking whether the PC is shut down.

If it is determined that the PC (B1) is in a shutdown state, all setting states are initialized to the initial settings and then the entire operation process is terminated. (S43)

Figure 7 is a block diagram of a physical network separation dongle (700) for realizing physical network separation for a notebook PC according to the present invention. The detailed description of each functional block is as follows according to the symbols described for each functional block.

The USB Type-C connector (D1) is connected to a USB TYpe-C port (not shown) provided on the side of a notebook PC (not shown) using a separately provided USB cable (not shown).

The low-speed USB HUB (D3) is connected to the low-speed USB interface signal pins provided on the USB Type-C connector (D1) and is used to generate and expand the first low-speed USB interface signal and the second low-speed USB interface signal.

The high-speed interface signal conversion unit (D5) is connected to the high-speed USB interface pins provided in the USB Type-C connector (D1), and if the notebook PC (not shown) used supports the Thunderbolt interface and the M. 2 SSD used supports the PCI Express interface port with the NVMe standard, the unit converts the Thunderbolt signal into a PCI Express interface signal, and if the notebook PC used (not shown) does not support the Thunderbolt interface port, the unit converts the high-speed USB signal into a SATA interface signal or a PCI Express interface signal depending on the interface conversion IC used so that the interface is the same as that of the M. 2 SSD used for installing the operating system.

The power supply unit (D7) is composed of a DC to DC converter and its peripheral components that receive +5V power supplied from a notebook PC through a power pin provided in the USB Type-C connector (D1) and generate +3.3V power, which is the power used internally in the physical network separation dongle (700).

The ETHERNET to low-speed USB converter (D9) performs the function of converting an Ethernet network signal transmitted through the network connection (D15) into a low-speed USB interface signal.

Flash PROM-1 (D4) and Flash PROM-2 (D11) are used to store various setting information required for the operation of the high-speed interface signal conversion unit (D5) and the ETHERNET to low-speed USB conversion unit (D9), but may not be provided if the high-speed interface signal conversion unit (D5) or the ETHERNET to low-speed USB conversion unit (D9) has its own built-in Flash PROM.

The network connection unit (D15) is connected to a network signal of an RJ45 connector-I (D25, corresponding to 301 in FIG. 4) to which an internal network (B3) cable is connected, and a network signal of an RJ45 connector-E (D27, corresponding to 303 in FIG. 4) to which an external network (B4) cable is connected, and according to a network selection signal of a network separation control unit (D29), either the internal network (B3) or the external network (B4) is selected and transmitted to the ETHERNET to low-speed USB conversion unit (D9).

In addition, when the control unit outputs the PD (Power Down) signal in a HIGH state, the network connection unit (D15) is cut off from the power supply, so that the internal network or external network (B3, B4) is not transmitted to the network connection unit (D15).

The low-speed USB interface unit (D17) uses the same IC as that (220) equipped in the physical network separation card (200) shown in Fig. 4, has the same function, and is connected to any low-speed USB interface signal generated from the low-speed USB HUB (D3) and is connected to the network separation control unit (D29) via a GPIO (General Purpose I/O) and a UART (Universal Asynchronous Receiver / Transmitter), which is a general-purpose serial interface, to transmit a control signal output by the device driver (B15) to the network separation control unit (D29) side, or transmit a control signal output by the network separation control unit (D29) side to the device driver (B15).

As described above, if the high-speed interface signal conversion unit (D5) converts a Thunderbolt signal into a PCI Express interface signal, the high-speed signal switching unit (D13) selects one of the NVMe standard M.2 SSD#1 (D19) on which an internal network operating system is installed or the NVMe standard M.2 SSD#2 (D21) on which an external network operating system is installed, based on the operating system selection signal output from the network separation control unit (D29), and transmits the signal to the PCI Express interface. If the high-speed interface signal conversion unit (D5) converts a high-speed USB signal into a SATA interface signal or a PCI Express interface signal, the high-speed interface signal conversion unit (D5) selects one of the M.2 SSD#1 (D19) on which an internal network operating system is installed or the M.2 SSD#2 (D21) on which an external network operating system is installed, based on the operating system selection signal output from the network separation control unit (D29), and transmits the signal to the SATA interface or the PCI Express interface according to the interface supported by these M.2 SSD#1 (D19) and M.2 SSD#2 (D21). Allows switching and transfer to occur.

M.2 SSD#1 (D19) and M.2 SSD#2 (D21) are used to install the internal network operating system and the external network operating system, respectively.

