JP2006165877A - Communication system, communication method, and communication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication system etc improved in serviceability and security. <P>SOLUTION: A communication system capable of improving communication devices in security in a network containing the communication devices is equipped with an unauthorized function detecting unit which detects whether any of the communication devices in the network operate their unauthorized function units having an unauthorized access function or are the unauthorized function communication devices equipped with the unauthorized function units and transmits detection signals, an isolation enforcing unit isolates the unauthorized function communication devices so as to forcibly stop them from communicating with the other communication devices when the unauthorized function detecting unit transmits detection signals, and a watch accelerating unit which transmits warning signals indicating that the detection signals are transmitted to the other communication devices to accelerate watch when the unauthorized function detecting unit transmits detection signals. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a communication system, a communication method, and a communication program, and is suitable for application to, for example, isolating a computer infected with a worm in a LAN.

  As technologies related to conventional security, there are those described in Patent Documents 1 and 2 below.

  In the technology of Patent Document 1, a plurality of firewall function units are mounted on one firewall device, and a different firewall function unit is provided for each combination of user networks, so that processing between a large number of user networks can be performed by one firewall. Configure to run on the device. As a result, the number of necessary firewall devices is reduced, so that it is possible to reduce the cost of the devices related to the firewall devices and save labor in management.

The technique of Patent Document 2 is a switch that is a relay device in a LAN and has a function of detecting illegal packets. As a result, whether a packet exchanged between computers in the LAN or a packet exchanged between a computer in the LAN and a computer on the WAN side is an illegal packet when relayed by the switch. Since the illegal packet is inspected and discarded, it is possible to prevent the infection from spreading within the LAN or spreading the infection range from the LAN to the WAN side due to the illegal packet transmitted by a computer virus or the like.
JP 2001-306421 A JP 2003-348113 A

  By the way, in the technique of the above-mentioned patent document 1, since the said firewall function part cannot change the rule (blocking rule) for blocking a packet etc. dynamically, there exists a surface lacking in convenience.

  For example, if you try to use pattern matching vaccine software that is often used to remove a computer virus from a computer infected with a computer virus (including narrowly defined viruses, worms, Trojan horses, etc.) It is necessary to update the virus definition file installed on the computer, or to install the vaccine software if the vaccine software itself is not installed on the computer. The computer must be allowed to communicate with a server (provider server) that provides virus definition files and vaccine software.

  However, when the blocking rule is fixed, in order to realize such permission, it is necessary for an administrator to perform work for changing the setting of the blocking rule, and the management burden is changed. Increased and low convenience. Alternatively, another computer that is not infected with a computer virus accesses the provider server to download a virus definition file or vaccine software, and stores the file in an external storage medium such as a floppy (registered trademark) disk or CD. It is also possible to insert the external storage medium into the external storage device of the infected computer and read it on the infected computer. It takes time and effort and is not convenient.

  On the other hand, in the technique of Patent Document 2, when a computer (for example, a notebook personal computer) already infected with a computer virus is brought into the LAN and connected to the switch, a packet containing a virus pattern is transmitted. The switch shuts off the port, discards the packet, or notifies a predetermined computer of virus detection. If the port is blocked, packets containing virus patterns (self-replicated) will not be relayed by the switch, preventing the spread of computer virus infection and preventing the spread of virus damage that may occur thereafter, but blocking the port. In this case, a computer infected with a computer virus or the like may not be able to communicate with the provider server, which is not convenient.

  Moreover, even if a packet containing a virus pattern is simply discarded by a switch, even if the spread of a computer virus can be prevented, the spread of virus damage cannot necessarily be prevented, and the security is not sufficiently high. This is because a packet transmitted to a computer infected with a computer virus or the like is not necessarily a packet including the virus pattern, and damage may be caused by a packet not including the virus pattern.

  Furthermore, it is not possible to prevent the spread of infection and the spread of damage simply by notifying a predetermined computer of detection of a virus, so that the security is not sufficiently high.

  In order to solve this problem, according to the first aspect of the present invention, in a communication system that improves security of each communication device in a network including a plurality of communication devices, (1) any one of the communication devices in the network (2) an unauthorized function detection unit that operates an unauthorized function unit having an unauthorized access function or detects that the unauthorized function unit is present and transmits a detection signal; When the unauthorized function detection unit transmits a detection signal, an isolation execution unit that isolates the unauthorized function communication device and forcibly disables communication with another communication device; and (3) the unauthorized function detection unit includes: When a detection signal is transmitted, a warning signal indicating that the detection signal has been transmitted is transmitted to another communication device, and a warning promoting unit that prompts a warning is provided.

  According to the second aspect of the present invention, in a communication method for improving security of each communication device in a network including a plurality of communication devices, (1) the unauthorized function detection unit is connected to any one of the communication devices in the network. , To operate an unauthorized function unit having an unauthorized access function, or to detect that the unauthorized function unit is present and transmit a detection signal, and (2) the unauthorized function detection unit Sends a detection signal, the quarantine execution unit isolates the unauthorized function communication device to forcibly disable communication with another communication device, and (3) the unauthorized function detection unit transmits the detection signal. Then, the warning promotion unit transmits a warning signal indicating that the detection signal has been transmitted to another communication device to promote warning.

  Furthermore, in the third aspect of the present invention, in a communication program for improving security of each communication device in a network including a plurality of communication devices, (1) any one of the communication devices in the network is illegally accessed. An unauthorized function detection function that operates an unauthorized function part having the above function or detects that the unauthorized function part is present and transmits a detection signal; and (2) the unauthorized function. When the detection function detection signal is transmitted, the unauthorized function communication device is isolated, and the isolation execution function forcibly making it impossible to communicate with other communication devices, and (3) the unauthorized function detection function transmits the detection signal. Then, a warning signal indicating that the detection signal has been transmitted is transmitted to another communication device, and a warning promotion function for promoting warning is realized.

