JP2002094509A - Diagnosis/monitor policy generator, security diagnosis/ monitor system, method and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a security diagnosis/monitor method for which an exclusive system manager having sophisticated expert intelligence is not required and which can be managed easily by a general user. SOLUTION: The security diagnosis/monitor method includes a step where a network configuration definition representing a computer network configuration is entered, a step where a diagnostic policy is generated on the basis of the entered network configuration definition and a step where the security is diagnosed on the basis of the generated diagnostic policy.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a diagnosis / monitoring policy creation device, a security diagnosis / monitoring system, a method, and a storage medium.

[0002]

2. Description of the Related Art Generally, information systems using a computer network have become widespread. This type of information system
By diagnosing the presence or absence of a security hole and taking appropriate measures, confidentiality, preservation, and maintenance of usefulness of information are realized.

[0003] Here, information is all electronic data transmitted and received via a computer network, and means all of document data, image data, audio data, programs and the like. Confidentiality means that information is disclosed only to authorized users,
It is a function that keeps the contents and existence unknown to outsiders, and is important in terms of privacy protection and rights protection. Security is a function that maintains the integrity of information and prevents it from being edited or tampered with secretly. Maintaining usefulness is a function that keeps information and computers available to legitimate users at the right time and with the right performance, and requires measures against unauthorized attempts to prevent usability of legitimate users. It is said.

As a method of diagnosing a security hole which is a prerequisite for realizing these, a known attack that threatens confidentiality / maintenance / maintainability is made into a database, and a pseudo attack based on the database is executed to execute security of the information system. There is a method using a software tool called a scanner for finding holes.

[0005] When executing the scanner,
Of the hundreds of inspection items, it is necessary to set which items are to be inspected and in which priority. This setting is called a diagnostic policy setting, and the diagnostic policy (idea) behind this setting is called a diagnostic policy.

On the other hand, in the information system, apart from the above-described security hole diagnosis, “security monitoring” is performed in which the status is constantly monitored, an attack is detected and notified to a manager, or the attack is directly blocked. You may be asked.

[0007] While security diagnosis is an indirect defense against an attack on an information system by detecting and responding to an attack on the information system through regular or irregular diagnosis, security monitoring always monitors the state of the system and prevents the attack. It differs from diagnosis in that it detects early and directly protects.

In security monitoring, a known attack is stored in a database, and an intrusion detection system (intrusion detection system) for detecting an attack is performed by comparing the state of a network packet or a system log with the database and checking the database.
A tool called a ction system (hereinafter referred to as IDS) is used.

[0009] Even when the IDS is executed, it is necessary to set in advance which of the hundreds of inspection items should be inspected in which priority order. This setting is called a monitoring policy setting, and the monitoring policy (idea) behind this setting
Is called a monitoring policy.

Next, the above-described security diagnosis / monitoring will be described from the viewpoints of a system administrator, its education, and work labor.

(1) Normally, a dedicated system administrator is required to maintain an information system safely and effectively.
It is necessary to collect a huge amount of security hole information frequently and keep the software updated to the latest version.

Further, it is necessary that the system administrator has a high degree of specialty. This is because, although the security diagnosis / monitoring is efficiently performed by the diagnosis / monitoring tool, it is an advanced method to determine the priority and the order to be dealt with by looking at a large number of diagnostic / monitoring messages output from the tool. This is because specialty is required.

(2) It is considered that appropriate information provision is necessary to obtain such a high degree of specialty. For example, from the viewpoint of strengthening the security of an OS such as UNIX (registered trademark), information is provided to an administrator regarding settings at the time of installation, and an educational effect is obtained through a process of strengthening security on a host-by-host basis. Software already exists. Software having such educational effects helps reduce excessive demands on system administrators and realizes efficient operation management.

[0014] However, there is software for educating security enhancement that targets only a single host, but there is no software that targets the entire network system.

(3) This is because the security diagnosis for the entire network system is different depending on the network configuration (arrangement and connection structure), the system and the purpose of use of each computer, and the security policy. Due to difficulties. Actually, security diagnosis of the entire network system is performed manually by a person having specialized knowledge for each network configuration and its contents.

Here, the network configuration indicates a connection relationship between one or more subnets and one or more hosts.

