JP2002344474A - Method for constructing cug, method for preventing inflow of camouflaged packet into network and network with camouflaged packet inflow preventive mechanism - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent a packet, transmitted from an unauthorised member, from arriving at an access protection object even if the source address has been forged. SOLUTION: When a camouflaged packet using a source address within a camouflage preventive address range tries to enter a network 1 with camouflage preventive function, that packet is discarded at a forged packet inflow preventive section 11. Furthermore, in the network 1, only a user authenticated at an authentication address issuing section 12 can transmit a source address within a camouflage preventive address range. In this regard, correct use of a source address assigned to a user in authentication is recognized.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a CUG (Closed User)
Group) about the construction method. CUGs are those that can be accessed only by specific members in the communication network (host machines and contents on the network)
Is a set of

[0002]

2. Description of the Related Art Conventionally, there have been the following methods for realizing CUG.

[0003] 1. It is assumed that an access from an authorized member is made without preparing a countermeasure for IP address spoofing.
Packets sent by unauthorized users by identifying registered addresses against the IP address of the packet's source and discarding packets on the route that are not sent by authorized members To prevent users from arriving at access protected objects.

[0004] 2. For each access protection target, an authentication connection (connection established through authentication) is established with a member permitted to communicate, and packets not using the authentication connection are discarded on the path. To prevent packets transmitted from unauthorized users from arriving at the access protection target.

[0005]

The above-described conventional method has the following problems.

In the method (1), access control may not function effectively due to spoofing of an IP address, and an IP packet transmitted from a user who is not permitted to communicate may reach an access protection target.

In the method (2), it is necessary to install and manage a device for establishing an authentication connection individually for each access protection target, and the burden on the access protection target administrator is large. In order to access a plurality of access protection targets, it is necessary for a user to establish a plurality of authentication connections and switch between them, which is a heavy burden.

An object of the present invention is to provide a method for preventing a spoofed packet from flowing into a network, wherein a packet transmitted from a member other than an authorized member cannot arrive at an access protection target even if a source address is spoofed. To provide a network.

Another object of the present invention is to enable a user to access a plurality of access protection targets to which the user is permitted by establishing only one authentication connection, and to individually connect with the user for each access protection target. An object of the present invention is to provide a method of constructing a CUG that does not need to manage an authentication connection.

[0010]

The present invention is realized by an apparatus (main apparatus) having the following four processing units.

[0011] installed at all the boundary points of connection with the outside,
Used as a connection relay point shared by multiple CUGs,
A spoofed packet inflow prevention unit that prevents inflow of packets having a specific range of addresses as source addresses.

Authenticating the user, user name, authentication means,
A different address is assigned to the user according to the access means, etc., and the communication between the user and the access protection target is relayed, so that the source address of the packet relayed toward the access protection target becomes the assigned address. An authentication address issuing unit for dynamically or statically determining whether a packet has been sent from a previously authorized user using a pre-authorized access method by a source address and a destination address of the packet. A filtering unit that implements access control by determining and passing or discarding a packet.

It should be noted that the present invention need not necessarily be implemented as a single device, and that the components of the main device may be distributed and installed as a wide area network.

The present invention provides an anti-spoofed network in which a spoofed packet inflow prevention unit is installed at all external boundary points in order to prevent address spoofing in a specific range (spoofed address range) on a certain network. . When a packet disguised as an address in the address range for disguise prevention as a source address attempts to flow into a network for which disguise prevention measures have been taken, the spoofed packet inflow prevention unit discards the packet. Further, inside the network in which the counterfeiting prevention measures have been taken, only the user authenticated by the authentication address issuing unit can transmit a packet in the forgery prevention address range as a source address.
At this time, it is confirmed that the source address assigned to the user at the time of authentication is used correctly by the user. By preventing the inflow of packets having the forgery prevention address range as the source address and using the addresses in the forgery prevention address range as the source address in conjunction with the user authentication, forgery prevention measures can be taken. It is possible to guarantee that addresses in the address range to be prevented from being forged are not forged on the already-completed network.

