JP2003273936A - Firewall system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a packet filtering type firewall system which is easily operated. <P>SOLUTION: Each firewall device 102 performs packet filtering according to prescribed filtering rules, further monitors a packet which can be passed by the present filtering rules and, when the packet is judged to be refused, extracts a transmitting origin IP address from the header part of the packet and updates the filtering rules on the basis of extracted information. Furthermore, the transmitting origin IP address, etc., are recorded and periodically transmitted to a maintenance center server 101. The server 101 periodically processes the information transmitted from each device 102 statistically and transmits a refused IP address, etc., which is judged to be shared by a plurality of the devices 102 to each device 102. Each device 102 updates the filtering rules of itself, etc., on the basis of the information transmitted from the server 101. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD The present invention relates to a firewall system for filtering packets between an external network and an internal network.

[0002]

2. Description of the Related Art Conventionally, a firewall has been known as a technique for ensuring network security. A firewall is placed between an external network such as the Internet and an internal network such as a corporate LAN, and controls whether or not to permit communication for each data based on a predetermined standard. It is a technology to prevent intrusion from the external network to the internal network.

There are various types of such firewalls, and one of them is a packet filtering type firewall. The packet filtering firewall controls whether or not to allow passage of each packet from the external network to the internal network (or from the internal network to the external network).
It is performed according to a predetermined filtering rule.

Generally, in the filtering rule, the source IP address, the destination IP address, the source port number,
The packet to be filtered is specified by the destination port number, the type of protocol, etc., and the action (passage, rejection, etc.) for the packet is specified.

[0005]

Such a filtering rule needs to be set in advance by the administrator, but the setting work requires some knowledge about the network and the like, which is difficult for general users. It was Also,
It was complicated for those who had such knowledge.

An object of the present invention is to provide a packet filtering type firewall system which is easy to operate.

[0007]

A firewall system according to the present invention is a firewall system in which a maintenance center server and a plurality of firewall devices are connected via a network.

In the first firewall system, each firewall device should filter the packet based on the filtering rule held by the firewall device, and reject the packet based on the packet received by itself. If it is determined that the packet should be rejected, the filtering rule is updated so that the packet can be rejected, and reject packet information regarding the packet determined to be rejected is transmitted to the maintenance center server. . The maintenance center server statistically processes the reject packet information sent from each firewall device, determines the reject packet identification information that should be shared by multiple firewall devices, and reject packet identification information that should be shared by multiple firewall devices. To each firewall device. And
Each firewall device updates the filtering rule based on the rejected packet identification information sent from the maintenance center server.

Further, in the second firewall system, each firewall device transmits its own operation mode information to the maintenance center server. The maintenance center server sends the reject packet identification information that matches the operation mode information sent from each firewall device,
Send to each firewall device. Then, each firewall device generates a filtering rule based on the refusal packet identification information sent from the maintenance center server, and filters the packet based on the filtering rule.

A firewall device according to the present invention includes a packet filtering unit for controlling whether or not a packet is permitted to pass based on a filtering rule, a packet for capturing a packet, and a packet for extracting necessary information from the captured packet. Based on the information captured by the capturing unit and the packet capturing unit, it is determined whether or not the captured packet is a packet to be rejected, and if it is determined to be a packet to be rejected, the filtering rule is applied from the packet. And a rule updating unit that updates the filtering rule based on the information extracted by the determining unit.

In this case, the determination section may determine whether or not the packet should be rejected, depending on whether or not the packet data includes a predetermined character string. It is also a packet that should be rejected depending on whether a predetermined number or more of mail packets have been received from the same source within a predetermined time and whether the packet is a packet related to a transfer mail. It may be determined whether or not there is. Further, whether or not the packet should be rejected may be determined depending on whether or not the same transmission source has accessed a plurality of predetermined ports within a predetermined time.

Further, when updating the filtering rule, the rule updating unit records information necessary for updating the filtering rule, a cause of the updating, and a time when the updating is performed. Of course, the firewall device may further include a data transmission unit that transmits the record to the maintenance center server via the external network.

