JP2003264595A - Packet repeater device, packet repeater system, and decoy guiding system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a packet repeater system whose security property against any illegal access is improved by transmitting an illegal access packet or any suspicious packet to a decoy network. <P>SOLUTION: This packet repeater system is provided with a packet relay part 2 for relaying a packet between networks 20 and 30 and a decoy guiding part 3 for transmitting the packet from the network 20 to a decoy network 40. The packet relay part 2 is provided with a filtering part 5 for deciding whether to discard or decoy-guide the packet from the network 20 by using a filtering table 6 and an intrusion detecting part for updating the filtering table 6 by monitoring the packet from the network 20. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a packet relay device and an Otori guidance system, and more particularly to linking an intrusion detection function and a network relay function and guiding a packet from an external network to the Otori network. And a packet relay system and an Otori guidance system using the same.

[0002]

2. Description of the Related Art FIG. 13 is a diagram showing the configuration and operation of a conventional intrusion detection system. In the figure, 1 is a packet relay device, 20 is an external network, 21 is an external terminal device, 30 is an internal network, 31 is an internal terminal device, 5
Reference numeral 0 is an administrator terminal, and 51 is an analysis device.

The packet relay device 1 is connected to the external network 20 and the internal network 30 and relays packets to be communicated between the both networks.
That is, the packet from the external terminal device 21 to the internal terminal device 31 is received from the external network 20 and sent to the internal network 30. In addition, a packet from the internal terminal device 31 to the external terminal device 21 is transmitted to the internal network 30.
Received from the network and sent to the external network 20.

Access from the external network 20 to the internal network 30 may be restricted. For example, there is a case where only a person authenticated by the ID code and the password can access the internal terminal device 31. In such a case, a packet from an attacker who attempts to illegally access the internal network 30 from the external network 20, that is, an illegal access packet may be sent.

In order to protect the internal network from such unauthorized access, in general, the packet relay device 1 is
It has a filtering function to detect unauthorized access packets. Such a packet relay device determines an unauthorized access packet from the external network 20 by using the filtering table in which the source or destination information of the unauthorized access packet is defined, and if it can determine that the packet is an unauthorized access packet, The packet is not sent to the internal network 30.

In the packet relay device having such a filtering function, the content of the filtering table is important, and in order to enhance the security of the internal network 30, a unified policy (communication is blocked if specific data is received). Unauthorized access can be eliminated by setting an extreme policy such as
It becomes difficult to ensure network availability. Therefore, at the time of operation, the network administrator needs to determine whether or not each suspected packet suspected of unauthorized access is an unauthorized access packet and update the filtering table.

The analysis device 51 monitors the packet relay device 1 and the internal network 30 and records communication data to collect information that is a clue for detecting unauthorized access from the external network 20 to the internal network 30. . The collected information is analyzed by the analysis device 51 and the administrator terminal device 5 of the network administrator.
0 is notified.

The network administrator uses the administrator terminal device 5
By using 0, the filtering table of the packet relay device 1 can be set and updated. Based on the analysis result by the analysis device 51, the network administrator makes a final judgment as to whether or not the packet is an unauthorized access packet and a packet suspected of being an unauthorized access, changes the filtering table, and restarts the unauthorized access. To prevent.

[0009]

The conventional intrusion detection system is configured as described above and managed by the network administrator. However, since such network management work can be performed only by specialists having specialized knowledge, there is a problem that a large work load is concentrated on some of the managers.

Further, the packet relay device uses an IDS (Intr
In some cases, it has an intrusion detection function called usion Detection System). If the IDS is used, the unauthorized access packet can be identified by the pattern matching of the packet data. However, if it cannot be determined that the packet is an unauthorized access packet only by pattern matching in packet units, there is a problem that the unauthorized access packet is sent to the internal network. Further, since it takes time for the IDS to detect an unauthorized access packet, when the packet communication volume is large,
There is also a problem that it is not possible to make a judgment for all packets.

The present invention has been made in view of the above circumstances, and is a packet relay device having a security function, wherein an unauthorized access packet or a packet suspected of the unauthorized access packet is transmitted to the Ottori network to thereby perform an unauthorized access. It is an object of the present invention to provide a packet relay device which improves security against the above or automates handling of unauthorized access. Another object of the present invention is to provide a packet relay device that secures the bandwidth of a communication path by sending a packet to the Ottori network when the amount of communication increases.

It is another object of the present invention to provide a packet relay system having a security function, in which the bandwidth of the relay route is controlled by using two relay routes and the security is improved.

It is another object of the present invention to provide an Otori guidance system including a packet relay device having a security function and an Otori terminal device in which an unauthorized access packet or a packet suspected of being unauthorized is guided via an Otori network. Further, another object of the present invention is to provide an Otori guidance system in which the security level is changed, the network is audited, or illegal access is dealt with in real time.

