JP6193147B2 - Firewall device control device and program - Google Patents

Description

  The present invention relates to a control device that efficiently creates rules used by a firewall device and sets the rules in the firewall device.

  As described in Patent Document 1, in order to communicate securely between networks having different security policies, a firewall device is generally installed at the boundary of the security policy. Rules indicating communication using a specific protocol permitted in two terminals (or sub-networks) or rules using a specific protocol not permitted in two terminals (or sub-networks) are set in the firewall device. , Allow communication or block communication according to the set rules. Naturally, if this rule is not properly set, communication that should be permitted cannot be performed, or communication that is not permitted is performed.

US 2013/0254871 Specification

  Therefore, the firewall device is usually set by a network administrator who manages the entire network configuration in response to a request from each terminal or application user. As a result, the risk of incorrect settings can be reduced, but it is not possible to quickly set necessary rules or change necessary rules.

  The present invention provides a control device for a firewall device that can safely set rules in the firewall device without being a network administrator who manages the entire network configuration.

According to an aspect of the present invention, the control device is permitted to each subnetwork address of a plurality of subnetworks, user account information associated with each subnetwork, and each subnetwork. Information indicating a communication protocol, holding means for holding, and a user accessing using account information, a terminal of a subnetwork associated with the account information is a communication source or communication destination, comprising a first editing means for a rule indicating the communication by the communication protocol that is allowed for the sub-network edited to the user, and setting means for setting a rule that the edited one or more users to the firewall device, wherein the control device , Based on the communication source and communication destination of the rule edited by the one or more users, Characterized in that it further comprises a generating means for generating a rule set to each of the number of the firewall device.

  Even if it is not a network administrator who manages the entire network configuration, it is possible to safely set rules in the firewall device.

The system block diagram by one Embodiment. The figure which shows the communication permitted in one Embodiment. The figure which shows the display screen of the control apparatus by one Embodiment. The figure which shows the display screen of the control apparatus by one Embodiment. FIG. 5 is a diagram illustrating aggregated rules according to one embodiment. The system block diagram by one Embodiment. FIG. 5 is a diagram illustrating aggregated rules according to one embodiment. The figure which shows the rule set to each firewall apparatus by one Embodiment. The figure which shows the control system of the control apparatus by one Embodiment. The schematic block diagram of the control apparatus by one Embodiment.

  Hereinafter, exemplary embodiments of the present invention will be described with reference to the drawings. In addition, each following embodiment is an illustration and does not limit the range of this invention to the content of embodiment. In the following drawings, components that are not necessary for the description of the embodiments are omitted from the drawings.

<First embodiment>
FIG. 1 is a system configuration diagram used for explaining the present embodiment. According to FIG. 1, for example, in a wide area network such as the Internet or a wide area Ethernet network, an office network of a company, a terminal # 6 and a terminal # 7, and a subnet D and a subnet E which are sub-networks including one or more terminals Is connected. Further, the office network has three sub-networks, subnets A, B, and C. Subnet A has two terminals # 1 and # 2, and subnet B has two terminals # 3 and # 4. Subnet C has one terminal # 5. The office network is connected to a wide area network through a firewall device, and the firewall apparatus controls communication between a terminal of the office network and a terminal or subnet on the wide area network based on a set rule. The office network is provided with a control device for setting rules for the firewall device.

  FIG. 2 shows communication permitted in this embodiment. It should be noted that communication other than that shown in FIG. The table in FIG. 2 is also a rule set in the firewall apparatus in FIG. Usually, a network in a company is divided into sub-networks corresponding to departments and business contents (in FIG. 1, it is divided into three subnets A to C), and an administrator exists for each sub-network. However, the administrator of the subnetwork usually does not know the configuration of the entire network, and the rule setting for the firewall device manages the configuration of the entire network in response to a request from the administrator of the subnetwork. The network administrator who was going to do. In this embodiment, by using a control device, a sub-network administrator who does not know the configuration of the entire network can set rules for the firewall device.