In addition, when the filtering rule is added, the rule updating unit records the time when the addition is made, and deletes the added filtering rule after a predetermined time has passed from the time. Good.

Further, the firewall device further comprises a data receiving unit for receiving the refusal packet identification information sent from the maintenance center server, and the rule updating unit, based on the refusal packet identification information, the filtering rule. May be updated.

Further, when the judging unit judges whether the packet is a packet to be rejected or not depending on whether the packet data includes a predetermined character string, the firewall device performs maintenance. The rule updating unit updates the filtering rule based on the refusal packet identification information, the data receiving unit receiving the refusal packet identification information sent from the center server. Whether or not the packet should be rejected may be determined based on the rejection character string included in the packet identification information.

A program for generating a filtering rule for packet filtering according to the present invention is a computer, which captures a packet and extracts necessary information from the captured packet, packet capturing means, and information extracted by the packet capturing means. Based on the above, it is determined whether the captured packet is a packet that should be rejected, and if it is determined that the packet is a packet that should be rejected, a determination unit that extracts information necessary for generating a filtering rule from the packet , And a program for functioning as filtering rule generation means for generating the filtering rule based on the information extracted by the determination means.

The maintenance center server according to the present invention includes a data receiving unit for receiving the reject packet information sent from the firewall device, a recording unit for recording the received reject packet information, and statistics for the recorded reject packet information. A statistical processing unit that performs processing, a database that stores deny packet identification information generated from the statistically processed information, and a data transmission unit that transmits the deny packet identification information stored in the database to a firewall device. It is characterized by having.

In this case, the information sent from the firewall device may include the operation mode information of the firewall device, and the maintenance center server may use the operation mode information based on the operation mode information. A selection unit for selecting the refusal packet identification information stored in the database and passing it to the data transmission unit may be further provided.

[0019]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described in detail below with reference to the drawings.

FIG. 1 is a diagram showing the overall configuration of a firewall system according to the present invention.

As shown in the figure, this system comprises a maintenance center server 101, a plurality of firewall devices 102 (102a to 102c), and a plurality of control terminal devices 103 (103a to 103c).

The maintenance center server 101 and the firewall device 102 are both connected to the Internet 104. In addition, each firewall device 102
Are internal networks 105 (105a-1
05c).

Further, each firewall device 102 is
It is connected to each control terminal device 103 via a serial cable. The control terminal device 103 is for performing various settings of the firewall device 102 and checking the state of the firewall device 102.

Each firewall device 102 performs packet filtering between the Internet 104, which is an external network, and the internal network 105.
Each firewall device 102 performs packet filtering according to a predetermined filtering rule. Further, the current filtering rule monitors a packet that can be passed and determines whether it is desirable to pass the packet. If it is determined that passing is not desired, information necessary to generate a filtering rule from the packet (for example,
The sender IP address) is extracted, and the filtering rule is updated so that the packet can be rejected (blocked) based on the extracted information.

Information necessary for generating the filtering rule includes a source IP address (or domain name), a source port number, a destination IP address (or domain name), a destination port number, a protocol type, etc. However, in the following, for simplicity, the source IP address is used to represent the information necessary for generating the filtering rule.

In the present embodiment, each firewall device 102 responds to currently passable packets by
Three types of judgment are performed.

First of all, each firewall device 1
02 determines whether or not the packet data (application layer data) includes a predetermined character string (rejection character string). Then, the packet including the rejection character string is determined to be a packet to be rejected.

By making such a determination, for example, in the LAN environment of an educational institution, H including a character string (obscene language, discriminatory language, etc.) that the child does not want to see.
It is possible to prevent the TML file or the like from being displayed on the terminal device used by the child.

Second, each firewall device 102
Determines whether the packet is a packet related to spam mail. Spam mail refers to electronic mail such as advertisement mail that is unilaterally sent to an unspecified number of users, and in many cases, unauthorized relay of electronic mail is used. Since it is desirable to reject packets related to such spam mails, each firewall device 102 determines whether or not the packets are packets related to spam mails. Details of the process of determining whether the packet is a spam mail-related packet will be described later.