  According to the present invention, convenience and security can be improved.

(A) Embodiment Hereinafter, an embodiment will be described by taking as an example a case where the communication system, the communication method, and the communication program according to the present invention are applied to a security system including a layer 2 switch having a VLAN function.

(A-1) Configuration of Embodiment FIG. 2 shows an example of the overall configuration of the security system 10 according to the present embodiment. Of course, servers (not shown) such as a DNS server or a DHCP server may exist in the security system 10.

  In FIG. 2, the security system 10 includes a router 14 and networks 11 to 13.

  These networks 11 to 13 correspond to subnets (layer 3 segments) separated by the router 14.

  A layer 2 switch 15, an isolation notification server 16, and communication terminals 18 and 19 are disposed on the network 11, a recovery server 17 is disposed on the network 12, and communication is performed on the network (relay network) 13. A terminal 20 is arranged. The communication terminal 20 may be any communication terminal, but may be a web server as an example.

  The recovery server 17 includes a program (for example, anti-virus software) and data (for example, a virus definition file) necessary for a communication terminal (for example, 19) infected with a computer virus to remove the computer virus. Is a server that has accumulated A new virus definition file corresponding to a new type of computer virus is provided on the communication terminal 19 by downloading from the recovery server 17.

  The router 14 is a normal router, and relays packets at layer 3 (that is, the network layer of the OSI reference model). However, the router 14 has two logical ports (10.10.10.1/24 and 10.10.30.1/24) for one physical port connected to the layer 2 switch 15. It is set. One of them, 10.10.0.1/24, functions as a regular NHR (next hop router) that hits the default gateway, and the other, 10.10.0.1.24, is infected. It functions when a communication terminal (for example, 19) is isolated.

  One router 14 may contain a plurality of layer 2 switches similar to the layer 2 switch 15. In this case, an isolation notification server similar to the isolation notification server 16 is arranged for each layer 2 switch. However, since only one recovery server 17 is required for the entire security system 10, functions can be saved. .

  Of course, a repeater type hub (not shown) may exist on the network 11. Further, the physical transmission path of the networks 11 to 13 may be a wired transmission path or a wireless transmission path.

  The communication terminals 18 and 19 may be used as servers, but in the following description, a case where they are mainly used as clients is assumed. Specifically, the communication terminals 18 and 19 may be personal computers, for example. The communication terminal 18 is used by the user U1, and the communication terminal 19 is used by the user U2. In the following description, it is assumed that the communication terminal 19 is mainly infected with a computer virus. Here, the computer virus includes not only a narrowly-defined virus but also a worm and a Trojan horse. The packet transmitted by the communication terminal 19 is PK9 regardless of whether it is used for unauthorized access.

  There may be various communication protocols in the network layer of the OSI reference model. Here, since the IP protocol is assumed, the packet PK9 is an IP packet. Although there are various communication protocols in the data link layer of the OSI reference model, here it is assumed that IEEE 802.3 or the like is used and MAC frames are used. In this case, the packet PK9 which is an IP packet is relayed by the layer 2 switch 15 while being accommodated in the MAC frame, and is transmitted from the corresponding port. When transfer to the outside of the network 11 is necessary, the data is supplied to the regular NHR of the router 14.

  The layer 2 switch 15 is a normal layer 2 switch, and relays packets (frames) at layer 2 (that is, the data link layer of the OSI reference model). Note that the term “packet” is used as a protocol data unit (PDU) in the network layer in a narrow sense, but is also used as a protocol data unit such as a data link layer or a transport layer in a broad sense. In the following description, unless otherwise required, a MAC frame containing an IP packet and an IP packet are simply referred to as a packet without distinguishing them.

  The layer 2 switch 15 has a function of sending a copy of the packet PK9 from the physical port 15B when sending the packet PK9 from the physical port 15A connected to the router 14. At this time, the physical port 15A is called a mirror source port, and the physical port 15B is called a mirror destination port. The packet PK9 sent from the mirror source port 15A is delivered to its original destination (for example, 20), and the packet PK9 sent from the mirror destination port 15B is delivered to the quarantine notification server 16 and illegal access is made by the quarantine notification server 16 It is checked whether it is not related to. Since the packet PK9 sent out from the mirror destination port 15B has the same content as that sent out from the mirror source port 15A, this check is performed by unauthorized access to the node that is the original destination of the packet PK9. I'm looking for it.

  If the packet PK9 having the same content can be transmitted from two physical ports (corresponding to the mirror source port 15A and the mirror destination port 15B), what kind of processing is executed in the layer 2 switch 15 for that purpose? It does not matter if it is a thing. In addition, there may be a case where the layer 2 switch 15 itself can have the same configuration even if it does not have a function of transmitting packets having the same contents from two physical ports. For example, a repeater-type hub is disposed on the transmission path between the layer 2 switch 15 and the router 14, and the packet PK9 sent from one of a plurality of ports of the hub is supplied to the router 14, and the other 1 For example, a case where the packet PK9 sent from one is supplied to the quarantine notification server 16 corresponds to this.

  The physical port 15C of the layer 2 switch 15 is an isolation port. When the communication terminal 19 is isolated, the VLAN to which the communication terminal 19 belongs is forcibly changed to the same VLAN as the isolation port 15C, and the packet PK9 is transmitted only from the isolation port 15C. Therefore, when quarantine is performed, the packet PK9 transmitted by the computer virus on the communication terminal 19 is processed by the quarantine notification server 19 and is not delivered to the destination determined by the computer virus.

  In addition, the layer 2 switch 15 transmits the contents of the MAC address table TB1 mounted on the layer 2 switch 15 to the quarantine notification server 16, and can rewrite the contents of the MAC address table TB1 according to control from the quarantine notification server 16. It has.

