JP2005175825A - Encrypted packet filtering device, program thereof, and host device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve conveniences for users in an encrypted packet filtering device, and to prevent performance from deteriorating while achieving finer access control. <P>SOLUTION: In the negotiation of the encrypted session between host devices 1 and 2 via a firewall 3 (the encrypted packet filtering device), an SPI for identifying the encrypted session is replaced with the transmission source/destination IP address of a data packet to which the encrypted session is applied, a transmission source/destination port number, and IDs(a host ID, a user ID, and the like) at transmission and reception sides. The firewall 3 monitors the negotiation, and controls passage by the transmission source/destination IP address added to the encrypted packet, a protocol number, and the SPI without decoding the encrypted data packet actually replaced in the encrypted session when the encrypted session is permitted. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention monitors an encrypted packet filtering device that filters encrypted packets exchanged between host devices connected to a communication network, a program thereof, and the contents of negotiations performed to establish an encrypted session. The present invention also relates to a host device connected via a communication network to an encrypted packet filtering device that controls the passage of the encrypted session.

A conventional packet filtering device (for example, a firewall) mainly includes a “source IP address”, a “destination IP address”, and a TCP / UDP (Transmission Control Protocol / User Datagram Protocol) header included in an IP (Internet Protocol) header. In general, access control is performed based on each of the information of “source port” and “destination port” included.
Further, whether or not an IP packet can pass is determined based on five pieces of information of “source IP address”, “destination IP address”, “protocol”, “source port”, and “destination port”.

By the way, when IPsec (IP Security Protocol), which is a standard technology for encrypting IP communication, is used, in order to prevent the third party from knowing the service used by the user in addition to the data portion. The payload portion of the IP packet needs to be encrypted including the TCP / UDP header.
In other words, since the “source port” and “destination port” included in the TCP / UDP header of the IPsec packet are encrypted, the packet filtering device determines what service the user is using. Can not do it. For this reason, the encrypted packet filtering device normally permits only a limited range (such as communication between bases of the same organization) to pass IPsec communication.

Since IPsec is standardly implemented in IPv6 (Internet Protocol version 6), and in addition to the recent high interest in security, communication that requires encryption is increasing between terminals such as IP phones. Interest in using IPsec is increasing. Therefore, there is a need for a technology that restricts the types of packets that are encrypted with IPsec and pass through the packet filtering device according to the security policy of the organization while permitting IPsec communication with the packet filtering device.
Incidentally, as a method for filtering encrypted packets, there is a method in which a packet filtering device decrypts and checks information necessary for filtering encrypted packets (see, for example, Patent Document 1).
JP-A-11-203222 (paragraphs “0008” to “0011”, FIG. 1)

  However, since the decoding process takes time, a delay occurs in the transmission of the data packet, resulting in a decrease in performance. For this reason, it is necessary to take care to prevent additional encryption processing from occurring in the data packet.

The present invention has been made in view of the above circumstances, and monitors the contents of negotiation for establishing an encrypted session and determines whether to permit the encrypted session based on the contents. Therefore, an object of the present invention is to provide an encrypted packet filtering device, a program thereof, and a host device, which can pass an IPsec packet that could not be permitted so far, depending on the contents of the negotiation.
In addition, by performing access control using only the identifier of the encrypted session assigned to the encrypted packet without decrypting the actual data packet, the time required for filtering processing does not affect the communication. Another object of the present invention is to provide an encrypted packet filtering device, a program for the same, and a host device.

  In order to solve the above-described problems, the present invention is an encrypted packet filtering device that performs filtering of encrypted packets exchanged between host devices connected to a communication network, and is performed to establish an encrypted session. The contents of the negotiation between the host devices are monitored to determine whether or not to permit the encryption session, and based on the result, the passage of encrypted packets exchanged in the encryption session between the host devices is controlled. And an encrypted packet filtering means.

According to the present invention, the encrypted packet filtering means monitors the content of the negotiation for establishing the encrypted session between the host devices, determines whether to permit the encrypted session, and determines the content of the negotiation. If there is no problem, the encrypted packet carried in the encrypted session is allowed to pass. Specifically, since an encrypted session identifier is added to the encrypted packet, only the encrypted packet to which the permitted encrypted session identifier is added is controlled to pass.
As a result, IPsec packets that could not be allowed to pass can be passed depending on the contents of the negotiation, and it is possible to improve the convenience of the user and realize fine-grained access control while preventing performance degradation. A packet filtering device can be provided.