Third, each firewall device 102
Determines whether the packet is a packet related to port scanning. In general, many services used on the Internet operate on a server as TCP or UDP services, and TCP or UDP have a service identifier called a port number. The port scan is, for example, to try to connect from the first port in order to check what service is running on the server to be scanned. Since it is desirable to reject the packet related to such a port scan, each firewall device 102 is also preferable.
Determines whether the packet is a packet related to port scanning. Details of the process of determining whether the packet is related to the port scan will be described later.

If each firewall device 102 determines that the packet should be rejected as a result of the above determination, it extracts the source IP address of the packet, and based on the extracted source IP address, the relevant source IP address is extracted. Source IP
Update your filtering rules to allow packets from the address to be denied. Further, at that time, the source IP
The address, update cause (rejection character string detection / spam mail detection / port scan detection), update time, etc. are recorded, and the record (rejection packet information) is periodically transmitted to the maintenance center server 101.

The maintenance center server 101 records the information sent from each firewall device 102,
The recorded information is statistically processed on a regular basis. Then, as a result of the statistical processing, reject packet identification information (for example, a source IP address to be rejected) that is determined to be shared by the plurality of firewall devices 102 is transmitted to each firewall device 102.

Upon receiving the refusal packet identification information sent from the maintenance center server 101, each firewall device 102 updates its own filtering rule and the like based on the information.

Since the present firewall system performs such an operation, each firewall device 102
To some extent, it will be possible to autonomously protect packets that cannot be handled by the current filtering rules. Also, a certain firewall device 102a
In the above, the source IP address determined as the source of the packet to be rejected is the other firewall device 102.
b and 102c, the other firewall devices 102b and 102c can update the filtering rule to reject undesired packets even if they are not detected by themselves, and pass undesired packets. It is possible to prevent it.

Further, each firewall device 102 is
It has information called a category as one of its own operation mode information. The category is the control terminal device 10.
An administrator can set (change) using 3.

The category is, for example, the type of the internal network 105 to which the firewall device 102 is connected (eg, “educational institution”, “corporation”, “individual”) and the security level (eg, “high”, “medium”). , "Low")
A predetermined identifier (for example, 0000
~ Any of 9999).

Further, each firewall device 102 is
As its own operation mode information, it has information of "whether to check for spam mail" and "whether to check for port scan", and these also control terminal device 1
You can use 03 to set (change).

When the operation mode information is set or changed, each firewall device 102 transmits the operation mode information to the maintenance center server 101. At this time, if the above-mentioned reject packet information or the like exists, this is also transmitted at the same time.

When the maintenance center server 101 receives the operation mode information sent from each firewall device 102, based on the sent operation mode information, the refusal packet identification information according to the operation mode (this embodiment). In (1), the reject character string and reject sender IP address) are selected and sent back to each firewall device 102.

Each firewall device 102 generates a filtering rule based on the refusal packet identification information sent from the maintenance center server 101, and determines the refusal character string.

Since the present firewall system performs such an operation, only by selecting a desired operation mode, it is possible to automatically set an appropriate filtering rule and deny character string to the own firewall device 102. This reduces the burden on the administrator of each firewall device 102.

Next, the details of each constituent element of the present firewall system that performs the above-described operation will be described.

First, details of the firewall device 102 will be described.

FIG. 2 is a diagram showing a hardware configuration example of the firewall device 102. As shown in the figure,
The firewall device 102 includes a CPU 201, a main memory 202, a ROM 203, a PC card interface unit 204, and a serial interface unit 205.
And network interface units 206 and 207.

CPU 201, main memory 202, RO
The M203, the PC card interface unit 204, the serial interface unit 205, and the network interface units 206 and 207 are connected to the bus 208, respectively. A flash ATA card 209 is connected to the PC card interface unit 204. The serial interface unit 205 includes the control terminal device 103.
And the network interface unit 206 is connected to
The network interface unit 207 is connected to the external network (Internet 104) and is connected to the internal network 105.

The CPU 201 is the firewall device 1.
This is a central processing unit that executes and controls various processes performed by 02. The main memory 202 is a main storage device that stores various programs and data used by the CPU 201. R
The OM 203 is a storage device that stores the BIOS and the like used by the CPU 201.