A normal diagnostic tool executes a simulated attack on the assumption of the position of an attacker. Therefore, when a plurality of positions of an attacker are assumed, the execution is required a plurality of times. Often based on administrator experience.

(4) In the case where the network configuration is frequently changed, it is necessary for the system administrator to always perform appropriate security diagnosis / monitoring.
Monitoring policy needs to be updated. For this reason, it is considered desirable to reduce the effort of updating the diagnosis / monitoring policy.

(5) On the other hand, the message output of the diagnostic / monitoring tool is expressed in Japanese by a human being arranged manually. For example, a procedure is performed in which the diagnosis / monitoring side creates a diagnosis / monitoring policy reflecting the specialty of the system and creates a comprehensive diagnosis report based on the policy.

[0020]

However, the conventional diagnosis / monitoring system has room for improvement as shown in the following (1 ') to (5'). (1 ′) Since there are few people with advanced expertise, it is considered preferable that the diagnostic / monitoring tool has contents that can be easily handled without advanced expertise.

(2 ') There is no software for educating security enhancement for the entire network system.

(3 ') The security diagnosis of the entire network system is performed manually by a person having specialized knowledge for each network configuration and its contents.
It would be desirable to be able to diagnose without specialized knowledge.

(4 ') It is considered desirable to reduce the labor of many operations required for proper diagnosis / monitoring when the network configuration is frequently changed.

(5 ') It is desired that the human resources required for preparing the comprehensive diagnosis report be reduced.

The present invention has been made in view of the above circumstances, and eliminates the need for a dedicated system administrator having a high level of specialty, and realizes a diagnostic / monitoring policy creating apparatus that can be easily managed by general users. , A security diagnosis / monitoring system, a method and a storage medium.

It is another object of the present invention to provide a diagnostic / monitoring policy creating device, a security diagnostic / monitoring system, a method, and a storage medium that can realize an educational effect while using.

It is another object of the present invention to provide a diagnosis / monitoring policy creating apparatus, a security diagnosis / monitoring system, a method, and a storage medium that can facilitate security diagnosis / monitoring for a network configuration.

Another object of the present invention is to provide a diagnostic / monitoring policy creating apparatus, a security diagnostic / monitoring system, a method and a storage medium which can reduce the effort of updating the diagnostic / monitoring policy when the network configuration is frequently changed. Is to provide.

Another object of the present invention is to provide a diagnostic / monitoring policy creating apparatus, a security diagnostic / monitoring system, a method, and a method capable of comprehensively analyzing the security state of the entire use system, unlike the diagnostic report for a specific attack route. It is to provide a storage medium.

[0030]

According to a first aspect of the present invention, there is provided a diagnostic policy creating apparatus and a diagnostic policy creating apparatus used in a security diagnostic system for diagnosing security of a computer network and computers connected thereto based on a diagnostic policy. A method, comprising: input means for inputting a network configuration definition representing a configuration of the computer network; and diagnostic policy creation means for creating the diagnostic policy based on the network configuration definition input by the input means. ing.

This eliminates the need for a system administrator having specialized knowledge to create a diagnosis policy, and makes it possible to perform security diagnosis more easily than before. In other words, a dedicated system administrator having a high level of specialty is not required, and easiness that can be managed by general users can be realized.

Further, since the relationship between the system design, the network configuration definition, and the diagnostic policy is mechanically constructed,
Reading the created diagnostic policy has educational effects on system administrators. That is, the educational effect can be realized while using.

According to a second aspect of the present invention, there is provided a security diagnosis system and a security diagnosis method for diagnosing security of a computer network and computers connected thereto, wherein input means for inputting a network configuration definition representing the configuration of the computer network. Diagnostic policy creating means for creating a diagnostic policy based on the network configuration definition input by the input means, and security diagnostic means for diagnosing the security based on the diagnostic policy created by the diagnostic policy creating means And

Accordingly, security diagnosis for the network configuration can be easily performed. In addition, a dedicated system administrator having specialized knowledge is not required, and easiness that general users can manage can be realized.

Further, even when the network configuration is frequently changed, the labor for updating the diagnostic policy can be reduced.
For example, it is possible to reduce human resources and trial and error required each time a security diagnosis is performed on a changed network configuration.

