JP2011124797A - Network system, network apparatus, communication control method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform communication control so as to prohibit a PC which is not safe from accessing resources or areas which should be protected even while assuring an access route for collaterizing security of the PC. <P>SOLUTION: To the network system, a DHCP server, first network apparatus, second network apparatus to which a DHCP address which is not communicable with the first network apparatus is lent, and a router which lends a stateless address are connected, the first network apparatus determines whether a reception packet is in communication in the same link as that of self-apparatus from a transmission source address of the reception packet and a stateless or link local address of the self-apparatus, prohibits reception of the reception packet which is determined as the communication in the same link, the second network apparatus determines whether the transmission source address is a fixed address from the transmission source address of a transmission packet and the link local, stateless and DHCP addresses of the self-apparatus, and prohibits transmission of the transmission packet which is determined as the fixed address. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to the fields of network systems, network devices, communication control methods, and programs.

  Generally, a firewall is installed at the boundary between an in-house (intra-company) network and an external network such as the Internet, and the internal network cannot be easily accessed from the outside. In addition to such external access restrictions, there are many cases where certain security measures are taken based on the security policy of each company, even for access from the inside of the corporate network. It is common to take countermeasures against malicious unauthorized access from the inside.

  In recent years, the following cases have also become a problem. For example, there is a case where a personal computer (hereinafter referred to as a PC) infected with a virus or a worm is brought into the internal network without the knowledge of the employee who is permitted to connect to the internal network. Even if a PC is permitted to be connected, if a PC with a low security level is connected, in some cases, the PC becomes an infection source and affects the safety of the entire in-house network. This is because the PC terminal does not have a firewall installed, the latest update program has not been applied even if the firewall is installed, and it is not possible to manage it in the first place (for example, a notebook PC of an outsider) It is possible that there is.

  In recent years, therefore, NAP (Network Access Protection) has become known. NAP is a protocol that realizes the quarantine network mechanism, and implements a platform that checks the state of a PC and complies with predetermined requirements before a computer device accesses or communicates with the network. .

  For example, all PCs trying to access the network are connected to a special network area (for example, an inspection network) prepared for confirming the security status. This inspection network is logically separated from the in-house network. First, the PC confirms whether or not the state of the PC matches the security policy in the inspection network. Specifically, whether a personal firewall (software) is installed, whether the pattern file for detection is the latest, whether prohibited software is installed, and the latest OS patch (patch) is applied. It is confirmed whether or not Only PCs that pass the inspection can switch the connection and use the in-house network.

  On the other hand, for a PC that has been determined to have a problem, for example, after taking measures such as applying the latest correction program or updating the pattern file as necessary, whether or not the state of the PC meets the security policy again. Once confirmed, connection to the corporate network can be allowed.

  Here, the NAP can force the network to comply with the security policy while restricting the communication of the PC. However, there is no strict definition of a quarantine network, so there are various ways to actually achieve this. For example, in NAP, mechanisms such as 802.1x, IPsec (Security Architecture for Internet Protocol), VPN (Virtual Private Network), DHCP (Dynamic Host Configuration Protocol), etc. are prepared. A method of distributing connection destinations using a LAN switch, a method of switching connection destinations according to a personal firewall policy installed on a client, a method of changing an IP address distributed by a DHCP server to a PC, a method of distributing connection destinations by a gateway, Etc. are exemplified (see, for example, Patent Document 1).

In this specification, a NAP mechanism using DHCP is particularly taken up, and a quarantine network realization method using NAP DHCP is examined. This is a method of changing the IP address distributed to the PC by the DHCP server in accordance with the state (inspection result) of the PC. In this method, the operation of NAP DHCP is generally as follows.
(1) When the PC is connected to the inspection network, the PC makes an IP address acquisition request to the NAP-compatible DHCP server. Here, the IP address acquisition request packet includes information used to determine whether the PC is a safe device based on the NAP. The information used for determining whether or not the device is safe is, for example, information such as whether the above-described personal firewall is installed, the detection pattern file is the latest, or the like.
(2) The NAP-compatible DHCP server receives the above-mentioned IP address acquisition request packet, and checks the so-called security of the PC (for example, whether or not the firewall is installed). If there is no problem with the security of the PC, complete and valid address information (eg, address, subnet mask, gateway, DNS, etc.) is lent to the PC and connected to the in-house network.
(3) On the other hand, when there is a problem with the safety of the PC, the NAP-compatible DHCP server forcibly lends the limited address information to the PC. The address information lent here is an IP address and subnet mask that cannot be connected to the in-house network, unlike the address information lent when there is no problem with the PC.

  According to the above NAP DHCP operation, if there is a problem with the security of the PC as in (3), if the PC is forcibly configured with restricted address information, the PC Access to protected resources and areas is disabled.

  However, since a PC with security problems is determined not to be a secure device by a NAP-compatible DHCP server, access to an in-house network should be prohibited. The road to remediation servers and access to the Internet needs to be open so that it can be secured.

  In the quarantine network implementation method using NAP DHCP described above, a PC with security problems is only lent with an IP address that cannot be logically accessed in a restricted area such as an in-house network. The access route for securing was not considered much. For example, if an IP address such as 192.168.1.1//32 is lent to a PC having a safety problem, the PC cannot communicate with other devices.

  On the other hand, if you use a manually set fixed address or a stateless address assigned by a router for the purpose of securing access routes to ensure the safety of your PC, you can secure the access route, but this time, There is a problem that it is easy to access restricted areas such as an in-house network that should not be accessed.

  In other words, when realizing a quarantine network based on NAP DHCP, the network administrator assumes a DHCP address as an address to be lent to a connected PC, and designs and constructs a network consisting of restricted / unrestricted areas. is doing. However, if the connected PC uses an unexpected address (address other than DHCP) for the purpose of securing an access route for ensuring the safety of the PC, it can access an area that should not be accessed originally. There was a problem that unexpected situations would occur in network management. For this reason, if a PC with security problems can access a protected restricted area such as an in-house network, the PC becomes a source of virus infection and affects the safety of the entire in-house network. In other words, there is a possibility of spreading information such as confidential information.