The PC card interface section 204 controls data exchange between the flash ATA card 209 and the bus 208. The serial interface unit 205 includes the control terminal device 103 and the bus 20.
It controls the exchange of data with the device 8. The network interface unit 206 controls data exchange between the external network and the bus 208. The network interface unit 207 controls the exchange of data between the internal network and the bus 208.

The flash ATA card 209 is a CPU
A recording medium on which various programs and data such as an operating system (OS) used by 201 are recorded. In this embodiment, the flash ATA is used.
The entire storage area of the card is encrypted in sector units. That is, when the OS or the BIOS of the firewall device 102 reads from or writes to the flash ATA card 209 in sector units, it performs predetermined decoding / encoding on sector data. By performing such processing, for example, the firewall device 102
General personal computer such as AT compatible (P
Even if it is realized based on C), flash A
The information recorded on the TA card 209 is the same as the other PC
It is possible to prevent the data from being read.

FIG. 3 is a diagram showing a software configuration example of the firewall device 102. As shown in the figure,
The firewall device 102 includes a packet filtering unit 301, a bucket capturing unit 302, and a determining unit 303.
To 305, a filtering rule control unit 306, a data transmission unit 307, and a data reception unit 308.
Each unit 301 to 308 is basically realized by the CPU 201 executing a program loaded in the main memory 202.

The packet filtering section 301 has a TC
Receives IP packets in the P / IP protocol,
It controls whether or not to pass the received packet according to the contents of the header of the packet. The packet filtering unit 301 holds a filtering rule and determines whether to pass the received packet according to this filtering rule.

The filtering rule control unit 306 controls the filtering rules by adding new rules to the filtering rules held by the packet filtering unit 301 or deleting certain rules from the filtering rules.

The packet capturing unit 302 captures the packet that has passed through the packet filtering unit 301, analyzes the packet, extracts necessary data, and determines the determination unit 3
Pass to 03-305. The packet capturing unit 302 also
A captured packet record table is held to keep a record of captured packets.

FIG. 4 is a diagram showing an example of the structure of the captured packet recording table.

As shown in the figure, the captured packet recording table includes a "source" field 401, a "destination" field 402, a "protocol" field 403, and
A “reception time” field 404 is provided.

The "source" field 401 stores the IP address (and, if necessary, port number) of the source of the packet. In the “Destination” field 402,
The IP address of the destination of the packet (and the port number if necessary) is stored. Protocol field 4
Information indicating the protocol type of the packet is stored in 03. The “reception time” field 404 stores the time when the packet is received.

The packet capturing unit 302 sequentially analyzes the header portion of the captured packet and determines what kind of packet the packet is. Then, for a packet including application layer data (for example, the contents of an HTML file), the data portion is replaced with TCP / I.
It is sent to the determination unit 303 together with the P header. Further, with respect to the packet related to the electronic mail, the mail header is extracted and sent to the determination unit 304 together with the TCP / IP header. Further, the TCP / IP header is sent to the determination unit 305 for the packet for accessing the port. Each of the determination units 303 to 305 determines whether the captured packet is a packet to be rejected, based on the information passed from the packet capturing unit 302.

Next, the judgment units 303 to 305 for judging whether or not the captured packet is a packet to be rejected will be described. In this embodiment, three types of determination units 303 to 305 are provided.

First, the judging section 303 will be described.

The determining unit 303 determines whether or not the packet is a packet to be rejected, depending on whether or not the application layer level data included in the packet includes a preset character string. Therefore, the determination unit 303 holds a list of character strings to be rejected (rejected character string list).

In the reject character string list, the one corresponding to the category set by the administrator at the start of operation of the firewall device 102 is the maintenance center server 1.
It is downloaded from 01. The refusal character string list at the start of operation may be stored in the flash ATA card 209 in advance and used.

Further, the administrator can add a desired character string to the reject character string list for each site where each firewall device 102 is installed. Then, this reject character string list is periodically (for example, once every three days),
It is sent to the maintenance center server 101 together with other information. Further, the reject character string list is sent to the maintenance center server 101 together with other information even when the operation mode information of each firewall device 102 such as a category is changed.

