JP2008060766A - Device, program and method for monitoring network, and quarantine system and secure gateway - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To allow a quarantine system to be added to an existing network without introducing a VLAN-compliant switch. <P>SOLUTION: An agent 3 is installed in an agent terminal 300, so as to perform control not to allow the agent terminal 300 to output an ARP Replay with respect to an ARP Request from another terminal. An SGW 100 detects the ARP Request to the terminal connected to a monitoring network and judges the quarantine of a transmission source terminal. When it is judged that the quarantine is already performed in the transmission source terminal as the result of the quarantine determination, the SGW 100 instructs the agent 3, which is installed in the agent terminal 300 being the destination of the ARP Request, to output the ARP Reply with respect to the ARP Request. The agent 3 which receives the instruction controls the agent terminal 300 to output the ARP Reply. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a quarantine system that detects and eliminates unauthorized terminals in a network system in which computers are connected via a network, for example.

  2. Description of the Related Art Conventionally, there is a quarantine system based on VLAN control using a switch (Switch) compatible with a Virtual Local Network (VLAN). However, in order to introduce a quarantine system based on VLAN control using an existing network VLAN compatible switch, a new VLAN compatible switch must be introduced. This not only requires introduction costs, but also has many risks, such as various setting changes related to the network and the risk of failure due to changes from the existing network.

Patent Document 1 describes a client security check method. In Patent Document 1, it is assumed that the client has some kind of security check tool. However, when an attacker connects a client to the network for the purpose of attack, this assumption is not satisfied, and there is a possibility that the client will be attacked before completion of quarantine.
JP 2005-293007 A

In a quarantine system based on VLAN control using a VLAN compatible switch, a VLAN compatible switch must be introduced. In addition, the network settings must be changed. Therefore, it is difficult to add a quarantine function to an existing network.
Further, in the client security check method described in Patent Document 1, an attack can be received before the quarantine of the connected client is completed. Therefore, another defense method that does not require the assumption that the client is equipped with some kind of security check tool is necessary before the quarantine of the connected client is completed.

The present invention enables, for example, adding a quarantine system to an existing network without introducing a new VLAN-compatible switch, and isolates only the terminal at the terminal level when the new terminal is an attack terminal For the purpose.
It is another object of the present invention to detect and eliminate unauthorized terminals even if the unauthorized terminal is not equipped with any security check tool, such as when the newly connected terminal is an unauthorized terminal.
Furthermore, it is intended to construct a quarantine system in which a quarantined terminal is not damaged even if the terminal starts an attack before it is determined that the terminal newly connected to the network is illegal. And

The network monitoring apparatus according to the present invention, for example, sends a connection request addressed to a transmission destination terminal that does not respond to the connection request even when a connection instruction is received from the transmission source terminal, unless a response instruction is issued, via the network. A connection request receiver that is received by the communication device;
A quarantine determination information storage unit that stores quarantine determination information indicating whether or not the terminal is quarantined in a storage device;
Based on the quarantine determination information stored in the quarantine determination information storage unit, a quarantine determination unit that determines whether or not the transmission source terminal is quarantined by the processing device;
When the said quarantine determination part determines that the said transmission origin terminal is quarantined, the response instruction | indication part which instruct | indicates by a processing apparatus to a transmission destination terminal so that it may respond to a connection request is provided.

  The network monitoring apparatus according to the present invention does not respond to a connection request from a transmission source terminal other than the transmission destination terminal specified by the response instruction unit. Therefore, unauthorized terminals can be detected and eliminated without using VLAN control. Moreover, since it is not necessary to use VLAN control, a quarantine function can be easily added to an existing network.

FIG. 1 is a diagram illustrating an example of an appearance of a quarantine system 1000 according to an embodiment.
In FIG. 1, a quarantine system 1000 includes a server A 910A, a server B 910B, a server C 910C, a PC (personal computer) A 909A, a PCB 909B, a PCC 909C, and the like. The PCA 909A, PCB 909B, and PCC 909C include hardware resources such as an LCD (liquid crystal) 901, a keyboard 902 (Key / Board: K / B), a mouse 903, and an FDD 904 (Flexible / Disc / Drive). Resources are connected by cables and signal lines.
Server A 910A, server B 910B, server C 910C, PCA 909A, PCB 909B, and PCC 909C are computers and are connected by a local area network 942 (LAN) and the Internet 940.
Here, the server A 910A is an example of the SGW 100 (secure gateway, network monitoring device). The PCA 909A, PCB 909B, PCC 909C, and server C 910C are examples of the agent terminal 300. The server B 910B is an example of the management server 200.

FIG. 2 is a diagram illustrating an example of hardware resources of the SGW 100, the management server 200, and the agent terminal 300 in the embodiment.
In FIG. 2, the SGW 100, the management server 200, and the agent terminal 300 include a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, a processing unit, a microprocessor, a microcomputer, and a processor) that executes a program. Yes. The CPU 911 is connected to the ROM 913, the RAM 914, the communication board 915, the LCD 901, the keyboard 902, the mouse 903, the FDD 904, and the magnetic disk device 920 via the bus 912, and controls these hardware devices. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.

The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device 984.
The communication board 915, the keyboard 902, the FDD 904, and the like are examples of the input device 982.

The communication board 915 is connected to the LAN 942 or the like. The communication board 915 is not limited to the LAN 942 and may be connected to the Internet 940, a WAN (wide area network) such as ISDN, or the like.
An operating system 921 (OS), a window system 922, a program group 923, and a file group 924 are stored in the magnetic disk device 920 or the ROM 913. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 stores programs for executing functions described as “network monitoring unit 110”, “management server processing unit 210”, and “terminal control unit 310” in the following description of the embodiment. Yes. The program is read and executed by the CPU 911.
In the file group 924, information, data, signal values, variable values, and parameters described as “determination” and “instruction” in the description of the embodiments described below are stored as items of “file” and “database”. Has been. The “file” and “database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, It is used for operations of the CPU 911 such as calculation / calculation / processing / output / printing / display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during the operation of the CPU 911 for extraction, search, reference, comparison, calculation, calculation, processing, output, printing, and display. Is remembered.
In addition, the arrows in the flowcharts described in the following description of the embodiments mainly indicate input / output of data and signals, and the data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the compact disk, and the magnetic disk device. It is recorded on a recording medium such as a 920 magnetic disk, other optical disk, mini disk, or DVD (Digital Versatile Disc). Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “to part” in the description of the embodiment described below may be “to circuit”, “to device”, “to device”, and “to means”. It may be “step”, “˜procedure”, “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” described below. Alternatively, the procedure or method of “to part” described below is executed by a computer.