According to a third aspect of the present invention, there is provided a monitoring policy creating apparatus and a monitoring policy creating method used in a security monitoring system for monitoring security of a computer network and computers connected thereto based on a monitoring policy. Input means for inputting a network configuration definition representing the configuration of the computer network, based on the network configuration definition input by the input means,
Monitoring policy creating means for creating the monitoring policy;
It has.

This eliminates the need to create a monitoring policy by a system administrator having specialized knowledge, and makes it possible to perform security monitoring more easily than before. Further, since the relationship between the system design, the network configuration definition, and the monitoring policy is mechanically constructed, there is an educational effect for the system administrator by reading the created monitoring policy.

According to a fourth aspect of the present invention, there is provided a security monitoring system for monitoring security of a computer network and a computer connected to the computer network, wherein input means for inputting a network configuration definition representing a configuration of the computer network; Monitoring policy creation means for creating a monitoring policy based on the network configuration definition input by the means; and security monitoring means for monitoring the security based on the monitoring policy created by the monitoring policy creation means. ing.

Thus, security monitoring for the network configuration can be easily performed. In addition, a dedicated system administrator having specialized knowledge is not required, and easiness that general users can manage can be realized.

Further, even when the network configuration is frequently changed, the labor for updating the diagnostic policy can be reduced. For example, it is possible to reduce human resources and trial and error required each time security monitoring is performed on a changed network configuration.

The fifth invention is a network configuration definition creating method for creating a network configuration definition used for creating a diagnostic policy and / or a monitoring policy, wherein a network configuration component is displayed on a screen and a pointing device operation is performed. And a step of creating a network configuration definition based on the edited screen.

Thus, the network configuration (host type, application, importance, connection method, etc.) can be changed from the terminal to the GUI.
By inputting and answering the questions, you can interactively set the network configuration definition. The set configuration definition and the policy created by it can be used for subsequent security diagnosis / monitoring, and efficient security diagnosis / Monitoring techniques can be provided. In addition, a dedicated system administrator having a high level of specialty is not required, and easiness that can be managed by general users can be realized.

According to a sixth aspect of the present invention, there is provided a comprehensive security analysis method for analyzing a security state of a computer network and computers connected thereto, wherein the computer network and the connected computers are analyzed based on a diagnostic policy. Diagnosing security, and for the computer network and the connected computer,
Monitoring security based on a monitoring policy, based on the result of the diagnosis and the result of the monitoring,
Analyzing the security state of the computer network.

Thus, unlike the diagnosis report for a specific attack route, a comprehensive analysis of security diagnosis for the entire used system can be performed. It also saves the human resources needed to create a diagnostic summary that can be understood by non-experts.

Each of the above inventions may be a computer-readable storage medium storing a program for realizing the function. In this case, each invention can be realized by a computer in which a program is installed from a storage medium.

[0046]

DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of the present invention will be described below with reference to the drawings. FIG. 1 is a schematic diagram showing a configuration example of a security diagnosis / monitoring system according to an embodiment of the present invention. The security diagnosis / monitoring system 10 has a computer with a function related to network configuration definition and a diagnosis / monitoring policy creation function, and is implemented by installing a program for implementing each function from a storage medium into the computer. ing.

This security diagnosis / monitoring system 10
Specifically, the network configuration definition storage unit 11, the pointing device 12, the network configuration definition editing unit 13, the network configuration display unit 14, the diagnostic policy creating unit 15D, the diagnostic policy storage unit 16D, the security diagnostic unit 17D, the diagnostic result Display unit 18D, monitoring policy creation unit 15M, monitoring policy storage unit 16M, security monitoring unit 17M, monitoring result display unit 18M, comprehensive analysis unit 19
It has.

The network configuration storage 11 stores network configuration information. The information of the network configuration definition includes component information for defining the network configuration, and a network configuration definition defined by the arrangement of the component information and key input.

The component information is image information indicating elements of the network configuration. For example, as shown in FIG. 2, for example, a firewall (FW), a DMZ (DMZ), a router 1
(Rt1), public server (PSv), host 1 (H
1), host 2 (H2), backbone server BSv, Internet (Net), intranet (Itr), and network segment 1 (Nsg).