Typically, a notebook PC (not shown) is equipped with an M.2 SSD (not shown) on which an operating system is installed internally. In order to use the physical network separation dongle (700) of the present invention, the operating system installed inside the notebook PC (not shown) must be copied to the M.2 SSD#1 on which an operating system for an internal network is installed and the M.2 SSD#2 on which an operating system for an external network is installed, both of which are installed inside the physical network separation dongle (700). After the copying is complete, the M.2 SSD on which an operating system is installed inside the notebook PC (not shown) must be formatted to convert it into an internal disk device for user data.

The network separation control unit (D29) receives status information of the device driver (B15) according to the operation flow diagram of Fig. 6 transmitted through the low-speed USB HUB (D3) and the low-speed USB interface unit (D17), performs network switching operation for the internal/external network (B3, B3) for the network connection unit (D15), or selects an operating system to be booted through control of the high-speed signal switching unit (D13), and transmits status information about the operating system to be booted to the device driver (B15) through the low-speed USB interface unit (D17).

The LED display unit (D23) is driven by a signal output from the network separation control unit (D29) to indicate the operating system for the internal network or external network that is booting, and this directly reflects the operation of the network selection display LED (405) provided in the network selection means (400) illustrated in the above-described FIG. 4.

The network selection switch (D31) performs the same function as the network selection switch (401) provided in the network selection means (400) of Fig. 4, and selects and boots the internal network operating system or the external network operating system at the next PC boot according to the internal network or external network network selection signal output from the network separation control unit (D29).

FIG. 8 is an example of a physical network separation dongle (700) for a notebook PC that embodies the block diagram of FIG. 7 of the present invention in hardware. The main components are as follows according to symbols.

The overall shape of the physical network isolation dongle (700) is as shown in the front projection (740) for the physical network isolation dongle and the back projection (760) for the physical network isolation dongle.

The front side (730) of the physical network separation dongle is provided with a USB Type-C connector (705, corresponding to D1) and a network selection switch (707, corresponding to D31), and the rear side (750) is provided with a single-body dual type RJ45 Ethernet connector (715) that constitutes an internal network port (714) for connecting an internal network (B3) cable (not shown) and an external network port (716) for connecting an external network (B4) cable.

As for the arrangement of major parts for the components in the block diagram of Fig. 7, the components provided on the top surface (700) of the physical network separation dongle board include a USB Type-C connector (705, D1), a network selection switch (707, D31), a network separation control unit (711), and a dual type RJ45 Ethernet connector (715, D25, D27). As a component not shown in the block diagram of Fig. 7, a magnetic coil (717) is provided between the network connection unit (D15) and the dual type RJ45 Ethernet connector (715, D25, D27), and a program port (713) for the control unit is arranged at a position adjacent to the network separation control unit (711).

Additionally, the LED (710) constituting the LED display unit (D23) is located at the exact center of the printed circuit board.

Components provided on the bottom surface (770) of the physical network separation dongle board include two M.2 connectors (719, 727) symmetrically arranged at each end of the printed circuit board, and an M.2 SSD support (723) in the center having a ‘ㄷ’ shape and a groove (not shown) provided on the inner side of the end, such that it is inserted through an insertion guide groove (726) provided on the printed circuit board and slides horizontally along the printed circuit board to move to the central position.

The M.2 SSD support (723) is made of an extruded aluminum material and has a fixing hole (not shown) in the center position that can simultaneously connect two M.2 SSDs (721, 725), so that two M.2 SSDs (721, 725) can be fixed simultaneously using one SSD fixing bolt (724), and since the fixing bolt does not penetrate the printed circuit board, there is no need to provide a hole punched in the center position of the already narrow printed circuit board, so that dense signal wiring can be freely performed.

Meanwhile, other components in the block diagram presented in Fig. 7 that are not shown on the physical network separation dongle board Top surface (701) and Bottom surface (770) are placed using the Top/Bottom surface of the printed circuit board within the component placement area indicated by the dotted line.

In this way, the physical network separation dongle (700) of the block diagram of FIG. 7 and the embodiment of FIG. 8 may be applied in the same manner with respect to the operation of the device driver (B15) implementing the operation flow diagram of FIG. 6, although there are some differences from the physical network separation control means (B2) for desktop PCs illustrated in FIG. 2 and FIG. 4 described above in terms of some block diagram components and external shape.

Although preferred embodiments of the present invention have been described in detail above, those skilled in the art will appreciate that various modifications and variations can be made without departing from the scope of the patent claims.

In a form for implementing the present invention,

The main screen displayed on the monitor of Fig. 3 and the web browser of the embodiment launched or activated by the virtual machine software illustrate the operation of the device driver according to the block diagram of Fig. 2 and the operation flow diagram of Fig. 6.