Embodiment 1 FIG.
In the first embodiment, a quarantine system 1000 that detects and eliminates unauthorized terminals without using a VLAN function will be described.

First, the configuration of the quarantine system 1000 according to the first embodiment will be described with reference to FIG.
The quarantine system 1000 is set (installed) on each terminal, the SGW 100 that protects the monitored network, the management server 200 that determines whether the terminal is a normal terminal that matches the security policy of the monitored network, And an agent 3 that guarantees that the terminal conforms to the security policy.
In FIG. 3, the unauthorized terminal 500 is an unquarantined terminal in which the agent 3 is not installed. The agent terminal 300 on which the other agent 3 is installed is a quarantined normal terminal.

The components of the quarantine system 1000 will be briefly described.
The SGW 100 monitors communication of a monitoring network that is a protection target network. The SGW 100 has a function of detecting an unquarantined terminal and making a quarantine determination, and a function of monitoring communication, transmitting communication of the quarantined terminal, and blocking communication of the unquarantined terminal. In FIG. 3, since the agent 3 is not installed in the unauthorized terminal 500 and is not quarantined, the SGW 100 blocks communication of the unauthorized terminal 500. On the other hand, the SGW 100 transmits the communication of the agent terminal 300 that is a normal terminal.
The agent 3 is installed in the terminal and monitors that the terminal is in a safe state. The agent 3 checks that the patch of the OS or the like, the definition file of the virus removal software, etc. are the latest, and notifies the management server 200. When the SGW 100 performs the quarantine determination, the agent 3 sends the agent 3 to the terminal. Has been installed on the SGW 100.
The management server 200 has a function of distributing necessary information to the SGW 100 and the agent 3 and a function of collecting and managing information from the SGW 100 and the agent 3.
The quarantine system 1000 is a system that uses the above components to prevent free communication even if a terminal is brought in from the outside.

Next, an operation when the quarantine system 1000 detects an unquarantined terminal will be described based on FIG. FIG. 4 is a diagram illustrating an operation when the quarantine system 1000 illustrated in FIG. 3 detects an unquarantined terminal.
When the quarantine system 1000 detects an unquarantined terminal, the quarantine determination is performed by the following operation.
1. The terminal starts communication. The SGW 100 picks up this communication and determines whether the terminal is quarantined or not quarantined (1). When the SGW 100 determines that the terminal is not quarantined, the SGW 100 requests the management server 200 for a quarantine process. The management server 200 inquires of the terminal whether the agent 3 is installed and the patch information (2). Here, the management server 200 makes an inquiry to the terminal via the SGW 100, but may make an inquiry directly to the terminal.
2. The agent 3 installed in the terminal notifies the management server 200 of necessary information (3, 4).
3. The management server 200 notifies the SGW 100 of the quarantine result (5).
4). The SWG 1 transmits or discards the communication according to the quarantine result. In FIG. 4, the SGW 100 discards the communication with the unauthorized terminal 500 and transmits the communication with the agent terminal 300 (6).
The SGW 100 stores terminals that have been quarantined once, and the terminals stored thereafter are transparently relayed by the SGW 100.

  In the above description, the SGW 100 performs the quarantine determination by picking up the communication started by the terminal. Prior to communication, a terminal normally broadcasts an ARP (Address Resolution Protocol) Request and attempts to resolve a destination MAC (Media Access Control) address. Therefore, the SGW 100 can start the above-described quarantine determination by picking up this ARP request.

Here, the switch used in the quarantine system 1000 according to Embodiment 1 does not have a VLAN function. However, when the operation of the above-described quarantine system 1000 is simply performed, the switch does not have a VLAN function, which is harmful. Therefore, first, a problem caused by the fact that the switch does not have a VLAN function will be described, and then a method for solving this problem will be described.
5 and 6, each terminal is connected by a switch 4. When a certain system is constructed from the beginning as a quarantine system, the switch 4 generally has a VLAN function. The reason for this is to separate unquarantined terminals and quarantined terminals. Since the switch 4 has a VLAN function, even if the newly connected terminal is an attack terminal (illegal terminal 500), the VLAN is different from the agent terminal 300 which is a quarantined terminal, and the attack terminal is connected. However, the agent terminal 300 is not damaged.
On the other hand, if an attempt is made to construct the quarantine system 1000 as it is in an environment without a VLAN function, the quarantined terminal and the newly connected terminal exist in the same network, and therefore communication is established regardless of whether or not the terminal is a quarantined terminal. End up.

  As shown in FIGS. 5 and 6, when a terminal newly connected to the network is an attack terminal, it is conceivable to transmit a large amount of ARP Requests in order to search for a terminal existing in the network. Since the terminal connected to the same switch 4 returns ARP Reply to this ARP Request, its existence is known to the attacking terminal. As a result, the attack of the attacking terminal is not only established, but also demarcated by the switch 4, so it is impossible to know from the SGW 100 that the attack is being performed internally.

  Further, even if it can be determined that the attacking terminal is connected to the network, since it does not have a VLAN function, isolation by VLAN is impossible. For this reason, it is impossible to isolate only the attacking terminal, and all the terminals below the switch 4 including the normal agent terminal 300 are isolated. That is, the normal agent terminal 300 below the switch 4 is isolated from the other networks even though it is normal. Further, even if the agent 3 can determine that the monitored agent terminal 300 is attacked, it may be difficult to notify the agent 3 because it is under attack. Therefore, there is a risk that damage will spread.

There is such an adverse effect by not having the VLAN function. Therefore, a method for solving the adverse effects caused by not having the VLAN function described above will be described next.
The agent 3 and the SGW 100 perform the following operation to solve the above problem.