  In addition, even if the network administrator intends to use a stateless address assigned by the router, for example, for the purpose of securing an access route for ensuring the safety of the PC, the original access is still possible. There is a problem that a restricted area such as an in-house network should not be easily accessed.

  Therefore, in the present invention, in view of the above problems, in order to ensure the effectiveness of NAP DHCP in the quarantine network, an access route for ensuring the safety of the PC is secured for the insecure PC. However, an object of the present invention is to provide a network system, a network device, a communication control method, and a program for performing communication control so as to prohibit access to resources and areas to be protected.

  In order to solve the above-mentioned problems, the network system according to the present invention lends a DHCP server, a first network device in a limited area, and a DHCP address that cannot communicate with the first network device from the DHCP server. A network system in which a second network device in an unrestricted area, a first network device, and a router that lends a stateless address to the second network device are connected via a network in the same link, The first network device has the same received packet as the own device from the receiving means for receiving the received packet, the source address of the received packet received by the receiving means, and the stateless address or link local address of the own device. Reception determination to determine whether communication is from within the link And a reception control unit for prohibiting reception of a received packet determined by the reception determination unit as communication from within the same link as the own device, wherein the second network device transmits a transmission packet. Transmission determination that determines whether the transmission source address is a fixed address by manual setting from the transmission source address of the transmission packet transmitted by the transmission unit and the link local address, stateless address, and DHCP address of the own device And transmission control means for prohibiting transmission of a transmission packet whose source address is determined to be the fixed address by the transmission determination means.

  In order to solve the above-described problem, a network device according to the present invention is connected to a DHCP server, a first network device, a router that lends a stateless address to the network device, and a network in the same link. A DHCP device that is lent from the DHCP server, a DHCP device that is able to communicate with a network device or a DHCP address that is unable to communicate with the first network device; A reception determination unit that determines whether or not the received packet is communication from within the same link as the own device, based on the source address of the received packet received by the receiving unit and the stateless address or link local address of the own device; From the same link as the own device A reception control unit that prohibits reception of a received packet determined to be a transmission, a transmission unit that transmits a transmission packet, a transmission source address of a transmission packet transmitted by the transmission unit, a link local address of the own device, a stateless address, and Transmission determination means for determining whether or not the transmission source address is a fixed address manually set from the DHCP address, and transmission of a transmission packet whose transmission source address is determined to be the fixed address by the transmission determination means is prohibited. Transmission control means.

  In addition, what applied the arbitrary combination of the component of this invention, expression, or a component to a method, an apparatus, a system, a computer program, a recording medium, etc. is also effective as an aspect of this invention.

  According to the present invention, in order to ensure the effectiveness of NAP DHCP in a quarantine network, an insecure PC should be protected while securing an access route for ensuring the safety of the PC. It is possible to provide a network system, a network device, a communication control method, and a program that perform communication control so as to prohibit access to resources and areas.

It is a network block diagram concerning this embodiment. It is a hardware block diagram which shows the main structures of one Embodiment of PC1 which concerns on this embodiment. It is a functional block diagram which shows the main functions of one Embodiment of PC1 and PC3 which concern on this embodiment. It is a functional block diagram which shows the main functions of one Embodiment of PC1 and PC3 which concern on this embodiment. An example of application of communication control according to the present embodiment to firewall settings will be described. The communication control result example (the 1) which concerns on embodiment is shown. The communication control result example (the 2) which concerns on embodiment is shown. It is a sequence diagram explaining the processing operation of each apparatus.

  The best mode for carrying out the present invention will be described below with reference to the drawings in each embodiment.

[Embodiment 1]
(Network configuration)
First, before describing specific contents of the present invention, a network configuration for carrying out the present invention will be described. FIG. 1 is a network configuration diagram according to the present embodiment. As shown in the figure, a PC 1, a NAP-compatible DHCP server 2, a PC 3, a repair server 4, the Internet 5, and a router 6 are connected on the network.

  PC1 is a PC newly connected to the network. As a process up to the connection, address information is lent according to the above-mentioned NAP DHCP. That is, since the security of the PC 1 is inspected by the NAP-compatible DHCP server 2 and, as a result, there is a problem with the security of the PC 1 (assuming that the OS patch is not the latest here), the predetermined address information (IP; 192.168.1.100/32) is forcibly lent. Therefore, the PC 1 cannot logically connect to the PC 3 in the restricted area, the repair server 4, and the Internet 5 with this address.

  On the other hand, the PC 3 is also a PC newly connected to the network. However, unlike the PC 1, the security of the PC 1 is checked by the NAP-compatible DHCP server 2, and as a result, there is no problem with the security of the PC 1, so that the address information (IP; 192.168. 1.101 / 24, GW; 192.168.1.1) are loaned. Therefore, PC1 is logically located within the restricted area at this address. Note that “/ 24”, “/ 32”, etc. are bit representations of the subnet mask, and are synonymous with “255.255.255.0” and “255.255.255.255” in decimal notation, respectively.

  The router 6 lends a so-called stateless address to each device on the network. Since the address of “2001: 1: 1” (IPv6) is also lent to the PC 1, the PC 1 can access the repair server 4 and the Internet 5 using this stateless address. ing. In other words, since an access route for ensuring the safety of the insecure PC 1 is secured, by accessing the repair server 4 and the Internet 5, measures for ensuring the safety of the PC 1 (here, the latest patch of the OS) Update). If the safety of the PC 1 is ensured, as described above, the address information (IP; 192.168.1.xxx/24, GW) lent to a safe device after the PC 1 status is confirmed again as described above. 192.168.1.1) can be allowed to connect to each device on the network.