FIG. 5 is a flow chart showing the flow of the judgment processing of the judgment unit 303.

As shown in the figure, the determining unit 303 first determines whether or not the reject character string in the reject character string list exists in the data of the TCP / IP packet passed from the packet capturing unit 302. A determination is made (S501).

As a result, if the rejected character string is not included (S501: NO), the process is terminated.

On the other hand, if the rejection character string is included (S501: YES), the packet is determined to be rejected, and the source IP address is extracted from the header of the packet (S502). . Then, the determination unit 303 passes the extracted source IP address, the reject character string included in the packet, and the identifier representing the determination unit 303 to the filtering rule control unit 306 (S503), and the processing ends. To do.

As described above, the determination processing in the determination unit 303 is performed.

Next, the judging section 304 will be described.

The judging unit 304 judges whether the captured packet is a packet related to spam mail.
Specifically, the determination unit 304 records the mail header and the TCP / IP header sequentially passed from the packet capturing unit 302, and outputs a predetermined number or more of mail packets from the same source within a predetermined time. When the mail is received and the mail is a transfer mail, it is determined that the mail packet is a packet related to spam mail.

FIG. 6 is a flow chart showing the flow of the judgment processing of the judgment unit 304.

As shown in the figure, the determination unit 304 first determines, based on the TCP / IP header passed from the packet capturing unit 302, a predetermined number or more of mail packets from the same source within a predetermined time. Is received (S601).

As a result, if a predetermined number or more of mail packets have not been received from the same sender within a predetermined time (S601: NO), the process is terminated as it is.

On the other hand, from the same source, within a predetermined time,
If a predetermined number or more of mail packets have been received (S601: YES), then it is determined based on the mail header whether the mail is a transfer mail (S602). Whether the mail is a transfer mail or not is determined by, for example, whether the mail header includes a predetermined number or more of “Received:” lines.

As a result, if the mail is not a transfer mail (S602: NO), the process is terminated.

On the other hand, if the mail is a transfer mail (S60)
2: YES), the captured packet is determined to be a packet that should be rejected, and the source IP
The address is extracted (S603). Then, the determination unit 30
4 passes the extracted source IP address and the identifier representing the determination unit 304 to the filtering rule control unit 306 (S604), and ends the processing.

The determination processing in the determination unit 304 is performed as described above.

Next, the judgment section 305 will be described.

The judging section 305 judges whether or not the captured packet is a packet related to the port scan. Specifically, the determination unit 305 holds a list of port numbers that are not normally used (rejected port number list), and further records the TCP / IP headers sequentially passed from the packet capturing unit 302. If the same source accesses a plurality (more than a predetermined number) of ports included in the denied port number list within a predetermined time, it is determined that the packet is related to the port scan.

FIG. 7 is a flow chart showing the flow of the judgment processing of the judgment unit 305.

As shown in the figure, the packet capturing unit 302
When the TCP / IP header is received from the determination unit 305
First, it is determined whether the packet is a packet related to port scan (S701).

As a result, when it is determined that the packet is not related to the port scan (S701: NO), the process is terminated.

On the other hand, when it is determined that the packet is related to the port scan (S701: YES), the source IP address is extracted from the header part of the packet (S702). Then, the determination unit 305 passes the extracted source IP address and the identifier representing the determination unit 305 to the filtering rule control unit 306 (S703),
The process ends.

The determination processing in the determination unit 305 is performed as described above.

When the transmission source IP address or the like to be rejected is passed from each of the determination units 303 to 305, the filtering rule control unit 306 allows the packet filtering unit 3 to reject the packet from the transmission source IP address.
The filtering rule held by 01 is updated.

Further, the filtering rule control unit 306
Is sent to the maintenance center server 101, the information passed from each determination unit 303 to 305 (source I to be rejected
(P address, etc.) are recorded sequentially.