  As shown in FIG. 3, the MAC address table TB1, that is, FIB (Forwarding Information Base) includes, as data items, a MAC address, a physical port, and a VLAN-ID.

  Of these, the physical port indicates identification information (port number) for uniquely identifying each physical port included in the layer 2 switch 15.

  The MAC address indicates a MAC address obtained from a source MAC address of a MAC frame supplied from each physical port. From the correspondence between the port number and the MAC address, it can be seen which MAC address exists ahead of which physical port.

  The VLAN-ID indicates identification information for uniquely identifying each VLAN in the network 11. As a VLAN system, a VLAN tag is added to a MAC frame, a VLAN VLAN is restricted by identifying a VLAN-ID included in the VLAN tag, and a VLAN is set for each port of the layer 2 switch. There is a port VLAN. Although a tag VLAN can be used in the present invention, a port VLAN is assumed here.

  In the port VLAN, the layer 2 switch 15 registers the correspondence relationship between each physical port number and the VLAN-ID in the MAC address table TB1, and restricts the relay destination of the MAC frame to physical ports belonging to the same VLAN. That is, no matter what the value of the destination MAC address of the MAC frame is, the MAC frame is not relayed to a physical port other than the physical port belonging to the same VLAN as the physical port that received the MAC frame. The communication terminal 19 can be isolated using the function.

  The isolation notification server 16 is a server having a function of isolating an infected communication terminal 19 and a function of notifying a normal communication terminal in the security system 10 that the communication terminal 19 is infected with a computer virus. The internal configuration of the isolation notification server 16 is, for example, as shown in FIG.

(A-1-1) Internal Configuration Example of Quarantine Notification Server In FIG. 1, the quarantine notification server 16 includes an attack predictor determination unit 21, a database unit 22, a warning page generation / insertion unit 23, a control unit 24, A Web notification processing unit 25, a fixed DNS response unit 26, a firewall function unit 27, a DNAT (Destination NAT) redirect processing unit 28, a promiscuous port 29, and transmission / reception units 30 to 32 are provided.

  Among them, the promiscuous port 29 is a part for receiving a packet (a copy thereof) transmitted from the mirror destination port 15B of the layer 2 switch 19, and a destination of a MAC frame containing the packet (for example, the PK9). It has a function to receive whatever MAC address value. Originally, the MAC frame transmitted from the mirror source port 15A has a destination MAC address that designates the MAC address corresponding to the regular NHR, and therefore receives the MAC frame transmitted from the mirror destination port 15B as a copy thereof. In order to do so, such a function is necessary.

  The transmission / reception units 30 and 32 are components corresponding to normal ports connected to the respective ports of the layer 2 switch 15, but in this embodiment, functions of the network layers of the transmission / reception units 30 and 32 (that is, IP interfaces). As a function) is important. Of these, the transmitting / receiving unit 32 corresponds to a pseudo NHR. The pseudo NHR is an IP interface for receiving the packet PK9 that should be received by the normal NHR of the router 14 without contradiction when the isolation is executed.

  The transmission / reception unit 30 is a port used when a normal communication terminal (for example, the communication terminal 18) that is not isolated accesses the HTTP proxy server (corresponding to the Web notification processing unit 25).

  In addition, after the isolation, the transmission / reception unit 30 performs the packet transmission source via the isolation notification server 16 during the recovery operation of the user U2 performed by the communication terminal 19 accessing the recovery server 17 via the isolation notification server 16. It is also an IP interface.

  The transmission / reception unit 31 is a port for accessing the MAC address table TB1 mounted on the layer 2 switch 15.

  The control unit 24 controls the components 21 to 23 and 25 to 32 in the quarantine notification server 16 and controls the layer 2 switch 15. The control unit 24 controls the contents of the MAC address table TB1 mounted on the layer 2 switch 15. It also has a function of rewriting and changing VLAN settings.

  The attack predictor determination unit 21 detects whether an attack (unauthorized access) is detected at an early stage based on a packet (for example, PK9) received via the promiscuous port 29 to determine whether or not unauthorized access is being performed. The determination part may correspond to an IDS (intrusion detection system) or the like. Whether or not to search for an attack target before actually carrying out an attack depends on the function of the computer virus, but in any case, if unauthorized access can be detected at an early stage immediately after unauthorized access is started, It is possible to perform the isolation before actual damage occurs on a server that is the target of unauthorized access or attack.

  For example, a host scan that sends packets PK9 to different destinations while changing the destination IP address randomly or sequentially, or a port scan that sends packets PK9 while changing the destination port number randomly or sequentially Can be regarded as a sign of

  The database unit 22 is a MAC address-physical port correspondence database that receives and stores the contents of the MAC address table TB1 mounted on the layer 2 switch 15 via the transmission / reception unit 31. The control unit 24 can know the contents of the MAC address table TB1 of the layer 2 switch 15 at that time in a short access time by accessing the database unit 22.

  When the communication terminal 19 communicates via the isolation notification server 16 due to the isolation, the firewall function unit 27 causes the isolation notification server 16 itself to be damaged by the packet PK9 that the computer virus transmits to the communication terminal 19. It is a part to avoid. Most of the packets are blocked (rejected) by the firewall function unit 27. For example, the packet PK9 for performing the recovery work using the recovery server 17 needs to pass through the firewall function unit 27. .

  Therefore, for example, the firewall function unit 27 executes access control based on the policy table TB2 having the configuration shown in FIG.

  As shown in FIG. 4, the policy table TB2 includes, as data items, a transmission source IP address, a destination IP address, a protocol, an application, passability, a dynamic filter, and the number of sessions.

  The source IP address indicates the source IP address of a packet that is permitted or denied to pass by the firewall function unit 27.

  The destination IP address indicates a destination IP address of a packet that is permitted or rejected by the firewall function unit 27.