An authentication address issuing unit is provided at a boundary point or inside the forgery prevention network, and a user, an authentication unit, an access unit, and the like are determined in advance from the forgery prevention address range according to the result of authenticating the user. A different address is assigned to each item so that the assigned address can be used by the user. There are two ways to use the assigned address: (A) a method of translating the source address of an IP packet, (B) a method of relaying communication using the assigned address as the source address of a new packet, ( C) Tunneling (some IP
Create a new IP packet having the data portion after encrypting the packet if necessary) There is a method using a tunneling communication terminating device that uses the address assigned as the previous source address.

The anti-spoofed network is connected to an access protection target (a network, a host machine, or the like), and a filtering unit is provided on a communication path between an arbitrary transmission source machine and an access protection target resource. The filtering unit identifies the user name, the authentication means, the access means, etc. by using the IP address within the forgery prevention address range, passes the permitted communication packets, and discards the unauthorized communication packets. Even if the sender address of the packet sent from a member other than the member who has been disguised is unable to arrive at the access protection target.

Also, in the present invention, the user can access a plurality of permitted access protection targets only by establishing one authentication connection to the authentication address issuing unit. You do not need to have one for each target.

Corporate networks connected to the Internet are constantly exposed to the threat of unauthorized access. For this reason, measures have been introduced to allow access only to authorized members, but in the future, when dynamic cooperation with multiple companies is required, many authorized members will be frequently used. It is expected that the management cost for registering the user, the equipment cost for coping with various access means different for each user, the management cost thereof, and the like will be a large burden. Also, equipment costs, setting / operation costs, and the like for securing access means to a plurality of companies increase for the user. Depending on the access method,
In some cases, reconnection must be performed every time the communication destination is changed. Otherwise, the burden of establishing an “authentication connection” with a plurality of connection destinations is large.

Further, in the conventional method of permitting access on a network basis, there is a problem that members who can access the same network may perform illegal acts such as eavesdropping, falsification, and impersonation. There is a growing need for access control that can identify users and prevent eavesdropping, tampering, spoofing, etc., from members other than authorized members.

The present invention provides an apparatus for performing access control at a plurality of users and a plurality of access-protected relay points, thereby reducing the burden on an administrator of the access-protected resources and the user, and Secure access control can be provided.

[0021]

Next, embodiments of the present invention will be described with reference to the drawings.

Referring to FIG. 1, a network 1 with a spoofed packet inflow prevention function according to an embodiment of the present invention includes a spoofed address inflow prevention unit 11 installed at a boundary point with the outside,
It has a main unit including an authentication address issuing unit 12 having a PPTP (Point-to-Point Tunneling Protocol) server function and a filtering unit 13 installed for each access target as a transmission destination.

FIG. 2 is a flowchart showing the processing of the spoofed packet inflow prevention unit 11. First, in step 201, the process waits until a packet is received. Next, it is checked whether or not the transmission source of the packet received in step 202 is within a preset forgery prevention address range. If it is within the range, the packet is passed to step 203, and if not, the packet is discarded at step 204.

FIG. 3 is a flowchart showing the processing of the authentication address issuing unit 12. First, in step 301, the process waits until a packet is received. In step 302, it is checked whether an authentication connection corresponding to the packet exists. If there is, in step 303, the encrypted packet is restored. Next, in step 304, it is checked whether the source of the restored packet matches the address assigned to the corresponding authentication connection. If they match, the packet is delivered to the destination address in step 305, and if they do not match, the packet is discarded in step 306. If there is no authentication connection corresponding to the packet in step 302, it is checked in step 307 whether the packet is a packet requesting the establishment of an authentication connection. If the packet requires the establishment of an authentication connection, authentication is performed at step 308 with respect to the source of the packet. Next, in step 309, it is determined whether the authentication has been successful. If the authentication is successful, an authentication connection is established in step 310; if the authentication is unsuccessful, it is determined in step 312 whether or not authentication is to be tried again; if so, the process returns to step 308; In step 313, the packet is discarded. If it is determined in step 307 that the packet does not require the authentication connection, the packet is discarded in step 311.

