JP7360087B2 - Security monitoring device and security monitoring method - Google Patents

Description

The present invention relates to a device for monitoring the security of various data sent and received via the Internet, for example, and a method for monitoring security used in the device.

2. Description of the Related Art Unified Threat Management devices, which integrate multiple different security functions into one piece of hardware and centralize network security management, are increasingly being used by businesses and the like. In integrated threat management devices (hereinafter referred to as UTM devices), it is also possible to dynamically change the security level depending on the usage scene regarding so-called virus checks to prevent computer virus infection. It is being done. Specifically, Patent Document 1, which will be described later, discloses a technology for dynamically switching the virus detection method in accordance with the category of content provided by the access destination, the file type of the content, etc. regarding a UTM device. .

JP2017-092755A

UTM devices are often installed at separate locations, such as the head office and branch offices of the same company, or between the company and its business partners, and at so-called bases where data is sent and received. In this case, the UTM device on the transmitting side performs a security check on the transmitted data, and the UTM device on the receiving side performs a security check on the received data (received transmitted data). In other words, since it is not possible to determine whether a trust relationship is maintained between UTM devices, a security check is performed on the same data sent and received on both the sending and receiving sides, and as a result, the same security check is performed twice. You will be killed.

In this way, when a security check is performed between the sending side and the receiving side for data to be sent and received, the security check also takes time, which may be a factor in the time it takes to send and receive data. In particular, when there is a large amount of data to be sent and received, the double security check may slow down the communication speed.

In view of the above, it is an object of the present invention to prevent redundant security checks on transmitted and received data between the transmitting side and the receiving side, and to prevent deterioration of communication speed.

In order to solve the above problem, the security monitoring device of the invention according to claim 1 includes:
a first connection allowing connection to a wide area network;
a second connection part that enables connection of the terminal device to its own device;
a transmission check means for performing a security check on transmission data transmitted through the wide area network in response to a request from a terminal device connected through the second connection unit;
an addition means for adding predetermined checked information to the transmission data that has been security checked by the transmission checking means; the addition means adds the checked information and includes version information of the transmission source device; Transmission processing means for transmitting the transmission data to the wide area network through the first connection unit and transmitting it to the other party.

According to the security monitoring device of the invention according to claim 1, predetermined checked information is added by the addition means to the transmission data that has been security checked by the transmission check means , and the transmission data includes: It contains version information of the sending device, and is sent to the destination by the sending processing means. As a result, the destination identifies whether predetermined checked information has been added to the received data (received transmitted data), and according to this identification result and the version information of the source device , It becomes possible to decide whether or not to perform a security check on received data.

According to this invention, on the receiving side, it is possible to appropriately determine whether or not received data has undergone a security check. This allows the receiving side to appropriately decide whether or not to perform a security check on the received data, and prevents double security checks on the sending and receiving data on the sending and receiving side. This can prevent deterioration in communication speed.

1 is a diagram for explaining a configuration example of a security monitoring system configured using a UTM device (security monitoring device) according to an embodiment; FIG. FIG. 2 is a block diagram for explaining a configuration example of a UTM device according to an embodiment. FIG. 2 is a diagram for explaining the configuration of a header portion of a TCP/IP packet. 2 is a flowchart for explaining the processing at the time of transmission performed by the UTM device according to the embodiment. FIG. 2 is a flowchart for explaining the processing at the time of reception performed by the UTM device according to the embodiment. FIG.

DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of a security monitoring device and a security monitoring system of the present invention will be described below with reference to the drawings. In the following description, an example will be explained in which data is transmitted and received by using VPN (Virtual Private Network) technology between the data transmitting side and the data receiving side. VPN technology is used, for example, in companies to interconnect bases such as a head office or multiple branches and to perform highly secure communications between the bases. VPN technology uses techniques such as encapsulation and encryption to realize secure point-to-point connections even on public networks such as the Internet.

[Security monitoring system configuration example]
FIG. 1 is a diagram for explaining a configuration example of a security monitoring system configured using a UTM device to which an embodiment of a security monitoring device and a security monitoring method according to the present invention is applied. In the example shown in FIG. 1, for simplicity of explanation, a UTM device 1A installed at site A and a UTM device 1B installed at site B are connected to network 4. It shows the case. That is, the UTM device 1A and the UTM device 1B are installed at separate locations, such as the head office and branch office of the same company, or between the company and a business partner, and are installed at base A and base B where data is sent and received. It is something that

The network 4 is mainly the Internet, but also includes a public switched telephone network and a LAN (Local Area Network) that connect the UTM devices 1A, 1B to the Internet. Note that the public switched telephone network includes not only the conventional telephone network but also the optical telephone network.