  The protocol indicates a protocol (transport layer protocol) that permits or rejects passage through the firewall function unit 27.

  The application indicates a communication application that permits or rejects passage through the firewall function unit 27.

  The passage permission / inhibition indicates whether the firewall function unit 27 permits or rejects the passage of the packet. The reason why the DNS packet from the infected terminal infected with the computer virus (for example, 19) is permitted is to permit access to the fixed DNS response unit 26 described later. In addition, the HTTP packet from the infected terminal is permitted because the communication between the recovery server 17 and the infected terminal is assumed to be Web. Furthermore, 9119 and 8080 are permitted because it is assumed that 9119 and 8080 are used as the TCP port numbers of the recovery server 17.

  The dynamic filter indicates a packet to which so-called stateful inspection packet filtering is to be applied. In the example of FIG. 4, packet filtering by stateful inspection is performed on a packet input to the firewall function unit 27 from a “quarantine VLAN”, that is, a VLAN for isolating a communication terminal infected with a computer virus (19 in this case). Indicates what to do.

  The number of sessions indicates an upper limit value of the number of sessions allowed to pass through the firewall function unit 27 at the same time.

  The infected terminal must forcibly communicate via the quarantine notification server 16 due to the quarantine, but here, a normal terminal not infected with a computer virus also accesses the recovery server 17 via the transmission / reception unit 31. It is configured as possible. The row LN1 of the policy table TB2 is a row for permitting the passage of packets from such a normal terminal. A row refers to a horizontal array excluding data items in a table. In the example of FIG. 4, the policy table TB2 includes four rows LN2 to LN5 in addition to the row LN1.

  The firewall function unit 27 also has a source address conversion function for converting the source IP address of the passed packet PK9, as will be described later.

  The DNAT redirect processing unit 28 sets a destination IP address of a packet supplied to the quarantine notification server 16 and passed through the firewall function unit 27 to a predetermined IP address set in the quarantine notification server 16 (here, the pseudo-NHR). This is a part to be converted into the set 10.10.10.1/24). This conversion is originally necessary for terminating a packet (a packet having a destination IP address indicating another destination) transmitted to another destination (for example, the communication terminal 20) in the quarantine notification server 16. Become.

  The DNAT redirect processing unit 28 also converts the destination IP address of the packet so that the DNS inquiry message (DNS query) addressed to the original DNS server for the infected terminal 19 becomes the inquiry message addressed to the fixed DNS response unit 26. In addition, it has a function of performing conversion of a source IP address of a packet so that a DNS response message (DNS Response) transmitted by the fixed DNS response unit 26 appears as if it was transmitted by an original DNS server. With this function, an IP protocol processing module and resolver (not shown) in the communication terminal 19 need only perform normal processing (the same processing as when communicating with the original DNS server).

  The Web notification processing unit 25 is a part having a Web server function. When infection of the communication terminal 19 is detected, a predetermined warning page W1 is transmitted to the web browsers of other communication terminals (for example, 18) to urge the user (for example, U1) to be alert.

  The warning page W1 is a Web page that displays a list of communication terminals infected with a computer virus. The warning page W1 is generated by the warning page generation / insertion unit 23 and transmitted to a normal terminal (for example, 18). The warning page generation / insertion unit 23 may also generate a web page (infection notification page) W2 for display on a web browser of an infected terminal (for example, 19). The infection notification page W2 indicates that the communication terminal is infected with a computer virus, that access to the recovery server 17 is necessary to remove the computer virus, and the procedure for the access. The content of the communication terminal user (for example, U2) may be transmitted.

  If an HTTP proxy server has been used in the security system 10 before the isolation notification server 16 is installed, it is also desirable that the Web notification processing unit 25 be equipped with the function of an HTTP proxy server.

  The fixed DNS response unit 26 is a part that functions as a DNS server inside the isolated VLAN. When the communication terminal 19 is isolated, it cannot communicate with the original DNS server, and therefore the fixed DNS response unit 26 is required when accessing the Web server (here, the Web notification processing unit 25).

  Hereinafter, the operation of the present embodiment having the above-described configuration will be described with reference to FIGS. 2, 5, and 6 to 17.

  FIG. 5 is a sequence diagram for illustrating operations related to the DNAT redirect processing unit 28, and includes steps S11 to S22.

  2 and 6 to 17 show the operation of each node in the security system 10. 2 corresponds to step ST1, FIG. 6 corresponds to step ST2, FIG. 7 corresponds to step ST3, FIG. 8 corresponds to step ST4, FIG. 9 corresponds to step ST5, and FIG. 10 corresponds to step ST6. 11 corresponds to step ST7, FIG. 12 corresponds to step ST8, FIG. 13 corresponds to step ST9, FIG. 14 corresponds to step ST10, FIG. 15 corresponds to step ST11, 16 corresponds to step ST12, and FIG. 17 corresponds to step ST13.

(A-2) Operation of Embodiment Normally, a communication terminal in the security system 10 can communicate with any communication terminal belonging to the same VLAN as itself. In addition, since the VLAN is not set beyond the router, when the router 14 is exceeded, basically a communication terminal that can communicate freely can be selected. Therefore, when the computer virus is not infected, as shown in step ST1 shown in FIG. 2, the user U2 uses the communication terminal 19 to connect the communication terminal 19 (eg, a Web server) ahead of the relay network 13, for example. 20 can also be communicated.

  At this time, as shown in step ST1 of FIG. 2, the quarantine notification server 16 acquires the contents of the MAC address table TB1 mounted on the layer 2 switch 15 at a time frequency of a certain time (for example, periodically), The contents of the database unit 22 are updated according to the acquisition result. Note that the contents of the database unit 22 may be manually input by an administrator as necessary.