[0014]

A packet relay apparatus according to the present invention as set forth in claim 1 is a packet relay section for relaying a packet between a first network and a second network, and a second network from the first network. And an Otori guidance unit for transmitting a packet transmitted to the OTRI network to another Otori network different from the first and second networks.

The packet relay unit uses a filtering table that stores the source or destination information of the packet to be discarded or the packet to be guided, and uses the filtering table from the first network to the second network. The packet transmitted from the first network to the second network by monitoring the packet processing unit that determines whether to discard the packet or guide the packet based on the source or destination information of the packet transmitted by , And an intrusion detection unit that detects an unauthorized access packet attempting to illegally access the second network and updates the filtering table.

In the packet relay device according to the second aspect of the present invention, the Otori network has the same address system as the second network, and the Otori terminal device is connected. Further, the Otori guidance unit is configured to send the packet to the Otori terminal device to which the first address information that matches the destination address information of the Otori-guided packet is assigned.

In the packet relay device according to the third aspect of the present invention, the intrusion detection unit has the second network from the first network.
Is configured to detect unauthorized access packets by comparing packets transmitted to the network with predetermined pattern data of unauthorized access packets.

In the packet relay device according to the present invention as set forth in claim 4, the Otori guiding unit sends the packet transmitted from the Otori terminal device to the first network to the packet relay unit, and the packet relay unit, It is configured to send a packet from the Otori terminal to the first network.

According to a fifth aspect of the packet relay apparatus of the present invention, the Otori guidance unit is constituted by a general-purpose computer connected to the Otori network, and the packet relay unit is connected via the general-purpose data bus to the packet relay unit. The unit is configured to convert the frame format of the packet transmitted from the Otori network received from the Otori induction unit to the first network and transmitting the packet to the first network. It

In the packet relay device according to the sixth aspect of the present invention, the Otori guiding unit guides the packet transmitted from the Otori terminal device to the first network based on the destination information of the packet. It is configured to determine a packet having a destination other than the source of the packet, change the source information of the determined packet to the second address assigned to the Otori terminal device, and send the packet to the packet relay unit. .

In the packet relay device according to the present invention as set forth in claim 7, the packet relay unit discriminates the packet having the second address as the destination information from the packets transmitted from the first network, and performs the Otori induction. The unit is configured to change the destination information of the determined packet to the first address and send it to the Otori network.

A packet relay system according to an eighth aspect of the present invention comprises a first and a second packet relay device,
It is configured by a packet monitoring device that monitors packets. A port for the first network of the first packet relay device is connected to the first network, a port for the first network of the second packet relay device is connected to the second network, and the first and second The ports for the second network of the second packet relay device are connected to each other to form a first path through which a normal packet is transmitted, and the ports for the Otori networks of the first and second packet relay devices are connected to each other. A second route for transmitting a packet to be guided by the first packet relay device is formed as a monitoring route, and the packet monitoring device is provided on the second route.

According to a ninth aspect of the present invention, there is provided an Otori guidance system, a packet relay device connected to the first network and the second network, and first and second packet relay devices.
And an Otori terminal device connected to the packet relay device via an Otori network different from the above network.

The above packet relay device relays a packet between the first network and the second network, and a packet relay unit for relaying the packet from the first network to the second network. Two
And an Otori guidance unit for sending to another Otori network.

The packet relay unit uses the filtering table that stores the source or destination information of the packet to be discarded or the packet to be guided, and uses the filtering table from the first network to the second network. The packet transmitted from the first network to the second network by monitoring the packet processing unit that determines whether to discard the packet or guide the packet based on the source or destination information of the packet transmitted by , And an intrusion detection unit that detects an unauthorized access packet attempting to illegally access the second network and updates the filtering table.

In the Otori guidance system according to the tenth aspect of the present invention, when the packet relay device has a communication amount from the first network to the second network exceeding a predetermined threshold value, the packet relay device transmits the packet from the first network. A packet is sent to the Ottori terminal device, and the Ottori terminal device records the packet from the packet relay device and transmits it to the second network after reducing the communication volume from the first network to the second network. Is composed of.

In the Otori guidance system according to the eleventh aspect of the present invention, the Otori terminal device analyzes the packet information of the Otori-guided packet, and based on the analysis result, the Otori-guided packet It is configured to send to a network or a surrogate terminal.

According to the twelfth aspect of the present invention, the packet relay device sends the packet transmitted from the first network to the second network to the second network and the otori terminal device. ,
The Otori terminal device is configured to analyze the packet information of the Otori-guided packet and audit the second network based on the analysis result.

In the Otori guidance system according to the thirteenth aspect of the present invention, the Otori terminal device analyzes the packet information of the Otori-guided packet, and based on the analysis result, sends the session reset packet to the first network. Is configured to be delivered to

[0030]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiment 1. 1 is a block diagram showing a configuration example of an Otori guidance system according to a first embodiment of the present invention. In the figure, 1 is an Otori guidance device, 2
Is a packet relay unit, 3 is an Otori guidance unit, 4 is an intrusion detection unit, 5 is a filtering processing unit, 6 is a filtering table, 7 is an internal bus, 20 is an external network, 21
Is an external terminal device, 30 is an internal network, 31 is an internal terminal device, 40 is an Otori network, and 41 is an Otori terminal device.