  In addition, as described above, the NAP-compatible DHCP server 2 is a DHCP server that lends address information in accordance with the safety inspection by the NAP and the inspection result. The repair server 4 is a server that repairs the safety of the PC. For example, the repair server 4 provides the latest patch of the OS to the PC 1.

  The quarantine network based on NAP DHCP as assumed by the network administrator has been described above. The PC 1 that is considered to have a security problem is allowed to use a predetermined DHCP address that is distributed to an unrestricted area, while lending a stateless address from the router 6 and accessing for security measures. To allow.

  FIG. 1 shows a configuration for explaining an embodiment of the present invention. For example, a NAP server and a DHCP server may be provided separately from the viewpoint of processing distribution, and other PCs, servers, etc. There may be multiple units.

(Overview)
Here, before describing a specific embodiment, an overview of the present embodiment and its concept will be first described.

  In general, the network address used in the network is automatically added to the device, “DHCP address” added by DHCP, “stateless address” assigned by the router, “fixed address” manually set by the user. There is a “link local address”. These network addresses can include both IPv4 and IPv6.

  In the network environment according to the present embodiment, a predetermined DHCP address has been lent to the PC 1, but since a stateless address is also lent so that the repair server 4 and the like can be accessed, the PC 1 uses the stateless address. Then, the PC 3 in the restricted area can be accessed. This is because the stateless address has a common prefix among devices in the same link (segment).

  Also, for example, if the user resets from a DHCP address to a fixed address (for example, IP; 192.168.1.xxx/24, etc.), from PC 1 to the restricted area PC 3 logically to the restricted area I can access.

  For example, if the PC 1 uses a link local address, the PC 3 in the restricted area can be accessed. This is because the link local address has a common prefix among devices in the same link (segment).

  Therefore, considering that such unexpected communication is protected by the PC 3 as the receiving side, the PC 3 (receiving side) of the PC 1 (transmitting side) is in communication with the communication from the PC 1 using the fixed address. It cannot be determined whether the address is from a DHCP address. This is because the DHCP address is lent by the NAP-compatible DHCP server 2. Therefore, communication using a fixed address cannot be blocked (or determined) on the receiving side. That is, in order to block communication using a fixed address, it is necessary to block on the transmitting side, not on the receiving side.

  On the other hand, the stateless address given by the router 6 has a common prefix for devices in the same link (segment). Therefore, since PC3 is common to its own prefix for communication from PC1 using a stateless address, it can be determined whether PC1 is a device in the same link. Similarly, the link local address is limited to communication within the same link, and has a fixed prefix. Therefore, since PC3 is common to its own prefix for communication from PC1 using the link local address, it can be determined whether PC1 is a device in the same link. That is, unlike the above-described fixed address, communication using a stateless address and a link local address can be blocked (or determined) on the receiving side.

  In general, since the firewall blocks a packet on the receiving side, in this embodiment, the PC 3 (receiving side) blocks communication from a stateless address or link local address having the same prefix as that of the firewall. Thereby, on the receiving side, communication within the same link can be limited to a DHCP address or a fixed address by manual setting.

  Of the communication using the DHCP address and the fixed address, the communication of the fixed address is prevented by the PC 1 (transmission side). This is because the transmission side can determine whether its own address is a DHCP address. This makes it possible to eliminate the use of fixed addresses, stateless addresses, and link local addresses that are not assumed by the administrator in the network.

  Based on the above, embodiments will be specifically described below. That is, as described above, in this embodiment, each device on the network (at least PC1 and PC3) has a firewall function, and the firewall function prohibits this when performing transmission using a fixed address. On the other hand, if reception is performed using a stateless address and a link local address, control is performed to prohibit this. Thus, by performing communication control in the quarantine network, the effectiveness of NAP DHCP can be made more reliable, and the quarantine network assumed by the administrator can be made more secure.

(hardware)
FIG. 2 is a hardware configuration diagram illustrating a main configuration of one embodiment of the PC 1 according to the present embodiment. Of course, the present invention is not limited to the PC 1 and the PC 3 can be configured by similar hardware. The PC 1 includes, as main components, a CPU 101, a ROM (Read Only Memory) 102, a RAM (Random Access Memory) 103, an auxiliary storage device 104, a storage medium reading device 105, an input device 106, a display device 107, and a communication device 108. It is the composition which includes. The following is a brief description.

  The CPU 101 is composed of a microprocessor and its peripheral circuits, and is a circuit that controls the entire PC 1. The ROM 102 is a memory that stores a predetermined control program (software component) executed by the CPU 101. The RAM 103 executes various control operations by the CPU 101 executing a predetermined control program (software component) stored in the ROM 102. This is a memory used as a work area (work area) when performing.

  The auxiliary storage device 104 is a device that stores various information including general-purpose OS, device information, and setting information related to a firewall, and an HDD (Hard Disk Drive) that is a nonvolatile storage device is used. In addition to the auxiliary storage device 104, the various types of information may be stored in a storage medium such as a CD-ROM (Compact Disk-ROM) and a DVD (Digital Versatile Disk), and other media. Various information stored in the storage medium can be read via a drive device such as the storage medium reader 105. Various information can be obtained by setting a recording medium in the storage medium reader 105 as necessary.

  The input device 106 is a device for the user to perform various input operations. The input device 106 includes a mouse, a keyboard, a touch panel switch provided so as to be superimposed on the display screen of the display device 107, and the like. The display device 107 includes, for example, an LCD (Liquid Crystal Display), a CRT (Cathode Ray Tube), and the like. The communication device 3 is a device that communicates with the managed device 3 and the device management terminal 2 via the network 5. Supports communication according to various network forms including wired and wireless networks.

(function)
FIG. 3 is a functional block diagram showing the main functions of one embodiment of the PC1 and PC3 according to this embodiment. The PC 1 is configured to include a communication unit 111, a transmission determination unit 112, a transmission control unit 113, and own address information 114 as main functions. The PC 3 includes a communication unit 311, a reception determination unit 312, a reception control unit 313, and own address information 314 as main functions. Briefly described below.

