JP2008107919A - Firewall device and firewall program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a firewall device capable of easily performing description in which a plurality of security policies are related to each other and capable of reducing also the processing load of packet filtering. <P>SOLUTION: A plurality of security policies are input and set from a GUI picture. An input area of each security policy is displayed in an input area of another policy so as to display inclusion relation. The firewall device filters packets by regarding an outside security policy as an upper (general) policy and an inside security policy as a (lower) exceptional policy out of a plurality of security policies displayed in a nest and applying security policies successively from the upper policy. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a firewall device that selects packets to be transmitted and received.

  A firewall is a device (or function) for controlling access between an untrusted network and a trusted network. Specifically, it is a device that monitors incoming and outgoing packets between an in-house network (trusted network) and the Internet (untrusted network), and passes or discards packets based on a predetermined security policy. . This security policy separates a packet to be passed and a packet to be discarded based on the attribute of the packet.

A packet (IP packet) transmitted through a network has attributes such as a source IP address indicating a source and a destination, a destination IP address, a source port indicating a type of service (application), and a destination port. Yes. By setting what attribute packets are allowed to pass and what attribute packets are to be discarded to the firewall as a security policy, the firewall can pass only specific data and does not need to flow from the outside. Data can be blocked, and leakage of data from the inside can be prevented.
JP 2004-342072 A

  As shown in FIG. 7, the conventional firewall device stores a security policy setting table in which security policies for filtering packets are described in a linear list. When a packet is input, the packet is input from the top of the list. The security policies were sequentially applied to check whether there is a corresponding security policy.

  Because of this determination method, strictness is required in the description order of security policies. That is, since the security policy is always referred to in order from the top, the general policy with a mild judgment condition (a lot of packets are applicable) and a part of the packets corresponding to the general policy are applicable, that is, the packet If there is an exception policy that falls within the applicable range of the general policy, the exception policy must be described at the top. This is because a packet that falls under the exception policy always falls under the general policy, so if the decision is made by applying the general policy first, the packet that falls under the exception policy is also changed to the general policy before the exception policy is applied. This is because the packet is processed as a corresponding packet. For this reason, it has been necessary to always describe the security policies in the order determined in consideration of the inclusion relationship of the security policies.

  Also, with such a linear description method, each policy must be described as an independent security policy, even if it is a security policy that has a relationship between a general policy and an exception policy. It was necessary to describe the judgment conditions. For this reason, even if there are duplicate judgment conditions between multiple security policies (for example, between a general policy and an exception policy), one cannot be omitted, and the description becomes redundant and redundant. Even in the filtering process, it is necessary to determine a duplicated determination condition for each security policy, and there is a problem in that the process is duplicated and the burden on the processing unit increases.

  In addition, since all security policies are linearly described, it was impossible to intuitively understand which was a general policy and which was an exception policy when a staff member listed the list.

  An object of the present invention is to provide a firewall device that can easily describe a plurality of security policies in association with each other and reduce the processing load of packet filtering.

  The invention of claim 1 includes a display area generating means for generating a display area for displaying a security policy on a display screen, a policy input means for describing a security policy input by a user in the generated display area, A firewall apparatus comprising: policy storage means for storing a security policy described by policy input means; and packet processing means for filtering packets using the security policy stored in the policy storage means, wherein the display The area generation means generates a display area in another display area in accordance with a user operation, and the packet processing means includes a higher-level policy that is a security policy for the outer display area, and an inner display area. Apply packets in the order of security policies, and then filter packets. It characterized in that it grayed.

  According to a second aspect of the present invention, the policy input means describes only a changed portion of the lower policy with respect to the higher policy, and the packet processing means filters packets by applying only the changed portion of the lower policy. It is characterized by doing.

  According to a third aspect of the present invention, the policy input means specifies a determination rule for determining whether a packet falls under this security policy target, and an operation that specifies an operation to be executed when the packet falls under this security policy target When the packet corresponds to the upper policy, the packet processing means determines whether the packet corresponds to the lower policy. When the packet also corresponds to the lower policy, the packet processing means The operation specified by the operation specifying information is executed, and when the packet does not correspond to the lower policy, the operation specified by the higher policy is executed.