As shown in FIG. 1, one or more personal computers, in this example, n personal computers (indicated as PC in FIG. 1) 2A(1), 2A( 2),..., 2A(n) are connected. Similarly, for the UTM device 1B, one or more personal computers, in this example, n personal computers (indicated as PC in FIG. 1) 2B(1), 2B(2), . . . , 2B(n) are connected.

For example, between PC 2A (1) installed at base A and PC 2B (1) installed at base B, audio data, image data, etc. It is possible to send and receive text data, etc. In this way, for example, when transmitting and receiving data between PC 2A (1) installed at site A and PC 2B (1) installed at site B, conventionally, the UTM device on the sending side and A security check was also performed on the UTM device on the receiving side.

However, in this embodiment, when transmitted data that has been properly security checked by the UTM device on the transmitting side is received by the UTM device on the receiving side, the same security check is performed again on the UTM device on the receiving side. I try not to have anything to do. In other words, for data sent from PC 2A (1) installed at site A to PC 2B (1) installed at site B, after a security check is performed on the sending side UTM device 1A, the data is sent to the receiving side UTM device 1B. There will be no security check.

Similarly, for data sent from PC 2B (1) installed at site B to PC 2A (1) installed at site A, after a security check is performed by UTM device 1B on the sending side, the UTM device on the receiving side 1A does not perform security checks. By doing so, security checks are not performed twice, and inconveniences such as data transfer being delayed due to security checks are avoided.

Below, an example of the configuration of the UTM devices 1A and 1B that performs security checks will be described. Note that the UTM device 1A and the UTM device 1B are configured similarly and realize similar functions. Therefore, in the following description, the UTM device 1A and the UTM device 1B will be referred to as UTM device 1 without distinguishing between bases A and B, unless it is necessary to distinguish between them.

Also, PC2A(1), 2A(2),..., 2A(n) and PC2B(1), 2B(2),..., 2B(n) are configured in the same way and realize the same functions. It is. Therefore, in the following, PC2A(1), 2A(2), ..., 2A(n) and PC2B(1), 2B(2), ..., 2B(n) will be used unless it is necessary to distinguish between them. ) are written as PC2(1), 2(2), ..., 2(n) without distinguishing between bases A and B.

Further, the LAN 3A and the LAN 3B are configured similarly and realize similar functions. Therefore, in the following description, LAN3A and LAN3B will be referred to as LAN3 without distinguishing between bases A and B, unless it is necessary to distinguish between them. In this way, the LAN system formed at base A and the LAN system formed at base B are configured by similarly configured UTM devices and PCs connected through the LAN. That is, base A and base B have LAN systems that implement similar functions.

[Configuration example of UTM device 1]
FIG. 2 is a block diagram for explaining a configuration example of the UTM device 1. As shown in FIG. The UTM device 1 includes a connection end 101T to the network 4, a communication I/F (interface) 101, and a control unit 102. The communication I/F 101 converts data transmitted through the network 4 into data in a format that can be processed by itself, takes in the data, and supplies the data to the control unit 102 . Furthermore, the communication I/F 101 converts the data from the control unit 102 into data in a transmission format, and performs a process of transmitting the data to the intended destination via the network 4. Communication with the communication device connected to the network 4 is performed through the connection terminal 101T and the communication I/F 101.

Although not shown, the control unit 102 is a microprocessor configured by connecting a CPU (Central Processing Unit), ROM (Read Only Memory), RAM (Random Access Memory), nonvolatile memory, etc. via a bus. The control unit 102 realizes a function of controlling each part of the UTM device 1. The storage device 103 is a device unit consisting of a recording medium and its driver, such as an HDD (hard disk drive) or an SSD (solid state drive), and records, changes, and deletes various data on the recording medium. . The storage device 103 stores and holds necessary data and programs, and is also used as a work area to temporarily store intermediate data generated in various processes.

