JP2001014239A - Security system by multiplex system parallel operated computers - Google Patents

Abstract

PROBLEM TO BE SOLVED: To secure the security of systems to be simultaneously and parallel operated without altering the systems by making a monitoring system monitor the contents of inter-system communications with the other system and an illegal inter-system communication control from the other system and preventing the influence of an illegal intrusion and control when an illegality is detected except for the monitoring system. SOLUTION: A multiplex system parallel operation kernel 300 simultaneously and parallel operates plural systems on one computer. A system interruption control part 301 controls the interruption between respective systems and performs assigning or scheduling of processors. Besides, a system operation memory space managing part 302 manages the memories of respective systems and assigns memories for each of respective systems. When an illegal access is performed from one system to the multiplex system parallel operation kernels 300, the multiplex system parallel operation kernel 300 enables a general system itself to stop while using a system start/end control part 304.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a security system provided by a computer capable of simultaneously operating a plurality of systems on a single computer.

[0002] Particularly, in a network using a public line including the Internet, an intranet and an extranet as a backbone line, at least communication control security when a client on the public line accesses a specific site is included.

[0003]

2. Description of the Related Art Conventionally, one system generally operates on a single computer in order to centrally control hardware. Even when a plurality of systems are operated, the system is operated as a virtual computer as in JP-A-7-129419, and the base system of the virtual computer executes all hardware control / resource management. for that reason,
There was a high possibility that security could be easily broken by unauthorized intrusion / operation into the base system.

[0004] Particularly, in a network using a public line including the Internet, an intranet, and an extranet as a backbone line, communication control when a client on the public line accesses a specific site requires a single system or It has been common to use computing devices, such as a combination of single system devices, as security repeaters for communication control. That is, ensuring the security of the repeater computer was an important issue in the system.

[0005]

SUMMARY OF THE INVENTION The present invention utilizes an environment in which a plurality of systems are simultaneously operated in parallel on a single computer, and secures the security of the systems operating in parallel without modifying the systems themselves. I do. According to the present invention, the security of each other's systems is controlled by a unique multi-system parallel operation kernel that operates on the basis and a monitoring system that controls the multi-system parallel operation kernel, when one system is illegally invaded. But it provides security that does not affect other systems. Also, even if one system intrudes from the outside and attempts an unauthorized access via the kernel, when the monitoring system confirms the operation, the system that accessed the system is terminated, such as by terminating the system itself. It also aims to provide an environment that prevents the secondary effects of

In particular, in a network using public lines including the Internet, an intranet, and an extranet as a backbone line, which is dramatically increasing by utilizing the above-mentioned security, a client of the public line destination can access a specific site from a specific site. Provide communication control security function when accessing
At least one purpose. Specifically, the security is ensured by using a computer capable of simultaneously operating the plurality of systems in a repeater computer that is currently generally used in the communication control.

[0007]

Means for achieving the above object will be described with reference to FIG.

First, the present invention has means for operating a plurality of systems in parallel on a single computer. 3 in FIG.
A 00 multi-system parallel running kernel provides the means. Specifically, the 301 system interrupt control unit controls interrupts between the respective systems, and performs processor assignment and scheduling. Also, the 302 system operation memory space management unit manages the memory of each system and performs memory allocation for each system. That is, the multi-system parallel operation kernel (300) can completely control each system,
Kernel for multiple systems running in parallel from one system (3
In the case where unauthorized access is performed to (00), the general-purpose system itself can be stopped using the 304 system start / end control unit.

Secondly, there is a means for hiding hardware that exists on one computer and is independently managed for each system from other systems. The hardware allocation control unit 305 in FIG. 1 provides the means. A hardware allocation control unit (305) manages hardware (401 and 402) independently managed by each system and hardware (400) shared by the systems, and allocates each hardware to each system at startup. The above function makes it possible to separate and hide the hardware of one system from the other system.