  However, when the communication terminal 19 is infected with the computer virus, unauthorized access to the communication terminal 20 may be executed depending on the function of the computer virus. As shown in step ST2 of FIG. 6, in the isolation notification server 16 that has received the packet PK9 transmitted from the infected terminal 19 from the mirror destination port 15B of the layer 2 switch 15 via the promiscuous port 29, the attack predictor determination unit 21 However, for example, unauthorized access can be detected at an early stage immediately after the start based on the host scan or port scan.

  When it is determined that the packet PK9 is being illegally accessed, the attack predictor determination unit 21 adds the IP address included in the IP header of the packet PK9 and the MAC header of the MAC frame containing the packet PK9. The included MAC address is extracted, the MAC frame and the packet PK 9 are discarded, and the extracted IP address, MAC address, and IP address are passed to the control unit 24.

  Receiving this, the control unit 24 searches the MAC address table TB1 stored in the database unit 22 based on the MAC address (source MAC address), and specifies the physical report number of the physical port to be isolated. To do. Then, as shown in step ST3 of FIG. 7, the VLAN-ID associated with the physical port number is rewritten on the MAC address table TB1 mounted on the layer 2 switch 15, and is connected to the physical port. The infected terminal 19 is accommodated in the isolated VLAN.

  Next, as shown in step ST4 of FIG. 8, the control unit 24 uses the IP address (source IP address) extracted together with the MAC address for the policy table TB2 of the firewall function unit 27. Make the necessary settings. Until then, the policy table TB2 blocks most of the packets received by the pseudo NHR (rejects passage), but with this setting, the packet PK9 for unauthorized access transmitted from the infected terminal 19 is Although it is also blocked, the packet PK9 of other specific traffic is allowed to pass. Here, the specific traffic to be passed corresponds to the rows LN2 to LN4 in FIG. Rows LN2 to LN4 allow the isolated infected terminal 19 to communicate with the Web notification processing unit 25 and the fixed DNS response unit 26 in the quarantine notification server 16. When the infected terminal 19 communicates with the recovery server 17, it is allowed to pass through the row LN1 as with other communication terminals (not shown) in the isolated VLAN.

  Here, even communication (packets) permitted to pass is not allowed to pass unconditionally, and is monitored by the stateful inspection, and only valid ones are allowed to pass. In this monitoring, for example, the validity of the TCP three-way handshake procedure, whether the number of sessions per second is not more than a predetermined upper limit, or whether the number of UDP pseudo sessions is not more than a predetermined upper limit, etc. Is examined. All of these are countermeasures against well-known attack techniques. These items are monitored, and the firewall function unit 27 blocks traffic according to the monitoring result, so that the quarantine notification server 16 itself, It is possible to prevent the recovery server 17 from being exposed to an attack by the infected terminal 19 in the isolated VLAN.

  Further, since the line LN1 is set to pass specific traffic (corresponding to the TCP port number 9119), communication between the recovery server 17 and the infected terminal 19 is also limited to this traffic. Thereby, for example, even if the communication protocol used by the anti-virus software on the recovery server 17 and the infected terminal 19 is not standard and is vendor-specific, the communication between the two is relayed by the isolation notification server 16. For example, virus definition files can be updated.

  Thereafter, in step ST10 shown in FIG. 14, the warning page W1 can be transmitted to a normal terminal (here, 18). Since the Web is a pull-type communication application, at this time, if the user U1 of the normal terminal 18 does not use the Web browser on the normal terminal 18, the warning page W1 cannot be transmitted to the normal terminal 18. If used, it can be transmitted.

  When the Web notification processing unit 25 has the function of the HTTP proxy server and the corresponding setting is performed on the communication terminal 19, whatever URL is specified by the user U1 in the Web browser, the URL When a Web page corresponding to the above is displayed, communication via the Web notification processing unit 25 as an HTTP proxy server is performed, so that a warning page W1 can be displayed along with the display.

  When the Web notification processing unit 25 does not have the function of the HTTP proxy server or when the corresponding setting is not performed in the communication terminal 19, an external Web is used as in step ST11 shown in FIG. By uploading a file constituting the warning page W1 from the quarantine notification server 19 on the server 9 and allowing the normal terminal 18 to access the warning page W1 on the Web server 9, the warning page W1 is displayed on the normal terminal 18 on the screen. Can be displayed.

  The user U1 of the normal terminal 18 who has read the content of the warning page W1 refrains from communicating with the infected terminal 19 or not necessarily urgently, or the OS (operating system) of the normal terminal 18 is a firewall. If it is equipped with a function, take measures such as enabling its firewall function to prevent the spread of computer virus infection and use a server or relay device infected with a computer virus. Can reduce the possibility of encountering secondary damage that may occur. Note that the firewall function provided in the OS of the communication terminal 18 generally limits the degree of freedom of communication due to its activation, and places a load on the processing capability of the CPU (central processing unit) of the communication terminal 18. In many cases, it is usually disabled.

  On the other hand, it is necessary to display the infection notification page W2 on the infected terminal 19, but since the infected terminal 19 already belongs to the isolated VLAN at this point, the processing at that time displays the warning page W1 on the normal terminal 18. There is a difference from the case of making it. That is, the firewall function unit 27, the DNAT redirect processing unit 28, and the fixed DNS corresponding unit 26 function to supply Web access from the infected terminal 19 to the Web notification processing unit 25.

  When an HTTP request message is transmitted from a web browser for web access, name resolution by DNS is basically performed before that, but name resolution by the infected terminal 19 is shown in the sequence diagram of FIG. Proceed as shown. FIG. 5 shows that DNS name resolution is possible even in an isolated VLAN in which the original DNS server does not exist.