In the present embodiment, the filtering rule added by the filtering rule control unit 306 can be set to be temporary or permanent. For spam mails and port scans, for example, it may be sufficient to temporarily reject the packet from the sender. Permanently reject the packet from the sender with a single unauthorized access. This may be inconvenient.

In order to cope with such a case, in the present embodiment, the transmission source I that each of the determination units 303 to 305 has determined to be rejected is determined.
A packet from the P address can be set to be temporarily rejected or permanently rejected. When the denial IP address or the like is notified from the determination unit set to the temporary denial, the time when the filtering rule is added is recorded based on the denial IP address in association with the denial IP address. Every time, after the addition, when a predetermined time has elapsed, the filtering rule is deleted. With such a configuration, for example, basically, when there is a temporary spam mail or port scan from the sender who wants to secure communication, the packet from the sender is temporarily rejected. Thus, it is possible to basically avoid the inconvenience of permanently rejecting a packet from a source that wants to secure communication while achieving the necessary protection.

The filtering rule control unit 306
Shows the rejection IP even when the filtering rule is deleted
Record in correspondence with the address. In this way, by recording the time when the filtering rule is deleted, if additions and deletions are repeated frequently, what was supposed to be a temporary refusal is automatically changed to a permanent refusal. It is also possible to control so.

Finally, the data transmitter 307 and the data receiver 308 will be described.

The data transmission unit 307 is for transmitting necessary information to the maintenance center server 101.
The information transmitted to the maintenance center server 101 includes the deny IP address, the deny character string, the filtering rule addition time and the filtering rule deletion time, which are held in the filtering rule control unit 306, and the deny characters held by the determination unit 303. There is a column list, operation mode information of the firewall device 102, and the like.

The data receiving unit 308 receives the reject packet identification information (reject character string and reject IP address) transmitted from the maintenance center server 101, passes the reject character string to the judging unit 303, and filters the reject IP address. It is passed to the rule control unit 306.

Since the firewall device 102 has the above-mentioned configuration, it automatically achieves the necessary protection by automatically updating the filtering rule when an unwanted packet is detected. Also, it becomes possible to exchange necessary data with the maintenance center server 101.

Next, details of the maintenance center server 101 will be described.

FIG. 8 is a diagram showing a hardware configuration example of the maintenance center server 101. As shown in the figure,
The maintenance center server 101 includes a CPU 801, a main memory 802, and a hard disk interface unit 8
10, a hard disk device 811, and a network interface unit 806.

The CPU 801, the main memory 802, the hard disk interface unit 810, and the network interface unit 806 are each connected to the bus 808. In addition, the hard disk interface unit 81
A hard disk device 811 is connected to 0.
The network interface unit 806 is connected to an external network (Internet 104).

The CPU 801 is the maintenance center server 1
This is a central processing unit that executes and controls various processes performed by 01. The main memory 802 is a main storage device that stores various programs and data used by the CPU 801. The hard disk drive 811 uses O used by the CPU 801.
It is an auxiliary recording device that stores various programs such as S and other data.

Hard disk interface 810
Controls the exchange of data between the hard disk drive 811 and the bus 808. The network interface unit 806 includes an external network and a bus 80.
It controls the exchange of data with the device 8.

FIG. 9 is a diagram showing a software configuration example of the maintenance center server 101.

As shown in the figure, the maintenance center server 101 includes a data receiving section 901, a recording section 902, a statistical processing section 903, a reject packet identification information database 904, a transmission data selecting section 905, and a data transmission section. Part 9
06 and. Each of the parts 901 to 906 is basically a C
It is realized by the PU 801 executing the program loaded in the main memory 802.

The data receiving unit 901 receives the information sent from each firewall device 102. The information sent from each firewall device 102 includes the current operation mode information of each firewall device 102 and the reject packet information regarding the packet determined to be rejected by each firewall device 102 (held by the filtering rule control unit 306). Information), a refusal character string list currently used by each firewall device 102 (held by the determination unit 303), and the like.

The reject packet information sent from each firewall device 102 is recorded in the recording unit 902. The recording unit 902 includes a plurality of firewall devices 1
The reject packet information sent from 02 is sequentially recorded. The statistical processing unit 903 statistically processes the reject packet information recorded in the recording unit 902 periodically (for example, once a day) to determine reject packet identification information to be shared by the plurality of firewall devices 102. It is stored in the reject packet identification information database 904.