The Otori guidance device 1 includes an external network 2
0 and the internal network 30, and is a packet relay device that relays a packet between both networks.
That is, the packet from the external terminal device 21 to the internal terminal device 31 is received from the external network 20 and sent to the internal network 30. In addition, a packet from the internal terminal device 31 to the external terminal device 21 is transmitted to the internal network 30.
Received from the network and sent to the external network 20.

Usually, two or more terminal devices are connected to each of the networks 20, 30 and 40, but they are omitted in the figure. In particular, the external network 20 may be a network that accommodates an unspecified number of terminal devices such as the Internet. Otori Network 4
0 is a separate network that is not connected to the internal network 30 (except through the Otori induction device 1),
The Otori terminal device 41 is connected.

The Otori guidance device 1 includes an external network 2
0 and the packet relay unit 2 connected to the internal network 30 and the Otori guiding unit 3 connected to the Otori network 40. The packet relay unit 2 and the Otori guiding unit 3 are connected via the internal bus 7. . The packet relay unit 2 further includes an intrusion detection unit 4, a filtering processing unit 5, and a filtering table 6.

The Otori guidance unit 3, the intrusion detection unit 4, and the filtering processing unit 5 can communicate with each other via the internal bus 7 which is a path other than the network path (external network 20, internal network 30). Further, the Otori guidance unit 3 and the intrusion detection unit 4 are hidden from the user who uses the network relay function.

The intrusion detection unit 4 carries out stealth monitoring of packets from the external network 20 to obtain DoS (Denial).
of service), scanning, and other network-level attacks (unauthorized access) are detected. For example, the unauthorized access packet is detected by comparing the packet data to be monitored with an unauthorized packet pattern given in advance. This pattern matching can be performed not only on a packet basis but also on a series of packets specified by source or destination information.

The filtering processing unit 5 relays the packet transmitted from the external network 20 to the internal network 30 and guides it to the Otori network 40.
One of the discarding processes (filtering process) is being performed. This processing is performed based on the filtering table. For example, an unauthorized access packet that attempts to gain unauthorized access to the internal network 30 is discarded, a suspected packet suspected of unauthorized access is guided to the Otori network 40, and other normal The packet is sent to the internal network 30.

The filtering table 6 stores data defining the filtering process, and includes information about the source or destination included in the packet header,
The filtering process for the packet is associated. For example, packet transmission source or transmission destination information is stored as a packet to be discarded and a packet to be guided, and a packet whose transmission source or transmission destination information matches the filtering table 6 is discarded or While being guided, other packets are relayed to the network. The filtering table 6 is updated based on the detection result of the intrusion detection unit 4.

The Otori guidance section 3 is connected via the internal bus 7.
The packet to be guided by the Otori is received from the filtering processing unit 5, and is transmitted to the Otori terminal device 41 on the Otori network 40.

Next, the operation will be described. The packet transmitted from the external terminal device 21 to the internal terminal device 31 is received by the Otori guidance device 1 via the external network 20. This received packet is input to the filtering processing unit 5 of the packet relay unit 2 and also to the intrusion detection unit 4. The intrusion detection unit 4 intercepts the communication at the entrance of the packet relay unit 2 in the promiscuous mode and the stealth mode.

Based on the filtering table 6, the filtering processing unit 5 having received the packet sends information about the source or destination, for example, the source IP (Internet Protocol).
l) Address, destination IP address, source TCP (Tra
nsmission Control Protocol) port number, destination TC
P port number, sender UDP (User Datagram Protoco
l) Check the port number or destination UDP port number.

As a result, the packet designated for discard in the filtering table 6 is discarded by the filtering processing unit 5, and the packet designated for Otori induction is the Otori site (the Otori terminal device 41 of the Otori network 40). ), And neither is sent to the internal network 30. On the other hand, a packet for which discarding or guidance is not specified is sent to the internal network 30.

FIG. 2 is a diagram showing an example of a packet flow in the Otori guidance system of FIG. The packet transmitted from the external network 20 to the internal network 30 is based on the filtering table 6,
It is discarded, guided to the Ottori network 40, or relayed to the internal network 30.

On the other hand, the intrusion detection unit 4 that intercepts the packet
Performs pattern matching according to a predetermined unauthorized access pattern to determine whether the intercepted packet is an unauthorized access packet. When an unauthorized access packet is received, the sender or destination information and the filtering process (discard or inducement) associated with it are determined according to a predetermined policy (type of unauthorized access and the countermeasure against it), and the internal The filtering processing unit 5 is notified via the bus 7 and the filtering table 6 is updated.