First, the operation of the agent 3 will be described.
The agent 3 installed in the agent terminal 300 controls the agent terminal 300 to perform the following operation.
(1) The agent terminal 300 does not return an ARP Reply to all ARP Requests unless there is guidance (instruction) from the SGW 100. Further, the agent terminal 300 does not update the ARP cache even if it receives the ARP request.
(2) The agent terminal 300 outputs ARP Reply only when there is ARP guidance from the SGW 100.
(3) The agent terminal 300 receives only the ARP Reply for the ARP Request issued by the agent terminal 300.

As for (1) above, it is also possible to output an ARP Reply to an ARP Request from other than the subnet to which the agent terminal 300 belongs. However, the attacker usually spoofs the address of the attacking terminal. Therefore, here, it is assumed that ARP Reply is not returned for all ARP Requests.
Further, the ARP cache of the agent terminal 300 is updated by receiving the ARP Reply in the normal ARP protocol stack.

Next, the operation of the SGW 100 will be described.
First, the outline | summary of operation | movement of SGW100 is demonstrated. After receiving the ARP request, the SGW 100 holds this until it is determined whether or not the output source of the ARP request is a normal terminal. If the SGW 100 determines that the output source of the ARP Request is a normal terminal, the SGW 100 guides the terminal of the transmission destination of the ARP Request to output the ARP Reply. When the SGW 100 determines that the output source of the ARP request is an unauthorized terminal, the SGW 100 discards the ARP request, and thereafter, no terminal outputs the ARP reply to the output source terminal.

Next, the operation of the SGW 100 will be described in detail.
(1) It has a correspondence table of IP (Internet Protocol) addresses and MAC addresses for all quarantined agent terminals 300 in the monitoring (protection target) network. This table is called an ARP resolution table. The SGW 100 updates the ARP resolution table after the quarantine determination. That is, when the SGW 100 determines that the terminal is the normal agent terminal 300, the SGW 100 adds the IP address and the MAC address to the ARP resolution table.
(2) When the transmission source terminal receives an ARP request having an address other than that of the monitoring network from the monitoring network, the ARP request is discarded with the transmission source terminal as an unauthorized terminal.
(3) When both the transmission source terminal and the transmission destination terminal receive the ARP Request that is the address of the monitoring network from the monitoring network (3.1) When both the transmission source terminal and the transmission destination terminal are quarantined , The destination terminal is guided to output ARP Reply. Here, whether or not the terminal has been quarantined can be determined based on the ARP resolution table.
(3.2) When the transmission destination terminal is quarantined but the transmission source terminal is not quarantined, the management server 200 is requested to perform a quarantine process. As a result of the quarantine process by the management server 200, when it is determined that the transmission source terminal is a normal terminal, the transmission destination terminal is guided to output ARP Reply.
(3.3) In cases other than the above (3.1) and (3.2), the ARP Request is discarded. That is, the destination terminal is not guided to output ARP Reply. That is, the destination terminal does not output ARP Reply.
(4) When the transmission source terminal receives the ARP request of the external network from the monitoring network and the transmission destination terminal receives the ARP request of the external network (4.1) When the transmission source terminal is a quarantined terminal, the ARP request is relayed . If the transmission source terminal is an unquarantined terminal, the management server 200 is requested to perform a quarantine process. As a result of the quarantine process by the management server 200, when it is determined that the transmission source terminal is a normal terminal, the transmission destination terminal is guided to output ARP Reply.
(4.2) In cases other than the above (4.1), the ARP Request is discarded as in the case of (3.3).
(5) When ARP Request is received from outside the monitoring network (5.1) When the transmission destination terminal is quarantined, the transmission destination terminal is guided to output ARP Reply. The ARP Reply that is output from the destination terminal and goes out is simply relayed by the SGW 100.
(5.2) In cases other than (5.1) above, the ARP Request is discarded as in (3.3).

  That is, the agent 3 installed in the terminal controls the terminal so that the ARP Reply is not returned even if the terminal receives the ARP Request. Then, when the SGW 100 works on the agent 3 installed in the terminal, the terminal generates an ARP Reply.

According to this method, since the terminal does not return an ARP reply unless instructed by the SGW 100, it is possible to solve the above-described adverse effects caused by not having the VLAN function. In addition, even if the terminal starts an attack before it is determined that the terminal newly connected to the network is illegal, the terminal of the monitoring network is not damaged.
Further, the agent 3 does not need to have information as in the ARP resolution table. Therefore, the processing load on the agent 3 is light. Further, since the agent 3 does not have information like the ARP resolution table, there is no trouble of redistributing the change information to the agent 3 many times when the ARP resolution table is changed due to increase / decrease of quarantined terminals.

  Next, an example of functions and processing of the quarantine system 1000 that realizes the operations of the SGW 100, the management server 200, and the agent 3 described above will be described in detail with reference to FIGS.

FIG. 7 is a functional block diagram illustrating functions of the quarantine system 1000 according to the first embodiment. The quarantine system 1000 includes an SGW 100, a management server 200, and an agent terminal 300.
The SGW 100 includes a network monitoring unit 110, a display device A 986A, a processing device A 980A, an input device A 982A, a storage device A 984A, and a communication device A 988A. The network monitoring unit 110 includes a connection request reception unit 112, a network determination unit 114, an address determination unit 116, a quarantine determination information storage unit 118, a quarantine determination unit 120, a quarantine processing instruction unit 122, a quarantine processing result reception unit 124, and a quarantine processing result. A determination unit 126 and a response instruction unit 128 are provided.
The management server 200 includes a management server processing unit 210, a processing device B 980B, an input device B 982B, a storage device B 984B, and a communication device B 988B. The management server processing unit 210 includes a quarantine processing execution unit 212 and a quarantine processing result transmission unit 214.
The agent terminal 300 includes a terminal control unit 310, a processing device C980C, an input device C982C, a storage device C984C, and a communication device C988C. The terminal control unit 310 is the agent 3 described above.

  FIG. 8 is a flowchart showing network monitoring processing that is an operation of SGW 100 according to the first embodiment. The network monitoring process realizes the operation of the SGW 100 described above.

