JP2008219149A - Traffic control system and traffic control method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To interrupt or suppress undesired traffic on the basis of an individual personal policy near the transmitting source of the undesired traffic without taking the detection of the undesired traffic in a user device of a user site as an opportunity. <P>SOLUTION: The user device transmits an individual policy being an aggregate obtained by regarding rules for controlling traffic as elements to a policy aggregating server connected to a wide area network about traffic transmitted and received between the user device and a different user network and/or traffic transmitted and received between the other user network that the user device manages its own user network and the different user network, the policy aggregating server transmits a rule being respective elements of the received individual policy to respective wide area network devices in each of which the rule should be set, and the respective wide area network devices control traffic according to the received rule. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a traffic control system and a traffic control method.

  Conventionally, in a communication environment of a network or a user terminal connected to the network, a countermeasure technique for unnecessary traffic is indispensable. That is, for example, unauthorized intrusion from the outside, a denial of service attack that sends a large amount of communication traffic (DoS attack: Denial of Service attack), or a distributed denial of service attack that simultaneously launches a denial of service attack (DDoS attack) : Countermeasure technology against Distributed Denial of Service attack) is indispensable.

  Unnecessary traffic caused by these attacks not only makes the user terminal targeted for attack (PC (Personal Computer) or server used by the user) unusable or stops service, but also causes the user terminal targeted for attack from the attack source. Occupies the bandwidth of the link or access line on the route in the network leading to the network, and causes a delay or loss to packets destined for the user terminal other than the attack target user terminal flowing on the link or access line.

  As countermeasure techniques for such unnecessary traffic, there are a firewall (FW: FireWall) that performs packet discard and flow rate restriction based on a preset rule, an attack detection system (IDS), and the like. . FW and IDS will be specifically described. First, FW is provided as software installed in a user terminal, a packet filtering function of a network device (NW device: NetWorker device) such as a router, or a dedicated device. For example, in the FW, only the packet of the service provided by the user terminal to the external terminal and the packet for the user terminal to use the service provided by the external terminal are passed, and the other packets are passed. For example, a rule is set by the user so as to block the message.

  The IDS is also provided as software installed in the user terminal, a network device function such as a router, or a dedicated device. The IDS includes a signature type for detecting an attack by comparing a packet acquired by the IDS with a preset attack packet pattern, or a flow information collected from a network device by the IDS acquired packet or IDS. There is a traffic anomaly type in which abnormal traffic is detected by monitoring traffic and analyzing monitoring data.

  FIG. 52 is a diagram for explaining countermeasures by a firewall or attack detection system. As shown in FIG. 52, FW and IDS are generally installed at a user site, sent from an external terminal, and sent via a network. Blocks attack traffic sent to the user site and protects the user terminal from attack traffic. However, as shown in FIG. 52, since FW and IDS cannot exclude attack traffic flowing through the access line connecting the network and the user site, the bandwidth of the access line is occupied by a large amount of attack traffic. As a result, communication between the user terminal and the outside is hindered, and packets and other user terminals that share part or all of the connection point between the network and the access line and the access line are likely to be delayed or lost. Become. Furthermore, since FW and IDS cannot exclude attack traffic flowing in the network, the bandwidth in the network is squeezed by a large amount of attack traffic. The packet addressed to other user terminals is also affected by delay and loss.

  For this reason, for example, in Patent Document 1, the network device holds an individual personal policy for each user terminal or CPE triggered by an attack detection in a user terminal or a network device (CPE: Customer Premises Equipment) at the user site. A technique for blocking attack traffic based on individual personal policies to be held is disclosed. FIG. 53 is a diagram for explaining the prior art. However, as shown in FIG. 53, the technique disclosed in Patent Document 1 is first transmitted from an external terminal to a user terminal (or CPE). The attack traffic (see (1) and (2) in FIG. 53) transmitted to the user site via the network is inspected based on the personal policy in the packet inspection unit, and when the attack packet is detected, the attack packet is discarded. Thus, the user terminal is protected (see (3) in FIG. 53), and the personal policy is transmitted to the NW device (see (4) in FIG. 53). Then, the NW device holds the received personal policy in the defense policy holding unit (see (5) in FIG. 53), and the attack traffic is based on the personal policy held in the defense policy holding unit in the packet inspection unit. If an attack packet is detected, the attack packet is discarded to protect the user terminal.

  Further, for example, Non-Patent Document 1 and Non-Patent Document 2 disclose traffic anomaly type IDSs. These IDSs are installed in the network and first monitor the traffic in the network. Next, IDS detects abnormal traffic such as attack traffic and file exchange by learning and analyzing the normal communication situation in the network, and blocks such attack traffic and abnormal traffic. The purpose is to create a filtering rule to be set in the router. The IDS sets the created filtering rule in a router or the like in the network.

JP 2006-146837 A “ARBOR NETWORKS”, [online], [Search February 16, 2007], Internet <http://www.cisco.com/jp/specialprog/avvidprog/partner/part_find/catalog/sec/secur-arbor. shtml_contact> “Cisco Guard XT 5650”, [online], [Search February 16, 2007], Internet <http://www.cisco.com/japanese/warp/public/3/jp/product/hs/security/ gdma / prodlit / gxt5600_ds.shtml>

  By the way, in the above-described conventional technology, as described below, in order to block or suppress unnecessary traffic based on individual personal policies, unnecessary traffic unless triggered by detection at a user terminal or a network device at a user site. Cannot be blocked or suppressed, and unnecessary traffic cannot be blocked or suppressed near the transmission source of unnecessary traffic.