The network configuration definition is character information indicating the network configuration when each component information is arranged as shown in FIG. 3 to form a network configuration.
As shown in (a) to (i), items such as a name, a type, the number of connections, a connection destination, a use, and a confidential level are defined for each component, and a network configuration is defined as a definition file. It is stored in the definition storage unit 11.

The pointing device 12 is an input device such as a mouse, and has a function of instructing the network configuration definition editing unit 13 to select and arrange each component of the network configuration definition storage unit 11 by operation of a system administrator. I have.

The network configuration definition editing unit 13 has a function of setting information on the network configuration definition in the network configuration storage unit 11 by operating the keyboard and the pointing device 12, and a network configuration definition in the network configuration storage unit 11. Has a function of displaying the information on the network configuration display unit 14 and a function of receiving and displaying the information when the security diagnosis unit 17D or the security monitoring unit 17M detects an error in the network configuration definition.

However, the network configuration definition editing unit 13
May have a function of comparing the image information of the arrangement shown in FIG. 3 with the character information shown in FIG. 4 and detecting an input error regarding the arrangement such as a connection destination and the number of connections based on the mismatch.

The network configuration display section 14 is a display such as a CRT having a graphic display function.
The signal received from the network configuration definition editing unit 13 is displayed.

The diagnostic policy creating section 15D has a function of creating a diagnostic policy based on the network configuration definition in the network configuration storing section 11, and storing the obtained diagnostic policy in the diagnostic policy storing section 16D7.

Here, the diagnosis policy is shown in FIG.
As shown in (c), for each component, the items such as the name, whether the validity of the applet is checked, whether the operation of the daemon is checked, whether the pseudo-attack is executed, the number of times, and the location are described. It is configured. Such a diagnostic policy is created based on the knowledge database. For example, the number of items may be adjusted according to the confidential level in the network configuration definition.

The security diagnosis section 17D executes a security diagnosis (pseudo attack) of the network configuration shown in FIG. 3 based on the diagnosis policy in the diagnosis policy storage section 16D, and displays the diagnosis result on the diagnosis result display section 18D9. It has a function.

The monitoring policy creation unit 15M has a function of creating a monitoring policy based on the network configuration definition in the network configuration storage unit 11, and storing the obtained monitoring policy in the monitoring policy storage unit 16M11.

Here, the monitoring policy is shown in FIGS.
As shown in the example in (e), for each part, the items such as name, detection target (host / network), presence / absence of mail bomb check, presence / absence of command check, presence / absence of attack check, and the like are described. It is configured. Similarly, the monitoring policy is created based on the knowledge database, and the number of items can be adjusted according to the security level in the network configuration definition.

The security monitoring unit 17M executes the security monitoring of the network configuration shown in FIG. 3 for a relatively long time based on the monitoring policy in the monitoring policy storage unit 16M, and displays the monitoring result on the monitoring result display unit 18M13. Have.

The comprehensive analysis section 19 is composed of the security diagnosis section 1
It has a function of analyzing a diagnosis result by 7D and a monitoring result by the security monitoring unit 17M, and outputting a comprehensive analysis report 20.

The comprehensive analysis report 20 has a function of prompting the system administrator to review and change the network configuration as needed, and a function of prompting the system administrator to re-edit the network configuration definition as needed.

The security diagnosis / monitoring system 10 described above may be (i) installed as software on each host and operated in the background, or (ii) operated as a network as an independent device. , And may be disconnected after diagnosis. Alternatively, (iii) the general analysis unit 19 may be provided as a manager only at one location, and the other security diagnosis unit 17D and security monitoring unit 17M may be provided individually as agents.

Next, the operation of the security diagnosis / monitoring system configured as described above will be described with reference to the flowchart of FIG. Now, in the security diagnosis / monitoring system, at the start of execution, the network configuration definition editing unit 13 is started, and in response to the operation of the system administrator,
Information of the network configuration storage 11 is displayed on the network configuration display 14.

The system administrator operates a keyboard (not shown) and the pointing device 12 while looking at the network configuration display section 14 to input a network configuration definition (ST1).

At this time, the network configuration definition editing unit 13
Makes the information input by the system administrator inside the system reflected in the network configuration storage 11 or causes the information in the network configuration storage 11 to be displayed on the network configuration display 14.

