JP2008028740A - Communication control apparatus, communication control method, and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication control apparatus, a communication control method and a computer program, which conduct a communication control, based on a frame which is transmitted and received among a plurality of communication apparatuses. <P>SOLUTION: A network device 100 to relay the frame to be transmitted and received by the communication apparatuses 10 and 20 is provided with the communication control apparatus 110 inserted by an in-line. A controller 111 holds a transfer of the frame input through MACs 113 and 114 temporally, extracts a sequential data from the frame, delivers the extracted data and information regarding a connection to an inspection portion 112, and conducts a security inspection. When the inspection portion 112 judges that the data is not malicious, held data are transmitted to an original transmission destination. When it is malicious, the connection is disconnected by transmitting a reset signal to a transmission source and a transmission destination, or a content substitution to substitute the content of the data to be transmitted is conducted. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a communication control apparatus, a communication control method, and a computer program that perform communication control based on frames transmitted and received between a plurality of communication apparatuses.

  Conventionally, as a technique for ensuring the security of an internal network such as an in-company network or an in-house network, a technique of installing a firewall at the boundary with an external network is known (for example, see Patent Document 1).

  The firewall has a function of filtering IP packets based on preset filtering rules. The filtering rule is a set of header information such as a source IP packet, a destination IP packet, and a protocol, and a corresponding action (acceptance or rejection) for the header information.

  The firewall accepts or rejects the IP packet based on the content of the filtering rule that matches the header information of the IP packet, thereby enabling the internal network to be protected from inappropriate IP packet intrusion.

  However, since the firewall determines the action according to the filtering rule, the IP packet having header information corresponding to the acceptance has a problem that even an illegal IP packet cannot be prevented from intrusion. .

  In recent years, therefore, a network interception type intrusion detection system (IDS: Intrusion Detection System) branched and connected to the internal network downstream of the firewall has been proposed (for example, see Patent Document 2).

In this IDS, a database of attack patterns is held in advance, and an IP packet intercepted from the internal network is checked against the database to determine whether or not the IP packet is an attack. If it is determined that the intercepted packet is an IP packet that becomes an attack, the IDS notifies the administrator that the attack packet has entered.
JP 2001-313640 A JP 2002-342276 A

  However, in the intrusion detection system as described above, even if the intrusion of the attack packet is detected and notified to the administrator, the communication device on the internal network is attacked by the attack packet before the notification reaches the administrator. There is a problem that there is a possibility of being.

  The present invention has been made in view of such circumstances, and sequentially extracts data from frames transmitted and received between communication devices, and determines whether or not to perform communication control based on the extracted data. By adopting a configuration that transmits the extracted data when it is determined that communication control should not be performed, communication control is performed even for packets that pass through a firewall, and unauthorized access and the like can be prevented in advance. An object is to provide a communication control device, a communication control method, and a computer program.

  The communication control device according to the present invention is capable of connecting a plurality of communication devices, and controls communication based on a frame transmitted from one communication device to another communication device among the plurality of connected communication devices. An extraction unit that sequentially extracts data from the frame, and a determination unit that determines whether communication should be controlled based on the data extracted by the extraction unit, When the determination means determines that communication should not be controlled, the extracted data is transmitted to the other communication device.

  In the present invention, data should be extracted sequentially from frames transmitted and received between communication devices, whether or not communication should be controlled based on the extracted data, and communication should be controlled. By configuring the configuration to transmit the extracted data when it is determined that there is, communication control can be performed even for packets that pass through the firewall, so transmission of data related to unauthorized access is stopped. And unauthorized access can be prevented.

  The communication control device according to the present invention further includes an interface for connecting the inspection device in order to inspect the data extracted by the extraction means.

  In the present invention, since an interface for connecting an inspection device is provided, when inspecting the presence or absence of security or the like, dedicated hardware such as an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit) is used. A configured inspection apparatus can be connected and the inspection apparatus can be inspected.

  In the communication control apparatus according to the present invention, the determination unit includes a unit that determines whether or not the data is data that is an opportunity to be passed to any application in the other communication device, and is passed to the application. When it is determined that the data is a trigger for communication, it is determined that communication should be controlled.

  In the present invention, when data that triggers an arbitrary application installed in the destination communication device is detected, the communication device determines that the communication should be controlled. The transmission of attack codes that can cause problems is prevented in advance.