Thirdly, there is provided means for controlling communication between a plurality of systems operating in parallel on one computer.
303 in the 300 multiplex system parallel operation kernel of FIG.
The inter-system internal communication control unit provides the means. 30
The three-system internal communication control unit independently provides a function of communicating between systems without communication to the outside of a computer such as a network, and can also provide a function of restricting access to communication between systems as necessary. .

[0011] By using the above means, security that one system operating on one computer does not affect other systems can be realized without remodeling the system itself. It can be used as a repeater system that provides an advanced communication control security function when accessing inside.

[0012]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of the present invention will be described with reference to the drawings.

FIG. 1 is a diagram for explaining the system configuration of the present invention. 100 is one computer. 201, 20
Reference numeral 2 denotes a system operating on the computer (100), and at least an operating system (O
S) is computer control software including middle software. Reference numeral 300 denotes a multi-system parallel operation kernel operating on the computer (100), and the system (201, 2).
02) on a single computer. In the multi-system parallel operation kernel (300), 301 system interrupt control unit, 302 system operation memory space management unit, 303 inter-system internal communication control unit, 3
04 system start / end control unit. Also, in the multi-system parallel operation kernel (300), there is one function of a 305 hardware allocation control unit that manages hardware existing in the computer and enables hardware allocation for each system. Reference numeral 401 denotes hardware in the computer (100) managed by the system 1 (201), and reference numeral 402 denotes hardware in the computer (100) managed by the general-purpose system 2 (202). On the other hand, 400 is hardware commonly used by all the systems existing in the computer (100). In this embodiment, for simplicity of description, two systems operate in one computer (100). However, a plurality of these systems can exist.

Multi-system parallel operation kernel (300)
Starts when the computer (100) is started, and prepares an environment for operating a plurality of systems (201, 202). The 302 system operation memory space management unit allocates a necessary memory space for each system, and each system can be loaded on the allocated memory space.
In addition, the 301 system interrupt control unit allocates a processor used by each system at the time of startup. Of course, this assignment is for the case where a plurality of processors exist in the computer (100). If there is only one processor, the system interrupt control unit (301) manages the interrupt scheduling of the processors after startup, and Control is performed to pass the processing to each system accordingly.

As described above, a plurality of systems can be operated on a single computer at the same time in parallel and independently, and without any change or modification of the system itself.

The hardware allocation control unit (305) also includes:
It functions as a part of the multi-system parallel operation kernel (300) when the computer (100) is started, and allocates hardware (401, 402) that each system independently manages and hardware (400) that is shared and used. When the hardware information is acquired from the system (201, 202) accessible to the user after the startup, the system 1 management hardware (401) and the system common management hardware (400) are transmitted from the system 1 (201). 2 (202), the system 2 management hardware (402) and the system common management hardware (400) can be obtained. That is, hardware information not managed by the own system, system 1 (2
01), the system 2 management hardware (402) and the system 2 (202)
The information 1) cannot even be detected.

By utilizing the functions described above,
It is possible to realize a plurality of completely independent computer environments on one computer.

Multi-system parallel operation kernel (300)
Mediates and controls internal communication between a plurality of systems operating thereon. This is realized by the 303 system internal communication control unit. Since the internal communication does not transmit information to the outside at all, the content of the communication is less likely to be eavesdropped and the security is high as compared with the case where communication is actually performed between a plurality of computers. Also, since the communication interface is only visible from the system, the multi-system parallel operation kernel (3.
Unless the structure of (00) is known, there is little possibility that the contents of the communication will be decrypted. Further, if necessary, it is possible to set an access restriction by communication between the systems. For example, when communication is performed between the system 1 (201) and the system 2 (202), communication of only the request and the response from the system 2 (202) is permitted, and the communication request from the system 1 (201) is ignored. It is also possible to make various settings. If the above-mentioned access restriction is set, the system 2 (201) will inform that the access restriction is illegal or that an unauthorized intruder performs an illegal operation / control on the system 1 (201). If detected on the (202) side, 3
04 The computer (10
It is also possible to end or restart the system 1 (201) while the system (0) is running.