  First, in the connection request reception process (S110), the connection request reception unit 112 receives an ARP Request, which is a connection request addressed from the transmission source terminal to the transmission destination terminal, by the communication device A 988A via the network. Here, the transmission destination terminal also receives the ARP request. However, as described above, if the destination terminal is the agent terminal 300 in which the agent 3 is installed, the destination terminal is instructed to respond even if it receives a connection request under the control of the agent 3 (terminal control unit 310). Do not respond to connection requests unless

Next, in the network determination process (S120), the network determination unit 114 determines whether or not the ARP Request is transmitted from a terminal connected to the monitoring network by the processing device A 980A. That is, the network determination unit 114 determines whether the transmission source terminal is an internal terminal or an external terminal of the monitoring network. Further, the network determination unit 114 determines whether the transmission destination terminal that is the destination terminal of the ARP request is an internal terminal or an external terminal of the monitoring network.
When the transmission source terminal is an internal terminal and the transmission destination terminal is an internal terminal, the network determination unit 114 proceeds to (S130). When the transmission source terminal is an internal terminal and the transmission destination terminal is an external terminal, the network determination unit 114 proceeds to (S131). When the transmission source terminal is an external terminal and the transmission destination terminal is an internal terminal, the network determination unit 114 proceeds to (S142). Here, there is no influence on the monitoring network with respect to the ARP Request in which the transmission source terminal is an external terminal and the transmission destination terminal is an external terminal. For this reason, the ARP Request whose destination terminal is an external terminal is not received by the SGW 100 or is not particularly processed even if it is received.

First, a case where the transmission source terminal is an internal terminal and the transmission destination terminal is an internal terminal will be described. The above-described operation of the SGW 100 corresponds to the process (3).
First, before the above-described operation (3) of the SGW 100, the above-described operation (2) of the SGW 100 is performed in the address determination process (S130). In the address determination process (S130), the address determination unit 116 determines whether or not the address of the transmission source terminal included in the ARP Request is an address of the monitoring network. If the address determination unit 116 determines that the address included in the ARP request is not an internal address of the monitoring network, the address determination unit 116 determines that the transmission source terminal is an unauthorized terminal, and discards the received ARP request. That is, when the network determination unit 114 determines that the transmission source terminal is an internal terminal, that is, when the network determination unit 114 determines that the ARP request is transmitted from a terminal connected to the monitoring network, the ARP request is set. If the included address is an address outside the monitoring network, the source terminal is determined to be an unauthorized terminal, and the received ARP Request is discarded.
Next, in the quarantine determination process (S140), the quarantine determination unit 120 determines, based on the ARP resolution table (an example of quarantine determination information), whether or not the transmission source terminal and the transmission destination terminal have been quarantined by the processing device A 980A. . When it is determined that the transmission source terminal is quarantined and the transmission destination terminal is quarantined, the quarantine determination unit 120 proceeds to (S180). If it is determined that the transmission destination terminal is quarantined but the transmission source terminal is not quarantined, the quarantine determination unit 120 proceeds to (S150). In other cases, the quarantine determination unit 120 discards the received ARP request.
Next, in the quarantine process instruction process (S150), the quarantine process instruction unit 122 instructs the management server 200 of the quarantine process of the transmission source terminal by the processing device A 980A. The operation of the management server 200 that has received the quarantine processing instruction will be described later.
Next, in the quarantine process result receiving process (S160), the quarantine process result receiving unit 124 is the result of the quarantine process result transmitting unit 214 of the management server 200 described later performing the quarantine process instructed by the quarantine process instruction unit 122. A quarantine processing result indicating whether or not the transmission source terminal is an unauthorized terminal is received from the management server 200 by the communication device A988A.
In the quarantine process result determination process (S170), the quarantine process result determination unit 126 determines whether or not the quarantine process result received by the quarantine process result reception unit 124 indicates that the transmission source terminal is an unauthorized terminal. Judgment by When it is determined that the quarantine processing result indicates that the transmission source terminal is an unauthorized terminal, the quarantine processing result determination unit 126 discards the received ARP Request. When it is determined that the quarantine processing result does not indicate that the transmission source terminal is an unauthorized terminal, the quarantine processing result determination unit 126 proceeds to (S180).
Then, in the response instruction process (S180), the response instruction unit 128 instructs the transmission destination terminal by the processing device A 980A to respond to the ARP request (output the ARP reply). Here, the destination terminal is limited to the agent terminal 300 in which the agent 3 is installed by the above processing. The agent 3 (terminal control unit 310) installed in the transmission destination terminal controls to respond to the ARP request when the response instruction unit 128 is instructed to respond to the ARP request. That is, the transmission destination terminal outputs an ARP reply to the transmission source terminal by receiving an instruction from the response instruction unit 128 under the control of the agent 3 (terminal control unit 310).

Next, a case where the transmission source terminal is an internal terminal and the transmission destination terminal is an external terminal will be described. The above-described operation of the SGW 100 corresponds to the process (4).
First, before the operation (4) of the SGW 100 described above, the operation (2) of the SGW 100 described above is performed in the address determination process (S131). (S131) is the same as (S130) described above.
Next, in the quarantine determination process (S141), the quarantine determination unit 120 determines, based on the ARP resolution table, whether or not the transmission source terminal has been quarantined by the processing device A 980A. When it is determined that the transmission source terminal is quarantined, the quarantine determination unit 120 proceeds to (S181). When it is determined that the transmission source terminal is not quarantined, the quarantine determination unit 120 proceeds to (S151).
(S151) to (S171) are the same as (S150) to (S170) described above.
In the response instruction process (S181), the response instruction unit 128 transmits the ARP request. That is, the response instruction unit 128 transmits an ARP request to the transmission destination terminal.

Next, a case where the transmission source terminal is an external terminal and the transmission destination terminal is an internal terminal will be described. The above-described operation of the SGW 100 corresponds to the process (5).
In the quarantine determination process (S142), the quarantine determination unit 120 determines, based on the ARP resolution table, whether or not the transmission source terminal is quarantined by the processing device A 980A. When it is determined that the transmission destination terminal is quarantined, the quarantine determination unit 120 proceeds to (S182). If it is determined that the source terminal is not quarantined, there is a possibility that an unauthorized terminal that has not yet been detected is hidden inside the monitoring network, and an external terminal that tries to contact the unauthorized terminal May have transmitted an ARP Request. Therefore, the quarantine determination unit 120 discards the received ARP request.
(S182) is the same as (S180).