In addition, the physical network separation based on a single PC can be used on a desktop PC in the form of a physical network separation card, a network separation network dongle, and a network selection means as shown in Fig. 4.

Finally, the physical network separation dongle of the embodiment illustrated in FIG. 8 according to the block diagram of FIG. 7 provides a single PC-based physical network separation usage environment for a notebook PC.

As mentioned above, since the PC appeared on the market, built-in disk devices have always been connected to the PC when it boots up, and since the network is also connected when the PC boots up, when the PC is actually booted up and used, the built-in disk devices for user data are exposed to the network, making them vulnerable to hacking from the outside.

Until now, security has been achieved only through software methods as a countermeasure to this, but limitations are being revealed in the pursuit of perfect security.

Software-based security uses the resources of the PC's CPU, main memory, and disk device because it operates through software through security software installed on the PC, and requires frequent security patches and software upgrades.

However, users of security software cannot properly know whether security is being implemented properly or whether there is a data leak.

In comparison, the single PC-based physical network separation card for desktop PCs and the physical network separation dongle for notebook PCs of the present invention physically separate the internal network and the external network, thereby providing a safe PC usage environment at least for the internal network, and not only uses almost no PC resources, but also does not require frequent security patches or software upgrades, so it will be in the spotlight in the PC security field, and an industrial ripple effect is expected through appropriate product merger with existing security software.

Claims (14)