In order to transmit data using VPN technology, the encryption unit 104 performs processing to encapsulate and encrypt data sent from its own device. Since the decryption unit 105 receives data using VPN technology, it decapsulates and decrypts the data received by its own machine, and makes the data available for use on its own machine. Perform processing to restore data. The UTM device 1 also includes a LAN I/F (interface) 106 and a LAN connection end 106T. PC2(1), 2(2), . . . 2(n) are connected to the LAM connection end 106T via the LAN3. The UTM device 1 communicates with each of the PCs 2(1), 2(2), . . . , 2(n) through the LAN I/F 106 and the LAN connection end 106T. Each of the PCs 2(1), 2(2), . . . , 2(n) is enabled to connect to the network 4 via the UTM device 1.

Note that in the UTM device 1, what kind of terminals are connected to the UTM device 1 through the LAN 3 is managed, for example, in the nonvolatile memory of the control unit 102 or in the storage device 103. Specifically, in the UTM device 1, information that can uniquely identify each terminal such as a terminal ID such as an IP (Internet Protocol) address and a MAC (Media Access Control address) address and information such as a port number are managed for each terminal. has been done.

The UTM device 1 includes a P2P countermeasure section 121, an HP (Home Page) access control section 122, a virus countermeasure section 123, an email countermeasure section 124, an IPS/IDS section 125, and a firewall as functional sections that perform security checks. 126. Furthermore, the UTM device 1 includes a transmission data check section 127 and a reception data check section 128 as functional sections that perform security checks.

The P2P countermeasure unit 121 realizes a function of prohibiting P2P connections with parties that have not taken security measures or with malicious parties. Note that "P2P" means "Peer to Peer" and means that equal parties directly connect and communicate with each other via the Internet. The function of the P2P countermeasure unit 121 realizes functions such as preventing one-on-one exchange of files such as images with a problematic party, and preventing virus infection from the party.

For example, by selecting a prespecified homepage category, the HP access control unit 122 realizes a function of prohibiting access to the homepage corresponding to the category. For example, by specifying categories such as illegal drugs (narcotics, etc.), adult-related sites, and gambling-related sites, it is possible to filter URLs to inappropriate sites such as drug-related sites, adult sites, and gambling sites.

The virus countermeasure unit 123 verifies the response of the web page (virus check). Specifically, the virus countermeasure unit 123 implements a function of monitoring communication when viewing a web page and verifying (checking) whether an image to be viewed or a file to be downloaded is contaminated with a virus.

Regarding received e-mails, the e-mail countermeasure unit 124 realizes a function of blocking e-mails with unnecessary advertisements or viruses attached. The IPS/IDS section 125 realizes functions of preventing inappropriate intrusion and notifying inappropriate intrusion. Here, IPS is an abbreviation for Intrusion Prevention System, and IDS is an abbreviation for Intrusion Detection System. The IPS/IDS unit 125 can defend against attacks by so-called malware such as worms and Trojan horses. The firewall unit 126 determines whether or not to supply data to the internal network based on data communication conditions and software used, and realizes a function to protect the own system from attacks and unauthorized access from external networks. .

The transmission data check unit 127 performs virus checks and other checks on the transmission data when transmitting audio data, image data, text data, etc. from the own device using an Internet telephone service or a data transfer function. Perform necessary checks. When the received data check unit 128 receives audio data, image data, text data, etc. using an Internet telephone service or a data transfer function, the received data check unit 128 performs virus checking and other checks on the received data. Perform necessary checks.

The checked information addition unit 131 adds predetermined checked information to the checked transmission data that has been security-checked by the transmission data checking unit 127, performs processing such as recalculating the checksum, and then finalizes the checked transmission data. form the transmission data. The transmission data processed by the checked information addition unit 131 is subjected to processing such as encryption in the encryption unit 104, and then sent to the network 4 through the communication I/F 101 and the connection end 101T under the control of the control unit 102. be done. Thereby, the transmission data is transmitted to the intended destination via the network 4.

On the other hand, data received through the connection terminal 101T and the communication I/F 101 (received data addressed to a PC under its own machine) is first subjected to processing such as decryption in the decryption unit 105, and then checked information identification. 132. The checked information identifying unit 132 identifies whether predetermined checked information is added to the received data supplied thereto. For received data that is identified by the checked information identification unit 132 as having predetermined checked information added, there is no need to perform the same security check again as at the time of transmission.

Therefore, the control unit 102 accepts received data that is identified by the checked information identifying unit 132 as having predetermined checked data added without performing a security check. The control unit 102 supplies the received data to a destination terminal (PC) such as PC2(1) connected to the LAN 3 through the LAN I/F 106 and the LAN connection end 106T.