FIG. 10 is a diagram showing a configuration example of the reject packet identification information database 904.

As shown in the figure, this database 904
Is the "category" field 1001 and "data type"
Field 1002 and "Data" field 1003
And a “cause” field 1004.

In the "Category" field 1001, an identifier (for example, 0000 to 9999) for identifying a category is set.
Is stored).

In the "data type" field 1002,
Information indicating the type of data stored in the “data” field 1003 is stored. Specifically, information indicating whether it is a "rejection character string" or a "rejection IP address" is stored.

A "data" field 1003 stores a reject character string or a reject IP address corresponding to the type of data indicated in the "data type" field 1002.

The "cause" field 1004 stores information indicating why the IP address stored in the "data" field is the IP address to be rejected. Specifically, "spam mail"
Is it supposed to be rejected as something related to
Information indicating whether or not to be rejected as being related to the “port scan” is stored.

The transmission data selection section 905 displays "category".
Using the field 1001 and the “cause” field 1004, the reject packet identification information matching the operation mode information sent from each firewall device 102 is read from the reject packet identification information database 904.
Then, if necessary, the read refusal packet identification information is compared with the refusal packet information and the refusal character string list sent from each firewall device 102, and the difference between them, that is, each firewall device 102 has The rejected packet identification information that has not been selected is selected and passed to the data transmission unit 906.

The data transmission unit 906 uses the rejection packet identification information passed from the transmission data selection unit 905, using the transmission source information (transmission source IP address, etc.) passed from the data reception unit 901, to generate the rejection packet information this time. And the like are sent back to the firewall device 102.

The maintenance center server 101 periodically checks whether or not the host having the IP address included in the “data” field 1003 of the reject packet identification information database 904 is operating (existing). If it is determined that the reject packet identification information database 904 is not in operation (existing), the reject packet identification information database 904 is maintained, for example.

Since the maintenance center server 101 has the above-mentioned configuration, each firewall device 1
It is possible to exchange the necessary data with 02.

[0111]

As described in detail above, according to the present invention, it is possible to provide a packet filtering type firewall system which is easy to operate.

[Brief description of drawings]

FIG. 1 is a diagram showing an overall configuration of a firewall system according to the present invention.

FIG. 2 is a diagram showing a hardware configuration example of a firewall device 102.

FIG. 3 is a diagram showing a software configuration example of a firewall device 102.

FIG. 4 is a diagram showing a configuration example of a captured packet recording table.

FIG. 5 is a flowchart showing a flow of determination processing of determination section 303.

FIG. 6 is a flowchart showing a flow of determination processing of determination section 304.

FIG. 7 is a flowchart showing a flow of determination processing of a determination unit 305.

FIG. 8 is a diagram showing a hardware configuration example of a maintenance center server 101.

9 is a diagram showing a software configuration example of the maintenance center server 101. FIG.

FIG. 10: Rejected packet identification information database 904
It is a figure which shows the structural example.

[Explanation of symbols] 101 maintenance center server 102a-102c Firewall device 103a-103c Controlling terminal device 104 Internet 105a-105c Internal network 201 CPU 202 main memory 203 ROM 204 PC card interface 205 Serial interface section 206, 207 Network interface section 208 bus 209 Flash ATA card 301 Packet filtering unit 302 Bucket capture unit 303-305 Judgment unit 306 Filtering rule control unit 307 data transmitter 308 Data receiver 801 CPU 802 main memory 806 Network interface section 808 bus 810 Hard disk interface section 811 hard disk drive 901 Data receiver 902 recording section 903 Statistics processing unit 904 Rejected packet identification information database 905 Transmission data selection unit 906 data transmitter

   ─────────────────────────────────────────────────── ─── Continued front page    F term (reference) 5B089 GA04 GA11 JB16 KA17 KB13                       MC08                 5K030 GA15 HA08 HD08 JA10 KX24                       LC14 LC15 MC07

Claims (13)