For example, when a packet suspected of unauthorized access is detected, the packet is added to the target of Otori guidance, and when it is detected to be an unauthorized access packet, it is added to the target of discard. It On the contrary, when the target of the Otori induction or discard is detected to be the normal access packet, it is excluded from these targets. Such a policy is arbitrarily determined in advance and is given to the intrusion detection unit 4.

According to the present embodiment, the intrusion detection unit 4 detects an unauthorized access packet from the external network 20 and automatically updates the filtering table 6, so that the filtering policy is automatically set dynamically. Can be changed. Therefore, it is possible to realize countermeasures in response to an unauthorized access packet in real time and improve security.

Further, among the packets from the external network 20 to the internal network 30, by guiding the packet suspected of unauthorized access to the Otori terminal device 41, the unauthorized access to the internal network 30 can be prevented in advance. it can.

Embodiment 2. FIG. 3 is a block diagram showing a configuration example of the Otori guidance system according to the second embodiment of the present invention. 8 in the figure is a personal computer, 9
Is an add-in board, 10 is a PCI (Peripheral Compone)
nts Interconnect) bus, 11 is a PCI interface unit, and 12 is a TCP / IP interface unit.
It should be noted that blocks corresponding to the blocks shown in FIG.

The personal computer 8 includes an Otori guidance unit 3, a PCI interface unit 11, and a TCP / I unit.
The P interface unit 12 is included. Otori guidance unit 3
Is configured as software to be executed on a general-purpose personal computer, and the PCI interface unit 1
1 is connected to the PCI bus 10 to communicate with the add-in board 9, and is also connected to the Ottori network 40 via the TCP / IP interface 12.
It is possible to communicate with the Otori terminal device 41. The personal computer 8 constitutes an Otori guidance device together with the add-in board 9.

The add-in board 9 is a device for packet relay that is connected to the personal computer 8 via the PCI bus 10 and is incorporated in the housing of the personal computer 8. The add-in board 9 includes an intrusion detection unit 4, a filtering processing unit 5, and a filtering table 6, and the intrusion detection unit 4 and the filtering processing unit 5 are connected to the PCI bus 10. The PCI bus 10 corresponds to the internal bus 7 of FIG. 1, and the add-in board 9 corresponds to the packet relay unit 2 of FIG.

The internal network 30 and the Otori network 40 are only connected by the PCI bus via the personal computer 8 and the add-in board 9, and the two are completely separated as a network. Therefore, the environment of the Otori network 40 (for example, network setting information such as an IP address) can be brought as close as possible to the environment of the internal network 30. That is, the same protocol and address system as the internal network 30 are adopted for the Otori network 40, and the same I as the terminal device 31 on the internal network 30 is adopted.
The P address can be assigned to the Ottori terminal device 41 on the Ottori network 40.

External network 2 attempting unauthorized access
There is a possibility that the user (attacker) on 0 can obtain various information accessible from the Otori terminal device 41 by communicating with the Otori terminal device 41. For this reason, if the environments of both networks 30 and 40 are brought close to each other, it is possible to make it difficult for an attacker to notice that the illegal access packet is guided to the otorisite.

Next, the operation will be described. FIG. 4 shows FIG.
It is a figure showing an example of operation at the time of normal operation of the Otori guidance system. The flow of packets during normal operation is the same as in the first embodiment.
Done through. That is, the external network 20
The packets from No. 1 to No. 3 are input to the filtering processing unit 5, and the packets not subject to the discard and the Otori guidance are sent to the internal network 30. The intrusion detection unit 4 intercepts the packet at the entrance of the add-in board 9 and determines whether it is an unauthorized access. If an unauthorized access is found, a PC is used to prevent the subsequent unauthorized access.
The filtering table 6 is updated via the I-bus to automatically change the relay policy.

FIG. 5 is a diagram showing an example of the operation when the packet is guided by the filtering processing unit in the Otori guidance system of FIG. The filtering processing unit 5, which has received the packet from the external network 20, follows the filtering table 6 to indicate source or destination information, for example, source IP address, destination IP address, source TCP port number, destination TC.
P port number, source UDP port number or destination U
Check DP port number. As a result, if the packet is designated as Otori guidance, the packet is transferred to the personal computer 8 through the PCI bus 10 in order to guide it to the Otori terminal device 41. The Otori guidance unit 3 as a program on the personal computer determines the type of the packet, converts it into a packet format that can be received by the Otori terminal device 41, and then sends the packet to the Otori network 40.

It should be noted that the intrusion detection unit 4 is the external network 2
When an unauthorized access from 0 is detected, the intrusion detection unit 4 sends a notification of attack detection to the filtering processing unit 5, and the filtering processing unit 5 temporarily blocks the communication to the internal network 30. At this time, as described above,
Since the filtering table 6 is updated, the packets of the same type received thereafter are guided to the Otori terminal device 41 by the filtering processing unit 5.