  Further, in the present invention, the encrypted packet filtering means receives a negotiation request from the transmission source host device, and returns an encrypted packet filtering device presence message to the transmission source host device. A discovery response unit, a terminal authentication unit that performs mutual authentication between the transmission source host device, and a filter management unit that permits passage of a negotiation message of the transmission source host device when the authentication is successful. A negotiation encryption session construction unit that establishes a negotiation encryption session with the adjacent host device or other encrypted packet filtering device, and negotiation between the host devices using the established negotiation encryption session. Supervise content A negotiation content determination unit that determines whether or not to permit the encrypted session based on an access policy, and an encryption that allows passage of encrypted packets exchanged between the host devices through the permitted encrypted session. And a protocol filtering unit.

In the present invention, whether the negotiation content determination unit permits an encryption session based on one or more pieces of information among the address information, port number information, host identification information, or user identification information of the negotiated host device. The encryption protocol filtering unit exchanges the identifier of the encrypted session attached to the encrypted packet exchanged in the encrypted session in the negotiation of the encrypted session permitted by the negotiation message monitoring unit. Determining whether the encrypted packet is allowed to pass or not based on whether or not the encrypted session identifier matches.
It is characterized by that.

  In order to solve the above-described problems, the present invention monitors encrypted contents performed to establish an encrypted session and controls the passage of encrypted packets exchanged in the encrypted session. A negotiation request message transmission unit that transmits a negotiation request message to another host device that wants to establish an encrypted session, and the encrypted packet filtering device or the other A reply packet receiving unit that receives a reply packet from the host device, and when the reply packet received by the reply packet receiving unit is a message from the encrypted packet filtering device, Negosi A negotiation encryption session construction unit for constructing an encryption session for negotiation, and when the reply packet received by the reply packet reception unit is a negotiation request response message, A negotiation unit that performs negotiation with another host device, and an encryption communication unit that performs encrypted communication with the other host device according to the contents of the negotiation when the negotiation is successful. Features.

  According to the present invention, as a result of transmitting the negotiation request message, the presence of the encrypted packet filtering device existing between the host devices is automatically found by checking the reply packet transmitted from the encrypted packet filtering device, Construct an encrypted session for negotiation. Then, when negotiation using the negotiation encryption session is successful, encrypted communication between the host devices according to the contents of the negotiation becomes possible.

  In order to solve the above-described problems, the present invention is a program used for an encrypted packet filtering device for filtering encrypted packets exchanged between host devices connected to a communication network, and establishes an encrypted session. The encrypted packet exchanged in the encrypted session between the host devices based on the result of monitoring the contents of the negotiation between the host devices to determine whether to permit the encrypted session And a process for controlling the passage of the computer.

  According to the present invention, the use port number of the IP packet that is encrypted and exchanged in the encryption session between the host devices via the encryption packet filtering device is negotiated in advance, and this use port number is encrypted in the encrypted packet filtering device. Thus, encrypted packets can be appropriately filtered. For this reason, IPsec packets that could not be allowed to pass can be passed through the encrypted packet filtering device depending on the contents of the negotiation, and the convenience of the user in the encrypted packet filtering device is improved. . Furthermore, since the encrypted packet filtering device confirms the port number at the time of negotiation, there is no need to decrypt the encrypted packet in the encrypted session, and access control can be performed using only the session identifier assigned to the encrypted packet. Therefore, the filtering process of the encrypted packet filtering device does not affect the communication speed.

  Further, according to the present invention, in the negotiation of the encrypted session, in addition to the transmission source / destination IP address and the transmission source / destination port number of the packet carried in the encryption session, the IDs of the transmission side and the reception side (host ID, user By exchanging ID, etc., access control finer than that of a conventional encrypted packet filtering device can be performed based on such information.

Hereinafter, an embodiment of an encrypted packet filtering apparatus according to the present invention will be described in detail with reference to the drawings.
FIG. 1 is a diagram cited for explaining the communication connection environment of the encrypted packet filtering apparatus of the present invention. In FIG. 1, reference numeral 1 (2) denotes a host device prepared as an initiator or a responder. Here, a mobile terminal is illustrated, and is connected to the server 4 via a communication network such as the Internet 5 and the firewall 3 on which the encrypted packet filtering device of the present invention is mounted. An outline of the operation is as follows.

