JP2005157421A - Network security maintenance method, connection permission server, and program for connection permission server - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To realize a high-security network by preventing a terminal or the like from being infected by a virus or the like when the terminal is connected to a network. <P>SOLUTION: A new connection terminal 110 at first performs connection settings to a network 200 for checking the state of a terminal when it detects a physical connection to a router 140, collects the software composition information of the terminal itself, and transmits the information thus collected to a connection permission server 210. The connection permission server 210 checks whether the new connection terminal 110 implements latest security measures based on the contents of the software composition information received. When the latest security measures are provided, the connection permission server 210 allows the connection of the new connection terminal 110 to a user network 100 by informing the new connection terminal 110 and the router 140 of the connection permission to the user network 100. When the latest security measures are not provided, the connection permission server 210 does not permit the new connection terminal 110 to be connected to the user network 100. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a technique for preventing the spread of viruses, worms, and the like to a network by restricting the connection of a terminal or the like to a network based on security measures.

  When connecting a terminal to a network, it is only necessary to physically insert the network connection cable into the terminal, and conventionally there has been no restriction on the connection. In addition, wireless LANs and modems permit connection to a network based on terminal authentication.

  As a security hole check, there is a product that installs anti-virus software inside the terminal, checks whether there is a virus in the hard disk or memory inside the terminal, and removes the virus if it exists. is there. The virus check is performed based on virus check information called a signature.

In addition, a method of performing communication after confirming the safety of a partner system that communicates via a network has already been proposed (see, for example, Patent Document 1). However, viruses and Trojan horses have been discovered such as “SQL Slammer” and “MS Blaster” that are infected only with the first packet sent, even if two-way communication is not established. Even if you use a means to confirm safety after establishing communication with the other party and exchanging safety-related information with each other, you will be infected with a virus before confirming safety. It will end up.
JP 2002-208986 A

  With the spread of portable terminals such as notebook computers and PDAs (Personal Digital Assistance) and the diversification of network connection methods, terminals that can be connected to a network are not only fixedly connected to a specific LAN but also temporarily It is often connected to other networks. When all of these terminals are fixedly connected to a specific LAN, it is generally possible to protect against unauthorized access from the outside at the connection point between the LAN and an external network by a firewall, etc. There are no worries about being infected with viruses or worms on networks with security measures. However, when the terminal is connected to another network, there is no similar protection, so it may be infected with a virus or worm, or a program such as a Trojan horse may be sent.

  When a terminal infected with a virus in this way is connected to a network other than the network that was connected when it was infected, this time, the virus that it was infected with is connected to the other network. There is a risk of infecting other terminals. Even in networks where unauthorized access from outside has been completely eliminated by security measures such as firewalls and IDS (Intrusion Detection System), a virus-infected terminal is connected directly, resulting in Viruses and other infections may spread within the network.

  An object of the present invention is to realize a high security network by solving the above-described problems and preventing infection by a virus or the like when connecting to a network such as a terminal.

  In order to achieve the above object, the present invention first connects a terminal newly connected to a network to a specific terminal state check network, and only the terminals whose safety has been confirmed in the terminal state check network, It is characterized by automatically changing the connection to a network that can be used normally.

  When a network connection interface that has a network switching function inside the terminal detects a physical connection to the network, the network connection interface performs settings for connecting to the network for checking the terminal status that has been set in advance. Instructs the software configuration information collection program in the terminal to collect information.

  The software configuration information collection program collects information (hereinafter also referred to as software configuration information) such as the names, versions, and security measures that are installed on the terminal itself, and stores it in the terminal status check network. The information is transmitted to the installed connection permission server. At this point, the terminal can communicate with only the connection permission server in the terminal state check network.

  When the connection-permitted server receives the software configuration information of the terminal from the software configuration information collection program in any terminal, it compares the received information with the latest security countermeasure information in its own server, and all the latest security countermeasures are available. Check whether or not is implemented. As a result of this check, it is possible to know whether or not the latest security measures have been implemented, and the connection permission server notifies the result to the software configuration information collection program on the terminal side.

  When the terminal-side software configuration information collection program receives notification that the latest security measures are being implemented, it notifies the network connection interface of that. The network connection interface that has received the notification that the latest security measures are being implemented rewrites the previous settings for connecting to the network for checking the terminal status to the settings for connecting to the network to be connected. Switch the network connection.

  However, in this method, since the software in the terminal switches the connection from the terminal status check network to the user network, if this switching unit is tampered with by someone, the terminal status is not checked first. May transmit data to the user network, that is, a terminal that does not have the latest security measures may connect to the user network.

  Therefore, a setting is made to allow communication from the terminal by notifying the other device (hub, router, switch, etc.) when the terminal is connected to the network that the latest security measures have been implemented. To do.

  By taking such a procedure, it is guaranteed that the latest security measures are always implemented for the terminals connected to the network. Therefore, even if a terminal connected to the user network is subjected to an unauthorized attack whose security measures are already known, it will not be affected by infection, but will attack or infect other terminals. Also disappear.