FIG. 4 is a flowchart showing the processing of the filtering unit 13. First, in step 401, the process waits until a packet is received. It is determined whether the source of the packet received in step 402 is the dress assigned to the permitted member. If so, the packet is passed in step 403; otherwise, the packet is discarded in step 404.

Next, the flow from the generation of a packet in the transmission source machine 3 to the arrival at the access protected object 4 is shown in FIG.
This will be described with reference to FIG. Note that FIG. 5 describes a process for one packet. The processing of FIG. 5 is also performed individually on each of the packets that are continuously generated.

First, it is shown that the packet from the transmission source machine 3 used by the permitted member is correctly delivered to the access protected resource 4 (steps 501 to 52).
1). In performing the communication, the user authenticates the authentication address issuing unit 12 and establishes an authentication connection in order to perform the PPTP tunnel communication between the transmission source machine 3 and the authentication address issuing unit 12 (step). 504 ~
506). At this time, the authentication address issuing unit 12 uses the transmission source machine 3 to use a different authentication address for each of the user name, the authentication method, the access method, and the like as the transmission address of the packet transmitted by the transmission source machine 3. Assign (step 506). Since the address assignment is automatically performed between the authentication address issuing unit 12 and the PPTP client software installed in the transmission source machine 3, the user does not need to actually be aware of this address. . When transmitting a packet to the access protection target 4, the PPTP client software in the transmission source machine 3 automatically performs tunneling on the packet whose authentication address is the transmission source address, and sends the packet to the authentication address issuing unit 12. Send (Steps 507-51
3). The packet before encapsulation is extracted by the PPTP server function in the authentication address issuing unit 12 (steps 513 to 514). The authentication address issuance unit 12 confirms that the source address of the extracted packet matches the address stored in association with the user name at the time of assignment, thereby confirming the authentication address assigned to the user. (Step 5
15). The extracted packet is the access protection target 4
Is distributed in the network 1 toward the network, and the filtering unit 1 installed immediately before reaching the access protection target 4
In step 3 (step 518), it is confirmed that the authentication address assigned to the authorized member is a source address (step 519), and the packet passes through the filtering unit 13 (step 520) and arrives at the access protected resource 4 (step 520). Step 521).

Next, when a packet from a user is discarded because it is not an authorized member, there are five cases (case 1) to
(Case 5) will be described.

First, a case is attempted in which a packet is transmitted to the access-protected object 4 via the network for which anti-spoofing measures have been taken without using the authentication connection (steps 522 to 527, 518 to 519, 528). If the source address of the packet is within the forgery prevention address range, the packet is discarded by the forgery address inflow prevention unit 11 before flowing into the forgery prevention network 11 (case 1).
(Step 526). If the source address is out of the forgery prevention address range, the packet passes through the forgery prevention network (step 527), and immediately before arriving at the access protection target, the filtering unit 13 (step 518) determines that the source address is (Step 519), and the packet is discarded (Case 2) (Step 528).

When attempting to use the authentication connection, the authentication fails unless the user is registered in the authentication address issuing unit 12 (steps 505 and 529), and the authentication connection cannot be used (case 3) (step 53).
0). Here, the case where the authentication is a simple password method and the case where a third party successfully obtains the authentication password by a method such as illegally obtaining and using the authentication password are out of the scope of the measures of the present invention. .

When a third party forges a packet used in the authentication connection and transmits the packet to the authentication address issuing unit 12, the forged packet is not correctly transmitted through the authentication connection. The unit 12 fails to restore the packet to the state before the tunneling (step 514) (step 51).
5), discard the packet (Case 4) (step 53)
1). Whether or not restoration of a forged packet can be appropriately failed depends on the means of realizing the authentication connection.

When a user who has successfully authenticated transmits a packet using an IP address assigned to another user, the authentication address issuing unit 12 uses the address assigned to the authentication connection used by the user. It is confirmed that there is no packet (step 516), and the packet is discarded (case 5) (step 532). In the case of the embodiment described here, if the source address of the packet restored from the PPTP tunneling is not the IP address assigned to the user performing the tunnel communication, the packet is discarded.