  The communication unit 111 of the PC 1 has a function of transmitting and receiving a packet, and transmits a transmission packet particularly when the device is a transmission side (transmission unit).

  The transmission determination unit 112 determines whether or not the transmission source address is a manually set address from the transmission source address of the transmission packet transmitted by the communication unit 111 and the link local address, stateless address, and DHCP address of the own device. It has a function. For example, when the DHCP address is changed to a fixed address manually set by the user, the source address of the transmission packet transmitted by the communication unit 111 is different from the link local address, stateless address, and DHCP address of the own device. Thus, it can be determined whether or not the transmission source address is a fixed address by manual setting, that is, whether or not it has been changed to a fixed address by manual setting. This point will be described later again.

  The transmission control unit 113 has a function of controlling the communication unit 111 to prohibit transmission of transmission packets in which the transmission determination unit 112 determines that the transmission source address is a fixed address by manual setting. That is, when the address is changed to a fixed address by manual setting, communication using the fixed address can be prohibited. That is, access (transmission) using a fixed address can be prevented from PC1 to PC3. This will be described later again.

  The own address information 114 is address information of the own device stored in the storage unit or the like. For example, a DHCP address lent from the NAP-compatible DHCP server 2, a stateless address lent from the router 6, and a link local address automatically set by the own device are stored as the own address information 114. For example, even when the DHCP address is changed to a fixed address by user manual setting, the DHCP address before the change is stored and maintained. This is because it is used for determination by the transmission determination unit 112.

  The communication unit 311 of the PC 3 has a function of transmitting and receiving packets. In particular, when the device is a receiving side, it receives a received packet (receiving unit).

  The reception determination unit 312 determines whether or not the received packet is communicated from within the same link as the own device from the transmission source address of the received packet received by the communication unit 311 and the stateless address or link local address of the own device. It has a function. For example, when the received packet is received by the communication unit 311, the transmission source address of the received received packet is determined based on whether the prefix is different from the stateless address and link local address of the own device. It is possible to determine whether communication is performed from the same link as the own device. This will be described later again.

  The reception control unit 313 has a function of controlling the communication unit 311 and prohibiting reception of a reception packet determined by the reception determination unit 312 as communication within the same link as the own device. That is, for example, a received packet with a stateless address or a link local address can prohibit (reject) communication from within the same link as its own device, and therefore communication within the same link can be limited to a DHCP address or a fixed address. That is, it is possible to prevent access (reception) from the PC 1 to the PC 3 using the stateless address or the link local address. This will be described later again.

  The own address information 314 is address information of the own device stored in a storage unit or the like. In the case of the PC 3, for example, the DHCP address lent from the NAP-compatible DHCP server 2, the stateless address lent from the router 6, and the link local address automatically set by the own device are stored as the own address information 114.

  These functions are actually realized by a computer by a program executed by the CPU 101.

  Here, since it is not known whether PC1 and PC3 are located in the restricted area or the non-restricted area before connecting to the network, in the following embodiments, the functions related to the transmitting side and the receiving side It is assumed that both of the above functional units are included. That is, PC1 and PC3 can have a similar firewall function (described later). The function blocks showing the main functions shown in FIG. 3 can be said to indicate the functions required for each of the transmission side and the reception side, and therefore are located in either the restricted area or the non-restricted area by the NAP-compatible DHCP server 2. After that, as shown in FIG. 3, the PC 1 located in the non-restricted area has the above-described functional units related to the transmitting side, and the PC 3 located in the restricted area has the above-described functional units related to the receiving side. Can be configured.

  FIG. 4 is a functional block diagram showing main functions of one embodiment of the PC1 and PC3 according to the present embodiment. That is, the PC 1 and the PC 3 are configured to have both the above-described functional units related to the transmitting side and the above-described functional units related to the receiving side. Hereinafter, description will be made based on the functional configuration shown in FIG.

(Example of communication control)
FIG. 5 shows an example in which communication control according to the present embodiment is applied to firewall settings. That is, this is an application example in which the functional units related to the transmission side and the functional units related to the reception side shown in FIG. 4 are realized as firewall functions.

  The firewall setting in FIG. 5 includes setting items of “filter name”, “transmission source”, “direction”, “transmission destination”, and “control content”, and these setting items define each filter rule. “Filter name” is a name given to each filter rule. “Transmission source” indicates the condition of the transmission source. “Direction” indicates a transmission / reception direction to which the filter rule is applied. “Destination” has a value of a destination address or the like, but “any” (anything) is input in this embodiment. “Control content” indicates communication control content and filter rules applied when the conditions defined by “transmission source”, “direction”, and “transmission destination” are satisfied. This will be specifically described below.

  First, the transmission filter will be described. “Transmission filter 1” is set as transmission source: DHCP, direction: transmission, transmission destination: any, control content: permission. In other words, “transmission filter 1” performs filtering at the time of packet transmission. The transmission source address is the DHCP address of the own device, the communication direction is the transmission direction, the transmission destination is any (anything), and these conditions are satisfied. For satisfying communication, this means that communication is permitted.

  The “transmission filter 2” is set as transmission source: stateless, direction: transmission, transmission destination: any, control content: permission. In other words, the “transmission filter 2” performs a transmission filter. The transmission source address is the stateless address of the own device, the communication direction is the transmission direction, the transmission destination is any (anything), and communication that satisfies these conditions Means that communication is permitted.

  “Transmission filter 3” is set as transmission source: link local, direction: transmission, transmission destination: any, control content: permission. In other words, the “transmission filter 3” performs a transmission filter. The transmission source address is the link local address of the own device, the communication direction is the transmission direction, the transmission destination is any (anything), and these conditions are satisfied. About communication, it means that communication is permitted.