  When the mobile terminal 1 remotely accesses the server 4 of the information center, the mobile terminal 1 discovers the presence of the firewall 3 from the reply of the firewall 3 to the negotiation request to the server 4. Then, user authentication is performed in the firewall 3. If authenticated, mutual authentication between the end of the mobile terminal 1 and the server 4 by the key exchange protocol (IKE: Internet Key Exchange) and negotiation of IPsec parameters are performed. At this time, the firewall 3 checks the contents of the IKE negotiation (port number, user ID, etc.), and if the contents can be passed, the SPI (Security Parameter Index) value assigned to the IP packet is internally stored. Record. Here, the SPI is a 32-bit attached to an IPsec packet to identify SA (Security Association: a relationship in which information such as authentication and encryption algorithm used is shared between hosts performing security communication). It is an identifier and is used as an identifier (session ID) of an encrypted session. When IPsec communication between the mobile terminal 1 and the server 4 is performed, the firewall 3 filters the IPsec packet by any one of the source and destination IP addresses, the protocol number, and the SPI value, or any combination thereof. I do. The firewall 3 notifies the mobile terminal 1 and the server 4 of the fact that the content of the IKE negotiation is not permitted to pass.

  FIG. 10 shows a format of an IPsec encrypted packet using ESP (Encapsulating Security Payload). IPsec has ESP and AH (Authentication Header) security protocol types. ESP is a security protocol that provides IP packet encryption and message authentication functions, and AH is a security protocol that provides IP packet message authentication functions. As shown in FIG. 10, an IPsec encrypted packet using ESP is composed of the IP header of the IPSec packet, the ESP header, the TCP / UDP header and payload (data portion) of the original IP packet, and ESP authentication data. . Each ESP header includes a 32-bit SPI field and a sequence number field. Then, the TCP / UDP header and payload of the original IP packet become the encryption range.

In addition, the functions provided by IKE include Phase 1 and Phase 2. The functions provided in phase 1 are negotiation of parameters used in IKE SA (encryption session for encrypting the negotiation content), setup of encryption keys used in IKA SA, and partner authentication. Also, the functions provided in phase 2 are the negotiation of parameters used in IPsec SA (encrypted session for encrypting data with IPsec) and the setup of encryption keys used in IPsec. The SA is unidirectional, and two SAs are required when performing bidirectional communication. The SA is identified by three pieces of information: an end point IP address, a security protocol type (AH or ESP), and an SPI.
In phase 1 of the IKE, first, an IKE SA parameter proposal is transmitted from the initiator to the responder, and the IKE SA parameter selection is returned from the responder. Subsequently, key information used in the IKA SA is exchanged between the initiator and the responder. Furthermore, the initiator and the responder encrypt and exchange data contents such as their own ID (initiator IDii, responder IDir) and authentication information (signature, certificate) with the key generated from the exchanged key information. In IDii and IDir, mutual IDs such as a host name (FQDN: Fully-Qualified Domain Name) and a user name (USER_FQDN) are exchanged.
In IKE phase 2, first, the initiator encrypts the data content such as the IPsec SA proposal and its own key information used in IPsec using the key generated in phase 1 and transmits it. The responder encrypts the data contents such as its own key information used in IPsec by selecting the IPSec SA parameter and returns it after encrypting it. At this time, the IP address and port number of the IP packet to which IPsec is applied are also designated (initiator IDci, responder IDcr).
The format of IDii (IDir) and IDci (IDcr) exchanged in phase 1 and phase 2 is also shown in FIG.

FIG. 2 is a diagram cited for explaining the connection sequence of the encrypted packet filtering apparatus shown in FIG.
In FIG. 2, one of the mobile terminals 1 (2) shown in FIG. 1 is the host device 1 (initiator) and the other is the host device 2 (responder), and the encrypted packet filtering device that mediates the data communication between them is a firewall (FW). ) 3. An outline of the flow of the connection sequence will be described below with reference to FIG.

When the host apparatus 1 transmits an encryption session establishment request packet (negotiation request message) to the host apparatus 2, the following connection sequence is started.
At this time, the firewall 3 serving as a communication path detects the encrypted session establishment request packet and returns it to the host device 1 (message with FW). As a result, the host device 1 can detect the presence of the firewall 3. Then, the host device 1 performs partner authentication with the firewall 3 (IKE phase 1). If the partner authentication is successful, the firewall 3 is set to allow the negotiation packet from the host device 1 to pass (S21: discovery / authentication of FW).