On the other hand, when the Otori terminal device 41 transmits a packet to the external terminal device 21 (attacker) on the external network 20, the packet from the Otori terminal device 41 is transmitted via the Otori network 40 to the personal computer 8. Entered in. TCP / I for the packet
The Otori guidance unit 3 received via the P interface 12 issues a packet transfer request to the add-in board 9 via the PCI bus 10. The filtering processing unit 5 that has received the packet transfer request via the PCI bus 10.
Converts the received packet data into an Ethernet (registered trademark) frame format (Ethernet framing) and sends it to the external network 20.

In the present embodiment, the Otori guidance section 3 is realized by software on the personal computer 8,
Since the add-in board 9 as a packet relay device is connected to the computer by the PCI bus 10, P
If the CI driver is developed, an Otori guidance system can be constructed using an existing personal computer.

Further, the packet from the Otori terminal device 41 is sent to the external network 20 and the internal network 3
Since it is made to appear as a packet from the terminal device 31 on 0, it becomes difficult to notice that the user (attacker) of the external network 20 trying to make an unauthorized access is being tricked.

In particular, the protocol and address system of the Otori network 40 is made the same as that of the internal network 30, and the illegal access packet induced by the Otori is the destination information (that is, the terminal device 31 on the internal network).
By sending the same address information to the Ottori terminal device 41 on the Ottori network 40,
It is possible to make it difficult to notice the Otori induction.

Third Embodiment In the second embodiment, the case where the packet is transmitted from the Otori terminal device 41 to the attacker on the external network 20 has been described, but in the present embodiment, the Otori terminal device 41 and the external network 20 are transmitted.
A case where packet communication is performed with a terminal device other than the above attacker will be described.

Each Otori terminal device 41 includes the Otori guiding unit 3
Assigns a virtual IP address at startup. The otori guidance unit 3 stores the virtual addresses assigned to the respective otori terminal devices 41 in association with the original IP addresses, notifies the filtering process unit 5 of the virtual addresses, and sets these addresses as the destinations. When the packet is received, the otori guidance unit 3 is requested to transfer the packet.

First, the Otori terminal device 41 is a terminal device on the external network 20 other than the attacker, for example, DNS.
A case of transmitting a packet to (Domain Name Server) will be described.

FIG. 6 is an explanatory diagram showing the operation when a packet is transmitted from the Otori terminal device 41 according to the third embodiment of the present invention to an external terminal device other than the attacker. The Otori terminal device 41 has an original IP used for guiding the Otori.
It is assumed that “10.255.0.1” is assigned as the address and “10.0.0.1” is assigned as the virtual address. It is also assumed that the IP address "wxyz" is assigned to the external terminal device other than the attacker.

The Otori guidance device 1 has the Otori terminal device 41.
When the packet from is received, the Otori guidance unit 3 examines the destination (destination: dst) address of the packet to determine whether it is addressed to the attacker. As a result, when it is not addressed to the attacker, the Otori guidance unit 3 sets the source (src) address of the packet “10.0.0.1” to the virtual address assigned to the Otori terminal device 41 at startup ”. Change to 10.255.0.1 ”. At this time, IP
The checksum of the packet needs to be recalculated and changed. The packet whose source address is changed in this way is sent to the filtering processing unit 5 via the PCI interface and sent from the Otori guidance device 1 to the external network 20 such as the Internet.

Next, a terminal device on the external network 20 other than the attacker, for example, DNS to Otori terminal device 41.
On the other hand, a case where a packet is transmitted will be described.

FIG. 7 is an explanatory diagram showing the operation when a packet is transmitted from an external terminal device other than the attacker to the Otori terminal device 41. As in FIG. 6, the Otori terminal device 4
It is assumed that "1.255.0.1" is assigned as the original IP address and "10.0.0.1" is assigned as the virtual address for the first item. It is also assumed that the IP address "wxyz" is assigned to the external terminal device other than the attacker.

The Otori guidance device 1 uses the external network 20.
When the packet is received from the filtering processing unit 5
Indicates that the destination address of the received packet is the virtual address notified in advance from the Otori guidance unit 3 "10.255.0.
1 "is checked. As a result, if the packet is addressed to a virtual address, the packet is transferred to the Otori guiding unit 3. The Otori guiding unit 3 uses the original IP address as the destination information of the transferred packet. The address is changed to “10.0.0.1” and the checksum is recalculated and changed.The packet whose destination address is changed in this way is sent to the Ottori network 40 via the TCP / IP interface 12 and the Ottori terminal It is received by the device 41.

Fourth Embodiment In the first to third embodiments, the operation in which the filtering processing unit 5 makes a determination based on the received packet and transmits the packet to the Ottori terminal device 41 based on the determination result has been described. In the Otori guidance system of Nos. 1 and 3, the operation for guiding all or part of the communication packet to the Otori terminal device 41 when packet communication exceeding a predetermined amount occurs will be described.

FIG. 8 is an explanatory diagram showing an example of the operation of the Otori guidance system according to the fourth embodiment of the present invention.
During normal operation, packets received from the external network 20 are relayed directly to the internal network 30, except for packets for which discard or Otori guidance is specified.