At first, as shown in FIG. 2, the components constituting the network configuration are individually displayed on the network configuration display section 14, but the pointing device 12
3, a network configuration in which the components are connected to each other is constructed, and a network configuration definition (connection destination for each name, number of connections) corresponding to the connection is created in the system as shown in FIG. You.

Further, the information of the configuration definition that is unknown from the connection of the parts such as the use (purpose, use method) of each element (host, network, etc.) and the confidential level (importance) by the keyboard by the operation of the system administrator. Is also entered as part of the network configuration definition.

A GUI is used for this input, and a network configuration definition can be set interactively by answering questions. After setting the network configuration definition, the network configuration editing unit 13 creates a definition file representing the network configuration definition (ST2),
It is stored in the network configuration definition storage unit 11.

Next, the diagnostic policy creating unit 15D analyzes the definition file in the network configuration definition storing unit 11, creates a diagnostic policy, and creates a diagnostic policy storing unit 16D.
(ST3).

The security diagnosis unit 17D executes the security diagnosis of the network configuration as shown in FIG. 3 based on the diagnosis policy in the diagnosis policy storage unit 16D (ST4), and displays the diagnosis result on the diagnosis result display unit 18D. (ST5).

At this time, the security diagnosis unit 17D
It is determined whether the network configuration definition in the definition file is correct compared to the actual network configuration (ST6). If it is incorrect, the fact is displayed and the information is transmitted to the network configuration definition editing unit 13.

This supports the system administrator to promptly re-enter an appropriate network configuration definition.

Next, the monitoring policy creating section 15M analyzes the definition file in the network configuration definition storing section 11, creates a monitoring policy, and creates a monitoring policy storing section 16M.
(ST7).

The security monitoring unit 17M executes security monitoring of the network configuration as shown in FIG. 3 based on the monitoring policy in the monitoring policy storage unit 16M (ST8), and displays the monitoring result on the monitoring result display unit 18M. (ST9).

At this time, the security monitoring unit 17M
It is determined whether the network configuration definition in the definition file is correct compared to the actual network configuration (ST10),
If incorrect, a message to that effect is displayed and the information is transmitted to the network configuration definition editing unit 13. This supports quick re-input of the network configuration definition, as described above.

Next, the general analysis section 19 proceeds to step ST5.
Is analyzed and the monitoring result of step ST9 is analyzed, and a comprehensive analysis report 20 is output. The system administrator determines whether or not the comprehensive analysis report 20 is good (ST11).

If the judgment result is good, the diagnosis / monitoring process ends. However, if the diagnosis result requires any countermeasure, the system administrator reviews the network configuration and changes the connection and settings if necessary. (ST12), ST
Return to 1.

As described above, the security diagnosis / monitoring system operates while alternately repeating the comprehensive analysis and the design / construction of the network configuration.

As described above, according to the present embodiment, a network configuration definition representing the configuration of a computer network is input, and a diagnosis / monitoring policy is created based on the network configuration definition. This eliminates the need for a user to create a diagnosis / monitoring policy, and makes security diagnosis / monitoring easier than before. In other words, a dedicated system administrator having a high level of specialty is not required, and easiness that can be managed by general users can be realized.

Further, since the relationship between the system design, the network configuration definition and the diagnosis / monitoring policy is mechanically constructed, there is an educational effect for the system administrator by reading the created diagnosis / monitoring policy. That is, the educational effect can be realized while using.

Further, since the security diagnosis / monitoring is performed based on the diagnosis / monitoring policy created as described above, the security diagnosis / monitoring for the network configuration can be easily performed.

Further, even when the network configuration is frequently changed, the labor for updating the diagnostic policy can be reduced.
For example, it is possible to reduce human resources and trial and error required each time a security diagnosis is performed on a changed network configuration.

When the network configuration definition is created, the components of the network configuration are displayed on the screen, the arrangement and connection relation of the components are edited according to the operation of the pointing device, and based on the edited screen, Create a network configuration definition.

Thus, the network configuration (host type, application, importance, connection method, etc.) can be changed from the terminal to the GUI.
, And answering the questions, you can interactively set the network configuration definition. Also,
The set configuration definition and the policy created by it can be used for subsequent security diagnosis / monitoring.
An efficient security diagnosis / monitoring technique can be provided.