  For example, in step S15, the resolver of the communication terminal 19 is “10.30.10.100:53”, which is the IP address of the original DNS server (note that 53 is a well-known port number of DNS, and is omitted below) In step S16, the DNAT redirect processing unit 28 converts “10.30.10.100” into “10.10.10.1” and fixes the inquiry message. It is delivered to the DNS response unit 26. In response to the inquiry message transmitted by the fixed DNS response unit 26 in step S17, the DNAT redirect processing unit 28 sets “10.10.0.1” as the transmission source IP address to “10.30”. .10.100 ".

  Therefore, the IP protocol processing module and resolver of the infected terminal 19 that has received the response message in step S18 need only perform normal processing (the same processing as when communicating with the original DNS server) as described above. .

  When the Web browser of the infected terminal 19 that has completed name resolution in this way transmits an HTTP request message, for example, as in step S19 shown in FIG. 5, the HTTP request message is processed by the DNAT redirect processing unit 28 as a Web notification process. Accordingly, the Web notification processing unit 25 returns the HTTP response message in step S21 in response thereto. If an HTTP response message containing the infection notification page W2 is transmitted before and after the HTTP response message, the Web browser of the infected terminal 19 that has received the HTTP response message via the DNAT redirect processing unit 28 or the like The infection notification page W2 can be displayed on the screen.

  In many cases, the user U2 recognizes that his / her communication terminal 19 is infected with a computer virus only by browsing the infection notification page W2 displayed on the infected terminal 19. As described above, if the infection notification page W2 conveys that it is necessary to access the recovery server 17 in order to remove a computer virus or the like, the user U2 is prompted to perform the recovery operation. it can. As a result, it is possible to prevent infection by the computer virus and the spread of damage compared to the case where the computer U continues to operate on the communication terminal 19 for a long time without the user U2 knowing the fact.

  Although the work to be performed using such an infection notification page W2 is not completely automated, it is partially automated, so it is a semi-automatic work and is highly convenient for the user U2. .

  The infection notification page W2 can have various configurations. A link (button) to the recovery server 17 is prepared, and the user U1 can easily access the recovery server 17 by clicking the button. be able to.

  This access is executed via the quarantine notification server 16 as shown in step ST6 of FIG. In this access, the source address translation function of the firewall function unit 27 described above operates.

  The source address conversion function uses the source IP address “10.10.10.3/24” of the packet PK9 corresponding to the IP address of the infected terminal 19 as the IP address of the IP interface of the quarantine notification server 16 “ The packet PK9 is relayed after being rewritten to "10.0.30.119/24".

  If the packet PK9 is simply relayed without performing such conversion, a problem occurs in the ARP procedure executed before the normal NHR of the router 14 transmits the packet in order to transmit the response from the recovery server 17. . In other words, the MAC address corresponding to “10.10.10.3” is inquired by the ARP request transmitted from the regular NHR, and it is not the isolation notification server 16 but the infected terminal 19 that responds to this inquiry. Therefore, inconsistency occurs in the relay by the isolation notification server 16.

  In the case of the configuration shown in FIG. 10, the two IP interfaces (“10.10.10.1/24” and “10.10.30.119/24”) of the quarantine notification server 16 are network addresses (here However, since “10.10.10” and “10.10.30”) are different, there is only one IP interface in the same subnet. For example, in the configuration of FIG. It will have IP interfaces (“10.10.10.1/24” and “10.10.10.119/24”).

  In the configuration of FIG. 11, when the quarantine notification server 16 transmits the packet PK9 transmitted from the infected terminal 19 and delivered to the recovery server 17 to relay it, the IP interface of “10.10.10.119/24” On the other hand, in the transmission for relaying the response packet returned from the recovery server 17 to the infected terminal 19, the IP interface (pseudo NHR) of “10.10.10.1/24” is transmitted. It is recommended to send an ARP request from.

  In any case, downloading of a virus definition file or the like from the recovery server 17 to the infected terminal 19 via the quarantine notification server 16 is completed, and the user U2 on the infected terminal 19 is infected with the infected terminal 19 by the computer virus. If the removal or the like succeeds, as shown in step ST8 of FIG. 12, the user U2 operates a return button prepared on a predetermined Web page, and notifies the quarantine notification server 16 to that effect. If the determination of the user U2 is correct, the communication terminal 19 is no longer an infected terminal at this point.

  This Web page may be the same page as the infection notification page W2, or may be a separate page.

  When the return button is operated, a predetermined HTTP request message is delivered to the quarantine notification server 16, and processing such as release of quarantine of the communication terminal 19 and deletion of the communication terminal 19 from the list on the warning page W1 are sequentially performed. Executed.

  However, since the judgment of the user U2 may be wrong, it is determined whether or not the attack predictor determination unit 21 attempts unauthorized access for the packet PK9 received by the transmission / reception unit 32, After confirming that no unauthorized access attempt has been made, the communication terminal 19 may be released from isolation or the like. In this determination, if a determination result indicating that an unauthorized access attempt has been made is obtained, a Web page including a description to that effect is transmitted to the communication terminal 19, and a computer is still running on the communication terminal 19. The user U2 may be notified that the virus is operating.

  The release of the quarantine corresponds to the port number of the physical port to which the communication terminal 19 is connected by rewriting the contents of the MAC address table TB1 mounted on the layer 2 switch 15 by the control unit 24 of the quarantine notification server 16. This can be realized by returning the VLAN-ID to be returned to the value before isolation.

  Also, deleting the communication terminal 19 from the list on the warning page W1 means that the new warning page W1 from which the communication terminal 19 has been deleted from the list is sent to the warning page generation / insertion unit 23 as shown in step ST12 of FIG. This is realized by making it generate. The new warning page W1 is displayed on the normal terminal 20 in the same procedure (via the HTTP proxy or the Web server 9 (case in FIG. 17)) as when the warning page W1 was previously displayed on the normal terminal 18. The If the infected terminal no longer exists in the security system 10 due to the removal of a computer virus on the communication terminal 19 or the like, instead of the warning page W1, a Web page including a description to that effect is displayed. It may be displayed on a communication terminal (19 may be included).