On the other hand, when communication exceeding a predetermined threshold value occurs, the filtering processing section 5 causes all or some of the communication (for example, a specific source IP address, a specific destination IP address, a specific destination IP address, a specific destination IP address, Source TCP
A port number, a specific transmission destination TCP port number, a specific transmission source UDP port number or a specific transmission destination UDP port number) is guided to the Ottori terminal device 41 to secure the original bandwidth of the communication path. At this time, the Otori terminal device 41 stores the guided packet as log information.

Upon receiving the notification from the filtering processing unit 5 that the communication amount has decreased, the Ottori terminal device 41 converts the accumulated log information into packets and transfers the packets to the filtering processing unit 5. The filtering processing unit 5 sends these packets to the internal network 30.

According to this embodiment, a predetermined communication packet is temporarily stored in the Ottori terminal device 41, so that a band for specific communication can be secured and the load of the network can be dispersed.

Embodiment 5. In the first to fourth embodiments, the Otori guidance system for guiding the packet from the external network to the Otori terminal device has been described. In the present embodiment, the packet relay used as the Otori guidance device in these Otori guidance systems. A case where two devices are linked to operate as a packet relay system will be described.

FIG. 9 is a diagram showing a configuration example of a packet relay system according to the fifth embodiment of the present invention. In the figure, 1A and 1B are packet relay devices, 13 is a packet relay system, 14 is a packet monitoring device (sniffer), 15 is a normal route, and 16 is a monitoring route.

Two identical packet relay devices 1A, 1B
1 is a packet relay device shown as an Otori guidance device in FIGS. 1 and 3, and in the present embodiment, the packet relay system 13 is configured by two packet relay devices 1A and 1B and a packet monitoring device 14. I am configuring.

The packet relay system 13 is connected to the external network 20 and the internal network 30 and relays packets between the external network 20 and the internal network 30. The packet relay device 1A is used to connect to the external network 20, the packet relay device 1B is used to connect to the internal network 30, and both packet relay devices 1A and 1B are connected in the packet relay system 13. .

That is, in the packet relay device 1A on the external network side, the external network port in FIGS. 1 and 3 is connected to the external network 20, and the packet relay device 1B on the internal network side is the external network in FIGS. Port for internal network 30
It is connected to the. In addition, the packet relay devices 1A and 1B
1, the ports for the internal network in FIGS. 1 and 3 are connected to each other to form a normal route 15 for relay packets, and the ports for the Otori network are connected to each other to form a monitoring route 16 for communication packets.

The packet monitoring device 14 is provided on the monitoring route between the packet relay devices 1A and 1B and monitors the content of the packet passing through the route. The Otori guiding unit 3 in FIGS. 1 and 3 configuring each of the packet relay devices 1A and 1B serves as a monitoring route guiding unit that changes the route of the packet to the monitoring route 16, and the packet monitoring device 14 targets only the guided packet. The data is checked in detail to determine whether it is an unauthorized access packet.

Next, the operation will be described. During normal operation, all packets are assigned to the normal route 15,
The monitoring route 16 is not used, and the normal route 15 is used.
The packet is relayed via. That is, the packet from the external network 20 is output to the normal route 15 by the packet relay device 1A and the packet relay device 1B.
Is sent to the internal network 30 via. Similarly, a packet from the internal network 30 is output to the normal route 15 by the packet relay device 1B, and is output to the external network 20 via the packet relay device 1A.

When a packet with a sign of unauthorized access is detected, the monitoring route 16 is assigned to the packet. That is, the packet relay devices 1A, 1
The filtering processing unit 5 of B determines the packet to be guided to the monitoring route 16 based on the source or destination information. For example, a specific source IP address, a specific destination IP address, a specific source TCP port number, a specific destination TCP port number, a specific source UDP port number, or a specific destination UDP port number The packet to be specified is specified by the filtering table. In this way, the determined packet is output to the monitoring route 16 via the monitoring route guiding unit (the Otori guiding unit) of the packet relay devices 1A and 1B, and becomes the monitoring target of the packet monitoring device 14.

Generally, when the packet monitoring device 14 tries to check the packet data in detail, the load on the packet monitoring device 14 increases and the time required for the processing becomes long. Therefore, when the packet communication volume is large, it becomes impossible to check all the packets in real time.

According to the present embodiment, a specific packet,
For example, the route for guiding only the packet suspected of unauthorized access to the monitoring route 16 is controlled. For this reason, the packet monitoring device 14 can reliably perform accurate packet monitoring by monitoring only the packets on the monitoring route 16 whose bandwidth is limited. In addition, it is possible to physically monitor without being noticed by an unauthorized access person.

Sixth Embodiment In the first to fourth embodiments, the Otori guidance device that guides the packet from the external network to the Otori terminal device has been described. Then, the Otori guidance system that changes the security level according to the packet will be described.