  According to the present invention, since a terminal newly connected to a specific network has the latest security measures (patch, virus check, etc.), the terminal is infected with a virus or a Trojan horse is installed. And no attempt is made to infect other terminals in the connected network. That is, a virus or the like does not spread in the network by a terminal newly connected from the outside.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram illustrating an example of connection to a network using a VLAN according to an embodiment of the present invention. In FIG. 1, a user network 100 is a network in which normal communication is performed, and a terminal state check network 200 is a network for security check of a newly connected terminal 110 connected to the user network 100. The user network 100 and the terminal status check network 200 are configured as different VLANs (Virtual LANs), and one terminal cannot use both networks simultaneously.

  It is assumed that the terminal 120 and the terminal 130 are connected to the user network 100 (VLAN_ID = # 1) in advance. The newly connected terminal 110 is connected to the user network 100 via the router 140. After connecting to the user network 100, it is possible to communicate with the terminal 120 and the terminal 130. Each terminal connected to the user network 100 can communicate with an external network 300 such as the Internet via the router 150. Here, VLAN_ID is an identifier for identifying each VLAN.

  Connected to the terminal state check network 200 (VLAN_ID = # 2) is a connection permission server 210 that confirms whether the newly connected terminal 110 is implementing the latest security measures.

  FIG. 2 is a diagram illustrating a configuration example of a new connection terminal according to the present embodiment. The new connection terminal 110 includes a network interface 111, a software configuration information collection unit 112, a connection permission server communication unit 113, and a network setting information storage unit 114.

  FIG. 3 is a new connection processing flowchart in the new connection terminal of the present embodiment. When the new connection terminal 110 detects that it is connected to the network, that is, the cable is connected to the network interface 111 (step S10), it refers to the network setting information stored in advance in the network setting information storage unit 114. , Setting for communication with the connection permission server 210, that is, setting for connection to the network (terminal state check network 200) with VLAN_ID = # 2 is made in the network interface 111 and the connection permission server communication unit 113 (step S11). As a result, the new connection terminal 110 can communicate with the connection permission server 210 via the terminal state check network 200.

  Next, the software configuration information collection unit 112 collects information (software configuration information) such as the name, version, security measures being taken, and setting status of the software in the newly connected terminal 110 (step S12), and permits connection. The server communication unit 113 transmits the collected software configuration information to the connection permission server 210 via the network interface 111 (step S13). Note that the collection of software configuration information by the software configuration information collection unit 112 can be performed by a generally known method, and therefore a detailed description of the collection method is omitted here.

  When the connection permission server communication unit 113 receives the check result from the connection permission server 210 (step S14), the connection permission server communication unit 113 checks whether or not the check result is connection permission (step S15). The setting information (including VLAN_ID = # 1) necessary for communication in the user network 100 received together with the information is reflected on the network interface 111 (step S16). Thus, the connection of the new connection terminal 110 to the user network 100 is completed.

  FIG. 4 is a diagram showing a configuration example of the connection permission server in the present embodiment. As shown in FIG. 4, the connection permission server 210 includes a network interface 211, a software configuration information receiving unit 212, a terminal setting transmission unit 213, and a security information database (DB) 214.

  FIG. 5 is a connection permission processing flowchart in the connection permission server of the present embodiment. The connection permission server 210 waits for software configuration information to be sent from the new connection terminal 110. When the software configuration information receiving unit 212 receives the software configuration information from the new connection terminal 110 (step S20), the content is compared with the content of the security information DB 214 (step S21), and the new connection terminal 110 updates the latest security. It is confirmed whether a countermeasure is implemented (step S22).

  Here, the security information DB 214 will be described. FIG. 6 is a diagram showing an example of the security information DB in the present embodiment. As shown in the example of FIG. 6, the security information DB 214 includes software names (in the figure, Windows XP, Word 2002 is a trademark of Microsoft Corporation), version, list of patches to be applied, macro execution level, anti-virus It keeps the latest status of necessary items for each software such as software signature list and virus check status. Information about similar items is collected from the newly connected terminal 110 for each software, and compared with the contents of the security information DB 214.

  In step S22 of FIG. 5, if the latest security measure has not been implemented in the newly connected terminal 110, a connection rejection is transmitted from the terminal setting transmission unit 213 to the newly connected terminal 110 via the network interface 211. (Step S23), and the process ends.

  In step S22, when it is confirmed that the latest security measure is implemented in the newly connected terminal 110, the terminal setting transmission unit 213 sends the connection permission information to the newly connected terminal 110 via the network interface 211. Network connection information (information for connecting to the user network 100) is transmitted (step S24).

  Next, the terminal setting transmission unit 213 performs setting to permit communication of the newly connected terminal 110 to the router 140 via the network interface 211 (step S25). As a result, the communication setting for the newly connected terminal 110 and the router 140 which is the network connection point of the terminal is completed, and the newly connected terminal 110 can start communication with the terminal 120 and the terminal 130.