  Hereinafter, it will be described how the sub-network administrator sets rules for the firewall device based on the display screen of the control device shown in FIG. 3 and FIG. First, as advance preparation, a network administrator who manages the configuration of the entire network assigns subnetwork addresses of each subnetwork, in this example, subnets A, B, and C, and registers them in the control device. Further, the network administrator issues an account used when each of the administrators of subnets A, B, and C accesses the control device, and registers it in the control device. Further, the network administrator receives an application to be used from the administrators of the subnets A, B, and C, that is, a communication protocol in advance, and registers the applied protocol in association with the subnet. For example, as shown in FIG. 2, since the terminals # 1 and # 2 in the subnet A use HTTP, SSH, and Ping, the administrator in the subnet A sends HTTP, SSH, and Ping to the network administrator. Notify them to register with the control device.

  FIG. 3 is an example of a screen displayed when the administrator of subnet A logs on to the control device for the first time. In FIG. 3, 192.168.1.0/24 is assigned as a subnetwork address to the subnet A by the network administrator, and HTTP, SSH, and Ping are permitted as applications (protocols) permitted to be used. Registered by the network administrator.

  For example, an administrator of subnet A presses a “terminal edit” button to register a terminal in subnet A and its address. For example, as shown in FIG. 1, there are terminal # 1 and terminal # 2 in subnet A, the administrator of subnet A assigns address 192.168.1.1 to terminal # 1, and address 192 is assigned to terminal # 1. .168.1.2 is assigned. In this case, the administrator of the subnet A presses the “terminal edit” button to register the terminals # 1 and # 2 and their addresses, and as shown in FIG. Will be displayed. In this way, the administrator of subnet A can add or delete terminals in subnet A without depending on the network administrator.

  Furthermore, the administrator of the subnet A can edit a rule for communication between a terminal in the subnet A and other terminals by pressing a “rule editing” button. For example, among the rules shown in FIG. 2, the administrator of subnet A registers the one related to subnet A in the control device. The window on the right side of FIG. 4 shows the rules registered by the administrator of subnet A. As described above, the administrator of the subnet A can add or delete the rules related to the terminals in the subnet A without depending on the network administrator. The rules that can be set by the administrator of subnet A are limited to those in which the terminal of subnet A is related to the transmission source or the transmission destination. Note that the subnet A terminal is limited to a terminal registered in the control device displayed in the upper left window. In addition, permitted applications (protocols) are limited to those displayed in the lower left window. In the present embodiment, communication that is not set in the rule is not permitted, and communication that is set in the rule is permitted. However, communication that is not permitted in the rule may be set. Even when the non-permission is set, either the transmission destination or the transmission source of the rule is limited to the one related to the terminal of the subnet A. In the rule of FIG. 4, for ease of understanding, the terminal name is displayed instead of the address for the transmission source address and the transmission destination address, but the address is actually displayed.

When the administrator of the subnet sets a rule, the control device sets the set rule in the firewall device. For example, when the administrators of subnets A, B, and C set the rules, the control device sets the rules shown in FIG. 2 in the firewall device. The control device can aggregate the rules shown in FIG. 2 according to the aggregation standard so that the rule matching process can be performed at high speed. Aggregation criteria are
(1) “Same application” and “Same source address”
(2) “Same application” and “Same recipient address”
(3) “Same source address” and “Same destination address”
Any combination of one or more of the above can be used. Further, since the communication between the terminal # 4 and the terminal # 5 in FIG. 2 is communication within the same office network and does not pass through the firewall device, the control device, for example, manages a network topology (see FIG. The network topology information can be acquired from the network topology information, and rules that do not pass through the firewall device among the rules set by the subnet administrator can be deleted. FIG. 5 shows a rule when the rule related to communication that does not pass through the firewall device is deleted from the rules of FIG. 2 and is aggregated according to the aggregation condition.

  In addition, communication such as HTTP, in which sessions are frequently created, can improve performance by setting the rule application order to the higher side (the side on which matching processing is performed first). Therefore, for example, by receiving a hit count indicating the number of packets conforming to the rule from the firewall device, the rule application order can be changed.