[Claims] 1. A firewall system in which a maintenance center server and a plurality of firewall devices are connected via a network, each firewall device filtering packets based on its own filtering rules. At the same time, based on the packet received by itself, it is determined whether the packet should be rejected. If it is determined that the packet should be rejected, the filtering rule is updated so that the packet can be rejected. Deny packet information related to the packet that is determined to be sent is sent to the maintenance center server, and the maintenance center server statistically processes the denied packet information sent from each firewall device, and the denied packet to be shared by multiple firewall devices. Determine the identification information The feature is that the reject packet identification information that should be shared by multiple firewall devices is sent to each firewall device, and each firewall device updates the filtering rule based on the reject packet identification information sent from the maintenance center server. And a firewall system. 2. A firewall system in which a maintenance center server and a plurality of firewall devices are connected via a network, each firewall device transmitting its own operation mode information to the maintenance center server, The server sends the refusal packet identification information matching the operation mode information sent from each firewall device to each firewall device, and each firewall device is based on the refusal packet identification information sent from the maintenance center server. A firewall system which generates a filtering rule and filters packets based on the filtering rule. 3. A packet filtering unit that controls whether or not a packet is allowed to pass based on a filtering rule, a packet capturing unit that captures a packet and extracts necessary information from the captured packet, and the packet. Based on the information extracted by the capturing unit, it is determined whether the captured packet is a packet that should be rejected. If it is determined that the packet should be rejected, it is necessary to generate a filtering rule from the packet. And a rule updating unit that updates the filtering rule based on the information extracted by the determining unit. 4. The determination unit determines whether or not the packet is a packet to be rejected, based on whether or not the packet data includes a predetermined character string. Firewall device described in. 5. The determination unit determines whether or not a predetermined number or more of mail packets are received from the same sender within a predetermined time, and whether or not the packet is a packet related to a transfer mail. The firewall device according to claim 3, wherein it is determined whether or not the packet is a packet to be rejected. 6. The determining unit determines whether or not the packet is a packet to be rejected, based on whether or not the same source has accessed a plurality of predetermined ports within a predetermined time. The firewall device according to claim 3. 7. When updating the filtering rule, the rule updating unit records information necessary for updating the filtering rule, a cause of the updating, and a time when the updating is performed, and records the recording. 7. The firewall device according to claim 3, further comprising a data transmission unit that transmits the data to a maintenance center server via an external network. 8. The rule updating unit, when a filtering rule is added, records the time at which the addition was made, and deletes the added filtering rule after a predetermined time has elapsed from that time. The firewall device according to any one of claims 3 to 6. 9. A data receiving unit for receiving refusal packet identification information sent from a maintenance center server, wherein the rule updating unit updates the filtering rule based on the refusal packet identification information. The firewall device according to any one of claims 3 to 8, which is characterized. 10. A data receiving unit for receiving refusal packet identification information sent from a maintenance center server, wherein the rule updating unit updates the filtering rule based on the refusal packet identification information, The firewall device according to claim 4, wherein the determination unit determines whether or not the packet is a packet to be rejected based on a rejection character string included in the rejection packet identification information. 11. A program for generating a filtering rule for packet filtering, the packet capturing means capturing a packet by a computer, and extracting necessary information from the captured packet, the information being extracted by the packet capturing means. Based on the determination, whether or not the captured packet is a packet to be rejected, and when it is determined to be a packet to be rejected, a determination unit that extracts information necessary to generate a filtering rule from the packet, And a program for functioning as filtering rule generation means for generating the filtering rule based on the information extracted by the determination means. 12. A data receiving section for receiving reject packet information sent from a firewall device, a recording section for recording the reject packet information received, and a statistical processing section for statistically processing the recorded reject packet information. A database for storing rejected packet identification information generated from the statistically processed information, and a data transmission unit for transmitting the rejected packet identification information stored in the database to a firewall device. Maintenance center server. 13. The information sent from the firewall device includes operation mode information of the firewall device, and selects reject packet identification information stored in the database based on the operation mode information. The selection unit to be passed to the data transmission unit is further provided.
Maintenance center server described in.