  According to the invention of claim 4, a display area generation procedure for generating a display area for displaying a security policy on the display screen is described in the packet processing apparatus, and a security policy input by the user is described in the generated display area. A firewall program that executes a policy input procedure, a policy storage procedure for storing a security policy described in the policy input procedure, and a packet processing procedure for filtering packets using the security policy stored in the policy storage procedure. The display area generation procedure includes a procedure of generating a display area inside another display area in accordance with a user operation, and the packet processing procedure is a higher level policy that is a security policy of the outer display area. Policy, lower-level policy that is the security policy of the inner display area Characterized in that it comprises the steps of filtering by applying packets in the order of over.

  The invention according to claim 5 is a procedure in which the policy input procedure describes only a changed portion of the lower policy with respect to the upper policy, and the packet processing procedure applies only the changed portion with respect to the lower policy. It is a procedure for filtering packets.

  According to a sixth aspect of the present invention, the policy input procedure includes a determination rule for determining whether a packet falls under the subject of the security policy, and an operation that specifies an operation to be executed when the packet falls under the subject of the security policy. The packet processing procedure includes a procedure for determining whether or not the packet corresponds to a lower policy when the packet corresponds to a higher policy, and when the packet corresponds to a lower policy, It includes a procedure for executing an operation specified by the operation specifying information of the lower policy and executing an operation specified by the upper policy when the packet does not correspond to the lower policy.

  According to the present invention, since a rough (general) security policy is determined and then the human thought process of defining the exception is met, intuitive setting is possible, and after setting, Even when the setting contents are observed, the intention of the setting can be intuitively grasped.

≪Summary of invention≫
First, an outline of a security policy description method and a security policy processing method according to the present invention will be described with reference to FIGS. In these drawings, a case where seven security policies including the default security policy are described will be described.
Here, the security policy in this embodiment is a determination rule that specifies all or part of a packet attribute, and operation specification information that specifies processing to be performed on the packet when the packet falls under this determination rule. It is data including.

FIG. 1 is a diagram showing the inclusion relationship of each security policy. FIG. 2 is a diagram showing an example of a security policy table in which each security policy is described. FIG. 3 is a diagram illustrating a decision tree for packet processing based on each security policy.
In FIG. 1, the default (applicable to all conditions) security policy is C0. That is, C0 is a security policy to which all input packets correspond (conform), and if there is no other security policy to which the packet corresponds, it is processed according to the operation designation information of this default security policy C0. The

  Each security policy except the default security policy C0 has a determination rule that specifies the content of one or more pieces of attribute information among the attribute information (attribute 1 to attribute N) of the packet. When the packet attribute matches the specified content, the packet is deemed to correspond to the security policy (determination rule). In general, the more detailed the condition (corresponding condition) described in this determination rule is, the narrower the corresponding range to which the packet corresponds to the security policy. Each security policy also defines operation designation information (A1 to A7) that designates processing for a packet that matches the corresponding condition of the security policy.

In this figure, the corresponding range of the packet is (C1) ⊃ (C1.1) ⊃ (C1.1.1), (C1) ⊃.
(C1.2), (C2) ⊃ (C2.1). That is, in terms of the relationship between the security policy C1 and the security policy C1.1, the security policy C1 is a higher-level policy (general policy) that is a higher-level security policy, and the security policy C1.1 is a lower-level policy that is a lower-level security policy. (Exception policy) relationship. In terms of the relationship between the security policy C1.1 and the security policy C1.1.1, the security policy C1.1 is a higher-level policy and the security policy C1.1.1 is a lower-level policy. C1 and C2, and C1.1 and C1.2 are security policies arranged in parallel in the same layer.