If the checked information identification unit 132 identifies received data as not having predetermined checked information added, there is a high possibility that a security check was not performed at the time of transmission. Therefore, the received data is supplied to the received data check section 128 under the control of the control section 102. This allows the received data checking section 128 to appropriately check the received data for which the predetermined received information is not added.

A security check is performed in the received data checking unit 128, and the received data that is determined to be free of problems is sent to the other party, such as the PC 2 (1) connected to the LAN 3, by the control unit 102 through the LAN I/F 106 and the LAN connection end 106T. is supplied to the terminal. Incidentally, as a result of the security check, received data with a problem such as a virus confirmed will be discarded.

In this way, the UTM device 1 is equipped with a plurality of different security functions in one piece of hardware, making it possible to comprehensively deal with threats occurring in the communication environment. Furthermore, as described above, the transmission data to be transmitted from the own device to the other party can be subjected to a security check and can be sent with predetermined checked information indicating that the security check has been completed added thereto. As a result, the security check can be omitted for received data for which the transmission destination (other party) can identify (recognize) that there is already checked information. Of course, if the other party's UTM device is capable of adding predetermined checked information in the same way as the own device, then the own device can also identify (recognize) that there is checked information. Security checks can be omitted for received data.

[Specific example of how checked information is added]
In the security monitoring system of this embodiment, as explained using FIG. 1, data is transmitted mainly through the network 4, which is the Internet. Therefore, data is sent and received as TCP/IP packets. For this reason, predetermined checked information is added to the empty area of the header of the TCP/IP packet. Note that TCP is an abbreviation for "Transmission Control Protocol," and IP is an abbreviation for "Internet Protocol." FIG. 3 is a diagram for explaining the structure of a header portion of a TCP/IP packet. As shown in FIG. 3, in a TCP/IP packet, 24 bytes from the 0th byte to the 23rd byte are the header part, and the 24th and subsequent bytes are the payload part (data body part).

In the header section shown in Figure 3, the "source port number" is the source port number, the "destination port number" is the destination (destination) port number, and the "sequence number" is the transmitted data. This indicates the order of Furthermore, the "acknowledgment response number" is the sequence number and data size received from the other party. "Data offset" is a value indicating the length of the header section, and "reservation" is an area prepared for future expansion. The "control flag" is composed of six bits: "URG", "ACK", "PSH", "RST", "SYN", and "FIN". "Window size" is used to notify the receiving side of the amount of data that can be received at one time. The "checksum" contains a value used to check for errors in the header section and data section. The "urgent pointer" is an area used when the control flag "URG" is "1".

In "option + padding part", "option" is used to improve performance in TCP communication. "Padding" is used to adjust the last 2-byte field to a 32-bit integer in order to make the length of the header part 24 bytes. In this embodiment, the checked information adding unit 131 adds predetermined checked information to the option+padding section of the 20th to 23rd bytes. The predetermined checked information can be expressed using a maximum of 4 bytes, such as information originating from the manufacturer of the UTM device 1 such as "SAXA", information indicating checked (Check OK) such as "CKOK", etc. Enter your information. Of course, the checked information shown here is just an example, and various predetermined checked information can be used.

In this way, by using a predetermined area (field) in the header portion of a TCP/IP packet, it is possible to add checked information and send the data to the destination without affecting the data to be sent. Since the part to which the checked information is added is predetermined, the recipient party can determine whether or not the checked information is added by checking the relevant part of the received data (received transmission data). It becomes possible to identify it reliably.

[Summary of processing performed in UTM1]
The processing performed by the UTM device 1 of the embodiment having the above-described configuration will be summarized with reference to a flowchart. As described above, in the UTM device 1, the P2P countermeasure section 121, the HP access control section 122, the virus countermeasure section 123, the mail countermeasure section 124, the IPS/IDS section 125, and the firewall section 126 function to perform various security measures. processing is performed. In addition to the processes performed by these parts, the UTM device 1 performs a security check on the transmitted data when transmitting data from itself, and when it receives data, A configuration is provided to perform a security check on received data. However, as described above, the UTM device 1 of this embodiment is characterized in that security checks are not performed twice on the transmitting side and the receiving side. Hereinafter, the processing performed by the UTM device 1 will be explained separately at the time of transmission and at the time of reception.