The first network adapter provided for the main screen when the operating system boots; A second network adapter provided for virtual machine software installed on the above operating system; A device driver installed in the above operating system and monitoring a web browser launched on at least one of the above main screen and the above virtual machine software; It consists of a physical network separation control means including an interface conversion unit for receiving or transmitting the above device driver and various status information, a network connection means to which a network cable for an internal network and a network cable for an external network are connected, and a network separation control unit for generating various control signals including a network connection control signal for the network connection means according to the status information value received through the interface conversion unit; When the device driver detects that a web browser is launched on the main screen, the first network adapter is switched to a used state and the second network adapter is switched to an unused state, and at the same time, information on the state in which the web browser of the main screen or the first network adapter is used is transmitted to the physical network separation control means, so that the physical network separation control means connects the internal network corresponding to the state in which the first network adapter is used. When the device driver detects that a web browser is launched in the virtual machine software, the second network adapter is switched to a used state and the first network adapter is switched to an unused state, and at the same time, information on the state in which the web browser of the virtual machine software or the second network adapter is used is transmitted to the physical network separation control means, so that the physical network separation control means connects an external network corresponding to the state in which the web browser of the virtual machine software or the second network adapter is used. A single PC characterized in that, when the device driver detects that a web browser is launched on the main screen and the virtual machine software, the first or second network adapter corresponding to the web browser launched or activated later is switched to a used state, and the first or second network adapter corresponding to the web browser launched or activated first is switched to an unused state, and at the same time, the status information of the web browser launched or activated later on the main screen or the virtual machine software or the first or second network adapter in a used state is transmitted to the physical network separation control means, so that the physical network separation control means causes the internal network to be connected when the web browser of the main screen is launched or activated later or the first network adapter is in a used state corresponding to the web browser launched or activated later or the first or second network adapter switched to a used state corresponding thereto, and causes the external network to be connected when the web browser of the virtual machine software is launched or activated later or the second network adapter is in a used state, thereby maintaining physical network separation. A physical network separation method based on. In paragraph 1, A single PC-based physical network separation method characterized in that the above device driver causes the first network adapter provided on the main screen and the second network adapter of the virtual machine software to alternate between being used and not used at regular intervals when a hotkey set in advance is input, thereby allowing the web browser on the main screen and the web browser on the virtual machine software to be constantly displayed without a network disconnection phenomenon from the user's perspective, while maintaining physical network separation. In paragraph 1, A single PC-based physical network separation method, characterized in that the physical network separation control means transmits status information on whether the operating system was booted by an internal network operating system or an external network operating system when the operating system was booted to the device driver side through the interface conversion unit. In paragraph 1, The above device driver keeps the network, clipboard, shared folder, printer, video, and microphone for the virtual machine software in use at the same time as the virtual machine software is executed when the operating system is booted by the operating system for the external network. A single PC-based physical network separation method characterized in that when the above operating system is booted by an operating system for an internal network, the network for the virtual machine software is kept in a used state while the virtual machine software is executed, but the clipboard, shared folders, printer, video, and microphone are kept in an unused state. The first network adapter provided for the main screen when the operating system boots; A second network adapter provided for virtual machine software installed on the above operating system; A device driver installed in the above operating system and monitoring a web browser launched on at least one of the above main screen and the above virtual machine software; It consists of a physical network separation control means in which a network cable for an internal network and a network cable for an external network are connected and connected through the device driver and interface means; A single PC-based physical network separation method, characterized in that, when the device driver detects that a web browser is not launched on the main screen and that a web browser is not launched in the virtual machine software, the device driver switches the first network adapter provided on the main screen and the second network adapter provided in the virtual machine software to an unused state, and simultaneously transmits state information that the web browser on the main screen and the web browser on the virtual machine software are not launched or that both the first network adapter and the second network adapter are unused to the physical network separation control means, thereby causing the physical network separation control means to maintain a state in which the internal network and the external network are simultaneously blocked. The first network adapter provided for the main screen when the operating system boots; A second network adapter provided for virtual machine software installed on the above operating system; A device driver installed in the above operating system and monitoring a web browser launched on at least one of the above main screen and the above virtual machine software; It consists of a physical network separation control means in which a network cable for an internal network and a network cable for an external network are connected and connected through the device driver and interface means; The above device driver detects that a web browser is started or later selected and activated on the main screen and/or the virtual machine software and transmits status information to the physical network separation control means, and the physical network separation control means performs the following operations: If it is determined that the web browser is launched only on the main screen, the internal network is connected and network connection information is transmitted to the device driver side, so that the device driver switches the first network adapter of the main screen to a used state and the second network adapter of the virtual machine software to an unused state. In the case where it is determined that the web browser is launched only in the above virtual machine software, the external network is connected and network connection information is transmitted to the device driver side, so that the device driver switches the second network adapter of the virtual machine software to a state in which it is used and the first network adapter of the main screen to a state in which it is not used. If it is determined that a web browser is launched simultaneously on the main screen and the virtual machine software, and if the current network connection status is connected to an external network, the internal network is connected and network connection information is transmitted to the device driver side so that the device driver switches the first network adapter of the main screen to a used state and the second network adapter of the virtual machine software to an unused state, and after a certain period of time, the external network is connected and network connection information is transmitted to the device driver side so that the device driver switches the first network adapter of the main screen to an unused state and the second network adapter of the virtual machine software to a used state, and the operation is repeatedly performed. A single PC-based physical network separation method, characterized in that when it is determined that a web browser has been launched simultaneously on the main screen and the virtual machine software, and the current network connection status is connected to the internal network, the external network is connected while simultaneously transmitting network connection information to the device driver, so that the device driver switches the second network adapter of the virtual machine software to a used state and the first network adapter of the main screen to an unused state, and then after a certain period of time, the internal network is connected while simultaneously