  As described above, in the present embodiment, the control device can restrict and permit the rules that can be registered by the administrator of each subnet to only the rules for the terminals corresponding to the sub-network addresses managed by the administrator registered in advance. Communication is limited to applications that have been applied for in advance. With this configuration, the firewall device can be set safely without knowing the configuration of the entire network.

<Second embodiment>
Next, the second embodiment will be described focusing on the differences from the first embodiment. FIG. 6 is a system configuration diagram for explaining the present embodiment. The difference from the first embodiment shown in FIG. 1 is that all terminals and subnets belong to the same company, that is, are managed by the same network administrator, and each site is connected via a firewall device. Connecting to a wide area network. Specifically, the terminals # 6 and # 7 in FIG. 1 are installed in the office B, and the subnets D and E are sub-networks configured in the data center. In order to distinguish from the office B, the office network in FIG. 1 is an office A network. The office B network is connected to the wide area network via the firewall apparatus # 2, and the data center network is configured to be connected to the wide area network via the firewall apparatus # 3. The firewall apparatus in FIG. 1 is designated as firewall apparatus # 1 in order to distinguish it from other firewall apparatuses. In the present embodiment, the control device sets rules for the firewall devices # 1, # 2, and # 3.

  FIG. 7 shows aggregated rules set in this embodiment. The difference from FIG. 2 is that terminal # 7 pings subnets D and E.

  Conventionally, a network administrator determines which rule should be set for which firewall device from the network topology. Therefore, the conventional firewall device is generally operated in the “trust but verify” model. Specifically, the rule is set in the firewall device nearest to the device designated as the transmission destination of the rule. Therefore, in this model, for example, the rule for HTTP communication from the terminal # 1 to the subnet D in FIG. 7 is set in the firewall apparatus # 3.

  However, in this embodiment, the administrator of each subnetwork does not grasp the network topology. Therefore, in the present embodiment, the firewall device is operated in the “zero trust” model. Specifically, the rule is set for each of the device designated as the transmission destination of the rule and the nearest firewall device of the device designated as the transmission source. It is also possible to set rules for all firewall devices through which communication passes. Therefore, for example, the rules for HTTP communication from the terminal # 1 to the subnet D in FIG. 7 are set in the firewall devices # 1 and # 3, respectively. As a result, security can be maintained even if a failure or the like occurs in one of the firewall devices.

  Therefore, as described in the first embodiment, the control device according to the present embodiment is created from the transmission destination and transmission source of the rules in FIG. Create a rule to be set for each firewall device. 8A to 8C show rules set in the firewall devices # 1 and # 3, respectively. For example, the rule set for the firewall apparatus # 1 shown in FIG. 8A is obtained by extracting a rule whose destination or transmission source is a terminal or subnetwork under the firewall apparatus # 1 from the rules of FIG. Generated.

  As described above, according to this embodiment, the control device sets each rule in the firewall device nearest to the rule transmission destination and the transmission source terminal. With this configuration, it is possible to perform settings that ensure security without knowing the configuration of the entire network.

  Hereinafter, the operation and configuration of the control device according to the first embodiment and the second embodiment will be described. FIG. 9 is a diagram illustrating a control system of the control device. As already described, rules created by the administrator of each subnet using the control device are set in each firewall device. In addition, the control device can receive the rule hit count from each firewall device, and can determine the rule application order based on the hit count. Furthermore, the control device can receive topology information from a network management system that manages the topology of the entire network, and can delete a rule for communication that does not pass through the firewall device based on the topology information.