<Processing during transmission by UTM device 1>
FIG. 4 is a flowchart for explaining the processing performed by the UTM device 1 when transmitting data. Transmission data (packet data) from the subordinate PCs 2(1), . . . , etc. connected through the LANI/F 106 and the LAN connection end 106T is supplied to the transmission data checking unit 127 under the control of the control unit 102. The transmission data checking section 127 performs a virus check and other necessary checks on the transmission data supplied to it (step S101). As a result of the security check in step S101, transmission data for which it is confirmed that there is a problem such as a virus that may affect the destination is not transmitted.

In step S101, the transmission data subjected to the security check is supplied to the checked information adding unit 131 under the control of the control unit 102, and checked information is added here (step S102). As explained using FIG. 3, the process of step S102 is a process of adding predetermined checked information to the option+padding part of the header part of the TCP/IP packet that is the transmission data. Thereafter, the checked information adding unit 131 recalculates the checksum and adds it to the checksum area of the header section (step S103).

The transmission data whose checksum has been recalculated and reattached in step S103 is supplied to the encryption unit 104 under the control of the control unit 102, where it is subjected to encapsulation processing and encryption processing using a predetermined method. (Step S104). In step S104, the transmission data (packet data) subjected to processing such as encryption is sent to the network 4 through the communication I/F 101 and the connection end 101T under the control of the control unit 102 (step S105), and Sent to the other party.

In this way, the UTM device 1 performs security checks on the transmission data (packet data) sent from its own device, adds predetermined checked data, re-adds a checksum, and performs processing such as encryption. and send it to the intended recipient.

<Processing at the time of reception by UTM device 1>
FIG. 5 is a flowchart for explaining the processing performed by the UTM device 1 when receiving data. Received data to the PC 2 (1), etc. under the own machine, which is received through the connection end 101T to the network 4 and the communication I/F 101, is first supplied to the decryption unit 105 under the control of the control unit 102. , Here, decryption processing and decapsulation processing are performed (step S201). The received data subjected to processing such as decryption in step S201 is supplied to the checked information identification unit 132 under the control of the control unit 102.

The checked information identifying unit 132 checks the options in the header part and the information in the padding part of the received data (packet data) supplied thereto, and identifies whether or not predetermined checked information is added (step S202). The identification result in step S202 is notified to the control unit 102, so the control unit 102 determines whether checked information is added (or not) (step S203).

In the determination process of step S203, if it is determined that there is checked information, it has been confirmed that the received data (packet data) has already undergone a security check, so the control unit 102 accepts this ( Step S204). The process in step S204 is a process in which the received data is processed in the own device. The control unit 102 processes the received data received in step S204 so as to supply it to the intended destination, such as PC2(1), etc., through the LAN I/F 106 and the LAN connection terminal 106T.

In the determination process of step S203, if it is determined that there is no checked information, there is a high possibility that the received data has not been security checked. In this case, the control unit 102 supplies the received data to the received data checking unit 128, and performs a security check consisting of a virus check and other necessary checks (step S205). After that, the control unit 102 receives the received data that has been security checked by the received data checking unit 128 (step S204). As described above, the process in step S204 is a process in which the received data is processed in the own device. The control unit 102 processes the received data received in step S204 so as to supply it to the intended destination, such as PC2(1), etc., through the LAN I/F 106 and the LAN connection terminal 106T.

In this manner, the UTM device 1 identifies whether predetermined checked information is added to the received data (packet data) received by the UTM device 1. When it is determined that predetermined checked information has been added, the received data is accepted and processed without performing a security check. However, if it cannot be determined that predetermined checked information has been added, the received data is subjected to a security check and then accepted and processed.

This prevents security checks on received data from being performed on both the sending and receiving sides, and prevents the inconvenience of slow communication speeds caused by security checks being performed on the receiving side. can. That is, data can be sent and received quickly. Of course, the received data checking unit 128 can perform a security check on received data that is likely to have not been subjected to a security check, so the security of data communication is not compromised.

[Effects of embodiment]
According to the UTM device of the embodiment described above, when a security check is performed on transmission data, predetermined checked information can be added to the transmission data. Also, when receiving data, it is recognized whether predetermined checked information has been added to the received data (received transmitted data), and if it is recognized that the information has been added, the security check on the received data is omitted. can do. In other words, instead of a static response that does not involve changing the data being sent and received, the system is configured to add checked information to the data being sent and received, and take a dynamic response that identifies the need for security checks. .