  “Transmission filter 4” is set as follows: transmission source: other than the above, direction: transmission, transmission destination: any, control content: block. In other words, the “transmission filter 4” performs transmission filtering, the transmission source address is other than the above (other than DHCP, stateless, link local), the communication direction is the transmission direction, and the transmission destination is any (anything is acceptable). For communication satisfying these conditions, this means that communication is blocked (not permitted).

  Summarizing the above transmission filters 1 to 4, it is a filter that functions at the time of packet transmission, and permits transmission by DHCP, stateless, link-local, and blocks transmission by others (for example, fixed addresses). .

  Next, the reception filter will be described. “Reception filter 1” is set as transmission destination: any, direction: reception, transmission source: the same prefix as the own device, and control content: block. In other words, “Reception Filter 1” is a filter for receiving a packet. The transmission destination is “any” (anything is acceptable), the communication direction is the reception direction, and the address of the transmission source is an address with the same prefix as the own device. For communication that satisfies the conditions, this means that communication is blocked.

  "Reception filter 2" is set as transmission destination: any, direction: reception, transmission source: link local, control content: block. In other words, “Reception Filter 2” performs filtering at the time of packet reception, the transmission destination is any (anything), the communication direction is the reception direction, and the transmission source address is the link local address. Means to block communication. The link local address is an address used only in an environment that does not go through a router, and the address includes the network number of the subnet. Specifically, IPv6 is characterized in that the first 64 bits corresponding to the network number are fixed to “fe80: 0: 0: 0”.

  “Reception filter 3” is set such that transmission destination: any, direction: reception, transmission source: other than the above, control content: permission. In other words, “Reception filter 3” performs filtering at the time of packet reception, the transmission destination is any (anything), the communication direction is the reception direction, and the transmission source address is other than the above (the same prefix address as the own device, Link local address), and communication that satisfies these conditions means that communication is permitted.

  Summarizing the above reception filters 1 to 3, it is a filter that functions at the time of packet reception, blocks reception by the same prefix address and link local address as the own device, and transmits by other (for example, DHCP address, fixed address) Will be allowed.

  The conditions regarding “transmission source” and “transmission destination” can be determined by referring to the transmission source address and the transmission destination address in the transmission / reception packet. Further, whether the address is the address of the own device, the address of the same prefix as the own device, or the like can be determined by referring to the above-described own address information 144 (314).

  Such a firewall setting can be applied to the firewall function of PC1 and PC3. And according to such a firewall setting, “communication using the stateless address and link local address in the same link” is prohibited when it becomes the receiving side, so the communication in the same link is set to the DHCP address or the fixed address. It can be limited. Further, since “communication using a fixed address” is prohibited at the transmission side, communication within the same link can be limited to communication using a DHCP address.

  As a result, access from PC 1 in the non-restricted area to PC 3 in the restricted area can be limited to communication using a DHCP address that can be controlled by the administrator. On the other hand, regarding the use of the stateless address and link local address, by prohibiting communication within the same link, access from the PC 1 in the non-restricted area to the PC 3 in the restricted area is prohibited, but communication outside the same link, for example, Access to the repair server 4 can be secured.

(Example of communication control results)
FIG. 6 shows a communication control result example (part 1) according to the embodiment. With reference to FIGS. 1 and 5 again, the communication control result based on the firewall setting of FIG. 5 in the network configuration of FIG. 1 will be described.

  (A) PC1 → PC3: When accessing from PC1 to PC3, a communication control result for each address to be used is shown. That is, this is a case where communication is performed from a device in the non-restricted area to a device in the restricted area. “Source address used” indicates the type of address used by the PC 1 (source), “direction seen from the destination” indicates the communication direction, and “control result” indicates the firewall setting. The communication control result at that time is shown (the same applies hereinafter).

  When PC1 uses the DHCP address to access PC3, since it is an invalid address, communication is effectively blocked as an invalid address. This is because the DHCP address of the PC 1 is “192.168.1.100/32”, and the PC 3 cannot be accessed. In this respect, it can be said that the administrator is designed to lend a DHCP address that cannot be accessed to the PC 3 to the DHCP address of the PC 1 that is considered unsafe.

  When the PC 1 accesses the PC 3 using the stateless address, the communication is blocked by the reception filter 1 of the PC 3.

  When PC1 accesses PC3 using a fixed address, communication is blocked by transmission filter 4 of PC1.

  When PC1 accesses PC3 using a link local address, communication is blocked by reception filter 2 of PC3.

  Thus, access from the non-restricted area (for example, PC1) to the restricted area (for example, PC3) is prohibited.

  (B) PC3 → PC1: When accessing from PC3 to PC1, a communication control result for each address to be used is shown. That is, this is a case where communication is performed from a device in the restricted area to a device in the non-restricted area.

  When the PC 3 accesses the PC 1 using the DHCP address, the communication is passed (permitted). However, in this case, for example, since the DHCP address of PC3 is “192.168.1.50/24” and the DHCP address of PC1 is “192.168.1.100/32”, PC1 can access PC1, but PC1 responds Cannot be performed. Therefore, it is practically not used in the case of TCP communication, but can be used in the case of UDP communication.

  When the PC 3 accesses the PC 1 using the stateless address, the communication is blocked by the reception filter 1 of the PC 1.

  When the PC 3 accesses the PC 1 using a fixed address, the communication is blocked by the transmission filter 4 of the PC 3.

  When the PC 3 accesses the PC 1 using the link local address, the communication is blocked by the reception filter 2 of the PC 1.

  As described above, the access from the restricted area (for example, PC3) to the non-restricted area (for example, PC1) is permitted by using the DHCP address, and the access by other addresses is prohibited.

  Needless to say, communication between PCs in the restricted area is possible by using a DHCP address.

  FIG. 7 illustrates a communication control result example (part 2) according to the embodiment. With reference to FIGS. 1 and 5 again, the communication control result based on the firewall setting of FIG. 5 in the network configuration of FIG. 1 will be described. In FIG. 7, communication control results from the PC 1 and PC 3 to the outside of the router 6 such as the repair server 4 will be described.