  In the communication control apparatus according to the present invention, the frame includes a plurality of segments assigned consecutive sequence numbers, and the extraction unit extracts data from each segment, and extracts the extracted data. Means for storing in association with the sequence number assigned to the original segment, and determining whether or not a series of byte strings that can be passed to the application is completed as a result of storing the data based on the sequence number Means for determining that the byte sequence is completed, the determination means determines that communication should be controlled.

  In the present invention, the data extracted from each segment is stored in association with the sequence number assigned to the segment of the extraction source, and the stored result is passed to the application installed in the destination communication device. It is determined whether or not a series of byte sequences that can be completed, and if it is determined that the byte sequence is completed, communication control is performed by managing the sequence number of the segment in order to determine that communication should be controlled. It is determined whether it should be.

  The communication control apparatus according to the present invention is characterized by comprising means for transmitting a signal for requesting blocking of access to the other communication apparatus when the determination means determines to control communication.

  In the present invention, when it is determined that communication should be controlled, a signal requesting to block access is transmitted to the destination communication device, so that data relating to unauthorized access is delivered to the communication device. Communication is interrupted before.

  The communication control apparatus according to the present invention comprises means for transmitting a signal requesting to block access to the one communication apparatus and the other communication apparatus when the determination means determines that communication should be controlled. It is characterized by.

  In the present invention, when it is determined that communication should be controlled, a signal requesting to block access is transmitted to both the transmission source and the transmission destination, so that data relating to unauthorized access is received by the communication device. Communication is securely interrupted before being passed.

  In the communication control device according to the present invention, when the determination means determines that communication should be controlled, a means for replacing part or all of the extracted data with other data, and the replaced data for the other communication apparatus Means for transmitting to.

  In the present invention, when it is determined that the communication should be controlled, a part or all of the extracted data is replaced with other data, and the replaced data is transmitted. Unauthorized access is prevented without doing so.

  The communication control method according to the present invention is a method of performing communication control based on a frame transmitted from one communication device to another communication device, and sequentially extracts data from the frame, and based on the extracted data It is determined whether or not the communication should be controlled, and when it is determined that the communication should not be controlled, the extracted data is transmitted to another communication device.

  In the present invention, data should be extracted sequentially from frames transmitted and received between communication devices, whether or not communication should be controlled based on the extracted data, and communication should be controlled. By configuring the configuration to transmit the extracted data when it is determined that there is, communication control can be performed even for packets that pass through the firewall, so transmission of data related to unauthorized access is stopped. And unauthorized access can be prevented.

  A computer program according to the present invention is a computer program for causing a computer to perform communication control based on a frame transmitted from one communication device to another communication device, and causing the computer to sequentially extract data from the frame. A step, causing the computer to determine whether to control communication based on the extracted data; and, if it is determined that the computer should not control communication, the extracted data to other communication And transmitting to the apparatus.

  In the present invention, data should be extracted sequentially from frames transmitted and received between communication devices, whether or not communication should be controlled based on the extracted data, and communication should be controlled. By configuring the configuration to transmit the extracted data when it is determined that there is, communication control can be performed even for packets that pass through the firewall, so transmission of data related to unauthorized access is stopped. And unauthorized access can be prevented.

  The computer program according to the present invention includes a step of causing a computer to determine whether or not the data is data that triggers an arbitrary application in the other communication device.

  In the present invention, it is determined that communication should be controlled when data that triggers an arbitrary application installed in the destination communication device is detected. The transmission of attack codes that can cause problems is prevented in advance.

  In the computer program according to the present invention, the frame is composed of a plurality of segments with consecutive sequence numbers, and data is extracted from each segment, and the computer extracts the extracted data from the source. Based on the sequence number, a step of storing in association with a sequence number assigned to a segment and whether or not a series of byte sequences that can be passed to the application are completed as a result of storing the data in a computer And a step of making a judgment.

  In the present invention, the data extracted from each segment is stored in association with the sequence number assigned to the segment of the extraction source, and the stored result is passed to the application installed in the destination communication device. It is determined whether or not a series of byte sequences that can be completed, and if it is determined that the byte sequence is completed, communication control is performed by managing the sequence number of the segment in order to determine that communication should be controlled. It is determined whether it should be.

  The computer program according to the present invention includes a step of causing a computer to transmit a signal requesting to block access when it is determined that the computer should control communication.

  In the present invention, when it is determined that communication should be controlled, a signal requesting to block access is transmitted to the destination communication device, so that data relating to unauthorized access is delivered to the communication device. Communication is interrupted before.