Further, as a comprehensive security analysis,
Diagnosing security for the computer network and the connected computer based on the diagnostic policy; monitoring security for the computer network and the connected computer based on the monitoring policy; Analyzing the security state of the computer network based on the result of the monitoring.

As a result, unlike the diagnosis report for a specific attack route, it is possible to perform a comprehensive analysis of the security diagnosis for the entire used system. It also saves the human resources needed to create a diagnostic summary that can be understood by non-experts.

Note that the method described in the above embodiment can be implemented as a magnetic disk (floppy (registered trademark) disk,
Hard disk, etc.), optical disk (CD-ROM, D
VD, etc.), a magneto-optical disk (MO), and a storage medium such as a semiconductor memory. The storage medium may be in any form as long as it can store a program and can be read by a computer.

Further, when distributing by storing in a storage medium,
For example, (a) a set of the network configuration storage 11 and the diagnostic policy creation unit 15D, (b) a set of the network configuration storage 11 and the monitoring policy creation 15M, and (c) a network configuration storage 11 and the configuration edit The functions are divided into a set of a unit 13, (d) a set of a network configuration storage 11, a configuration editing unit 13, a diagnostic policy creation unit 15 D, and a monitoring policy creation unit 15 M, and (e) only a comprehensive analysis unit 19. Each is easy to distribute independently.

Also, an OS (Operating System) running on the computer based on instructions of a program installed in the computer from the storage medium,
MW for database management software, network software, etc.
(Middleware) or the like may execute a part of each process for realizing the present embodiment.

Further, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

Further, the number of storage media is not limited to one, and the case where the processing in this embodiment is executed from a plurality of media is also included in the storage media of the present invention, and any media configuration may be used.

The computer according to the present invention executes each processing in the present embodiment based on a program stored in a storage medium. An apparatus such as a personal computer and a plurality of apparatuses are connected to a network. Any configuration such as a system described above may be used.

The computer in the present invention is
It is not limited to a personal computer, but also includes a processing device, a microcomputer, and the like included in an information processing device, and generically refers to a device and a device capable of realizing the functions of the present invention by a program.

The present invention is not limited to the above embodiments, and can be variously modified at the stage of implementation without departing from the scope of the invention. In addition, the embodiments may be implemented in appropriate combinations as much as possible, in which case the combined effects can be obtained. Further, the above embodiments include inventions at various stages, and various inventions can be extracted by appropriate combinations of a plurality of disclosed configuration requirements. For example, if an invention is extracted by omitting some constituent elements from all the constituent elements described in the embodiment, when implementing the extracted invention, the omitted part is appropriately supplemented by a well-known common technique. It is something to be done.

In addition, the present invention can be variously modified and implemented without departing from the gist thereof.

[0097]

As described above, according to the present invention, a dedicated system administrator having a high level of specialty is not required, and simplicity that can be managed by general users can be realized. Also,
Educational effect can be realized while using. Further, security diagnosis / monitoring for the network configuration can be facilitated. Also, if your network configuration changes frequently,
The effort of updating the diagnosis / monitoring policy can be reduced. In addition, unlike diagnostic reports for specific attack vectors,
Comprehensive analysis of the security status of the entire system in use.

[Brief description of the drawings]

FIG. 1 is a schematic diagram showing a configuration example of a security diagnosis / monitoring system according to an embodiment of the present invention;

FIG. 2 is a schematic diagram for explaining component information in the embodiment.

FIG. 3 is a schematic diagram illustrating a network configuration according to the embodiment;

FIG. 4 is a schematic diagram for explaining a network configuration definition in the embodiment.

FIG. 5 is an exemplary view for explaining a diagnostic policy in the embodiment.