  FIG. 2 is a diagram showing an example of a storage form on the memory of the security policy shown in FIG. In this example, a security policy table is configured to store a security policy group. As described above, each security policy is identified by a rule number (numerical value of C or less). That is, it can be seen that rule C1.1 and rule C1.2 are rules in the lower hierarchy of rule C1, and rule C1.1.1 is a rule in the lower hierarchy of rule C1.1. Each security policy includes conditions and operations for each attribute (attribute 1 to attribute N) of the packet. The default security policy C0 is unexamined (*) for all attributes. The security policy C1 defines applicable conditions of “a0” for attribute 1, “b0” for attribute 2, and “c0” for attribute 3. Applicable conditions for other attributes are not described as following the higher-level policy. In the case of C1, since the higher-level policy is the default security policy C0, the conformance condition of other attributes is unexamined (*).

  Security policy C1.1 prescribes only “d0” for attribute 4 as the applicable condition. Applicable conditions for other attributes follow the general policy. Therefore, the corresponding condition for all attributes of the security policy C1.1 is “attribute 1 = a0, attribute 2 = b0, attribute 3 = c0, attribute 4 = d0, attributes 5 to N = *”.

  Security policy C1.1.1 defines “a1” for attribute 1 as a corresponding condition. The corresponding condition “a1” is a condition (a1⊂a0) included in “a0” that is a corresponding condition of the security policy C1. For example, “a0” is in the range of IP address 192.168.0.1-63, and a1 is in the range of 192.168.0.1-7. In this way, a corresponding condition may be further defined for attributes already defined in the higher-level policy. If the corresponding condition of the lower policy corresponds to a packet in a narrower range than the corresponding condition of the upper policy, it functions as a lower policy.

  In addition, if the applicable condition of the lower policy corresponds to a packet in a wider range than the applicable condition of the upper policy, all the packets that conform to the upper policy also correspond to the lower policy. Although it does not function as a subordinate policy, there is no real harm to the packet filtering function.

  Similarly, the security policy C1.2 defines “d1” for attribute 4 as a corresponding condition. Further, the security policy C2 defines a conforming condition of “c2” for attribute 3 and “d2” for attribute 4. The security policy C2.1 defines “n2” for the attribute N as a conforming condition.

  The policy names “C1”, “C1.1”, etc. for identifying the security policy are not automatically input by the user when setting the security policy, but are automatically given by the firewall device. By inputting and setting a security policy using a GUI as shown in FIG. 5 described later, the firewall device can automatically grasp the hierarchical relationship, and the firewall device can easily understand the grasped hierarchical relationship. A policy name is automatically assigned and registered in the security policy table. In addition, the policy name of each security policy is not limited to the above-mentioned style.

  FIG. 3 shows a decision tree when a packet is filtered with the security policy hierarchized as shown in FIGS. In this decision tree, the security policies are arranged so that the upper policies are on the left and the lower policies are on the right. Security policies arranged vertically in the same row (column) are security policies defined in parallel in the same hierarchy.

  In this decision tree, the default policy C0 is first applied to the input packet. Since all packets correspond to the default policy C0, the determination always proceeds to the lower level policies (C1, C2). In this way, when a packet corresponds to the applied security policy, the subordinate policy immediately below it is applied to the packet. When a plurality of security policies exist in the same hierarchy, the security policies arranged above are applied to the packets in order.

  Here, C1 is first applied. If the packet conforms to the security policy C1, the security policy lower than the security policy C1 is then applied to this packet. If the packet does not conform to the security policy C1, the security policy C2 of the same hierarchy is applied to this packet. When the packet conforms to the security policy C2, a security policy lower than the security policy C2 is applied to the packet. If the packet does not conform to the security policy C2, it can be seen that this packet conforms only to the default policy C0 because there is no security policy at the same level. For this reason, the firewall apparatus performs the process of the operation A1 specified by the operation specification information of the default policy for this packet. In this way, when a packet is input, the security policy is applied to the packet by sequentially tracing the decision tree. When there is no security policy to be applied next, the packet does not conform to the last security policy. If (No), the operation specified in the immediately higher security policy is executed.