  The computer program according to the present invention includes a step of causing the computer to transmit a signal requesting to block access to the one communication device and the other communication device when it is determined that the communication should be controlled. Features.

  In the present invention, when it is determined that communication should be controlled, a signal requesting to block access is transmitted to both the transmission source and the transmission destination, so that data relating to unauthorized access is received by the communication device. Communication is securely interrupted before being passed.

  When it is determined that the computer should control communication, the computer program according to the present invention replaces a part or all of the extracted data with other data, and the computer replaces the replaced data with the data. And transmitting to another communication device.

  In the present invention, when it is determined that the communication should be controlled, a part or all of the extracted data is replaced with other data, and the replaced data is transmitted. Unauthorized access is prevented without doing so.

  In the case of the present invention, data should be extracted sequentially from frames transmitted and received between communication devices, it should be determined whether communication should be controlled based on the extracted data, and communication should be controlled. The data extracted when it is determined to be transmitted is transmitted. Therefore, even if the packet passes through the firewall, transmission of data related to unauthorized access can be stopped, and unauthorized access can be prevented in advance. In particular, since the communication control device according to the present invention can be inserted inline on any communication path, it can be used without changing the existing network configuration and settings.

  In the case of the present invention, since the interface for connecting the inspection apparatus is provided, when inspecting the presence or absence of security, an inspection apparatus constituted by dedicated hardware such as FPGA and ASIC is connected and connected to the inspection apparatus. You can request an inspection. In addition, it is not necessary for the inspection apparatus to deal with duplication, omission, and order reversal when extracting data from the frame and reconstructing, and the inspection apparatus can be independently developed. Therefore, when a new inspection method is found in the future, the entire configuration can be easily updated. Further, in the inspection apparatus, it can be performed by a program for processing a normal data file.

  In the case of the present invention, it is determined that communication should be controlled when data that triggers an arbitrary application installed in a destination communication device is detected. Therefore, it is possible to prevent transmission of an attack code that causes an application in the communication apparatus to crash and cause a malfunction.

  In the case of the present invention, the data extracted from each segment is stored in association with the sequence number assigned to the segment of the extraction source, and as a result of the storage, it can be passed to the application installed in the destination communication device. It is determined whether or not a series of possible byte strings has been completed. If it is determined that the byte string has been completed, it is determined that communication should be controlled. Therefore, it is possible to determine whether or not the communication should be controlled by managing the sequence number of the segment.

  In the case of the present invention, when it is determined that the communication should be controlled, a signal requesting to block access is transmitted to the destination communication device. Therefore, communication can be cut off before transferring data related to unauthorized access, and damage caused by unauthorized access can be minimized.

  In the case of the present invention, when it is determined that the communication should be controlled, a signal requesting to block access is transmitted to both the transmission source and the transmission destination. Therefore, when it is determined that communication control should be performed with the first packet at the time of connection establishment, communication can be blocked before the connection is established. Further, the communication partner can be shown to the frame transmission source as if it were in a closed state, so that the communication can be surely cut off.

  According to the present invention, when it is determined that communication should be controlled, a part or all of the extracted data is replaced with other data, and the replaced data is transmitted. Therefore, unauthorized access or the like can be prevented without blocking communication, and can be used in situations where it is not desirable to block communication. Further, since part or all of the data is replaced with other data, harmful information can be rendered harmless or information leakage can be prevented.

Hereinafter, the present invention will be specifically described with reference to the drawings showing embodiments thereof.
Embodiment 1 FIG.
FIG. 1 is a schematic diagram illustrating a schematic configuration of a communication control system according to the present embodiment. In the figure, reference numeral 10 denotes a communication device connected to an external network N1 such as the Internet network, and 20 denotes a communication device connected to an internal network N2 such as a corporate network or an organization network. The communication devices 10 and 20 may be any devices provided with communication means, and include, for example, personal computers, telephones, information appliances, game machines and the like.

  The external network N1 and the internal network N2 are connected by a network device 100 that incorporates a communication control apparatus 110 according to the present invention. The network device 100 is a device for relaying frames transmitted and received on a communication network such as a switch or a router.

  In addition to the CPU 101 and the forwarding engine 102, the network device 100 includes a PHY 103 and a MAC 104 on the external network N1 side, and a PHY 106 and a MAC 105 on the internal network N2 side. In FIG. 1, for the sake of simplification, a set of PHY 106 and MAC 105 is provided on the internal network N2 side. However, a plurality of sets of PHY and MAC may be provided so that a plurality of communication devices can be connected. Of course.