  In the present embodiment, even when it is found that the communication terminal 19 is infected with a computer virus, traffic in the upstream direction (for example, the direction from the communication terminal 19 toward the relay network 13 or the recovery server 17) increases. There is hardly anything. Further, when the isolation is performed from a state in which a computer virus that has infected the communication terminal 19 has already transmitted a copy of itself to increase the traffic in the upstream direction, the communication terminal 19 is isolated in the isolation VLAN. In addition, by blocking the traffic with the firewall function unit 27, it is highly likely that the traffic in the upstream direction will be significantly reduced.

  In the downstream direction, there is a possibility that it will increase somewhat due to the download of the virus definition file, etc., but this is a very slight increase compared to the increase in abnormal traffic caused by attacks by computer viruses. The communication of other communication terminals (for example, 18) in the security system 10 is not affected by this.

(A-3) Effects of the Embodiment According to the present embodiment, the administrator does not need to change the blocking rule step by step as in Patent Document 1, and thus the convenience is high.

  Also, from the standpoint of individual users (for example, U2), tell them that the communication terminal they are using is infected with a computer virus or that other communication terminals are infected with a computer virus. Therefore, convenience and security are improved.

  Further, in this embodiment, even when it is found that a certain communication terminal (for example, 19) is infected with a computer virus, the physical connection relationship of each node in the network (10) is changed. It is highly convenient in the sense that there is no need to change or change the IP address set in the IP interface.

  Furthermore, in this embodiment, an increase in upstream traffic can be suppressed, so that a limited communication band in the network (10) can be used effectively.

(B) Other Embodiments Functions provided in one server in the above embodiments may be distributed to separate servers, and functions distributed to separate servers are concentrated on one server. Also good.

  For example, the function of the recovery server 17 can be arranged in the quarantine notification server 16.

  However, in the configuration of the above embodiment illustrated in FIG. 2 and the like, the isolation notification server similar to the isolation notification server 16 is arranged for each layer 2 switch, and only one recovery server 17 is prepared for the entire security system 10. This is advantageous in that the function can be saved.

  Regardless of the embodiment, it is possible to prepare another router separate from the router 14 and use the router when an infected communication terminal (for example, 19) is isolated. In that case, the router 14 does not need to have a function of setting two logical ports in one physical port.

  In the above embodiment, each process is performed using the Web. However, at least a part of the process may be replaced with another communication application. For example, there is a possibility that the warning page W1 and the infection notification page W2 can be replaced by e-mails.

  Further, there is a possibility that the network configuration shown in FIG. 2 can be changed.

  For example, in FIG. 2 and the like, many IP addresses and subnet values are illustrated, but it is natural that these values can be changed to other values.

  Furthermore, it is also possible to adopt a network configuration using one layer 3 switch provided with the functions of the router 14 and the layer 2 switch 15 together.

  Further, there is a possibility that the configuration of the table shown in FIG. 3 or 4 can be changed.

  Furthermore, there is a possibility that the order of the operations described in the above embodiments can be changed.

  For example, if necessary, the warning page W1 may be transmitted to each normal terminal at the same time as or before the isolation of the infected terminal 19 into the isolation VLAN.

  In the present invention, the following four variations (V1) to (V4) can be used as a method for realizing substantially the same function as that of the above embodiment.

(V1) Agent software type (V2) Adapter type (V3) Object software type (V4) IDS type Among these, the outline of (V1)-(V3) is shown in FIG.

  In FIG. 18, the part PT1 corresponds to the variation (V1), the part PT2 corresponds to the variation (V2), and the part PT3 corresponds to the variation (V3).

  FIG. 18 does not indicate that these variations (V1) to (V3) need to coexist in one security system 40. It is possible to coexist, but it is natural that any one variation may be unified.

  Further, WFS (Work Flow Server) 57 and 58 are functions unique to these variations, and have a function corresponding to the quarantine notification server 16 and a function corresponding to the recovery server 17, and are semi-automatic by the user of each communication terminal. Can be restored.

  In the variation (V1), each communication terminal (for example, 64) is equipped with a predetermined agent software AG1, and the agent software AG1 serves as a main body to realize each function.

  The agent software AG1 has a function corresponding to the attack sign determination unit 21 and a function corresponding to the firewall function unit 27, and when detecting that the communication terminal 64 is infected with a computer virus, the agent software AG1 Block all but the specific traffic required for 64 recovery. Thereby, it is possible to prevent a computer virus from attacking an external communication terminal (such as a server).

  If the agent AG1 cannot detect an attack caused by a computer virus, the attack packet is received by the IDS 59 via the mirror tap 48, and the attack is detected by the IDS 59. In any case, when an attack (infection) is detected, the redirect GW 56 supplies all packets from the communication terminal 64 to the WFS 57. As shown in FIG. 18, the packet transmitted from each communication terminal (for example, 64) before reaching the proxy servers 52 and 53 must have a network configuration via the redirect GW 56, so that the computer virus is infected. It is also possible to prevent the communication terminal 64 being in communication with any communication terminal in the security system 40.

  The function of the mirror tap 48 is the same as that of a repeater type hub except that waveform shaping is not performed.

  When the IDS 59 detects an attack or when the agent software AG1 detects that the communication terminal 64 is infected with a computer virus, the manager 60 is notified of this, and the manager 60 controls the redirect GW 56, thereby All packets transmitted from the communication terminal 64 are supplied to the WFS 57.

  In the variation (V2), instead of the agent software AG1, the adapter device (eg, 63) blocks a packet transmitted to the outside due to an attack by a computer virus infected with a communication terminal (eg, 66). The point may be the same as the variation (V1).