  In addition, before each of (S180), (S181), and (S182), the quarantine determination information storage unit 118 stores a pair of the IP address and MAC address of the terminal indicating whether or not the terminal has been quarantined in the ARP resolution table. You may add the processing to do.

FIG. 9 is a flowchart showing a management server process that is an operation of the management server 200 according to the first embodiment. The management server process is executed when the SGW 100 instructs the management server 200 to perform a quarantine process in (S150) and (S151) of the network monitoring process.
First, in the quarantine execution process (S210), the quarantine process execution unit 212 receives an instruction from the quarantine process instruction unit 122 of the SGW 100, and determines whether the terminal is an unauthorized terminal that does not match the security policy of the monitoring network. Judgment by Here, the quarantine processing execution unit 212 receives information indicating whether the agent 3 is installed from a terminal or the like, OS patch version information, and the like, and determines whether the terminal is an unauthorized terminal.
Next, in the quarantine process result transmission process (S220), the quarantine process result transmission unit 214 transmits the quarantine process result, which is the result determined by the quarantine process execution unit 212, using the communication device B 988B.

Next, an example of the operation of the SGW 100 will be specifically described with reference to FIGS. Here, particularly, two cases in which a terminal inside the monitoring network may be attacked will be described.
First, based on FIG. 10, an operation in the case where an unquarantined terminal that is unknown whether normal or illegal is connected to the monitoring network and accesses a terminal inside the monitoring network will be described. That is, this is a case where the transmission source terminal is an internal terminal and the transmission destination terminal is an internal terminal, and corresponds to the process (3) in the operation of the SGW 100 described above.

  First, as shown in FIG. 10A, when an unquarantined terminal connected to the monitoring network starts access to a terminal inside the monitoring network, first, in order to know the MAC address of the other party, an ARP Request is sent. Is output. Here, for example, it is assumed that terminal A is trying to access terminal B. The terminal A transmits an ARP request to the terminal B. However, since the ARP request is broadcast to the same network (monitoring network), the terminal A reaches the SGW 100. The SGW 100 receives this ARP request (S110). As described above, the transmission source terminal A is a terminal inside the monitoring network (S120). Next, the SGW 100 confirms that the IP address of the transmission source terminal A included in the received ARP Request is an address of the monitoring network (S130). Here, it is assumed that the IP address of the transmission source terminal A included in the ARP Request is the address of the monitoring network. Next, the SGW 100 knows from the ARP resolution table that the transmission source terminal A is a new terminal (unquarantined terminal) (S140). However, at this stage, the terminal A cannot determine whether or not the terminal is equipped with the agent 3.

  Then, next, as shown in FIG. 10B, the SGW 100 transmits ARP Request information to the management server 200 for the terminal A detected as a new terminal, and instructs the quarantine process (S150). Then, the SGW 100 obtains a quarantine result from the management server 200 (S160).

Then, as shown in FIG. 10C, when it is determined that the terminal A is a normal terminal on which the agent 3 is installed (OK in S170), the pair of the MAC address and the IP address of the terminal A is set in the ARP resolution table. To store. Thereafter, the terminal B that is the destination is guided so as to respond to the ARP Request output by the terminal A. ARP Reply can be induced by the MAC address and IP address of terminal A (S180).
On the other hand, when it is determined that the terminal A is an unauthorized terminal (NG in S170), the SGW 100 does not guide the ARP Reply to the terminal B. Also, the terminal B does not spontaneously return an ARP Reply. Therefore, ARP Reply is not sent from terminal B to terminal A, and terminal A cannot know the presence of terminal B. Therefore, the terminal B can escape the attack from the terminal A or the like.

  Next, based on FIG. 11, an operation when an ARP Request arrives at a terminal inside the monitoring network from outside the monitoring network will be described. That is, this is a case where the transmission source terminal is an external terminal and the transmission destination terminal is an internal terminal, and corresponds to the process (5) in the operation of the SGW 100 described above.

The SGW 100 receives the ARP request (1) (S110). As described above, the transmission source terminal is a terminal outside the monitoring network (S120). Here, it can be determined from the source IP address of the ARP request that the source of the received ARP request is outside the monitoring network. Therefore, the SGW 100 determines whether or not the destination terminal is quarantined (S142). Whether or not the transmission destination terminal is quarantined can be determined by referring to the ARP resolution table and determining whether or not the MAC address of the transmission destination terminal exists in the ARP resolution table. If the destination terminal is quarantined (YES in S142), the agent 3 is guided to output the ARP Reply to the destination terminal in the SGW 100 monitoring network (3) (S182). The ARP Reply that is output from the destination terminal and goes out is simply relayed by the SGW 100 (4).
On the other hand, with reference to the ARP resolution table for the destination terminal, if there is no destination MAC address in the ARP resolution table, it is determined that the destination terminal has not been quarantined (NO in S142). In other words, in this case, there is a possibility that an unauthorized terminal that has not yet been detected is hidden inside the monitoring network, and that an external terminal that wants to communicate with the unauthorized terminal transmits an ARP Request. It is done. Therefore, the SGW 100 discards the received ARP request.

According to the quarantine system 1000 according to the first embodiment, it is possible to detect and eliminate unauthorized terminals without using VLAN control.
Moreover, since it is not necessary to use VLAN control, a quarantine function can be easily added to an existing network.
Furthermore, the agent 3 installed in each terminal does not need to have information such as an ARP resolution table. Therefore, the processing load on each terminal is light, and it is not necessary to redistribute the change information of the ARP resolution table to each terminal, so that no network load is applied.
Furthermore, even if the terminal receives the ARP Request, the terminal does not output the ARP Reply until it is guided from the SGW 100. Therefore, even if the terminal starts an attack before it is determined that the terminal newly connected to the network is illegal, there is no damage.