  The CPU 101 sets an optimal communication path after checking the received frame, and notifies the forwarding engine 102 of the set information. The forwarding engine 102 refers to the information notified from the CPU 101 and the header information of the received frame, and determines the output destination of the received frame.

  When the network device 100 receives a frame through the PHY 103 on the external network N1 side or the PHY 106 on the internal network side, the communication control device 110 inserted inline performs communication control based on the frame.

  The communication control device 110 is connected between the MAC 105 and the PHY 106 on the internal network N2 side, and includes a control unit 111, an inspection unit 112, and MACs 113 and 114.

  The control unit 111 temporarily holds the transfer of the frame input through the MAC 113 or 114, sequentially extracts data from the frame, passes the extracted data and information on the connection to the inspection unit 112, and requests an inspection. Do. The control unit 111 will be described in detail later.

  The inspecting unit 112 mainly inspects data security. As the inspection method, an existing inspection method can be used, and any inspection method developed in the future can be used. As an example of the inspection method, there can be mentioned the fraud determination method proposed by the applicant of the present application in Japanese Patent Application No. 2005-502932 and Japanese Patent Application No. 2005-502935. Since the inspection target of the inspection unit 112 is data extracted by the control unit 111, it can be inspected by a program that processes a normal data file.

  Next, details of the control unit 111 will be described. FIG. 2 is a schematic diagram illustrating details of a frame input to the control unit 111, and FIG. 3 is a block diagram illustrating an internal configuration of the control unit 111. For example, when communication is performed between the communication device 10 and the communication device 20 using TCP, as illustrated in FIG. 2A, the received frame includes a header portion including a MAC header, an IP header, and a TCP header. It consists of data other than the header. The control unit 111 extracts data other than the header from the received frame in order to make an inspection request to the inspection unit 112. Similarly, when communication is performed between the communication device 10 and the communication device 20 by UDP, as illustrated in FIG. 2B, the received frame includes a header portion including a MAC header, an IP header, and a UDP header. , Composed of data other than the header. The control unit 111 extracts data other than the header from the received frame in order to make an inspection request to the inspection unit 112. When it is verified that there is an error when referring to the header portion, the control unit 111 extracts the entire received frame as target data for the inspection request in order to make an inspection request to the inspection unit 112.

  As shown in FIG. 3, the received frame is input to the frame receiving unit 11 in the control unit 111. The frame reception unit 11 stores the input frame in the buffer memory 14 and performs a process of writing management information to the buffer management table 15 and the frame management table 16. At the same time, frame type determination, header check, and checksum check are performed, and it is determined to which block the frame is to be transferred according to the frame type and header error.

  The table manager 12 manages the processing queue of the frame that each processing unit should perform next. In addition, the buffer management table 15 and the frame management table 16 are vacantly managed, and writing to and reading from each table are performed.

  The buffer memory interface 13 performs writing to the buffer memory 14 and reading from the buffer memory 14.

  The fragment processing unit 17 manages the assembly of the IP fragment based on the IP SA, IP DA, Protocol, and ID information of the fragmented IP frame. The management information is held in the fragment management table 20, and new information is appropriately set and updated according to the received frame information. It is only the TCP or UDP frame that assembles the fragments. Only the fragmented TCP frame is checked here. Further, the identity check of the overlapping portion of the IP fragment may be performed.

  The connection management unit 18 manages TCP connection management and the order of frames for rearranging TCP frames in order of sequence numbers and reconstructing them. The management information is held in the connection management table 21, and new information is appropriately set and updated according to the received frame information. Further, an identity check is performed on the overlapping portion of the TCP frame.

  The management manager 19 performs vacancy management of the fragment management table 20 and the connection management table 21, and accesses these tables to write and read data.

  The inspection unit interface 22 generates the header information for the inspection request according to the frame format in which the received frame is determined in the previous process and the inspection request form, and extracts the frame data from the buffer memory 14. The inspection request data is transmitted to 112. Further, the inspection result transmitted from the inspection unit 112 is reflected in the frame management table 16 and the connection management table 21 to determine the frame processing.

  The frame transmission unit 23 performs frame transmission, RST replacement, and discarding according to the inspection result by the inspection unit 112. In addition, the management information on the frame management table 16 and the buffer management table 15 of the frame subjected to transmission and RST replacement is released.