  (C) PC1 → Repair server 4: When accessing the repair server 4 from PC1, the communication control result for each address used is shown. That is, this is a case where communication is performed from a device in an unrestricted area to a device in an area outside the router 6.

  When the PC 1 accesses the repair server 4 using the DHCP address, since it is an invalid address, the communication is effectively blocked as an invalid address. This is because the DHCP address of the PC 1 is “192.168.1.100/32”, and the PC 3 cannot be accessed. In this respect, it can be said that the administrator is designed to lend a DHCP address that cannot be accessed to the PC 3 to the DHCP address of the PC 1 that is considered unsafe.

  When the PC 1 accesses the repair server 4 using the stateless address, the communication is passed. As described above, the router 6 also lends the address “2001 :: 1” (IPv6) to the PC 1, and the PC 1 uses this stateless address to the repair server 4 and the Internet 5. It is possible to access. In other words, since an access route for ensuring the safety of the unsafe PC 1 is secured, it is possible to take measures to ensure the safety of the PC 1 by accessing the repair server 4 and the Internet 5.

  When the PC 1 accesses the repair server 4 using a fixed address, communication is blocked by the transmission filter 4 of the PC 1.

  When PC1 accesses PC3 using a link local address, it is blocked due to an invalid address. This is because the link local address is used only for intra-link communication.

  As described above, access from the non-restricted area (for example, PC 1) to the outside area (for example, the repair server 4) beyond the router 6 can be passed only when the stateless address is used.

  (D) Repair server 4 → PC1: When accessing the PC 1 from the repair server 4, a communication control result for each address to be used is shown.

  If the repair server 4 accesses the PC 1 using the DHCP address, the communication is passed. In this case, however, the repair server 4 can access the PC 1 but cannot respond to it. Therefore, it is practically not used in the case of TCP communication, but can be used in the case of UDP communication.

  When the repair server 4 accesses the PC 1 using the stateless address, the communication is passed. For example, when the PC 1 accesses the repair server 4 using a stateless address for the purpose of ensuring safety, it can be used as a response communication.

  (E) PC3 → repair server 4: When accessing the repair server 4 from the PC3, a communication control result for each address to be used is shown. That is, this is a case where communication is performed from a device in the restricted area to a device in an area outside the router 6.

  If the PC 3 accesses the repair server 4 using the DHCP address, the communication is passed.

  When the PC 3 accesses the repair server 4 using the stateless address, the communication is passed.

  When the PC 3 accesses the repair server 4 using a fixed address, the communication is blocked by the transmission filter 4 of the PC 3.

  When PC3 accesses PC3 using a link local address, it is blocked due to an invalid address. This is because the link local address is used only for intra-link communication.

  As described above, access from the restricted area (for example, the PC 3) to the outside area (for example, the repair server 4) beyond the router 6 can be passed only when the DHCP and the stateless address are used.

  (F) Repair server 4 → PC3: When accessing the PC 3 from the repair server 4, it indicates a communication control result for each address used.

  If the repair server 4 accesses the PC 3 using the DHCP address, the communication is passed.

  When the repair server 4 accesses the PC 3 using the stateless address, the communication is passed.

The communication control result based on the firewall setting according to the embodiment has been described above.
(A) Communication from the unrestricted area to the restricted area is blocked.
(B) Communication from a restricted area to a non-restricted area passes through communication using a DHCP address.
(C), (d) The communication from the non-restricted area to the outside area beyond the router 6 passes through the use of the stateless address.
(E), (f) The communication from the restricted area to the outside area beyond the router 6 passes the communication using the DHCP and the stateless address.

  In rare cases, different types of addresses coincide by chance, and communication between different types may be realized. For example, if the stateless address of PC1 has the same prefix as the DHCP address of PC3 (in the case of IPv6), PC1 can access the DHCP address of PC3 using the stateless address. However, in this case, communication is blocked by the reception filter 1 of the PC 3. In this embodiment, further reference is avoided, but for such a rare case, the administrator can avoid it as much as possible by paying attention to this point when designing the network.

(sequence)
Next, the processing operation of each device centering on PC1 and PC3 will be described. FIG. 8 is a sequence diagram for explaining the processing operation of each device. The sequence diagram of FIG. 8 shows the processing operation of each device when the PC 1 is newly connected to the network. This will be described below.

(1) Initial Setting Operation First, when the PC 1 is connected to the network, it sets a link local address to itself (S801). As described above, for example, in IPv6, an address in which the first 64 bits corresponding to the network number are fixed to “fe80: 0: 0: 0” is used, and the latter 64 bits are used using the MAC address of the own device. What is necessary is just to determine a link local address.

  The NAP-compatible DHCP server 2 receives the IP address acquisition request packet from the PC 1 and checks the security of the PC 1 (not shown). The IP address acquisition request packet includes information used for determining whether the PC is a safe device based on the NAP. Here, it is assumed that the PC 1 has a security problem, and the NAP-compatible DHCP server 2 forcibly lends predetermined address information (IP; 192.168.1.100/32) as a DHCP address to the PC 1 (S802). . The address information lent here is an IP address and subnet mask that cannot be connected to the PC 3 in the restricted area, unlike the address information lent when there is no problem with the PC. The PC 1 sets the distributed DHCP address in its own device (S803).

  The router 6 receives the IP address acquisition request packet from the PC 1 and lends predetermined address information (IP; 2001 :: 100, GW; 2001 :: 1) as a stateless address to the PC 1 (S804). . The PC 1 sets the distributed stateless address in its own device (S805).

  Note that the PC 1 stores the link local address, DHCP address, and stateless address of its own device as its own address information 114 (S806).

(2) Communication Operation The communication unit 111 of the PC 1 prepares for transmission in order to transmit a transmission packet to the PC 1 (S811). In preparation for transmission, a transmission packet to be transmitted is generated.