Summarizing the quarantine system 1000 according to the first embodiment, in the quarantine system 1000 that detects and eliminates unauthorized terminals, is the SGW 100 for protecting the monitoring network and whether the terminal is a normal terminal that matches the security policy of the monitoring network? A management server 200 that determines whether or not, and an agent 3 that is set in each terminal and guarantees that the terminal conforms to the security policy.
The agent 3 has a mechanism for preventing the terminal from responding to the ARP Request, and a mechanism for causing the terminal to output the ARP Reply that is induced only when being guided from the SGW 100.
When the SGW 100 receives an ARP Request, if it is from an unquarantined terminal, it first performs a quarantine determination, and if the quarantine result of the sender of the ARP Request is normal, it is set as the destination of the ARP Request. And a mechanism for guiding the agent 3 to output ARP Reply.
In addition, the quarantine system 1000 according to the first embodiment is characterized in that it is possible to prevent an unquarantined terminal from starting an attack during the quarantine determination period of the unquarantined terminal.
Furthermore, the quarantine system 1000 according to the first embodiment is an add-on type quarantine network system that allows a quarantine function to be easily added to a switch network that does not assume a quarantine network and does not have a VLAN function. It is characterized by.

Embodiment 2. FIG.
In the second embodiment, a method of guiding an unauthorized terminal to a decoy network and analyzing the behavior of the unauthorized terminal will be described.

An operation for guiding an unauthorized terminal to the decoy network will be described with reference to FIG. FIG. 12 shows a quarantine system 1000 in which a decoy terminal 71 is connected to the quarantine system 1000 shown in FIG.
A decoy terminal 71 of the decoy network 7 is connected to the switch 4 in advance. For example, when it is determined that the terminal A is an unauthorized terminal in the quarantine process illustrated in FIG. 10B, the ARP request is discarded when it is determined that the transmission source terminal is an unauthorized terminal. However, instead of discarding the ARP request, the decoy terminal 71 is guided so that the response instruction unit 128 returns an ARP reply to the ARP request. Thereby, the unauthorized terminal starts communication with the decoy terminal 71 thereafter. As described above, it is possible to invite an unauthorized terminal to the decoy network 7 and analyze the behavior of the unauthorized terminal.

  That is, the quarantine system 1000 according to the second embodiment is characterized in that it is possible to isolate unquarantined terminals in units of terminals.

Embodiment 3 FIG.
In the third embodiment, a method for realizing the gratuitous ARP that prevents the use of duplicate addresses in the same network in the quarantine system 1000 described in the above embodiment will be described.

  Depending on the type of OS installed in the terminal, in order to prevent the use of duplicate addresses in the same network, an ARP Request or ARP Reply addressed to the terminal may be output when the terminal is activated. The ARP output at this time is called gravitational ARP.

The purpose and operation of the gratuitous ARP in a normal environment will be described.
The purpose of gratuitous ARP is to check IP address duplication and update the ARP cache of devices such as terminals and switches in the network.
The operation of the gratuitous ARP is to send an ARP Request to itself when a certain terminal is connected to the network and return an ARP Reply to the ARP Request by itself. If no ARP Reply is received in addition to the ARP Reply transmitted by the user, it can be understood that the IP address is not duplicated in the network below the switch.

Next, the operation of the gratuitous ARP in the network in which the quarantine system 1000 described in the above embodiment is constructed will be described.
The agent 3 controls so that all agent terminals 300 other than the sender that have received the gratuitous ARP Request do not output the ARP Reply in response to this ARP Request. Further, the agent 3 performs control so that the ARP cache of the agent terminal 300 is not updated. By doing so, the quarantine system 1000 described in the above embodiment functions. On the other hand, the IP address duplication check that is the purpose of the gratuitous ARP does not function as it is.
However, the IP address duplication check that is the purpose of the gratuitous ARP is realized by using the ARP resolution table of the SGW 100.
The SGW 100 manages the IP address of the terminal after the quarantine determination in the ARP resolution table. The SGW 100 that has received the gratuitous ARP request has an IP duplication if the IP address included in the gratuitous ARP request is the same as the already quarantined terminal. In this case, in the same manner as the operation in which the SGW 100 described in the above embodiment determines whether or not to output an ARP reply to the ARP request, it is determined whether or not to output the ARP reply to the gratuitous ARP request. . Here, the transmission destination terminal in the above embodiment corresponds to another terminal having the same IP address as that of the transmission terminal of the gratuitous ARP request. That is, the SGW 100 determines whether to induce another terminal having the same IP address as the sender of the gratuitous ARP Request to output the ARP Reply. Here, when it is determined that the transmission terminal of the gratuitous ARP request is not an unauthorized terminal, an output of the ARP reply is instructed to another terminal having the same IP address as the sender of the gratuitous ARP request. As a result, the ARP Reply output is received by the source terminal of the gratuitous ARP Request, and duplication of the IP address is detected.

  In addition, if the IP address does not exist in the ARP resolution table, the SGW 100 that has received the gratuitous ARP request performs a quarantine determination on the transmission source terminal using the received gratuitous ARP request information. If the result of the determination is that the terminal is a normal terminal, the SGW 100 instructs the gravitational ARP request source terminal itself to create a gratuitous ARP reply to the gratuitous ARP request. Then, the transmission source terminal itself outputs ARP Reply, which is received by the transmission source terminal itself. Since the transmission source terminal of the gratuitous ARP request does not receive the ARP reply from another terminal, it can be confirmed that the IP address is not duplicated.

That is, a terminal that outputs a gratuitous ARP reply from the beginning performs normal quarantine if the IP address is not in the ARP resolution table of the SGW 100. If the IP address is duplicated, the latter is treated as an unauthorized terminal. Further, when the gratuitous ARP transmission source terminal is an unauthorized terminal, the SGW 100 only treats it as an unauthorized terminal.
Alternatively, the terminal that has output the gratuitous ARP reply may induce the agent 3 to output one-time reply from the already existing terminal in order to perform the IP duplication check expected by the gratuitous ARP.

  By operating in this way, the gratuitous ARP operates normally by the quarantine system 1000 described in the above embodiment.

Embodiment 4 FIG.
In the fourth embodiment, a method for confirming the security of a transmission source network when it is dangerous to return an ARP Reply from an internal terminal in all cases for an ARP Request that arrives from outside will be described.