  Hereinafter, a procedure of processing executed by the communication control apparatus 110 will be described. 4 and 5 are flowcharts for explaining the procedure of processing executed by the communication control apparatus 110. FIG. When the communication control apparatus 110 receives a frame transmitted from the outside of the network device 100 through the MAC 113 or 114 at the frame receiving unit 11 (step S11), the frame is held in the buffer memory 14 (step S12). At this time, the table manager 12 writes management information to the buffer management table 15 and the frame management table 16.

  The control unit 111 determines whether or not the IP packet has no error as a result of frame type determination, header check, and checksum check in the frame receiving unit 11 (step S13). If it is determined that the IP packet includes an error (S13: NO), the inspection unit 112 is requested to inspect the entire received frame (step S14). And a process is performed according to the test result by the test | inspection part 112 (step S15). Here, the processes to be executed are frame transmission, discard, reset replacement, and data replacement.

  On the other hand, if it is determined in step S13 that the packet is an error-free IP packet (S13: YES), the table manager 12 determines whether the IP packet has been fragmented by receiving processing in the frame receiving unit 11. (Step S16). If it is determined that it is fragmented (S16: YES), fragment processing described later is performed (step S17).

  It is determined whether all fragments have been collected as a result of the fragment processing (step S18). If it is determined that all the fragments are not collected (S18: NO), it is determined whether or not the received frame is discarded (step S19). When the received frame is not discarded (S19: NO), the received frame is transmitted by outputting the received frame read from the buffer memory 14 to the MAC 113 or 114 from the frame transmitting unit 23 (step S20). If the received frame is discarded (S20: YES), the process according to this flowchart is terminated.

  If it is determined in step S16 that the IP packet is not fragmented (S16: NO), or if it is determined in step S18 that all fragments have been collected (S18: YES), the table manager 12 determines that the communication protocol is It is determined whether it is TCP (step S21). Whether it is TCP or not can be determined by checking the header of the IP packet.

  When it is determined that the communication protocol is TCP (S21: YES), TCP segment processing described later is performed (step S22), and it is determined whether or not a stream fragment is extracted (step S24).

  FIG. 6 is a schematic diagram showing how stream fragments are generated. In general, communication packets transmitted between two devices may be lost, duplicated, or reordered. TCP is a protocol that provides a reliable stream delivery service on an unreliable network, and guarantees that the receiving application receives the sequence of bytes (stream) sent by the sending application. . In such a reliable stream delivery service, the data received on the receiving side is rearranged in order without overlapping, so that the data is not necessarily delivered to the application every time the packet arrives. When a series of consecutive byte strings is obtained from the end of the data immediately before being passed to the receiving application by receiving a certain packet, these byte strings can be passed to the receiving application. In this specification, this series of byte strings is defined as a data stream fragment.

  Therefore, as shown in FIG. 6A, when data “ccaaacc” is received in a situation where data “aaaaaaaaa” is passed to the application, the data cannot be passed to the application. No data stream fragmentation occurs. Next, when data “bbbbbbbbb” continuous to “aaaaaaaaa” and “cccccccc” is received, a continuous series of byte sequences that can be passed to the application is obtained by receiving the packet, so that a data stream fragment is generated. become.

  When it is determined that a stream fragment has been extracted by referring to the registration status of the connection management table 21 (S23: YES), a TCP stream inspection request is made through the inspection unit interface 22 (step S24), and the inspection by the inspection unit 112 is performed. Processing is executed according to the result (step S25). Here, the processes to be executed are frame transmission, discard, reset replacement, and content replacement. If stream fragments are not extracted (S23: NO), the process proceeds to step S19.

  If it is determined in step S21 that the communication protocol is not TCP (S21: NO), the table manager 12 determines whether or not the communication protocol is UDP (step S26). When it is determined that the communication protocol is UDP (S26: YES), a UDP inspection request is made through the inspection unit interface 22 (step S27), and processing is executed according to the inspection result by the inspection unit 112 (S25). On the other hand, if it is determined that the communication protocol is not UDP (S26: NO), the process proceeds to step S14, an inspection request is made for the entire frame (S14), and a process according to the inspection result is executed (S15).