As can be understood from the above description, by adopting the configuration as shown in FIG. 1, even if an unauthorized intruder performs an illegal operation / control on a system operating on a computer, the security is always maintained. A high response is possible.

Next, an example of use of the present invention will be described with reference to FIGS. However, this is merely an example of use, and it is possible to achieve various security effects by adopting a similar configuration.

FIG. 2 is a diagram showing a network in which a public line including the Internet, an intranet, and an extranet, which is currently generally used, is used as a backbone line when a client on the public line accesses a specific site. FIG. 3 is a diagram illustrating a configuration of communication control.

The configuration of FIG. 2 will be described. 10
00 is an external client computer. Reference numeral 1001 denotes interface hardware for performing communication with the external client computer (1000). A common example is a LAN board /
Cards, modems, and the like. A system 1002 operates on the external client computer (1000). 100
Reference numeral 3 denotes client software that operates on the system (1002). A public line 2000 is a communication path for a request / reply packet of the client software (1003). Reference numeral 3000 denotes a specific site to which the client software (1003) sends a request / reply packet. An example is a network site closed on the company's internal network, said site being a public line
(2000) and the access point of the internal network in the enterprise. 3100 is a specific site (300
0) and a specific site (300)
This is a security network located in the middle of the internal network in 0), and is generally called a boundary network. Reference numeral 3110 denotes an information device which is located between the public line (2000) and the boundary network (3100) and performs filtering of communication packets passing through each other's network, and is generally called an external router. Reference numeral 3111 denotes an external router (3110), which is an external <-> boundary communication control unit that actually provides a packet filtering function. Reference numeral 3120 denotes a boundary server computer which is on the boundary network (3100) and checks the validity of communication from the client software (1003) and performs authentication. 3121 is a boundary server computer (3
120) Interface hardware for performing the communication. Reference numeral 3122 denotes a system operating on the boundary server computer (3120). Reference numeral 3123 denotes server software operating on the system (3122), and is called a boundary server. Reference numeral 3124 denotes a client designation processing corresponding unit for performing, on the boundary server (3123), validity confirmation and authentication of communication from the client software (1003), and transmitting a processing packet to the internal network of the specific site (3000) if necessary. 3200 is an internal network within the specific site (3000). 3210 is a boundary network (310
0) and an internal network (3200), which is an information device for filtering communication packets that pass through each other's network, and is generally called an internal router. Reference numeral 3211 denotes an external router (3210), which is an internal <-> boundary communication control unit which actually provides a packet filtering function. Reference numeral 3220 denotes an internal network which executes processing such as a client in the internal network (3200) and a processing from the client designation processing corresponding unit (3124) on the boundary server computer (3120). Server calculator. 3230 is an internal network
Internal client computer in (3200). In the present invention, a computer is written with a very small configuration for simplicity of description, but there are many devices that play the same role in actual cases.

Next, a communication processing flow when the external client computer (1000) accesses the internal network (3200) in the specific site (3000) will be described with reference to FIG. The process starts at 4000. At 4001,
The client software (1003) on the external client computer (1000) issues a processing request packet to the specific site (3000). The final destination of the processing request packet is an internal server computer (3220) or an internal client computer (3220) on the internal network (3200).
30), the packet request actually issued is sent to the boundary server computer (31) on the boundary network (3100).
20). At 4002, the external client computer (1
000) issued by the public line (200
0) to the external router (3110). 40
03, the external <-> boundary communication control unit (3111) in the external router (3110) performs packet filtering, determines the destination and packet type, and confirms the validity of the processing request packet to the boundary server computer ( 3120). Here, if the validity of the packet is incorrect, the process is terminated (4010).