  Before inducing ARP Reply to the internal terminal, the SGW 100 checks the identity of the other party by performing whitelist matching on the network of the transmission source terminal.

  The function and operation of the quarantine system 1000 having the function of confirming the security of the transmission source network will be described in detail with reference to FIGS.

FIG. 13 is a functional block diagram illustrating functions of the quarantine system 1000 according to the fourth embodiment. With respect to the functional block diagram shown in FIG. 13, only the parts different from the functional block diagram shown in FIG. 7 will be described.
The network monitoring unit 110 of the SGW 100 includes a white list storage unit 130 and a white list determination unit 132. The white list storage unit 130 stores a secure network other than the monitoring network in the storage device A 984A as a white list. When the ARP Request is transmitted from a terminal connected to a network that is not a monitoring network, the white list determination unit 132 is based on the white list stored in the white list storage unit 130, and the network to which the terminal that has transmitted the ARP Request is connected Is determined by the processing apparatus A 980A.

FIG. 14 is a flowchart showing a network monitoring process that is an operation of the SGW 100 according to the fourth embodiment. Only the parts of the network monitoring process according to the fourth embodiment that are different from the network monitoring process according to the first embodiment will be described.
When it is determined in (S120) that the transmission source terminal is an external terminal and the transmission destination terminal is an internal terminal, the network determination unit 114 proceeds to (S190). In the white list determination process (S190), the white list determination unit 132 determines whether the network to which the transmission source terminal is connected is a safe network based on the white list. When it is determined that the network to which the transmission source terminal is connected is not a secure network, the whitelist determination unit 132 discards the ARP Request. When it is determined that the network to which the transmission source terminal is connected is a safe network, the whitelist determination unit 132 proceeds to (S142).

  According to the quarantine system 1000 according to the fourth embodiment, when the transmission source is outside the monitoring network, whether or not to output the ARP reply after confirming the safety of the network to which the transmission source terminal is connected is determined. decide. Therefore, higher security of the monitoring network can be ensured.

  According to the quarantine system 1000 according to the above embodiment, it is possible to easily add on a quarantine network (quarantine system) to an existing switch network. That is, it is possible to realize a function for eliminating unauthorized terminals while using existing network devices.

  In addition, the quarantine system 1000 according to the above embodiment realizes the same function by controlling the ARP packet instead of unauthorized terminal isolation by VLAN, and improves the add-on property, but also starts an attack during the quarantine. Even if this occurs, it is possible to prevent this attack and to guide the attacker to the decoy network by controlling the ARP packet.

Here, the SGW 100 is an example of a network monitoring device. That is, the network management device is not limited to the SGW 100 or the gateway, and may be a router, a switch, a firewall, or another computer. Moreover, ARP Request is an example of a connection request. That is, the connection request is not limited to the ARP Request, and may be based on another protocol, for example. In other words, the response to the connection request is not limited to ARP Reply, but differs depending on the connection request.
Further, what has been described as “˜processing” in the above embodiment can be read as “˜step”.

The figure which shows an example of the external appearance of the quarantine system 1000 in embodiment. The figure which shows an example of the hardware resources of SGW100, management server 200, and agent terminal 300 in embodiment. 1 is a diagram illustrating a configuration of a quarantine system 1000 according to Embodiment 1. FIG. The figure which shows operation | movement when the quarantine system 1000 detects an unquarantined terminal. The figure which shows the bad effect by not having a VLAN function. The figure which shows the bad effect by not having a VLAN function. FIG. 3 is a functional block diagram showing functions of the quarantine system 1000 according to the first embodiment. 5 is a flowchart illustrating network monitoring processing that is an operation of the SGW 100 according to the first embodiment. 6 is a flowchart illustrating management server processing that is an operation of the management server 200 according to the first embodiment. The figure which shows operation | movement when the unquarantined terminal which is unclear whether it is normal or illegal is connected to the monitoring network, and accesses the terminal inside a monitoring network. The figure which shows the operation | movement when ARP Request arrives at the terminal inside the monitoring network from the outside of the monitoring network. The figure which shows the operation | movement which guides an unauthorized terminal to a decoy network. FIG. 9 is a functional block diagram showing functions of a quarantine system 1000 according to a fourth embodiment. 10 is a flowchart showing network monitoring processing that is an operation of the SGW 100 according to the fourth embodiment.

Explanation of symbols

  1000 Quarantine system, 100 SGW, 110 Network monitoring unit, 112 Connection request receiving unit, 114 Network determination unit, 116 Address determination unit, 118 Quarantine determination information storage unit, 120 Quarantine determination unit, 122 Quarantine processing instruction unit, 124 Quarantine processing result Receiving unit, 126 quarantine processing result determination unit, 128 response instruction unit, 130 white list storage unit, 132 white list determination unit, 200 management server, 210 management server processing unit, 212 quarantine processing execution unit, 214 quarantine processing result transmission unit, 300 agent terminal, 310 terminal control unit, 3 agent, 4 switch, 901A, 901B, 901C LCD, 902A, 902B, 902C keyboard, 903A, 903B, 903C mouse, 904A, 904B, 904C FDD, 909A PCA, 909B PCB, 909C PCC, 910 server, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 916A, 916B other server, 920 magnetic disk unit, 921 OS, 922 window system, 923 program group , 924 File group, 940 Internet, 942 LAN, 980A Processing device A, 980B Processing device B, 980C Processing device C, 982A Input device A, 982B Input device B, 982C Input device C, 984A Storage device A, 984B Storage device B 984C Storage device C, 986A Display device A, 988A Communication device A, B988B Communication device, 988C Communication device C.