In FIG. 2, Step 204 corresponds to Step 526 in FIG. 5, and Step 203 is Step 512.
And 527. Step 300 in FIG.
Corresponds to step 514 in FIG. 5, step 304 corresponds to step 516, step 305 corresponds to step 517,
Step 308 is to Step 504, Step 309 is to Step 505, Step 310 is Step 506
Step 312 corresponds to step 529. FIG.
Step 402 corresponds to Step 519 in FIG. 5, Step 304 corresponds to Step 520 and Step 40
4 corresponds to step 528.

In the above embodiment, a case has been described in which PPTP is used as an access means for realizing an authentication connection.
A method using c or L2TP can be considered. The authentication method used when establishing these authentication connections is also based on a user ID and a password, fingerprint authentication,
There is also a method of using a certificate issued by a CA authority. By assigning different addresses to the same user depending on which access unit or authentication unit is used, access control that specifies the access unit or authentication unit can be realized.

[0035]

As described above, according to the present invention, a packet transmitted from a member other than an authorized member cannot arrive at the access protection target even if the source address is forged, and the user can simply receive the packet. Establishing only one authentication connection has the effect that the user can access a plurality of permitted access protections.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a network with a spoofed packet inflow prevention function according to an embodiment of the present invention.

FIG. 2 is a flowchart showing a process of a spoofed packet inflow prevention unit 11;

FIG. 3 is a flowchart showing processing of an authentication address issuing unit 12;

FIG. 4 is a flowchart showing a process of a filtering unit 13;

FIG. 5 is a flowchart showing processing when a packet is delivered to an access protection target.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 Network with prevention function of forged packet inflow 2 External network 3 Source machine 4 Access protection target 11 Forged packet inflow prevention unit 12 Authentication address issuing unit 13 Filtering unit 201-204, 301-313, 401-4045
01-521 steps

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5K030 GA15 HA08 HC01 HC13 HD03 HD06 JA11 KA04 LC13 5K033 AA08 CB01 CC01 DA01 DB18 DB20 EC03

Claims (8)

[Claims] 1. A plurality of CUGs for providing connection relay points shared by a plurality of CUGs and for controlling access between the CUGs.
How to control multiple membership to UG. 2. On a network in which address spoofing is not possible, which is realized by blocking the inflow of a packet having a specific address as a source address, a user issues a different address according to an object to be identified. A CUG construction method in which a packet is assigned as a source address, and access control according to an IP address is individually performed for each access protection target on a path between the access protection target and the transmission source machine. 3. The CUG construction method according to claim 2, wherein different addresses are assigned to different authentication means, and an allowed authentication method can be designated for each access protection target. 4. The CUG construction method according to claim 2, wherein different addresses are assigned to different access means, and a permitted access method can be designated for each access protection target. 5. A packet having a specific range of addresses as a transmission source is prohibited from flowing into a network, and only a connection that has been authenticated by a user can use, as a transmission source, a specific range of addresses whose transmission is prohibited. To prevent spoofed packets from entering the network. 6. Authenticating a user, assigning a different address according to a target to be identified as a source address of a packet issued by the user, relaying communication between the user and the access protection target, and directing the user to the access protection target. The method according to claim 5, wherein the source address of the relayed packet is the assigned address. 7. It is installed at all the connection boundary points with the outside,
A spoofed packet inflow prevention unit that prevents the inflow of packets having a specific range of addresses as the source address into the network, and a different address depending on the object to be authenticated and identified as the source address of the packet issued by the user Assigning, relaying the communication between the user and the access protection target, and providing an authentication address issuing unit that causes the source address of the packet relayed toward the access protection target to be the allocated source address. Network with a function to prevent spoofed packet inflow. 8. A method for determining whether a packet has been sent from a pre-authorized user using a pre-authorized access method based on a source address and a destination address of the packet, and passing the packet. 8. The network according to claim 7, further comprising a filtering unit for discarding.