At 4004, the boundary server computer (3120)
The processing request packet that has arrived at the boundary server computer (31
20), is sent to the boundary server (3123), and the client designation processing corresponding unit (3124) confirms the contents of the packet and authenticates the sender, and when the validity is confirmed,
In order to newly send the packet to the internal network (3200) from the client designation processing unit (3124), packet conversion and necessary authentication processing are performed, and the packet is transmitted to the internal router (3210). Here, if the validity of the packet contents is incorrect or if the authentication of the sender fails, the process ends (4010). At 4005, the internal router (32
The packet filtering of the internal <-> boundary communication control unit (3211) in 10) is performed, the converted packet type is determined, and the destination is confirmed. Sent to

On the other hand, if the packet type is invalid or the destination confirmation fails, the process is terminated (4010). 400
In step 6, the packet arriving at the internal network (3200) is sent to the internal server computer (322
0) and the internal client computer (3230) to execute the processing request. The above is the external client computer
(1000) is a series of communication processing flow when accessing the internal network (3200) in the specific site (3000).

Here, the problem of security in the configuration of FIG. 2 will be described.

Generally, packets flowing through the public line (2000) or the network of a specific site (3100, 3200) are subjected to content encryption and the like, and are designed to be relatively safe even if wiretapping occurs. Have been. However,
A boundary server existing on the boundary network (3100)
System (3122) that operates as the base of (3123)
Is generally composed of a distribution OS and middle software, and its internal structure and the like are easily analyzed. In addition, the role of the boundary server (3123) is to process information from the outside and to transmit information to the outside.
The security level of the external router (3110) is often set lower than that of (10). Therefore, it is easy for an external unauthorized intruder to attempt unauthorized intrusion into the boundary server computer (3120) on the boundary network (3100) or to send an unauthorized analysis program.

When an unauthorized intrusion or an unauthorized program is sent, analysis and falsification of the contents of the processing request packet to be sent and analysis and falsification of the packet sent to the internal network are executed. Eventually, intrusion into an internal network such as within a company is permitted, and leakage of confidential information and the like and transmission of a virus or the like are performed, which often causes serious damage. Of course, as a countermeasure, a boundary network (3100)
System (3122) on the boundary server computer (3120)
Can be operated as a unique system.
However, in this case, it is necessary to prepare a completely unique application such as a server operating on the system, and the versatility is significantly reduced.

To solve the above security problem, a boundary server computer on a boundary network (3100)
FIG. 4 shows a configuration diagram when the system configuration of the present invention described in FIG. 1 is applied to (3120).

The configuration of FIG. 4 will be described. 10
00, 1001, 1002, 1003, 2000, 30
00, 3100, 3110, 3111, 3120, 31
21, 3122, 3122, 3123, 3124, 32
00, 3210, 3211, 3220 and 3230 are shown in FIG.
This is the same as the configuration described in. Reference numeral 300 denotes the multi-system parallel operation kernel described with reference to FIG. Reference numeral 3125 denotes a client-designated processing request storage unit which is a storage area for temporarily storing a processing request packet from the external client (1000). 3126 is a boundary server computer (312
Interface hardware for performing communication with the internal server computer (3220) on (0). 3127 is for monitoring the contents of the client designated processing request storage unit and the system (31).
22) Monitoring system for monitoring unauthorized operation / intrusion. 332
1 is interface hardware for performing communication with the internal server computer (3220). Reference numeral 3222 denotes a system that operates on the internal server computer (3220). Reference numeral 3223 denotes server software that operates on the system (3222), and is called an internal server. 3224 is a monitoring system
(3127) A client designation processing request acquisition unit that acquires a processing request packet from the external client (1000) from the client designation processing request storage unit (3125) according to the instruction of (3127). Reference numeral 3225 denotes a client-designated processing internal network corresponding unit for receiving a processing request packet from the client-specified processing request acquisition unit and sending the processing request packet to a designated computer in the internal network. Reference numeral 3226 denotes a boundary server computer (3120) on the internal server computer (3220).
Interface hardware to communicate with the Three
Reference numeral 300 denotes the communication interface hardware (3326) of the internal server computer (3220) and the boundary server computer (31
20) A dedicated gateway LAN which is a network connecting the communication interface hardware (3126).