  The same applies to the case where the packet corresponds to the security policy C1 and the lower policies C1.1 and C1.2 are applied to this packet. C1.1 applies first. If the packet conforms to the security policy C1.1, then C1.1.1, which is a security policy lower than the security policy C1, is applied to this packet. If the packet corresponds to the security policy C1.1.1, there is no security policy lower than the security policy C1.1.1, so that it can be seen that this packet conforms to C1.1.1. Therefore, the operation A4 specified in the operation specification information of the security policy C1.1.1 is executed for this packet. In this way, when a packet is input, the security policy is applied to the packet by sequentially tracing the decision tree. When there is no security policy to be applied next, the last security policy is applicable (Yes ), The operation specified in the last applicable security policy is executed.

  If the packet does not correspond to the security policy C1.1.1, it can be seen that this packet corresponds to the security policy C1.1 because the next security policy no longer exists. For this reason, A3 which is the operation defined in the security policy C1.1 is executed for this packet.

  If the packet does not correspond to the security policy C1.1, the security policy C1.2 of the same hierarchy is applied to this packet. When the packet corresponds to the security policy C1.2, it is understood that this packet conforms to C1.2 because there is no security policy lower than the security policy C1.2. For this reason, A5 which is the operation defined in the security policy C1.2 is executed for this packet.

  Furthermore, if the packet does not conform to the security policies C1.1 and C1.2, it can be seen that the packet conforms to the security policy C1 because there is no security policy at the same level. For this reason, A2 which is the operation defined in the security policy C1 is executed for this packet.

  In this way, in this security policy processing method, a higher-level policy (general policy) with a broader packet range is applied to the input packet first to narrow down the attributes of the lower frame. Then, it is only necessary to determine the attribute of the exception part, and the determination of the duplicate attribute is omitted, and an efficient determination is possible.

≪Router device≫
Hereinafter, a router apparatus to which the security policy description method / processing method is applied will be described with reference to FIGS.
A router device is a device that connects two networks. When a packet is transferred from one network to the other, it is determined whether transfer of the packet is permitted, and only packets that can be permitted are allowed to pass. Perform filtering.

In FIG. 4, the router device includes four LAN side ports 14 and one WAN side port 16. The WAN side port 16 is connected to an ISP or the like that provides Internet services. The WAN side port 16 is connected to the CPU 10 via the PHY chip 15.
A client device (not shown) is connected to each of the four LAN ports 14. These LAN side ports 14 are connected to the layer 2 switch chip 13. The layer 2 switch chip 13 controls communication between a plurality of client devices connected to the LAN side port 14. The layer 2 switch chip 13 is also connected to the CPU 10. The CPU 10 controls communication between the WAN side port 16 and the LAN side port 14.

A flash memory 11 and a RAM 12 are connected to the CPU 10. The flash memory 11 stores a security policy table as shown in FIG. The RAM 12 buffers packets input from the LAN side port 14 and the WAN side port 16 until transfer or discard processing is determined.
In this embodiment, the CPU 10 is used as a control unit that controls communication between the WAN and the LAN. However, a dedicated LSI called a network processor may be used.

FIG. 5A is a diagram showing a display example of a security policy setting screen generated by this router device. FIG. 6 is a diagram showing a decision tree of the security policy group displayed on this setting screen.
The security policy setting screen of FIG. 5A is created by the CPU 10 of the router, and is displayed on the screen of the client PC that has accessed this router device via the network. For example, when a client PC connected to the LAN accesses an address “http://192.168.0.1” with an Internet browser, the screen is displayed in a browser window. In this display screen, a conceptual diagram showing the inclusion relationship of security policies as shown in FIG. 1 is made rectangular so that it can be easily displayed in a window, and each security policy shown in FIG. 2 can be described in each rectangle. It is a thing.

In this figure, the security policy described with reference to FIGS. 1 to 3 is shown in a concrete and simplified manner. The security policy consists of "Receiving interface", "Sending interface", "Start address",
Applicable conditions are defined for all or part of the attributes of “end point address” and “service”. As the operation designation information, one of two types of “passing:...” For allowing the packet to pass or “discarding: ×” for discarding is specified.