  FIG. 10 shows a configuration diagram of a control device according to an embodiment. The subnet information management unit holds information indicating the correspondence between each subnet and the subnetwork address, and this information is set by the network administrator. The subnet administrator information management unit manages, for each subnetwork, information such as a user ID and a password used when the subnetwork administrator accesses the control device. Based on the user ID used by the accessed administrator, the control device determines which subnetwork information is restricted to allow the administrator to edit rules and terminals. For each subnet, the permitted application information management unit holds information about communication protocols permitted to the sub-network, that is, information about the application, and this information is set by the network administrator based on an application from the sub-network administrator. . The terminal information editing unit provides the subnetwork administrator with a function for the subnetwork administrator to register the relationship between the terminal and its address. The rule information editing unit provides the subnetwork administrator with a function for the subnetwork administrator to register the rule. The rule information aggregating unit aggregates the rules individually registered by the administrator of each subnetwork according to the aggregation condition. The rule information aggregating unit also deletes rules that do not pass through the firewall system from among the rules set based on the topology information. For example, the setting processing unit sets the aggregated rules in the firewall device. When there are a plurality of firewall devices, as described in the second embodiment, the setting processing unit determines a rule to be set for each firewall device from the transmission destination and the transmission source of the rules. The input / output unit provides a user interface function when a network administrator or a subnet administrator uses the control device.

  The control device according to the present invention can be realized by a program that causes a computer to operate as the control device. These computer programs can be stored in a computer-readable storage medium or distributed via a network. The firewall device controlled by the control device is not limited to a physical device, and may be a virtual firewall device.

Claims (9)

Holding means for holding addresses of each sub-network of a plurality of sub-networks, user account information associated with each of the sub-networks, and information indicating a communication protocol permitted for each of the sub-networks When,
A rule indicating communication by a communication protocol permitted to the subnetwork, which is performed by a terminal of a subnetwork associated with the account information as a communication source or a communication destination for a user who has accessed using the account information. First editing means for allowing the user to edit;
A setting means for setting rules edited by one or more users in the firewall device;
A control device comprising:
The control device further includes a generation unit that generates a rule to be set for each of a plurality of firewall devices based on a communication source and a communication destination of a rule edited by the one or more users. .   2. The apparatus according to claim 1, further comprising second editing means for allowing a user who has accessed using account information to edit the address of a subnetwork terminal associated with the account information. The control device described. The generation unit sets the setting target firewall device by extracting, from the rules edited by the one or more users, a rule whose communication source and communication destination terminals are terminals under the setting target firewall device. control device according to claim 1 or 2, characterized in that to generate the rules. The control device according one or more rules that the user has edited, to any one of claims 1 to 3, characterized in that characterized in that it further comprises an aggregate unit that aggregate according to a predetermined aggregation criteria . The predetermined aggregation criteria include aggregating rules having the same rule communication protocol and the same source terminal into one rule, and the rule communication protocol being the same and a destination terminal. Including at least one of aggregating the same rule into one rule and aggregating the same source terminal and the same destination terminal into one rule. The control device according to claim 4 , wherein The topology information is acquired from a device that manages topology information of the plurality of sub-networks, and a rule indicating communication that does not pass through a firewall device is deleted from rules edited by the one or more users based on the acquired topology information. control device according to any one of claims 1 5, characterized in that it characterized in that it further comprises a deleting means for. Holding means for holding addresses of each sub-network of a plurality of sub-networks, user account information associated with each of the sub-networks, and information indicating a communication protocol permitted for each of the sub-networks When,
A rule indicating communication by a communication protocol permitted to the subnetwork, which is performed by a terminal of a subnetwork associated with the account information as a communication source or a communication destination for a user who has accessed using the account information. First editing means for allowing the user to edit;
A setting means for setting rules edited by one or more users in the firewall device;
The topology information is acquired from a device that manages topology information of the plurality of sub-networks, and a rule indicating communication that does not pass through a firewall device is deleted from rules edited by the one or more users based on the acquired topology information. Delete means to
A control device comprising:   It further comprises determination means for acquiring information indicating the number of packets conforming to the rules set in the firewall apparatus from the firewall apparatus, and determining an application order of the rules based on the acquired information indicating the number of packets. The control apparatus according to claim 1, wherein the control apparatus is characterized in that:   A program that causes a computer to function as the control device according to any one of claims 1 to 8.

Images