The feature of this configuration is that the boundary server computer (31
20), the multi-system operation kernel (3) described in FIG.
00) has just been adopted. The multi-system operation kernel (300) loads the monitoring system (3127) in addition to the conventional system (3122) when the boundary server computer (3120) is started. These are described in FIG.
This is realized by a system interrupt control unit (301) and a system memory space management unit (302). Each system operates on one computer, but the system (31
22) is a monitoring system for the boundary network (3100).
(3127) is connected to the dedicated gateway LAN (3300),
Each is connected to a completely different network. In terms of hardware, the communication interface hardware (3121, 3126) managed by each system is configured so as not to detect hardware information of another system. This is realized by the hardware allocation control unit (305) described with reference to FIG. In other words, an environment in which computers having completely different security levels are independently mixed on one computer is configured.

The monitoring system (3127) periodically sends the system (3127) via the multi-system parallel kernel (300).
22) Monitor the side. For this reason, the multi-system parallel kernel (300) permits access to the communication request and the response from the monitoring system (3127), but the opposite system.
A setting is made so that the communication request from (3122) is not accepted. This is realized by the inter-system internal communication control unit described with reference to FIG. If the external client (100
If the system (3122) side is receiving the processing request packet from (0), the monitoring system (3127)
Sends an instruction to the internal server computer (3220) via the dedicated gateway LAN (3300),
220) acquires the processing request packet, and finally sends the processing request packet to the designated computer in the internal network.

In the case where an unauthorized person has entered the system (3122) on the boundary server computer (3120) or an unauthorized program has been sent, the monitoring system (3127) detects this and a multi-system parallel kernel (3127). In the case where an unauthorized access is attempted to the system (300), the multi-system parallel operation kernel (300) detects and notifies the monitoring system (3127), and the system is instructed by the monitoring system (3127).
The end / reboot of the (3122) side is executed, and the notification is sent to the administrator. This is realized by the system start / stop control unit (304) described in FIG.

FIG. 5 illustrates a communication processing flow when the external client computer (1000) using the configuration of FIG. 4 accesses the internal network (3200) in the specific site (3000). The processing until the processing request packet is sent to the boundary server computer (3120) is the same as that in FIG. 3, and the subsequent description will be made here. 5000
Starts the process. 5001, the boundary server computer
The processing request packet arriving at (3120) is sent to the boundary server (3123) in the boundary server computer (3120), and the client specification processing corresponding unit (3124) confirms the packet contents and authenticates the sender. When the validity is confirmed, it is stored in the client specification processing request storage unit (3125) from the client specification processing corresponding unit (3124). Here, if the validity of the packet content is invalid or if the authentication of the sender fails, the processing is terminated (501).
0). At 5002, the monitoring system (3127) checks the client-specified processing request storage unit (3125) via the multi-system parallel operation kernel (300), and if there is a processing request packet, checks the packet contents and checks the valid packet. If so, the dedicated gateway LAN (330
0), it issues a packet acquisition instruction to the client designation processing request acquisition unit on the internal server (3223). Again, if the validity of the content is incorrect, terminate the process
(5010). In 5003, the client designation processing request acquisition unit sends the client designation processing request storage unit (312).
From 5), a processing packet is acquired, and the packet is sent to the client-designated processing internal network corresponding unit (3225). In 5004, the client designation processing internal network corresponding unit (3225) finally executes an internal server computer (3220) or an internal client computer.
(3230), and the processing request is executed. The above is a series of communication processing flows when the external client computer (1000) accesses the internal network (3200) in the specific site (3000) when the system configuration of the present patent is used.

The description of one embodiment of the present invention has been completed.