Next, the host apparatus 1 establishes (IKE phase 1) an encryption session (negotiation encryption session) for negotiating an encryption session with the firewall 3 using IKE or the like (S22). : Construction of an encryption session for negotiation). The host device 1 again sends an encryption session establishment request packet (negotiation request message) to the host device 2. At this time, if there is another (second) firewall 3 in the communication path with the host device 2, the S21 described above between the host device 1 and the second firewall 3 is also the first and second. The sequence of S22 is repeated with the third firewall 3 (S23, S24).
Subsequently, the host device 1 again sends an encryption session establishment request packet (negotiation request message) to the host device 2. Here, since both firewalls 3 are allowed to pass negotiation packets from the host device 1, they reach the host device 2. Then, the host device 2 returns a response (negotiation request response message) to the encryption session establishment request packet to the host device 1, and performs partner authentication in the same manner as in S21 described above. Further, a negotiation encryption session is established between the second firewall 3 and the host device 2 in the same manner as S22 described above (S25: discovery / authentication of FW, S26: construction of encryption session). In this way, an encryption session for negotiation is set up between adjacent hosts or firewalls.

Next, the host device 1 communicates with the host device 2 through the already established encrypted session for negotiation (the host device 1-1, the first firewall 3, between the firewalls 3, and the second firewall 3-the host device 2). IKE negotiations are performed between them.
At this time, normally, the contents of the negotiation (source / destination IP address, source / destination port number, etc. of the packet carried in the encryption session) are encrypted so that the contents of the negotiation are not known to a third party. However, according to the present invention, since the entire negotiation is automatically encrypted on the network by the already established encryption session for negotiation, the data content of the negotiation itself is encrypted. Send it without converting. That is, the contents of the negotiation are as follows: between the host device 1 and the first firewall 3, between the first and second firewalls 3, and between the second firewall 3 and the host device 2, the adjacent host devices 1, 2 or firewall 3. Encrypt the negotiation using the encryption session for negotiation set up between the two. As a result, the contents of the negotiation are encrypted on the communication path, but are decrypted on the firewall 3, so that the contents of the negotiation can be confirmed on the firewall 3 (S27, S28 unencrypted phase). 1, 2).
Note that the source / destination IP address and source / destination port number of an IP packet carried by IPsec SA are described in the ID payload in IKE version 1.

The firewall 3 confirms the details of the negotiation of the encryption session (checks the source / destination address, source / destination port number, session identifier, etc. used in the encryption session) and does not allow the content of the negotiation to be permitted by the firewall 3 If it is, the subsequent communication between the host devices 1 and 2 is blocked. Alternatively, the host device 1 and 2 are notified of the content permitted to pass, and the negotiation is resumed.
On the other hand, if the content of the negotiation is permitted by the firewall 3, the session identifier (SPI) used in the encrypted session and the valid period of the encrypted session are recorded and exchanged between the hosts. The encrypted packet to which the identifier is added is allowed to pass during the valid period, and encrypted communication by IPsec SA is performed (S29, S30: IPsec SA encrypted communication).

The conventional firewall 3 cannot determine what service is being used because the port number of the original IP packet to which IPsec is applied is encrypted. However, according to the present invention, the encrypted packet can be appropriately filtered by the firewall 3 from the use port number negotiated in advance. For this reason, an IPsec packet that could not be allowed to pass can be passed through the firewall 3 depending on the contents of the negotiation, and the convenience of the user in the firewall 3 is improved.
Further, in the negotiation of the encryption session, in addition to the source / destination IP address and the source / destination port number of the packet carried in the encryption session, IDs (host ID, user ID, etc.) of the transmission side and the reception side Since they are exchanged, it is possible to control access more finely than the conventional firewall based on such information. Furthermore, in the firewall of the present invention, it is not necessary to decrypt the actual data packet in order to confirm the port number, and it is possible to perform access control only with the session identifier (SPI) given to the encrypted packet. Therefore, the time required for the filtering process of the firewall 3 does not affect the communication.