transmitting network connection information to the device driver, so that the device driver switches the second network adapter of the virtual machine software to an unused state and the first network adapter of the main screen to a used state, so that the operation is repeatedly performed. Interface conversion means for receiving status information about a web browser that is started or later activated by the device driver detected by the main screen and/or virtual machine software, or a network adapter that is later set to a used state; A network separation control unit that is connected to the above interface conversion means and generates an internal network or external network selection signal according to the received status information; In a physical network separation control means, comprising: a network connection means for selecting and connecting an internal network or an external network according to a network selection signal output from the above network separation control unit; A single PC-based physical network separation device characterized in that the network separation control unit connects the network connection means to an internal network if the web browser of the main screen is activated based on status information received from the interface conversion means, and connects the network connection means to an external network if the web browser of the virtual machine software is activated. In Article 7, A network selection means having a switch that can select whether to boot with an internal network operating system or an external network operating system by being connected to the above physical network separation control means; In addition, an M.2 adapter card is provided, which is connected to the above physical network separation control means and a cable, and an M.2 SSD with an operating system for an internal network is combined with an M.2 adapter card with an M.2 SSD with an operating system for an external network is combined; When the user presses the switch provided in the network selection means, the network separation control unit determines this and determines that the same operating system as the currently booted operating system is selected. Then, when the user selects one of the power options among system shutdown, hibernation, or restart and the PC is shut down, the network separation control unit maintains the reset signal for the M.2 adapter card to which the M.2 SSD on which the currently booted operating system is installed is combined in a released state so that it can be booted again with the internal network operating system, and at the same time, maintains the reset signal for the M.2 adapter card to which the M.2 SSD on which the currently unselected operating system is combined in a set state so that the operating system cannot be booted. A single PC-based physical network separation device characterized in that, if the determination result of the above network separation control unit determines that an operating system other than the currently booted operating system has been selected, when the user subsequently selects a power option from among system shutdown, hibernation, or restart to shut down the PC, the network separation control unit maintains a reset signal set for the M.2 adapter card to which the currently booted operating system is connected so that the current operating system cannot be booted again, and at the same time, maintains a reset signal released for the M.2 adapter card to which the M.2 SSD to which the currently unselected operating system is connected so that the operating system can be booted. In Article 8, A single PC-based physical network separation device, characterized in that the network connection means and the network selection means are physically separated from the physical network separation control means by cables, respectively. In Article 8, A first connector for connecting an internal disk device for internal network user data; A second connector for connecting an internal disk device for external network user data; A bidirectional multiplexer/demultiplexer respectively connected to the disk device connection pins of the first connector and the second connector; In addition, a third connector is provided for connection to the above bidirectional multiplexer/demultiplexer and for connection to a connector for connecting any built-in disk device provided on the motherboard; A single PC-based physical network separation device, characterized in that, when the internal network operating system is booted, the network separation control unit maintains the disk selection signal of the bidirectional multiplexer/demultiplexer in a state connected to the first connector side, and when the external network operating system is booted, the disk selection signal of the bidirectional multiplexer/demultiplexer in a state connected to the second connector side, and then, when the user presses the built-in disk device connection/disconnection switch for the user data provided in the network selection means, if the power switching signal output from the network separation control unit is output in a LOW state, power is supplied to the bidirectional multiplexer/demultiplexer so that the built-in disk device for the internal network user data or the built-in disk device for the external network user data is connected, and if the power switching signal is output in a HIGH state, power is cut off to the bidirectional multiplexer/demultiplexer so that both the built-in disk device for the internal network user data and the built-in disk device for the external network user data are cut off regardless of the connection state of the disk selection signal. USB Type-C connector for connection to a notebook PC; A low-speed USB hub (HUB) connected to the low-speed USB pins provided on the above USB Type-C connector to generate and expand a first low-speed USB interface signal and a second low-speed USB interface signal; A high-speed interface signal conversion unit that converts the high-speed USB pins provided on the USB Type-C connector into the same interface supported by the M.2 SSD on which the operating system is installed; A high-speed interface signal switching means connected to the above high-speed interface signal conversion unit; An M.2 SSD having an operating system for an internal network and an M.2 SSD having an operating system for an external network, each connected via the high-speed interface signal switching means and the M.2 connector; A low-speed interface conversion means connected to the above low-speed USB hub and the first low-speed USB interface signal; A network separation control unit connected to the above low-speed interface conversion means to receive status information transmitted from a device driver or output whether the booting operating system is via an M.2 SSD for an internal network or an M.2 SSD for an external network; A network connection means connected to the low-speed USB hub through the second low-speed USB interface signal, and connecting the internal network or the external network according to the internal network or external network selection signal output from the network separation control unit; A power supply unit that generates power used internally and is connected to the power pins provided in the USB Type-C connector; and In a physical network separation dongle comprising a printed circuit board for mounting the components of each of the above components; A single PC-based physical network separation device characterized in that the control unit causes the network connection means to be connected to an internal network when the web browser received from the device driver through the low-speed interface conversion means is a web browser of the main screen or a network adapter of the main screen is used, and causes the network connection means to be connected to an external network when the web browser received from the device driver is a web browser of virtual machine software or a network adapter of virtual machine software is used. In Article 11, A single PC-based physical network separation device characterized in that the network separation control unit transmits status information on whether the internal network operating system is booted by an M.2 SSD installed or an external network operating system is booted by an M.2 SSD installed, to the device driver side through the low-speed interface conversion means. In Article 11, In addition, an LED display unit connected to the above control unit is provided; A single PC-based physical network separation device characterized in that it displays whether the booting is performed by an M.2 SSD having an operating system for the internal network installed or an M.2 SSD having an operating system for the external network installed, or whether the network currently connected by the network connection means is an internal network or an external network, according to a control signal from the control unit. In Article 11, An M.2 SSD support that slides horizontally along the printed circuit board through a groove provided on the printed circuit board and acts as a fixing support for an M.2 SSD having an operating system for an internal network installed and an M.2 SSD having an operating system for an external network installed; Additional fixing bolts for fixing the M.2 SSD are provided; A single PC-based physical network separation device characterized in that when two M.2 SSDs are arranged facing each other with the fixing hole provided in the M.2 SSD support as the center, and are fixed to the fixing hole provided in the M.2 SSD support using one fixing bolt, the fixing bolt does not penetrate the printed circuit board.

Images