Claims (11)

A connection request receiving unit that receives a connection request addressed to a destination terminal that does not respond to a connection request unless a response instruction is received even if a connection request is received from the transmission source terminal, via a network;
A quarantine determination information storage unit that stores quarantine determination information indicating whether or not the terminal is quarantined in a storage device;
Based on the quarantine determination information stored in the quarantine determination information storage unit, a quarantine determination unit that determines whether or not the transmission source terminal is quarantined by the processing device;
A network monitoring system comprising: a response instructing unit that instructs the transmission destination terminal to respond to the connection request when the quarantine determination unit determines that the transmission source terminal is quarantined. apparatus. The network monitoring device further includes:
When the quarantine determination unit determines that the transmission source terminal is not quarantined, a quarantine processing instruction unit that instructs a quarantine process of the transmission source terminal to the management server by a processing device;
A quarantine process in which the communication server receives from the management server a quarantine process result indicating whether the transmission source terminal is an unauthorized terminal, which is a result of the quarantine process instructed by the quarantine process instruction unit. A result receiving unit,
When the quarantine processing result received by the quarantine processing result receiving unit indicates that the transmission source terminal is not an unauthorized terminal, the response instruction unit instructs the transmission destination terminal to respond to the connection request. The network monitoring apparatus according to claim 1. The quarantine determination unit determines whether the transmission destination terminal is quarantined based on the quarantine determination information stored in the quarantine determination information storage unit,
The network according to claim 1, wherein the response instruction unit does not instruct the transmission destination terminal to respond to a connection request when the quarantine determination unit determines that the transmission destination terminal is not quarantined. Monitoring device. The connection request receiving unit receives a connection request including an address of a transmission source terminal,
The network monitoring device further includes:
A network determination unit for determining whether or not the connection request is transmitted from a terminal connected to the monitoring network;
An address determination unit that determines whether or not the address of the transmission source terminal included in the connection request is an address of the monitoring network by a processing device;
The network determination unit determines that the connection request is transmitted from a terminal connected to the monitoring network, and the address determination unit determines that the address of the transmission source terminal included in the connection request is not the address of the monitoring network. 2. The network monitoring device according to claim 1, wherein the response instruction unit does not instruct the transmission destination terminal to respond to the connection request. When the quarantine processing result received by the quarantine processing result receiving unit indicates that the transmission source terminal is an unauthorized terminal, the response instruction unit instructs to respond to a decoy terminal different from the transmission destination terminal. The network monitoring device according to claim 2, characterized in that: The network monitoring device further includes:
A whitelist storage unit for storing a safe network other than the monitoring network as a whitelist in the storage device;
A network determination unit for determining whether or not the connection request is transmitted from a terminal connected to the monitoring network;
When the network determination unit determines that the connection request is transmitted from a terminal connected to a network that is not a monitoring network, the terminal that transmitted the connection request is connected based on the white list stored in the white list storage unit. A white list determination unit that determines whether or not the network is a secure network,
When the whitelist determination unit determines that the network to which the terminal that transmitted the connection request is connected is not a secure network, the response instruction unit does not instruct the destination terminal to respond to the connection request The network monitoring device according to claim 1. In a quarantine system comprising a terminal connected to a monitoring network and a network monitoring device for monitoring the monitoring network,
The terminal
Provided with a terminal control unit that controls not to respond even when a connection request is received,
Network monitoring device
A connection request receiver for receiving a connection request addressed to a destination terminal connected to the monitoring network by the communication device;
A quarantine determination information storage unit that stores quarantine determination information indicating whether or not the terminal is quarantined in a storage device;
Based on the quarantine determination information stored in the quarantine determination information storage unit, the quarantine determination unit determines whether the transmission source terminal that is the transmission source terminal of the connection request received by the connection request reception unit is quarantined by the processing device. When,
When the quarantine determination unit determines that the transmission source terminal is quarantined, a response instruction unit that instructs the transmission destination terminal by the processing device to respond to the connection request,
The quarantine system, wherein the terminal control unit controls to respond to a connection request when instructed by the response instruction unit to respond to the connection request. The quarantine system further includes a management server,
The network monitoring device further includes:
When the quarantine determination unit determines that the transmission source terminal is not quarantined, a quarantine processing instruction unit that instructs the management server to perform a quarantine process of the transmission source terminal to the management server,
The management server
A quarantine processing execution unit that receives an instruction from the quarantine processing instruction unit and determines whether the terminal is an unauthorized terminal that does not match the security policy of the monitoring network;
A quarantine processing result transmission unit that transmits a quarantine processing result, which is a result determined by the quarantine processing execution unit, through a communication device;
The network monitoring device further includes:
A quarantine processing result receiving unit for receiving the quarantine processing result transmitted by the quarantine processing result transmitting unit by a communication device;
8. The response instructing unit instructs the destination terminal to respond when the quarantine processing result received by the quarantine processing result receiving unit indicates that the transmission source terminal is not an unauthorized terminal. Quarantine system. A connection request received by a communication device that receives an ARP Request addressed to a destination terminal that is connected to the monitoring network and does not output an ARP Reply to the ARP Request unless instructed by the secure gateway even when receiving an ARP (Address Resolution Protocol) Request And
A quarantine determination information storage unit that stores quarantine determination information indicating whether or not the terminal is quarantined in a storage device;
Based on the quarantine determination information stored in the quarantine determination information storage unit, the quarantine determination unit determines whether the transmission source terminal that is the transmission source terminal of the connection request received by the connection request reception unit is quarantined by the processing device. When,
A response instructing unit for instructing the destination terminal by the processing device so as to output an ARP reply to the ARP request when the quarantine determining unit determines that the source terminal is quarantined. Secure gateway. A connection request reception process for receiving a connection request addressed to a transmission destination terminal that does not respond to a connection request even if a response instruction is received even if a connection request is received from the transmission source terminal, via a network;
Based on quarantine determination information indicating whether or not the terminal stored in the storage device is quarantined, the processing device determines whether or not the transmission source terminal is quarantined,
When the quarantine determination process determines that the transmission source terminal is quarantined, the computer executes a response instruction process for instructing the transmission destination terminal by a processing device to respond to a connection request. Network monitoring program. A connection request receiving step for receiving, via the network, a connection request addressed to a transmission destination terminal that does not respond to the connection request even if the communication device receives a connection request from the transmission source terminal unless a response instruction is given; ,
A quarantine determination step for determining whether or not the transmission source terminal is quarantined based on quarantine determination information indicating whether or not the terminal stored in the storage device in the quarantine determination information storage step is quarantined;
A processing apparatus, comprising: a response instruction step for instructing a transmission destination terminal to respond to a connection request when it is determined in the quarantine determination step that the transmission source terminal has been quarantined. Monitoring method.

Images