FIG. 3 shows the internal configuration of the host device 1 and FIG. 4 shows the internal configuration of the firewall 3 (encrypted packet filtering device) with the functions expanded.
As shown in FIG. 3, the host device 1 includes a negotiation request message transmission unit 11, a reply packet reception unit 12, a FW discovery unit 13, a FW authentication unit 14, a negotiation encrypted session construction unit 15, It comprises a negotiation unit 16 and an encrypted communication unit 17.

The negotiation request message transmission unit 11 has a function of transmitting a negotiation request message to the host device 2 that wants to establish an encrypted session, and the reply packet reception unit 12 receives a reply packet from the firewall 3 or the host device 2. Has function. The FW discovery unit 13 can detect the presence of the firewall 3 on the communication path by receiving a reply (a message with FW) from the firewall 3.
When the reply packet received by the reply packet receiver 12 is a message with FW from the firewall 3, the FW authenticator 14 performs mutual authentication with the firewall 3 based on the address of the firewall 3 included in the message. With the ability to do. The negotiation encryption session construction unit 15 has a function of constructing a negotiation encryption session with the firewall 3 when the FW authentication unit 14 succeeds in mutual authentication.

  Further, the negotiation unit 16 confirms the existence of a firewall between the host apparatuses 1 and 2 when the reply packet received by the reply packet receiver 12 is a negotiation request reply message. It has the function of continuing to execute negotiations for encrypting data contents when they exist, without encryption of data contents using. The encrypted communication unit 17 has a function of performing encrypted communication by IPsec according to the contents of the negotiation when the negotiation by the negotiation unit 16 is successful.

On the other hand, as shown in FIG. 4, the firewall 3 includes a FW discovery response unit 31, a host authentication unit 32, a filter management unit 33, a negotiation message monitoring unit 34, a negotiation encrypted session construction unit 35, The negotiation content determination unit 36, the encryption protocol filtering unit 37, and the access policy DB 38 are included.
It should be noted that a negotiation response message is returned to the host device 1 as a transmission source, and a negotiation unit that negotiates with the host device 1 and encryption that performs encrypted communication according to the contents of the negotiation when the negotiation is successful The communication unit is not shown. The negotiation unit and the encrypted communication unit have the same functions except that the communication partner is different from that shown in FIG.
Note that the firewall 3 shown here monitors the contents of the negotiation between the host devices 1 and 2 performed to establish an encrypted session, determines whether or not to allow the passage of the encrypted session, Only functional blocks that operate as encrypted packet filtering means for controlling the passage of encrypted packets exchanged in an encrypted session based on the result are extracted and shown.

The FW discovery response unit 31 has a function of receiving a negotiation request message from the host device 1 as a transmission source and transmitting a FW presence message including its own address to the host device 1. 1 has a function of receiving an authentication request from 1 and performing mutual authentication.
In addition, when the authentication by the host authentication unit 32 is successful, the filter management unit 33 permits passage of the negotiation message and the response message transmitted from the host device 1 based on the access policy stored in the access policy DB 38. Has function. The access policy can be set by one or any combination of information such as a source / destination IP address, a source / destination port number, a host ID, and a user ID.

On the other hand, the negotiation message monitoring unit 34 has a function of acquiring the address of the host device 2 that is the transmission source or other firewall 3 when the negotiation request response message or the message with FW passes, and the negotiation encrypted session construction unit 35 Based on this address, it has a function of constructing an encryption session for negotiation with the host device 2 or other firewall 3 as a transmission source.
Also, the negotiation content determination unit 36 checks the parameters of the negotiation using the encryption session for negotiation, compares it with the access policy registered in the access policy DB 38 in advance, and determines whether the communication is permitted between the ends. Has a function to determine whether or not. If it is determined that passage is permitted, the encryption protocol filtering unit 37 is notified of the source IP address, destination IP address, security protocol type, SPI, and the like of the encrypted packet that is permitted to pass. Further, the filter management unit 33 has a function of returning the setting so as not to allow the negotiation protocol that has been allowed to pass. The encryption protocol filtering unit 37 has a function of permitting the passage of the encrypted packet based on the condition notified from the negotiation content determination unit 36.
The host device 2 has the same functions as the FW discovery response unit 31, the negotiation message monitoring unit 34, the negotiation unit, and the encrypted communication unit of the firewall 3.