This makes it possible to reliably prevent similar security checks from being performed on both the sending and receiving sides. Therefore, on the receiving side, it is possible to prevent the reception of received data from being delayed due to security checks being performed on the received data, prevent deterioration of communication speed, and send and receive data appropriately and quickly. It can be performed.

This is especially true when communicating using VPN technology, or when transmitting and receiving large amounts of data such as voice data, image data, text data, etc. using Internet telephone services or data transfer functions. The effects of invention are significant.

Furthermore, since the checksum is recalculated and reattached to the transmitted data to which predetermined checked information has been added, the reliability check of the data is not affected. Further, since the transmission data to which predetermined checked information is added is encrypted and transmitted, it is possible to prevent malicious addition or deletion of the predetermined checked information.

[Modified example]
In addition, in the embodiment described above, it has been explained that transmission and reception is performed using the VPN technology between the UTM device 1A and the UTM device 1B. However, it is not limited to this. The present invention can also be applied to cases where data is sent and received without using VPN technology. If VPN technology is not used, there is no need to encapsulate or encrypt data to be sent and received. Therefore, on the transmitting side, the process of step S104 shown in FIG. 4 can be omitted. Furthermore, on the receiving side, the process of step S201 can be omitted. Even if processing such as encryption, decryption, etc. is not performed in this way, measures are taken to ensure the reliability of the data being sent and received, such as checksums, so there is no need to encrypt the data. The present invention is also effective when transmitting and receiving data.

Further, in the embodiments described above, the case where the security monitoring device according to the present invention is applied to a UTM device has been described as an example, but the present invention is not limited to this. The security monitoring device according to the present invention can be applied to various network devices such as routers, which are provided between a wide area network including the Internet and a LAN formed in a company or the like.

Further, in the above-described embodiment, the predetermined checked information is added to the header portion of the TCP/IP packet, but the present invention is not limited to this. Predetermined checked information can be added to areas that do not affect the actual data to be transmitted, such as headers and footers of transmission data that is transmitted and received using various protocols.

Furthermore, even if checked information is added, for example, if the version information of the source device is added to the TCP/IP packet, if the version information is old, a security check will be performed on the received data. It is also possible to take measures such as doing the following. That is, it may be determined whether or not to perform a security check on received data on the receiving side, taking into account both whether or not checked information is added and the version of the sending device.

[others]
As can be seen from the description of the embodiments described above, the function of the first connection unit in the claims is realized by the connection end 101T to the network 4 and the communication I/F 101, and the function of the second connection unit is realized by the LANI /F106 and LAN connection end 106T are realized. Further, the function of the checking means at the time of transmission in the claims is realized by the transmission data checking section 127, and the function of the adding means in the claims is realized by the checked information adding section 131. Further, the transmission processing means in the claims is realized by the cooperation of the control unit 102 and the communication I/F 101.

Further, the function of the reception processing means in the claims is realized by the cooperation of the control unit 102 and the communication I/F 101, and the function of the identification means in the claims is realized by the checked information identification unit 132. Further, the function of the reception check control means in the claims is realized by the control unit 102.

Further, the method described using the flowcharts of FIGS. 4 and 5 is an embodiment of the security check method according to the present invention. Furthermore, the security monitoring device of the present invention can be realized by creating a program that executes the processes shown in the flowcharts of FIGS. 4 and 5, and installing the program in a network device such as a UTM device to make it executable.

Further, the functions of the transmission data checking unit 127, the reception data checking unit 128, the checked information adding unit 131, and the checked information identifying unit 132 can be realized by a program executed in the control unit 102 of the UTM device 1, for example. . That is, the functions of the transmission data check section 127, the reception data check section 128, the checked information addition section 131, and the checked information identification section 132 can also be realized as functions of the control section 102 by a program.