[0036]

The present invention utilizes an environment in which a plurality of systems are simultaneously operated in parallel on a single computer, and secures the security of the systems operating simultaneously in parallel without modifying the systems themselves. Also, even if one system is illegally invaded, the intruded system itself is terminated /
By performing a reboot, it is possible to prevent secondary effects on other systems and to ensure security without affecting other systems.

In particular, in a network using a public line including the Internet, an intranet, and an extranet as a backbone line, in the communication control when a client on the public line accesses a specific site, the communication control repeater is used. Security can be ensured.

[Brief description of the drawings]

FIG. 1 is a system configuration diagram of the present invention.

FIG. 2 is a configuration diagram of current communication control over a public line.

FIG. 3 is a flow chart of a current communication control process over a public line.

FIG. 4 is a configuration diagram when the present invention is used for communication control over a public line.

FIG. 5 is a flowchart of communication control processing across public lines according to the present invention.

[Explanation of symbols]

100: Computer, 201: System 1, 202: System 2, 300 ... Multi-system parallel operation kernel, 301
... System interrupt control unit 302, System operation memory space management unit 303 Inter-system internal communication control unit 304
... System startup / end control unit, 305: Hardware allocation control unit, 400: System shared management hardware, 40
1 ... System 1 management hardware, 402 ... System 2
Management hardware.

 ──────────────────────────────────────────────────続 き Continuing from the front page (72) Inventor Osamu Oshima 1099 Ozenji Temple, Aso-ku, Kawasaki City, Kanagawa Prefecture Inside System Development Laboratory, Hitachi, Ltd. F-term (reference) in Hitachi, Ltd. Software Division 5B017 AA01 BA06 BA07 BB03 CA15 CA16 5B085 AE06 BG07 5B089 GA21 HA10 JB16 JB22 KA17 KB13 KC52 KC58 ME12

Claims (8)

[Claims] 1. A computer system in which a plurality of systems are simultaneously operated in parallel on a single computer. In an environment in which a monitoring system, which is at least one system, is mainly used and information is exchanged with another system by inter-system communication, The monitoring system monitors at least the content of the inter-system communication with another system, authentication information, and unauthorized inter-system communication control from the other system. A security system based on a multi-system parallel operation computer, wherein when the monitoring system detects that the operation has been performed, at least the monitoring system is not affected by unauthorized intrusion and control. 2. The security system according to claim 1, wherein a plurality of system operating environments operating on one computer operate in completely independent environments. 3. A system according to claim 1, wherein a plurality of systems operating on one computer can allocate hardware existing on one computer at the time of starting the computer as hardware managed by each computer. A security system based on a multi-system parallel operation computer. 4. The communication system according to claim 1, wherein communication between a plurality of systems operating on one computer is possible by communication between systems in the device, and access restriction is set for communication between systems in the device. Characterized in that it is possible,
A security system based on a multi-system parallel operation computer. 5. The system according to claim 1, wherein when an unauthorized intrusion or unauthorized control is performed in one system, only the system in which the unauthorized intrusion and control has been performed is terminated and reset without resetting a power supply of an apparatus. A security system based on a multi-system parallel operation computer, which does not affect other systems. 6. A computer in which a plurality of systems according to claim 1 operate at the same time in parallel as one relay computer for a system that performs communication control via a public line, and one of said plurality of systems is used as a relay computer. It becomes a surveillance system and monitors other systems, the surveillance system provides an environment connected to the internal line, the other system provides an environment connected to the external public line,
By using the features of Claims 1, 2, 3, 4, and 5, the provided environment can be used when at least an unauthorized intrusion, control, or attack from outside is performed on a system connected to a public line. However, a security system using a multi-system parallel operation computer characterized in that a secure environment can be provided in an internal line without being affected by the unauthorized intrusion, control, and attack. 7. The security system according to claim 6, wherein the public line includes at least the Internet, an intranet, and an extranet. 8. The security system according to claim 6, wherein the relay computer according to claim 6 includes at least a firewall and a packet converter.