FIG. 5 is a flowchart cited for explaining the operation of the host device 1 shown in FIG.
The operation of the host device 1 shown in FIG. 3 will be described in detail below with reference to the flowchart shown in FIG.
First, the host device 1 activates the negotiation request message transmission unit 11 and transmits a negotiation request message (the first packet of IKE) to the other party who wants to establish an encrypted session (S501). On the other hand, when there is a reply from the firewall 3 present on the communication path or the host device 2 as the communication partner, the reply packet receiving unit 12 receives the FW presence message or the negotiation request reply message (S502).

Here, if the message is a reply message from the firewall 3 (message with FW) (Yes in S503), the FW discovery unit 13 detects the intervention of the firewall 3, and the firewall included in the message with FW with respect to the FW authentication unit 14 3 is notified and the mutual authentication process by the FW authentication unit 14 is started.
After the mutual authentication with the firewall 3 by the FW authentication unit 14 (S504), if the authentication is successful (S505 Yes), it is checked whether the firewall 3 has already been discovered (S506). The encrypted encryption session construction unit 15 is activated to notify the address of the firewall 3, and the negotiation encrypted session is constructed.
If the firewall 3 has already been found, the process returns to the firewall discovery process.

On the other hand, if it is confirmed in the processing of S503 that the reply partner is not the firewall 3 but the host device 2 of the communication partner, the processing is transferred to the negotiation unit 16, and whether the firewall 3 is interposed in the negotiation unit 16 or not. It is checked whether or not (S507), and if it exists (S507Yse), the negotiation is continued without encrypting the data contents (S508). Here, the encryption is automatically performed in the encryption session for negotiation established with the firewall 3.
If there is no firewall 3 in between (No in S507), the normal data content is subsequently encrypted (S509). If the negotiation is successful (S510 Yes), the encrypted communication unit 17 performs the negotiation. Encrypted communication according to the contents.

6 is a flowchart of the firewall 3 or the host device 2, and FIGS. 7 to 9 are flowcharts cited for explaining the operation of the firewall 3. In addition, part of the processing procedure of the encrypted packet filtering program of the present invention is also shown.
The operation of the encryption protocol filtering device (firewall 3) of the present invention shown in FIG. 4 will be described in detail below with reference to the flowcharts shown in FIGS.

In the flowchart shown in FIG. 6, first, the FW discovery response unit 31 of the firewall 3 receives a negotiation request message from the host device 1 (S601), determines whether the received packet is addressed to itself (S602), If it is addressed, it further checks whether it has a negotiation function and an encrypted communication function (S603).
Here, if it is a packet addressed to itself and it has a negotiation function and an encrypted communication function, it starts a negotiation unit (not shown) and sends a negotiation request response message to the host device 1 of the transmission source. A reply is made and the negotiation is continued (S604). Here, when the negotiation is successful (S605 Yes), encrypted communication according to the contents of the negotiation is performed by an encrypted communication unit (not shown).

If the packet is not addressed to itself in the check in S602, a message with FW including its own address is transmitted (S606). If it is determined in S603 that the device itself does not have a negotiation function or an encrypted communication function, an error message is transmitted to both host apparatuses 1 and communication is interrupted.
Further, although the above-described operation has been described as being executed by the firewall 3, it may be performed by the host device 2 that is the communication partner.

Next, in the flowchart shown in FIG. 7, the firewall 3 receives an authentication request from the host device 1 by the host authentication unit 32 (S701), and performs mutual authentication such as IKE phase 1 with the host device 1 ( S702).
If the authentication is successful (S703 Yes), the host authentication unit 32 requests the filter management unit 33 to allow the access message to allow the negotiation message and the response message transmitted from the authenticated host device 1 to pass. . Upon receiving the request, the filter management unit 33 permits the access of the negotiation message and the response message transmitted from the authenticated host device 1 using the access policy (S704).

FIG. 8 and FIG. 9 show details of the filtering process in the firewall 3.
First, in the flowchart shown in FIG. 8, when the negotiation request response message or the FW presence message passes through the firewall 3 (S801), the negotiation message monitoring unit 34 determines whether the passed message is the negotiation request response message or the FW presence message. Is checked (S802).
If the message is a negotiation request response message, the negotiation message monitoring unit 34 acquires the transmission source IP address of the negotiation request response message (S803), and has already received a message with FW for the transmission source IP address. It is checked whether or not (S804). If the result is NO, the obtained encrypted address is notified to the negotiation encrypted session construction unit 35 and a construction request for the encrypted session is made. As a result, the negotiation encryption session construction unit 35 that has received the request establishes the negotiation encryption session based on the received address, and performs the operation shown in FIG. 9 (S805). In S804, if a message with FW for the source IP address has already been received, the operation shown in FIG. 9 is performed as it is.