  In FIG. 5A, the security policies P1 to P7 are displayed in the respective description areas. P1 is a default policy for packets transferred from the LAN to the WAN. That is, it is a policy that, in principle, a packet whose reception interface is a LAN side port and transmission interface is a WAN side port is discarded. The subordinate policy is P2. P2 is a policy that allows a packet corresponding to P1 to pass if a service (protocol or the like) is a packet related to an essential service.

  Further, the subordinate policies are P3 and P4. The policy P3 is a policy of discarding a packet corresponding to P2 if the start point address is 192.168.0.21 to 255. The policy P4 is a policy that discards packets corresponding to P2 in the case of FTP packets.

  According to these security policies, as shown in FIG. 6 (A), among the packets transferred from the LAN side port to the WAN side port, these are essential service packets having a start address of 192.168.0.1-20. In addition, the service can be passed except for the FTP (File Transfer Protocol).

P5 is a default policy for packets transferred from the WAN to the LAN. That is, it is a policy that, in principle, a packet whose reception interface is the WAN side port and transmission interface is the LAN side port is discarded. The subordinate policy is P6. P6 is a policy that even a packet corresponding to P5 is allowed to pass if the service is an SIP (Session Initiation Protocol) packet. Furthermore, the lower policy is P7. The policy P7 is a policy of discarding a packet corresponding to P6 when the start address is an address registered in the nuisance call list. By these security policies, as shown in FIG. 6 (B), among packets transferred from the WAN side port to the LAN side port, only SIP packets whose start address is not registered in the nuisance call list are allowed to pass. Can do.
In determining the appropriateness of each security policy, only attribute information described as a determination rule is determined, and those not described are not determined. This is because the filtering is already performed by the determination of the upper rule.

In the security policy setting screen shown in FIG. 5A, the user can display the menu list in FIG. 5B by right-clicking the mouse, and select a desired menu from the menu list. Thus, this hierarchical security policy table can be created.
FIG. 5B is a diagram showing a menu list generated and displayed by the router device when the screen is right-clicked. The menu list includes “edit”, “delete”, “copy”, “paste”, “add (parallel)”, “add (narrow down)”, and “invalid” menus.

When a user adds a new security policy to the table, the user selects an “add (parallel)” or “add (narrow down)” menu. When “add (parallel)” is selected, the router device creates a new security policy description area at the same level as the security policy description area right-clicked with the mouse. For example, in FIG. 3A, when this “add (parallel)” is selected in the area P3, a description area P4 is generated.

  When “add (narrow down)” is selected, the router device creates a new security policy description area below the security policy description area right-clicked with the mouse. For example, in FIG. 5A, when this “add (parallel)” is selected in the area P2, a description area P3 or P4 is generated.

  When the user wants to duplicate the previously set security policy, the menu of “copy” and “paste” is selected. When “copy” is selected, the router device stores the security policy of the area right-clicked with the mouse at that time in the buffer. Next, when “Paste” is selected, a security policy area copied below the area right-clicked with the mouse is created and the buffered contents are displayed.

  The “edit” menu is a menu for correcting a security policy that has already been set. When “edit” is selected, the router device can correct the determination rule and the operation selection information of the area right-clicked with the mouse at that time.

  The “delete” menu is a menu for deleting a set security policy. When “Delete” is selected, the router device deletes the security policy in the area right-clicked with the mouse at that time.

  The “invalid” menu is a menu for temporarily not applying the set security policy without deleting it. When “invalid” is selected, the router device invalidates the security policy of the area right-clicked with the mouse at that time, and changes the description area to dark (gray) display. When the same “invalid” operation is performed again, the router device re-enables the security policy in the area and restores the display. In this case, when the security policy is invalidated, the display of the “invalid” button is changed to the “valid” button, and the above “against“ invalid ”operation” is changed to the “valid” operation. Good.

  Note that the processing operations “copy”, “paste”, “delete”, and “edit” executed by the router device may be executed only for the security policy in the area designated by right-clicking. Further, it may be executed as a process including a subordinate policy subordinate to the security policy.