  At this time, the transmission determination unit 112 performs fixed address determination. The transmission determination unit 112 includes a transmission source address of a transmission packet transmitted by the communication unit 111, a stateless address (IP: 2001 :: 100 here) and a DHCP address (IP: 192.168.1.100/32 here) of the own device. From this, it is determined whether or not the transmission source address is a fixed address by manual setting. The link local address, the DHCP address, and the stateless address are acquired from the own address information 114, and a match with the transmission source address of the transmission packet is determined. If they do not match, it is determined as a fixed address.

  For example, when the DHCP address is changed to a fixed address (for example, IP; 192.168.1.100/24) manually set by the user, the source address of the transmission packet is 192.168.1.100, and the link local address (fe80: 0: 0: 0:..., Which is different from the stateless address and DHCP address.

  If it is determined that the address is a fixed address, the transmission control unit 113 controls the communication unit 111 to prohibit transmission of the transmission packet (S813).

  On the other hand, when it is determined that the address is not a fixed address, the transmission control unit 113 controls the communication unit 111 to transmit the transmission packet (S814). Then, the transmission packet reaches the PC 3.

  When the transmission packet arrives, the communication unit 311 of the PC 3 provisionally receives the transmission packet as a reception packet (S821).

  At this time, the reception determination unit 312 determines whether or not the communication is in-link (S822). The reception determination unit 312 determines from the transmission source address of the received packet and the stateless address (IP: 2001 :: 100 here) or link local address (fe80: 0: 0: 0:...) Of the own device. Then, it is determined whether the received packet is communication from within the same link as the own device. The stateless address and the link local address are acquired from the own address information 314, and it is determined whether the prefix of the transmission source address of the received packet matches. If they match, it is determined as intra-link communication.

  When it is determined that the communication is within the link, the reception control unit 313 controls the communication unit 311 to prohibit reception of the received packet (S823). That is, the received packet is discarded.

  On the other hand, when it is determined that the communication is not intra-link communication, the reception control unit 313 controls the communication unit 311 to receive the received packet (S824). Then, reception processing is performed according to the received packet.

[Embodiment 2]
In the present embodiment, an address called AutoIP is applied to the present invention instead of the DHCP address described in the first embodiment. AutoIP is an IP address automatic assignment function similar to DHCP. If the IP address cannot be obtained when the device is connected to the network, such as when there is no DHCP server or when the DHCP server cannot be found, the device itself is in the range of 169.254.0.0 to 169.254.255.255. It is an address that is automatically assigned so as not to overlap with the address.

AutoIP is assumed for small closed networks. Routers cannot be exceeded. As an operation up to the AutoIP address determination, for example, in IPv4, an arbitrary address is selected from the range of 169.254.0.0/16, and an ARP request is broadcast to the address to confirm whether the same address exists on the network. . If so, select another address again and repeat the ARP request.
Therefore, the DHCP address of the first embodiment can be applied by replacing it with AutoIP. For example, instead of the DHCP address that is the basis of the determination in the transmission determination unit 112 (FIG. 3), it is applied to the automatically set AutoIP address until the DHCP address is acquired. After obtaining the DHCP address, the DHCP address is returned to the original DHCP.

  According to this configuration, until the DHCP address is acquired, communication from the unrestricted area to the restricted area is blocked and access from the restricted area to the unrestricted area is allowed to pass with respect to communication using the AutoIP address. it can.

[Embodiment 3]
In a Windows (registered trademark) network, a list of PCs, servers, or shared folders existing on the network is displayed. This list is managed by a computer on the network called a master browser, and a machine on the network can use a network sharing service or the like by requesting the list from the master browser. In other words, the master browser is first accessed during NBT (NetBIOS over TCP / IP) name resolution in the link, and returns an address for the name of the device in the link.

  The master browser is selected from any computer on the network. However, referring to FIG. 1 again, if, for example, PC3 in the restricted area is selected as the master browser, for example, PC1 in the non-restricted area. Cannot access the PC 3, cannot request a list, and cannot use a network sharing service or the like. On the other hand, when the PC 1 in the non-restricted area is selected as the master browser, a list can be requested from the restricted area and the non-restricted area, and a network sharing service or the like can be used.

  NBT (NetBIOS over TCP / IP) is broadcast when a new device is added to the network, and is used to send a master browser change request (request announcement). In response to the request announcement, each device on the network transmits a local announcement in which the priority of its own device is returned, so that whether a new device becomes a new master browser is determined.

  Therefore, when a local announcement is returned in response to the request announcement, each device on the network determines whether the DHCP address is valid (for example, the netmask is not / 32), and the own device is in the restricted area. Determine if it is within. If the netmask is not / 32, the device is determined to be in the restricted area, and if the netmask is / 32, the device is determined to be in the non-restricted area. And since a priority (priority value) can be put into a local announcement, if an own apparatus is in a restriction | limiting area, the local announcement which lowered the priority of master browser selection will be transmitted. If the device itself is in an unrestricted area, a normal local announcement is transmitted.

  In this way, it is possible to access the restricted area from the restricted area, and by using the access from the restricted area to the restricted area, and placing the master browser in the restricted area, NBT from both areas to the appropriate area Name resolution is possible.

(Summary)
As described above, in the network according to the present embodiment, the NAP-compatible DHCP server 2, the PC 3 in the restricted area, and the DHCP address that cannot communicate with the PC 3 are lent from the NAP-compatible DHCP server 2. A PC 1 in the area and a router 6 that lends a stateless address to devices on the network are connected via a network in the same link.

  When at least the PC 3 as the receiving side receives the received packet, whether or not the received packet is communication from within the same link as the own device from the source address of the received packet and the stateless address or link local address of the own device And the reception of the received packet determined to be communication from within the same link as the own device is prohibited.