1, 1A, 1B...UTM device, 101T...Connection end to network 4, 101...Communication I/F, 102...Control unit, 103...Storage device, 104...Encryption unit, 105...Decryption unit, 106...LANI /F, 106T...LAN connection end, 121...P2P countermeasure section, 122...HP access control section, 123...virus countermeasure section, 124...email countermeasure section, 125...IPS/IDS section, 126...firewall section, 127...transmission data Check unit, 128...Received data check unit, 131...Checked information addition unit, 132...Checked information identification unit, 2, 2A(1) to 2A(n), 2B(1) to 2B(n)...PC, 3, 3A, 3B...LAN

Claims (6)

a first connection allowing connection to a wide area network;
a second connection part that enables connection of the terminal device to its own device;
a transmission check means for performing a security check on transmission data transmitted through the wide area network in response to a request from a terminal device connected through the second connection unit;
an addition means for adding predetermined checked information to the transmission data that has been security checked by the transmission checking means; the addition means adds the checked information and includes version information of the transmission source device; A security monitoring device comprising: transmission processing means for transmitting the transmission data to the wide area network through the first connection unit and transmitting it to a destination. a first connection allowing connection to a wide area network;
a second connection part that enables connection of the terminal device to its own device;
reception processing means for receiving transmission data addressed to a terminal device connected through the second connection unit through the first connection unit;
Identification means for identifying whether predetermined checked information is added to the received data received through the reception processing means;
When the identification means identifies that the checked information has been added, the received data is updated in consideration of the version information of the source device included in the received data received through the reception processing means. A security monitoring device comprising: check control means for controlling whether or not to perform a security check at the time of reception. a first connection allowing connection to a wide area network;
a second connection part that enables connection of the terminal device to its own device;
a transmission check means for performing a security check on transmission data transmitted through the wide area network in response to a request from a terminal device connected through the second connection unit;
an addition means for adding predetermined checked information to the transmission data that has been security checked by the transmission checking means; the addition means adds the checked information and includes version information of the transmission source device; Transmission processing means for transmitting the transmission data to the wide area network through the first connection unit and transmitting it to a destination;
reception processing means for receiving transmission data addressed to a terminal device connected through the second connection unit through the first connection unit;
Identification means for identifying whether or not the predetermined checked information is added to the received data received through the reception processing means;
When the identification means identifies that the checked information has been added, the received data is added in consideration of the version information of the transmission source device included in the received data received through the reception processing means. A security monitoring device comprising: check control means for controlling whether or not to perform a security check on the received data. A security monitoring method used in a security monitoring device comprising a first connection unit that allows connection to a wide area network and a second connection unit that allows connection of a terminal device to its own device, the method comprising:
a transmission checking step in which the transmission checking means performs a security check on transmission data to be transmitted through the wide area network in response to a request from a terminal device connected through the second connection unit;
an addition step in which the addition means adds predetermined checked information to the transmission data that has been security checked in the transmission check; the transmission processing means adds the checked information in the addition step and transmits the data ; A security monitoring method comprising: a transmission processing step of transmitting the transmission data including version information of the original device to the wide area network through the first connection unit and transmitting it to the other party. A security monitoring method used in a security monitoring device comprising a first connection unit that allows connection to a wide area network and a second connection unit that allows connection of a terminal device to its own device, the method comprising:
The security monitoring method according to claim 4,
a reception processing step in which the reception processing means receives transmission data addressed to a terminal device connected through the second connection unit through the first connection unit;
an identification step in which the identification means identifies whether or not the predetermined checked information is added to the received data received in the reception processing step;
When it is identified in the identification step that the checked information is added, a reception checking means takes into account the version information of the transmission source device included in the reception data received in the reception processing step. and a check control step at the time of reception for controlling whether or not to perform a security check on the received data. A security monitoring method used in a security monitoring device comprising a first connection unit that allows connection to a wide area network and a second connection unit that allows connection of a terminal device to its own device, the method comprising:
a transmission checking step in which a transmission checking means performs a security check on transmission data transmitted through the wide area network in response to a request from a terminal device connected through the second connection unit;
an addition step in which the addition means adds predetermined checked information to the transmission data that has been security checked in the transmission check step; a transmission processing means adds the checked information in the addition step ; a transmission processing step of transmitting the transmission data including version information of the transmission source device to the wide area network through the first connection unit and transmitting it to the destination;
a reception processing step in which the reception processing means receives transmission data addressed to a terminal device connected through the second connection unit through the first connection unit;
an identification step in which the identification means identifies whether or not the predetermined checked information is added to the received data received through the reception processing step;
When it is identified in the identification step that the checked information is added, check control is performed at the time of reception in consideration of the version information of the transmission source device included in the reception data received in the reception processing step. A security monitoring method characterized by comprising: a reception check control step in which the means controls whether or not to perform a security check on the received data.

Images