  Further, on the setting screen of FIG. 9A, when the mouse is moved (dragged) in a state where the description area of the security policy is left-clicked, the security policy can be moved. For example, if multiple security policies are set in parallel in the same hierarchy, the following policy judgment process can be reduced by bringing the security policy that most likely matches the packet to the top. For this reason, this drag allows maintenance to change the order of determination. This also makes it possible to perform maintenance such that a plurality of security policies are linearly described in the same hierarchy as in the past, and the exception policy is moved to a higher level than the general policy.

  In the policy setting on the security policy setting screen, when a policy that does not have a corresponding packet within the corresponding range of the higher policy is set as the lower policy, for example, “Service: HTTP” When the determination rule of “Service: FTP” is set as a lower-level policy even though the determination rule of “is set, this lower-level policy is meaningless, but the determination is all NO, Eventually, the packet is processed in accordance with the operation designation information of the upper policy, and there is no actual harm in packet filtering.

At the end of setting input, the apparatus may determine the above meaningless policy and automatically delete it.
Although the router device has been described in the above embodiment, the present invention can be applied to any device as long as it performs packet filtering while transferring packets. Further, the party to which the packet is transferred is not limited to WAN and LAN.

Diagram showing the inclusion relationship of each security policy The figure which shows the example of the security policy table where each security policy is described Diagram showing decision tree for packet processing based on each security policy Block diagram of a router device according to an embodiment of the present invention The figure which shows the example of a display of the security policy setting screen which the said router apparatus produces | generates The figure which shows the decision tree of the security policy group which is displayed on the setting screen of the above-mentioned security policy The figure which shows the example of a display of the conventional security policy setting screen

Explanation of symbols

10 CPU
11 Flash memory 12 RAM
13 Layer 2 switch chip 14 LAN side port 15 PHY chip 16 WAN side port

Claims (6)

Display area generation means for generating a display area for displaying the security policy on the display screen;
Policy input means for describing the security policy input by the user in the generated display area,
Policy storage means for storing the security policy described by the policy input means;
Packet processing means for filtering packets using the security policy stored in the policy storage means;
A firewall device comprising:
The display area generation means generates a display area inside another display area according to a user operation,
The firewall processing device applies the packet in the order of a higher policy that is a security policy of an outer display area and a lower policy that is a security policy of an inner display area. The policy input means describes only the changed part of the lower policy for the lower policy,
The firewall apparatus according to claim 1, wherein the packet processing unit filters the packet by applying only the changed portion for the lower-level policy. The policy input means describes a determination rule for determining whether a packet falls under this security policy, and operation designation information that designates an action to be performed when the packet falls under this security policy.
The packet processing means determines whether the packet corresponds to a lower policy when the packet corresponds to a higher policy,
The operation specified by the operation specifying information of the lower policy is executed when the packet also corresponds to the lower policy, and the operation specified by the upper policy is executed when the packet does not correspond to the lower policy. Item 3. The firewall device according to Item 2. In the packet processor,
A display area generation procedure for generating a display area for displaying a security policy on the display screen;
A policy input procedure that describes the security policy entered by the user in the generated display area,
A policy storage procedure for storing the security policy described in the policy input procedure;
A packet processing procedure for filtering packets using the security policy stored in the policy storage procedure;
A firewall program that runs
The display area generation procedure includes a procedure of generating a display area inside another display area in accordance with a user operation,
The packet processing procedure includes a procedure of filtering packets by applying an upper policy that is a security policy of an outer display area and a lower policy that is a security policy of an inner display area in this order. The policy input procedure is a procedure for describing only the changed part of the upper policy for the lower policy,
The firewall program according to claim 4, wherein the packet processing procedure is a procedure for filtering packets by applying only the changed portion to the lower-level policy. The policy input procedure is a procedure for describing a determination rule for determining whether a packet falls under the subject of this security policy, and operation designation information that designates an action to be executed when the packet falls under the subject of this security policy. Including
The packet processing procedure includes a procedure for determining whether a packet corresponds to a lower policy when the packet corresponds to a higher policy;
And a step of executing an operation specified by operation specifying information of the lower policy when the packet also corresponds to a lower policy, and executing an operation specified by the upper policy when the packet does not correspond to the lower policy. The firewall program according to claim 4 or claim 5.

Images