  In step S15 and step S25 of the flowchart described above, if the inspection result is not desirable, that is, if an attack code against the transmission destination is detected, it is detected that there is a risk of leakage of information managed by the transmission destination. In this embodiment, any one of (1) forward RST replacement, (2) reverse RST replacement, (3) forward content replacement, and (4) packet discarding is performed. , Suppress the occurrence of problems at the destination.

  FIG. 7 is an explanatory diagram for explaining forward RST replacement and backward RST replacement. In the forward RST replacement, when malicious data is detected, a reset signal is transmitted to the destination of the data, and the connection is disconnected before passing the data to the application. On the other hand, in the reverse direction RST replacement, when it can be confirmed that the connection is malicious by the first packet at the time of establishing the connection, that is, the packet in which the SYN flag is set, the communication is disconnected before the connection is established. In the reverse direction RST replacement, since the communication partner can appear as if it is in a closed state to the transmission source, the disconnection of the connection is ensured.

  The example shown in FIG. 7 will be described. (A) The communication device 10 connected to the external network N1 transmits a TCP packet to the communication device 20 connected to the internal network. When relaying the packet, the communication control apparatus 110 in the network device 100 checks the TCP stream. (B) When malicious data is detected, forward RST replacement is performed, and a reset signal is transmitted to the communication device 20 that is the communication destination. Further, a predetermined time after detecting malicious data is transmitted by transmitting a reset signal to both access (d) from the communication device 10 and access (f) from the communication device 20 (e , G), securely connect the connection. When the TCP packet transmitted from the communication device 10 is received after a predetermined time has elapsed, the communication control device 110 in the network device 100 performs the inspection again. When malicious data is not detected, the data is transmitted to the communication device 20.

  FIG. 8 is an explanatory diagram for explaining forward content replacement. Replace a specific byte sequence with another byte sequence of equal length. In the example illustrated in FIG. 8, the lower-order bits of the received data are replaced with “xxx” determined in advance. As described above, since the data whose contents are replaced is transmitted, harmful information can be made harmless, information leakage can be prevented, and it can be used in a situation where it is not desirable to disconnect the connection.

  FIG. 9 is a flowchart for explaining the procedure of fragment processing. The fragment processing unit 17 determines whether or not the fragmented IP packet is a fragment of the reconstructed IP packet (step S31). If it is determined that it is not a fragment of the reconfigured IP packet (S31: NO), it is registered in the fragment management table 20 (step S37), the reconfiguration list is initialized (step S38), and not shown in the figure. A timer is started (step S39). Then, the process proceeds to step S34 described later.

  If it is determined in step S31 that it is a fragment of a reconstructed IP packet (S31: YES), it is determined whether or not the IP packet has already been completed (step S32). If it is determined that the IP packet is not completed (S32: NO), it is determined whether or not a predetermined time has elapsed since the timer was started, thereby determining whether or not a timeout has occurred (step S33). . If it is determined that the IP packet has already been completed (S32: YES) and if it is determined that a time-out has occurred (S33: YES), the received frame is discarded (step S36), and the processing according to this flowchart ends. To do.

  If it is determined that the time-out has not occurred (S33: NO), the insertion position in the reconfiguration list is determined (step S34), and it is determined whether or not there is a contradiction in the overlapping portion of the data (step S35). If it is determined that there is a contradiction in the overlapped portion of data (S35: YES), the received frame is discarded (S36), and the processing according to this flowchart is terminated. If it is determined that there is no contradiction in the overlapping portion of data (S35: NO), the processing according to this flowchart is terminated without discarding the received frame.

  FIG. 10 is a flowchart for explaining the procedure of TCP segment processing. When a packet conforming to TCP is received, it is first determined whether or not the TCP segment is connection-managed (step S41). If it is determined that the TCP segment is not managed by the connection (S41: NO), it is determined whether or not the segment is a connection start segment (step S44). If it is determined that the segment is not a connection start segment (S44: NO), the process proceeds to step S14 in the flowchart shown in FIG.

  If it is determined in step S41 that the TCP segment is connection-managed (S41: YES) or if it is determined in step S44 that the TCP segment is a connection start (S44: YES), registration in the connection management table 21 (Step S42), and the queuing list is initialized (step S43).

  Then, by referring to the registered contents of the connection management table 21, it is determined whether or not it has the next expected sequence number (step S45). Next, when it is determined that the sequence number is expected (S45: YES), data to be a stream fragment is specified (step S46). That is, when the TCP segment data is continuous with the queued data, the data obtained by concatenating the queued data is defined as a stream fragment, and when the TCP segment data is not continuous, the TCP segment data is defined as a stream fragment. To do. If there is no data, the stream fragment is empty. After specifying data to be stream fragments, the next expected sequence number is updated (step S47).