FIG. 10 is a diagram showing an example of the configuration and operation of the Otori guidance system according to the sixth embodiment of the present invention. In the figure, 1 is a packet relay device, 20 is an external network, 30 is an internal network, 41 is an Otori terminal device, and 42 is a substitute terminal device.

During normal operation, packets from the external network 20 are relayed directly to the internal network 30. Certain communication (specific source IP address, specific destination IP address, specific source TCP port number, specific destination TCP port number, specific source UD
P port number or specific destination UDP port number) is guided by the packet relay device 1 to the Otori terminal device 41.

The Otori terminal device 41 analyzes the packet information of the received packet in detail, and determines whether or not the packet is an unauthorized access packet. As a result, when the possibility of an unauthorized access packet is low, the packet is relayed to the internal network 30 as in the fourth embodiment.

On the other hand, when there is a high possibility that the packet is an unauthorized access packet, it is guided to the substitute terminal device 42.
As a result, the type of communication (source IP address, destination IP address, source TCP port number, destination TCP
Port number, source UDP port number or destination UD
(Classified by P port number), it is possible to change the level of security management.

Seventh Embodiment FIG. 11 is a diagram showing an example of the configuration and operation of the Otori guidance system according to the seventh embodiment of the present invention. In the figure, 1 is a packet relay device, 2
0 is an external network, 30 is an internal network, 41
Is an Otori terminal device, and 43 is a network inspection device.

During normal operation, packets from the external network 20 are directly relayed to the internal network 30, and all communication packets are copied and sent to the Otori terminal device 41. In the Ottori terminal device 41 that received the packet, the received packet information is analyzed, and if the number of communications exceeding a specific threshold value has occurred,
The communication information is a specific source IP address, a specific destination IP address, a specific source TCP port number, a specific destination TCP port number, a specific source UDP port number or a specific destination UDP port number. Designated and used for auditing the internal network 30. Specifically, a similar packet is generated from the inspection program on the network inspection device 43, and the durability of the internal network 30 is measured.

Eighth Embodiment FIG. 12 is a diagram showing an example of the configuration and operation of the Otori guidance system according to the eighth embodiment of the present invention. The Ottori terminal device 41 includes an intrusion detection unit (not shown). For example, host type IDS
(Intrusion detection program) is installed in advance. Otori terminal device 4 that has detected an unauthorized access packet
1 immediately sends a session reset packet,
The session between the external network 20 and the internal network 30 is disconnected.

Next, the operation will be described. During normal operation, packets from the external network 20 are directly relayed to the internal network 30, and all communications are copied and transmitted to the Otori terminal device 41. When the packet received from the packet relay device is an unauthorized access, the Otori terminal device 41 specifies the source IP address, the destination IP address, the source TCP port number, and the destination TCP port number for the session. Then, by transmitting the session reset packet and disconnecting the session, it is possible to deal with the unauthorized access in real time.

[0091]

According to the present invention, there is provided a packet relay device capable of improving security against unauthorized access, automating countermeasures against unauthorized access, or securing a band of a communication path when the amount of communication increases. Can be provided. Further, it is possible to provide a packet relay system in which the bandwidth in the relay route is controlled using two relay routes and the security is improved. Further, it is possible to provide an Otori guidance system that improves security, changes the security level, audits the network, or deals with unauthorized access in real time.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration example of an Otori guidance system according to a first embodiment of the present invention.

FIG. 2 is a diagram showing an example of a packet flow in the Otori guidance system of FIG.

FIG. 3 is a block diagram showing a configuration example of an Otori guidance system according to a second embodiment of the present invention.

FIG. 4 is a diagram showing an example of an operation of the Otori guidance system of FIG. 3 during normal operation.

5 is a diagram showing an example of an operation when a packet is guided by the filtering processing unit in the Otori guidance system of FIG.

FIG. 6 is an explanatory diagram showing an operation when a packet is transmitted from an Otori terminal device to an external terminal device other than an attacker according to the third embodiment of the present invention.

FIG. 7 is an explanatory diagram showing an operation when a packet is transmitted from an external terminal device other than an attacker to the Otori terminal device 41.

FIG. 8 is an explanatory diagram showing an example of an operation of the Otori guidance system according to the fourth embodiment of the present invention.

FIG. 9 is a diagram showing a configuration example of a packet relay system according to a fifth embodiment of the present invention.

FIG. 10 is a diagram showing an example of a configuration and an operation of an Otori guidance system according to a sixth embodiment of the present invention.

FIG. 11 is a diagram showing an example of a configuration and an operation of an Otori guidance system according to a seventh embodiment of the present invention.

FIG. 12 is a diagram showing an example of a configuration and an operation of an Otori guidance system according to an eighth embodiment of the present invention.

FIG. 13 is a diagram showing the configuration and operation of a conventional intrusion detection system.