  FIG. 7 is a diagram showing an example of connection to a network using VPN in the embodiment of the present invention. In the example illustrated in FIG. 7, unlike the example illustrated in FIG. 1, the connection permission server 210 exists in the external network 300.

  In order to allow the newly connected terminal 110 to communicate only with the connection permission server 210 existing in the external network 300 in a state in which the newly connected terminal 110 cannot communicate with the terminal 120 and the terminal 130, the terminal state check network 200 ′ Virtual Private Network). In VPN, since only a predetermined terminal can be connected, data transmitted from the newly connected terminal 110 passes through the router 140, the user network 100, and the router 150. A device cannot be infected with a virus.

  Even when VPN is used in such a network configuration, the configuration of new connection terminal 110 and connection permission server 210 and the processing procedure are the same as those described above (the case described with reference to FIGS. 1 to 6).

  The processing performed by the connection permission server 210 in the above embodiment can be realized by a computer and a software program, and the program can be provided by being recorded on a computer-readable recording medium. Is also possible.

It is a figure which shows the example of a connection to the network using VLAN in embodiment of this invention. It is a figure which shows the structural example of the newly connected terminal in this Embodiment. It is a new connection process flowchart in the new connection terminal of this Embodiment. It is a figure which shows the structural example of the connection permission server in this Embodiment. It is a connection permission process flowchart in the connection permission server of this Embodiment. It is a figure which shows the example of security information DB in this Embodiment. It is a figure which shows the example of a connection to the network using VPN in embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 User network 110 New connection terminal 111 Network interface 112 Software configuration information collection part 113 Connection permission server communication part 114 Network setting information storage part 120,130 Terminal 140,150 Router 200,200 'Terminal state check network 210 Connection permission server 211 Network interface 212 Software configuration information reception unit 213 Terminal setting transmission unit 214 Security information DB
300 External network

Claims (6)

Using a terminal status check network for a terminal newly connected to the user network, and a connection permission server connected to the terminal status check network for checking the implementation status of security measures for the newly connected terminal, A network security maintenance method for maintaining user network security,
Connecting a newly connected terminal to the terminal status check network under a state in which the terminal cannot be communicated with a terminal already connected to the user network;
A process in which the newly connected terminal collects software configuration information indicating a configuration state of the software program inside the terminal;
Transmitting software configuration information from the newly connected terminal to the connection permission server;
Only when the connection permission server confirms from the contents of the received software configuration information whether the newly connected terminal is implementing the latest security measures, and only when the latest security measures are being implemented. , Allowing the newly connected terminal to connect to the user network, and disabling connection to the user network if the latest security measures are not implemented. Network security maintenance method. In the network security maintenance method according to claim 1,
When the connection permission server permits connection of the newly connected terminal to the user network, the connection permission server notifies the newly connected terminal of permission to connect to the user network and connects the newly connected terminal. A process of notifying connection equipment to the user network to the opposite device when the terminal to be connected is connected to the user network;
A process of setting connection to the user network in a network connection interface of the newly connected terminal and setting to allow communication from the newly connected terminal to the opposite device via the user network A network security maintenance method characterized by comprising: In the network security maintenance method according to claim 1 or 2,
The network security maintenance method, wherein the terminal status check network and the user network are configured as different VLANs. In the network security maintenance method according to claim 1 or 2,
The network security maintenance method, wherein the terminal status check network is established as a VPN for performing communication between the newly connected terminal and the connection permission server. Connection permission to maintain the security of the user network by checking the implementation status of the security measures of the terminal newly connected to the user network, connected to the terminal status check network logically separated from the user network A server,
An interface for connecting the connection permission server to the terminal status check network;
Security information storage means for holding up-to-date information on items necessary for security for each software program installed in the terminal;
Software configuration for receiving software configuration information indicating the configuration status of the software program collected in the terminal by the newly connected terminal from the terminal newly connected to the user network via the terminal status check network Information receiving means;
By comparing the contents of the received software configuration information with the information stored in the security information storage means, it is confirmed whether or not the newly connected terminal is implementing the latest security measures. Allow connection of the newly connected terminal to the user network only when countermeasures are implemented, and disallow connection to the user network when the latest security measures are not implemented. And a terminal setting transmission means for performing the notification. Connection permission to maintain the security of the user network by checking the implementation status of the security measures of the terminal newly connected to the user network, connected to the terminal status check network logically separated from the user network A server program for allowing a connection to be executed by a server computer,
Processing for receiving software configuration information indicating a configuration state of a software program collected in the terminal by the newly connected terminal from the terminal newly connected to the user network via the terminal status check network; ,
The newly connected terminal is checked by comparing the contents of the received software configuration information with the latest information on the items necessary for security for each software program stored in advance in a predetermined security information storage means. Check if the latest security measures are implemented, and only if the latest security measures are implemented, allow the newly connected terminal to connect to the user network and update the latest security measures. If not, a process for notifying connection to the user network is not permitted.
A connection permission server program to be executed by a computer.

Images