  On the other hand, if it is determined in step S45 that it does not have the next sequence number (S45: NO), the data of the TCP segment is added to the queuing list, and it is determined whether or not there is a contradiction in the overlapping portion of the data. (Step S49). If it is determined that there is a contradiction in the overlapping portion of the data (S49: YES), the received frame is discarded (step S50), and the processing according to this flowchart is terminated. If it is determined that there is no contradiction in the overlapping portion of data (S49: NO), the processing according to this flowchart is terminated.

Embodiment 2. FIG.
In the first embodiment, a dedicated hardware (inspection unit 112) is provided in the communication control apparatus 110 in order to perform security inspection of received frames. However, the entire network device such as a switch and a router is controlled. It is good also as a structure which makes CPU to perform the inspection.

  FIG. 11 is a schematic diagram illustrating a schematic configuration of the communication control system according to the present embodiment. As in the first embodiment, the network device 200 including the communication control device 210 according to the present invention includes the communication device 10 connected to the external network N1 and the communication device connected to N2 connected to the internal network N2. 20 is connected.

  In addition to the CPU 201 and the forwarding engine 202, the network device 200 includes a PHY 203 and MAC 204 on the external network N1 side, and a PHY 206 and MAC 205 on the internal network N2 side. In FIG. 11, for the sake of simplification, a set of PHY 206 and MAC 205 is provided on the internal network N2 side. However, a plurality of sets of PHY and MAC may be provided so that a plurality of communication devices can be connected. Of course.

  When the network device 200 receives a frame through the PHY 203 on the external network N1 side or the PHY 206 on the internal network side, the communication control device 210 inserted inline performs communication control based on the frame. When the communication control apparatus 210 performs a security check on a stream fragment or the like, unlike the first embodiment, the communication control apparatus 210 makes a check request to the CPU 201 of the network device 200 in the present embodiment. Note that the internal configuration of the control unit 211 is exactly the same as that described in the first embodiment, and a description thereof will be omitted.

Embodiment 3
In the first embodiment and the second embodiment, the network device is inserted in-line, but it may be configured as dedicated hardware.

  FIG. 12 is a block diagram illustrating the internal configuration of the communication control apparatus according to the present embodiment. The communication control device 300 illustrated in FIG. 12 includes a control unit 301, an inspection unit 302, a reception-side PHY 305a and MAC 306a, and a transmission-side PHY 305b and MAC 306b.

  The control unit 301 temporarily holds the transfer of the frame received through the PHY 305a and the MAC 306a, sequentially extracts data from the frame, passes the extracted data and information on the connection to the inspection unit 302, and makes an inspection request. .

  If the inspection result is not desirable, as in the first embodiment, the frame is discarded, the reset is replaced, the contents are replaced, and the connection is disconnected before the data is passed to the application causing the failure. Or prevent information leakage.

  Note that such a communication control device 300 may be incorporated in an information processing apparatus such as a personal computer, and a part of the security inspection may be inspected by a CPU included in the information processing apparatus.

Embodiment 4 FIG.
In the above-described embodiments, the inspection is performed by hardware processing, but the determination processing may be performed by software processing.

  FIG. 13 is a block diagram illustrating the internal configuration of the information processing apparatus in which the computer program of the present invention is installed. In the figure, reference numeral 400 denotes an information processing apparatus such as a personal computer. The information processing apparatus 400 includes a CPU 401, a memory 403, a hard disk 404, a network card 405, and a network card 406, and these hardware are connected to each other via a bus 402.

  The hard disk 404 is preinstalled with the computer of the present invention, and the CPU 401 loads the program onto the memory 403 and executes it, thereby causing the entire apparatus to function as the communication control apparatus according to the present invention.

  The determination procedure is exactly the same as that shown in the first embodiment. For example, the transfer of the frame received through the network card 405 is temporarily suspended, the data is extracted sequentially from the frame, and the extracted data Information related to the connection is passed to the CPU 401 to make an inspection request.