[Explanation of symbols]

1 Otori guidance device (packet relay device), 1A, 1B
Packet relay device, 2 packet relay unit, 3 Otori guidance unit, 4 intrusion detection unit, 5 filtering processing unit,
6 filtering table, 7 internal bus, 8 personal computer, 9 add-in board, 10 PC
I bus, 11 PCI interface, 12 TC
P / IP interface unit, 13 packet relay system, 14 packet monitoring device, 15 normal route, 1
6 monitoring routes, 20 external network, 21 external terminal device, 30 internal network, 31 internal terminal device, 40 Otori network, 41 Otori terminal device, 42 vicarious terminal device, 43 network inspection device, 50 administrator terminal device, 51 analysis device

Claims (13)

[Claims] 1. A packet relay unit for relaying a packet between a first network and a second network;
A packet sent from the second network to the second network, and an Otori guiding unit for sending the packet to the Otori network different from the first and second networks. A filtering table storing the source or destination information of the packet to be guided, and using the filtering table, based on the source or destination information of the packet transmitted from the first network to the second network, Unauthorized access packet that monitors the packet transmitted from the first network to the second network and tries to access the second network illegally by monitoring a filtering processing unit that determines whether to discard the packet or induce an Otori. Intrusion detection to detect and update the filtering table Packet relay apparatus characterized by having a part. 2. The Otori network has the same address system as that of the second network, and is connected to an Otori terminal device, and the Otori guiding unit matches the destination address information of the Otori-guided packet. The packet relay device according to claim 1, wherein the packet is transmitted to the Otori terminal device to which the address information 1 is assigned. 3. The intrusion detection unit detects an unauthorized access packet by comparing a packet transmitted from the first network to the second network with pattern data of a predetermined unauthorized access packet. The packet relay device according to claim 1. 4. The Otori guidance unit sends the packet transmitted from the Otori terminal device to the first network to the packet relay unit, and the packet relay unit transmits the packet from the Otori terminal device to the first network. The data is transmitted to
Alternatively, the packet relay device described in 2. 5. The Otori guidance unit is composed of a general-purpose computer connected to an Otori network, and is connected to a packet relay unit via a general-purpose data bus of the Otori network. 5. The packet relay device according to claim 4, wherein a packet format transmitted from the network to the first network is converted into a frame format of the second network and sent to the first network. . 6. The packet transmitted to the first network from the Otori terminal device, wherein the Otori guidance unit has a destination other than the source of the Otori-guided packet based on the destination information. 3. The packet relay device according to claim 2, wherein the packet transmission source information of the determined packet is changed to the second address assigned to the Otori terminal device, and the packet is transmitted to the packet relay unit. 7. The packet relay unit discriminates a packet transmitted from the first network and having a second address as destination information, and the Otori guidance unit discriminates the destination of the discriminated packet. 7. The packet relay device according to claim 6, wherein the information is changed to the first address and transmitted to the Otori network. 8. The first and second packet relay devices according to claim 4 and a packet monitoring device for monitoring a packet, wherein the first network port of the first packet relay device is the first Connected to the second network, the port for the first network of the second packet relay device is connected to the second network, and the ports for the second network of the first and second packet relay devices are connected to each other. , Forming a first path through which a normal packet is transmitted, and ports of the first and second packet relay devices for the Otori network are connected to each other, and a first path is provided as a monitoring path.
And a packet monitoring device is provided on the second route, the packet relay device forming a second route through which a packet to be guided by the packet relay device is transmitted. 9. A packet relay device connected to the first network and the second network, and an Otori terminal device connected to the packet relay device via an Otori network different from the first and second networks. And a packet relay device that relays packets between the first network and the second network, and a packet transmitted from the first network to the second network to the first and second networks. And a filtering table for storing the source or destination information of the packet to be discarded or the packet to be guided by the Otori, Send from the first network to the second network using the table. Based on the source or destination information of the received packet, a filtering processing unit that determines discard or Otori guidance of the packet, and monitors the packet transmitted from the first network to the second network, An Otori guidance system comprising: an intrusion detection unit that detects an unauthorized access packet attempting to illegally access the second network and updates a filtering table. 10. The packet relay device sends a packet from the first network to an Ottori terminal device when the amount of communication from the first network to the second network exceeds a predetermined threshold value. 10. The terminal device according to claim 9, wherein the terminal device records the packet from the packet relay device, and transmits the packet to the second network after reducing the communication amount from the first network to the second network. Otori guidance system. 11. The Otori terminal device analyzes packet information of the Otori-guided packet, and transmits the Otori-guided packet to a second network or a substitute terminal device based on the analysis result. The Otori guidance system according to claim 9 characterized by things. 12. The packet relay device sends the packet transmitted from the first network to the second network to the second network and the Otori terminal device, and the Otori terminal device receives the Otori-guided packet. 10. The Otori guidance system according to claim 9, wherein the packet information of the second network is analyzed, and the second network is inspected based on the analysis result. 13. The Ottori terminal device analyzes packet information of the Otori-guided packet, and sends a session reset packet to the first network based on the analysis result. 9. The Otori guidance system according to item 9.