  On the other hand, when at least the PC 1 as the transmission side transmits a transmission packet, the transmission source address is determined from a link local address, a stateless address, and a DHCP address of the own device, and the transmission source address is a fixed address by manual setting. Whether or not the transmission source address is determined to be the fixed address is prohibited.

  According to this configuration, the PC 3 (reception side) blocks communication from the stateless address or link local address of the same prefix as that of itself. Therefore, on the reception side, communication within the same link is set to the DHCP address or manually set. It can be limited to those with a fixed address. Of the communication using the DHCP address and the fixed address, the communication of the fixed address is prevented by the PC 1 (transmission side).

  This makes it possible to eliminate the use of fixed addresses, stateless addresses, and link local addresses that are not assumed by the administrator in the network. Specifically, access from the PC 1 in the non-restricted area to the PC 3 in the restricted area can be limited to communication using a DHCP address that can be controlled by the administrator. On the other hand, regarding the use of the stateless address and the link local address, by prohibiting communication within the same link, access from the PC 1 in the non-restricted area to the PC 3 in the restricted area is prohibited, but the PC 1 uses the stateless address. As a result, it is possible to secure communication outside the same link (communication beyond the router), for example, access to the repair server 4 for the purpose of security recovery measures.

  As described above, according to the present invention, in order to ensure the effectiveness of NAP DHCP in a quarantine network, it is possible to protect an insecure PC while securing an access route for ensuring the safety of the PC. It is possible to provide a network system, a network device, a communication control method, and a program that perform communication control so as to prohibit access to resources and areas that should be performed.

  Note that the present invention is not limited to such specific embodiments, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims. The PC1, PC3, etc. can be applied to all network devices, for example, mobile terminals and image forming apparatuses.

1 PC
2 NAP compatible DHCP server 3 PC
4 Repair server 5 Internet 6 Router 101 CPU
102 ROM
103 RAM
104 Auxiliary storage device 105 Storage medium reader 106 Input device 107 Display device 108 Communication device 111 Communication unit 112 Transmission determination unit 113 Transmission control unit 114 Own address information 311 Communication unit 312 Reception determination unit 313 Reception control unit 314 Self address information

JP 2008-154012 A

Claims (7)

A DHCP server;
A first network device in the restricted area;
A second network device in an unrestricted area in which a DHCP address that cannot be communicated with the first network device is lent from the DHCP server;
A router that lends a stateless address to the first network device and the second network device;
Is a network system connected through a network in the same link,
The first network device is:
A receiving means for receiving a received packet;
A reception determination unit for determining whether the received packet is communication from within the same link as the own device, from a transmission source address of the received packet received by the receiving unit and a stateless address or a link local address of the own device;
A reception control means for prohibiting reception of a received packet determined by the reception determination means as communication from within the same link as the own device;
Have
The second network device is
A transmission means for transmitting a transmission packet;
A transmission determination means for determining whether the transmission source address is a fixed address by manual setting from the transmission source address of the transmission packet transmitted by the transmission means and the link local address, stateless address, and DHCP address of the own device;
A transmission control means for prohibiting transmission of a transmission packet whose transmission source address is determined to be the fixed address by the transmission determination means;
A network system comprising: When the second network device cannot lend a DHCP address from the DHCP server, the second network device sets an AutoIP address in its own device instead of the DHCP address,
The transmission determination unit determines whether the transmission source address is a fixed address by manual setting from the transmission source address of the transmission packet transmitted by the transmission unit and the link local address, stateless address, and AutoIP address of the own device. To do,
The network system according to claim 1, further comprising: The first network device in the restricted area responds to the received master browser change request with a local announcement with a reduced priority for determining the master browser.
The network system according to claim 1 or 2, characterized by comprising: The DHCP server, and the first network device and the second network device are NAP compatible devices,
The second network device is lent from the DHCP server a DHCP address that is incapable of communication with the first network device as a result of a predetermined security check by the NAP-compatible DHCP server.
The network system according to any one of claims 1 to 3, further comprising: A DHCP server, a first network device, a router that lends a stateless address to the network device, and a network within the same link;
A DHCP device that is lent from the DHCP server a DHCP address that can communicate with the first network device or a DHCP address that cannot communicate with the first network device,
A receiving means for receiving a received packet;
A reception determination unit for determining whether the received packet is communication from within the same link as the own device, from a transmission source address of the received packet received by the receiving unit and a stateless address or a link local address of the own device;
A reception control means for prohibiting reception of a received packet determined by the reception determination means as communication from within the same link as the own device;
A transmission means for transmitting a transmission packet;
A transmission determination means for determining whether the transmission source address is a fixed address by manual setting from the transmission source address of the transmission packet transmitted by the transmission means and the link local address, stateless address, and DHCP address of the own device;
A transmission control means for prohibiting transmission of a transmission packet whose transmission source address is determined to be the fixed address by the transmission determination means;
A network device characterized by comprising: A DHCP server, a first network device, a router that lends a stateless address to the network device, and a network within the same link;
A communication control method in a network device that is lent from the DHCP server, a DHCP address that enables communication with the first network device or a DHCP address that cannot communicate with the first network device,
A receiving procedure for receiving a received packet;
A reception determination procedure for determining whether the received packet is communication from within the same link as the own device, from the transmission source address of the received packet received by the reception procedure and the stateless address or link local address of the own device;
A reception control procedure for prohibiting reception of a received packet determined to be communication from within the same link as the own device by the reception determination procedure;
A transmission procedure for transmitting a transmission packet;
A transmission determination procedure for determining whether the transmission source address is a fixed address by manual setting from the transmission source address of the transmission packet transmitted by the transmission procedure and the link local address, stateless address, and DHCP address of the own device;
A transmission control procedure for prohibiting transmission of a transmission packet whose transmission source address is determined to be the fixed address by the transmission determination procedure;
A communication control method characterized by comprising:   A program for causing a computer to execute the communication control method according to claim 6.

Images