  On the other hand, when a message with FW is received in the check of S802, the negotiation message monitoring unit 34 acquires the IP address of the firewall 3 included in the message with FW (S806), and already has FW for the source IP address. It is checked whether or not a message has been received (S807). If the answer is NO, the negotiation encryption session construction unit 35 is activated to construct a negotiation encryption session with the firewall 3 that has transmitted the message with FW, and the process ends (S808). If it is determined in S807 that a message with FW for the transmission source IP address has already been received, the process ends.

Subsequently, in the flowchart illustrated in FIG. 9, the negotiation content determination unit 36 monitors the negotiation passing through the negotiation encryption session, and transmits the transmission source / destination IP address, transmission source / address of the negotiation packet that passes through the encryption session. The destination port number, both-end ID (user ID or host ID) for constructing the encrypted session, the session ID (SPI) of the encrypted session, and the expiration date of the encrypted session are acquired. Then, the source / destination IP address, the source / destination port number of the packet to be negotiated, the both-end ID (user ID or host ID) for constructing the encryption session are checked, and the access policy registered in the access policy DB 38 (S809). If it is not permitted by the access policy (No in S810), an error notification is sent to both host apparatuses 1 and 2. On the other hand, if it is confirmed that the access policy permits (S810 Yes), the security protocol applied to the IPsec protocol established between the host devices 1 and 2 indicated by the negotiation content is sent to the encryption protocol filtering unit 37. Protocol number, source / destination IP address, SPI value, and expiration date are notified (S811).
In addition, the encryption protocol filtering unit 37 checks the expiration date (S812). If it is within the expiration date, the encrypted protocol packet of the IPsec communication having the notified protocol number, source / destination IP address, and SPI value is sent. Passing is permitted (S813), and if it has expired, if it has the notified protocol number, source / destination IP address, and SPI value, it is rejected (S814).

  The negotiation content determination unit 36 notifies the encryption protocol filtering unit 37 of the protocol number, the source / destination IP address, the SPI value, and the expiration date of the encryption protocol. After the negotiation is completed, the negotiation content determination unit 36 notifies the filter management unit 33. Request that the negotiation protocol pass permission setting be restored. Receiving this, the filter management unit 33 updates the access policy DB 38 so as to restore the negotiation protocol pass permission setting (S815).

As described above, the present invention monitors the contents of the negotiation for establishing an encrypted session, and determines whether to allow the passage of the encrypted session based on the contents. IPsec packets that could not be allowed to pass can be allowed to pass depending on the contents of the negotiation, which improves user convenience and prevents performance degradation while realizing fine access control. .
In the conventional firewall 3, since the port number of the original packet to which IPsec is applied is encrypted, it is impossible to determine what service is being used. Therefore, it becomes possible to appropriately filter the encrypted packet from the use port number negotiated in advance, so that the IPsec packet that could not be allowed to pass through the firewall 3 depending on the content of the negotiation. Will be able to. Further, in the negotiation of the encryption session, the IDs (host ID, user ID, etc.) of the transmission side and the reception side are also provided in addition to the transmission source / destination IP address and transmission source / destination port number of the packet carried in the encryption session. Since they are exchanged, it is possible to control access more finely than the conventional firewall based on such information. In addition, according to the present invention, there is no need to decrypt the actual data packet in order to confirm the port number, and the source / destination IP address, protocol number, and encrypted packet of the encrypted packet are assigned to the encrypted packet. Since access control can be performed only with the session identifier (SPI), the time required for the filtering process of the firewall 3 does not affect the communication.

  The procedure executed by each of the host device 1, the host device 2 and the firewall 3 shown in FIG. 3 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is stored in the computer. The encrypted packet filtering apparatus of the present invention can be realized by being read and executed by the system. The computer system here includes an OS and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes design and the like within the scope not departing from the gist of the present invention.