  In the variation (V3), object software BJ1 is installed in each communication terminal (for example, 68) instead of the agent software AG1.

  The function of the object software BJ1 may be basically the same as that of the agent software AG1. However, since the object software AG1 is realized in the form of a Java (registered trademark) script or Java applet, there are many functional restrictions compared to the agent software AG1, but the development is easy and the installation is not time-consuming. There is.

  Note that the IDS type of the variation (V4) does not implement any special function in each communication terminal. When the IDS detects a packet for an attack, it instructs the redirect GW 56 to All subsequent packets transmitted from the communication terminal that can be specified by the transmission source IP address are supplied to the WFS 57. With this IDS type, there is a possibility that infection will spread inside the security system 40 depending on the network configuration, but it is possible to prevent the spread of infection to the outside such as the Internet 41.

  Further, the present invention is naturally applicable to communication protocols other than those used in the above embodiment.

  As an example, there is a possibility that the IPX protocol or the like can be used as a communication protocol of the network layer.

  In the above description, most of the functions realized in hardware can be realized in software, and almost all the functions realized in software can be realized in hardware.

  For example, when an unauthorized function corresponding to the computer virus or the like is incorporated in a communication device (for example, a personal computer) in hardware, the unauthorized function is removed or lost by communication with a recovery server. Although it is considered difficult, it is possible to isolate a personal computer with an unauthorized function or to alert other personal computers.

It is the schematic which shows the internal structural example of the isolation | separation notification server used with the security system concerning embodiment. It is the schematic which shows the example of whole structure of the security system concerning embodiment. It is the schematic which shows the structural example of the MAC address table used by embodiment. It is the schematic which shows the structural example of the policy table used by embodiment. It is a sequence diagram which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is operation | movement explanatory drawing which shows the operation example of embodiment. It is the schematic which shows the example of whole structure of other embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Security system, 11-13 ... Network, 14 ... Router, 15 ... Layer 2 switch, 16 ... Quarantine notification server, 17 ... Recovery server, 18-20 ... Communication terminal, 21 ... Attack sign determination part, 22 ... Database part , 23 ... Warning page generation / insertion unit, 24 ... Control unit, 25 ... Web notification processing unit, 26 ... Fixed DNS response unit, 27 ... Firewall function unit, 28 ... DNAT redirect processing unit, 29 ... Promiscuous port, 30-32 ... transmission / reception unit, PK9 ... packet.

Claims (6)

In a communication system that increases the security of each communication device in a network including a plurality of communication devices,
Any communication device in the network operates an unauthorized function unit having an unauthorized access function or detects that the unauthorized function unit is present and transmits a detection signal. An unauthorized function detector to
When the unauthorized function detecting unit transmits a detection signal, the unauthorized function communication device is isolated, and an isolation executing unit that forcibly disables communication with another communication device;
A communication system, comprising: a warning promoting unit that transmits a warning signal indicating that a detection signal has been transmitted to another communication device when the unauthorized function detection unit transmits a detection signal, and that prompts the user to be alert. The communication system of claim 1.
When the unauthorized function unit is an unauthorized program, a communication device for recovery is provided so that at least the unauthorized program is not executed on the unauthorized function communication device by communicating with the unauthorized function communication device after isolation. A communication system characterized by the above. The communication system of claim 2,
One or a plurality of layer 2 relay apparatuses that perform a relay process in layer 2 and have a VLAN function;
One or a plurality of layer 3 relay devices that perform relay processing in layer 3, and at least one of the layer 3 relay devices is other than the restoration communication device, the unauthorized function communication device, and the unauthorized function communication device When intervening between the three communication devices, and between the unauthorized function communication device and the layer 3 relay device, the layer 2 relay device,
The layer 2 relay device also sends a copy packet, which is a copy of a packet sent for relay from a copy source port that is a port connected to the layer 3 relay device, from a predetermined copy destination port,
The unauthorized function detection unit is connected to the copy destination port,
When the isolation execution unit receives the detection signal from the unauthorized function detection unit, the isolation execution unit rewrites the contents of the layer 2 address table installed for the layer 2 relay device to perform relay processing at layer 2 to reconfigure the VLAN. Perform the quarantine by changing the settings,
A plurality of logical ports are set in one physical port connected to the copy source port of the layer 3 relay apparatus, and one of the logical ports is an unauthorized function communication apparatus when the isolation is not performed. Is used to communicate with another communication device, and another logical port is used for the unauthorized function communication device to communicate with the recovery communication device during the isolation. system. The communication system of claim 1.
The warning promotion unit
A communication system, wherein a self-warning signal indicating that the detection signal has been transmitted for the unauthorized function communication device is transmitted to the isolated unauthorized function communication device. In a communication method for improving the security of each communication device in a network including a plurality of communication devices,
The unauthorized function detection unit detects that any communication device in the network operates an unauthorized function unit having an unauthorized access function or is an unauthorized function communication device in which the unauthorized function unit exists. Send a detection signal,
When the unauthorized function detection unit transmits a detection signal, the isolation execution unit isolates the unauthorized function communication device, forcibly making it impossible to communicate with other communication devices,
When the unauthorized function detection unit transmits a detection signal, the warning promotion unit transmits a warning signal indicating that the detection signal has been transmitted to another communication device to prompt the warning. In a communication program for improving the security of each communication device in a network including a plurality of communication devices,
Any communication device in the network operates an unauthorized function unit having an unauthorized access function or detects that the unauthorized function unit is present and transmits a detection signal. An unauthorized function detection function,
When the unauthorized function detection function detection signal is transmitted, the unauthorized function communication device is isolated, and the isolation execution function forcibly making it impossible to communicate with other communication devices,
A communication program that realizes a warning promotion function that transmits a warning signal indicating that a detection signal has been transmitted to another communication device when the unauthorized function detection function transmits a detection signal, and promotes warning .

Images