It is a schematic diagram explaining the schematic structure of the communication control system which concerns on this Embodiment. It is a schematic diagram which shows the detail of the flame | frame input into a control part. It is a block diagram explaining the internal structure of a control part. It is a flowchart explaining the procedure of the process which a communication control apparatus performs. It is a flowchart explaining the procedure of the process which a communication control apparatus performs. It is a schematic diagram which shows the mode of the production | generation of a stream fragment | piece. It is explanatory drawing explaining forward RST substitution and reverse RST substitution. It is explanatory drawing explaining forward content replacement. It is a flowchart explaining the procedure of a fragment process. It is a flowchart explaining the procedure of a TCP segment process. It is a schematic diagram explaining the schematic structure of the communication control system which concerns on this Embodiment. It is a block diagram explaining the internal structure of the communication control apparatus which concerns on this Embodiment. It is a block diagram explaining the internal structure of the information processing apparatus in which the computer program of this invention was installed.

Explanation of symbols

10, 20 Communication device
100 Network device 101 CPU
102 Forwarding engine 103,106 PHY
104,05 MAC
110 communication control device 111 control unit 112 inspection unit 113, 114 MAC
N1 external network N2 internal network

Claims (14)

In a device capable of connecting a plurality of communication devices and performing communication control based on a frame transmitted from one communication device to another communication device among the plurality of connected communication devices,
Extracting means for sequentially extracting data from the frame; and determining means for determining whether or not to control communication based on the data extracted by the extracting means, the determining means communicating A communication control device, wherein when it is determined that the control should not be performed, the extracted data is transmitted to the other communication device.   The communication control apparatus according to claim 1, further comprising an interface for connecting an inspection apparatus to inspect the data extracted by the extraction unit.   The determination means includes means for determining whether the data is data that triggers an arbitrary application in the other communication device, and determines that the data is data that triggers the application. 3. The communication control apparatus according to claim 1, wherein the communication control apparatus determines that the communication should be controlled.   The frame is composed of a plurality of segments assigned consecutive sequence numbers, and the extracting means extracts data from each segment, and the extracted data is sequence numbers assigned to the source segment. And means for determining whether or not a series of byte sequences that can be passed to the application is completed as a result of storing the data, based on the sequence number. 4. The communication control apparatus according to claim 3, wherein when it is determined that the communication is completed, the determination unit determines that communication should be controlled.   5. The method according to claim 1, further comprising means for transmitting a signal for requesting blocking of access to the other communication device when the determination means determines that communication should be controlled. The communication control apparatus according to one.   2. The apparatus according to claim 1, further comprising means for transmitting a signal requesting to block access to the one communication apparatus and the other communication apparatus when the determination means determines that communication should be controlled. Item 5. The communication control device according to any one of items 4 to 6.   A means for replacing part or all of the extracted data with other data, and a means for transmitting the replaced data to the other communication device when the determination means determines that the communication should be controlled; The communication control apparatus according to any one of claims 1 to 4, wherein the communication control apparatus is characterized in that: In a method of performing communication control based on a frame transmitted from one communication device to another communication device,
If data is sequentially extracted from the frame, it is determined whether communication should be controlled based on the extracted data, and if it is determined that communication should not be controlled, the extracted data is transferred to another communication device. A communication control method characterized by transmitting. In a computer program for causing a computer to perform communication control based on a frame transmitted from one communication device to another communication device,
Having the computer sequentially extract data from the frame, causing the computer to determine whether to control communication based on the extracted data, and not allowing the computer to control communication. And a step of transmitting the extracted data to another communication device when it is determined.   The computer program according to claim 9, further comprising a step of causing the computer to determine whether or not the data is data that triggers an arbitrary application in the other communication device.   The frame is composed of a plurality of segments assigned consecutive sequence numbers, and data is extracted from each segment, and the computer extracts the extracted data to the sequence number assigned to the source segment. Storing in association with each other, and causing the computer to determine, based on the sequence number, whether or not a series of byte sequences that can be passed to the application is completed as a result of storing the data. The computer program according to claim 10, wherein the computer program is characterized.   12. The method according to claim 9, further comprising a step of causing the computer to transmit a signal requesting to block access to the other communication device when it is determined that the communication should be controlled. The computer program according to one.   10. The method according to claim 9, further comprising a step of causing the computer to transmit a signal requesting to block access to the one communication apparatus and another communication apparatus when it is determined that the communication should be controlled. Item 12. The computer program according to Item 11.   When it is determined that the computer should control the communication, a step of replacing part or all of the extracted data with other data, and a step of causing the computer to transmit the replaced data to the other communication device The computer program according to claim 9, further comprising:

Images