FIG. 6 is an exemplary view for explaining a monitoring policy according to the embodiment;

FIG. 7 is a view for explaining the operation in the embodiment;

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 10 ... Security diagnosis / monitoring system 11 ... Network configuration definition storage unit 12 ... Pointing device 13 ... Network configuration definition editing unit 14 ... Network configuration display unit 15D diagnosis policy creation unit 16D ... diagnosis policy storage unit 17D ... security diagnosis unit 18D ... diagnosis Result display unit 15M monitoring policy creation unit 16M monitoring policy storage unit 17M security monitoring unit 18M monitoring result display unit 19 comprehensive analysis unit 20 comprehensive analysis report Firewall (FW) Router 1 (Rt1) Public server (PSv) Host 1 (H1) Host 2 (H2) Backbone server BSv Internet (Net) Intranet (Itr) Network segment 1 (Nsg)

Claims (12)

[Claims] 1. A diagnostic policy creating apparatus used in a security diagnostic system for diagnosing security based on a diagnostic policy for a computer network and computers connected to the computer network, the network configuration definition representing a configuration of the computer network. And a diagnostic policy creating unit that creates the diagnostic policy based on the network configuration definition input by the input unit. 2. A security diagnosis system for diagnosing security of a computer network and computers connected thereto, comprising: an input unit for inputting a network configuration definition representing a configuration of the computer network; Diagnostic policy creating means for creating a diagnostic policy based on the network configuration definition, and security diagnostic means for diagnosing the security based on the diagnostic policy created by the diagnostic policy creating means. And security diagnostic system. 3. A monitoring policy creation device used in a security monitoring system that monitors security of a computer network and computers connected thereto based on a monitoring policy, wherein the network configuration definition represents a configuration of the computer network. And a monitoring policy creation unit that creates the monitoring policy based on the network configuration definition input by the input unit. 4. A security monitoring system for monitoring security of a computer network and computers connected thereto, comprising: an input unit for inputting a network configuration definition representing a configuration of the computer network; Monitoring policy creating means for creating a monitoring policy based on the network configuration definition, and security monitoring means for monitoring the security based on the monitoring policy created by the monitoring policy creating means. And security monitoring system. 5. A diagnostic policy creation method used in a security diagnostic system for diagnosing security of a computer network and a computer connected thereto based on a diagnostic policy, comprising: a network configuration definition representing a configuration of the computer network. And a step of generating the diagnostic policy based on the input network configuration definition. 6. A security diagnosis method for diagnosing security of a computer network and a computer connected to the computer network, comprising: inputting a network configuration definition representing a configuration of the computer network; A security diagnosis method comprising: creating a diagnosis policy based on the above; and diagnosing the security based on the created diagnosis policy. 7. A monitoring policy creation method used in a security monitoring system that monitors security of a computer network and computers connected thereto based on a monitoring policy, wherein the network configuration definition represents a configuration of the computer network. And a step of creating the monitoring policy based on the input network configuration definition. 8. A security monitoring method for monitoring security of a computer network and a computer connected to the computer network, comprising: a step of inputting a network configuration definition representing a configuration of the computer network; A security monitoring method, comprising: creating a monitoring policy based on a network configuration definition; and monitoring the security based on the created monitoring policy. 9. A network configuration definition creating method for creating a network configuration definition used for creating a diagnosis policy and / or a monitoring policy, comprising displaying a network configuration component on a screen, and operating the pointing device in response to an operation of a pointing device. A method for creating a network configuration definition, comprising: a step of editing the arrangement and connection relationship of parts; and a step of creating a network configuration definition based on the edited screen. 10. A comprehensive security analysis method for analyzing a security state of a computer network and a computer connected to the computer network, wherein a security is diagnosed for the computer network and the connected computer based on a diagnosis policy. Monitoring the security of the computer network and the connected computer based on a monitoring policy; analyzing the security state of the computer network based on the result of the diagnosis and the result of the monitoring And a comprehensive security analysis method. 11. A computer-readable storage medium for use in a diagnostic policy creation device for creating a diagnostic policy for a computer network and computers connected thereto, wherein the computer of the diagnostic policy creation device includes: A computer-readable storage medium storing a program for realizing: input means for inputting a network configuration definition representing a network configuration; and diagnostic policy creation means for creating the diagnostic policy based on the network configuration definition input by the input means. Possible storage medium. 12. A computer-readable storage medium used in a monitoring policy creation device for creating a monitoring policy for a computer network and computers connected thereto, wherein the computer of the monitoring policy creation device includes: A computer-readable storage medium storing a program for realizing: input means for inputting a network configuration definition representing a network configuration; and monitoring policy creation means for creating the monitoring policy based on the network configuration definition input by the input means. Possible storage medium.