It is the figure quoted in order to demonstrate the communication connection environment of the encryption packet filtering apparatus of this invention. It is the figure quoted in order to demonstrate the connection sequence of the encryption packet filtering apparatus shown in FIG. It is the block diagram which expanded and showed the function of the internal structure of the host apparatus used by this invention embodiment. It is the block diagram which expanded and showed the internal structure of the firewall used by embodiment of this invention. It is a flowchart which shows operation | movement of the host apparatus used by this invention embodiment. It is a flowchart which shows operation | movement of the firewall used by embodiment of this invention. It is a flowchart which shows operation | movement of the firewall used by embodiment of this invention. It is a flowchart which shows operation | movement of the firewall used by embodiment of this invention. It is a flowchart which shows operation | movement of the firewall used by embodiment of this invention. It is a figure which shows an example of the format of the encryption packet to which IPsec was applied.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 (2) ... Host apparatus (mobile terminal), 3 ... Firewall (encryption packet filtering apparatus), 4 ... Server, 5 ... Internet, 11 ... Negotiation request message transmission part, 12 ... Reply packet reception part, 13 ... FW discovery , 14 ... FW (Fire War) authentication unit, 15 ... Negotiation encrypted session construction unit, 16 ... Negotiation unit, 17 ... Encrypted communication unit, 31 ... FW discovery response unit, 32 ... Host authentication unit, 33 ... Filter Management unit 34 ... Negotiation message monitoring unit 35 ... Negotiation encrypted session construction unit 36 ... Negotiation content determination unit 37 ... Encryption protocol filtering unit 38 ... Access policy DB

Claims (5)

An encrypted packet filtering device that performs filtering of encrypted packets exchanged between host devices connected to a communication network,
The contents of the negotiation between the host devices performed to establish an encrypted session are monitored to determine whether to allow the encrypted session, and based on the result, exchange is performed in the encrypted session between the host devices. Encrypted packet filtering means for controlling the passage of encrypted packets to be transmitted,
An encrypted packet filtering device comprising: The encrypted packet filtering means includes:
An encrypted packet filtering device discovery response unit that receives a negotiation request from the host device of the transmission source and returns an encrypted packet filtering device presence message to the host device of the transmission source;
A terminal authentication unit that performs mutual authentication with the host device of the transmission source;
A filter management unit that, when the authentication is successful, allows the transmission of the negotiation message of the host device of the transmission source;
A negotiated encrypted session constructing unit for constructing a negotiated encrypted session with the adjacent host device or other encrypted packet filtering device;
A negotiation content determination unit that monitors the content of the negotiation between the host devices using the encrypted encryption session for negotiation and determines whether or not to permit the encrypted session based on an access policy;
An encryption protocol filtering unit that allows passage of encrypted packets exchanged between the host devices through an allowed encryption session;
The encrypted packet filtering apparatus according to claim 1, further comprising: The negotiation content determination unit determines whether to permit an encryption session based on one or more pieces of information among address information, port number information, host identification information, or user identification information of the host device to be negotiated,
The encryption protocol filtering unit is configured such that an encrypted session identifier assigned to an encrypted packet exchanged in an encrypted session is an encrypted session exchanged in an encrypted session negotiation permitted by the negotiation message monitoring unit. Determining whether the encrypted packet is allowed to pass or not based on whether the identifier matches the identifier;
The encrypted packet filtering apparatus according to claim 2, wherein: A host device connected via a communication network to an encrypted packet filtering device that monitors the contents of a negotiation performed to establish an encrypted session and controls the passage of encrypted packets exchanged in the encrypted session. There,
A negotiation request message transmission unit that transmits a negotiation request message to another host device that wants to establish an encrypted session;
A reply packet receiving unit for receiving a reply packet from the encrypted packet filtering device or the other host device;
Negotiated encryption session constructing unit for constructing a negotiated encrypted session with the encrypted packet filtering device when the reply packet received by the reply packet receiving unit is a message from the encrypted packet filtering device When,
When the reply packet received by the reply packet receiving unit is a negotiation request reply message, a negotiation unit that performs negotiation with the other host device using the constructed encryption session for negotiation,
An encrypted communication unit that performs encrypted communication with the other host device according to the content of the negotiation when the negotiation is successful;
A host device comprising: A program used for an encrypted packet filtering device for filtering encrypted packets exchanged between host devices connected to a communication network,
The contents of the negotiation between the host devices performed to establish an encrypted session are monitored to determine whether to allow the encrypted session, and based on the result, exchange is performed in the encrypted session between the host devices. Process that controls the passage of encrypted packets,
Encrypted packet filtering program that causes a computer to execute.

Images