  That is, with the technique disclosed in Patent Document 1, unnecessary traffic cannot be blocked or suppressed unless triggered by detection at the user terminal or CPE. If so, in general, a user terminal or CPE with low performance is instantaneously overloaded by an excessive attack and its operation becomes unstable. Therefore, when a user terminal or CPE receives an excessive attack, There is a possibility that a personal policy or the like cannot be transmitted to the device, and as a result, the network device may not be able to block or suppress unnecessary traffic. Further, with the technique disclosed in Patent Document 1, it is not possible to eliminate an attack packet near the source of the attack packet. As a result, the network device cannot eliminate the bandwidth compression in the network due to the attack packet, and cannot eliminate the influence on other user terminals such as a user terminal connected to the network. The techniques disclosed in Non-Patent Document 1 and Non-Patent Document 2 do not block or suppress unnecessary traffic based on individual personal policies.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, near the source of unnecessary traffic without triggering detection in the user terminal or network device of the user site, It is an object of the present invention to provide a traffic control system and a traffic control method capable of blocking or suppressing unnecessary traffic based on individual personal policies.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 is configured so that each of user networks configured by user devices operated by a user can communicate with the plurality of user networks. A traffic control system for controlling traffic transmitted from a predetermined user network to another user network via the wide area network when connected to the wide area network via each wide area network device Any one or more of the user devices constituting the user network may be traffic transmitted / received between the user device and another user network other than the user network configured by the user device, and / or Alternatively, the user in the user network Policy aggregation that connects individual policies, which are aggregates whose elements are rules for controlling the traffic, to the wide area network for traffic transmitted and received between the other user devices managed by the device and the other user networks Policy transmitting means for transmitting to a server, wherein the policy aggregation server includes a policy receiving means for receiving each of the individual policies transmitted by the policy transmitting means, and each of the individual policies received by the policy receiving means. And a rule transmission means for transmitting the rule, which is an element of the rule, to each of the wide area network devices to which the rule is to be set, and each of the wide area network devices receives the rule transmitted by the rule transmission means. Rule receiving means for receiving and received by the rule receiving means In accordance with the rules, it is characterized in that and a traffic control unit for controlling the traffic.

  Further, in the invention according to claim 2, in the above invention, the rule transmission unit includes an aggregation rule obtained by aggregating the rule from the rule that is an element of each individual policy received by the policy reception unit, and the rule An aggregation policy that is an aggregate having the aggregation rule as an element is created, and the aggregation rule is transmitted to each of the wide area network devices to which the aggregation rule is to be set.

  The invention according to claim 3 is characterized in that, in the above invention, the policy receiving means verifies the validity of each individual policy when receiving each individual policy.

  Further, in the invention according to claim 4, in the above invention, the user device is disclosed on the network and a non-disclosure address and / or a non-disclosure port number which are not disclosed on a network other than the own user network. A NAT function for converting a disclosure address and / or a disclosure port number is used, and the rule is described by the non-disclosure address and / or the non-disclosure port number. Any one or more of the user devices constituting the device includes an address conversion unit that converts the non-disclosure address and / or the non-disclosure port number described in the rule into the disclosure address and / or the disclosure port number. Further, the policy transmission means is converted by the address conversion means. The individual policy to the rule elements, and transmits to the policy aggregation server.

  The invention according to claim 5 is characterized in that, in the above-mentioned invention, the rule transmitting means further creates, as statistical information, information relating to the user device whose traffic is to be controlled according to the rule, Based on the statistical information created by the rule transmission means, the policy aggregation server is configured to use the rule to control traffic according to the rule, and to another user device other than the user device and the other user network. And a judging means for judging whether or not it should be adopted as a rule for controlling traffic transmitted / received to / from.

  Further, the invention according to claim 6 is the above invention, in which the policy aggregation server includes attack countermeasure information including identification information for identifying an attack packet detected in the wide area network device and countermeasure information for the attack packet. An attack countermeasure information acquisition means acquired from a wide area network device, and an aggregate including countermeasure rules for controlling the traffic based on the attack countermeasure information from the attack countermeasure information acquired by the attack countermeasure information acquisition means. A countermeasure policy creating means for creating a certain countermeasure policy is further provided, wherein the rule transmission means reflects the countermeasure policy created by the countermeasure policy creating means in the rule.

  Further, in the invention according to claim 7, in the above invention, the rule transmitting means creates an aggregate policy that aggregates the rule for each group of user devices whose traffic is controlled based on the same type of rule, Setting information to be set in each of the wide area network devices so as to form a virtual network or a physical network for each group, and an aggregation policy for each group, the setting information and the aggregation policy are set. And transmitting to each of the wide area network devices.

  According to an eighth aspect of the present invention, each of the user networks composed of user devices operated by a user connects each of the wide area network devices to a wide area network in which a plurality of user networks are communicably connected. A traffic control method for controlling traffic transmitted from a predetermined user network to another user network via the wide area network when connected via a predetermined user network, wherein any of user devices constituting the user network One or a plurality of traffics transmitted / received between the user device and another user network other than the user user network constituted by the user device, and / or the user device in the user user network And other user devices managed by A policy transmission step of transmitting, to the policy aggregation server connected to the wide area network, an individual policy that is an aggregate of rules that control the traffic for traffic transmitted to and received from the user network The policy aggregation server receives a policy reception step for receiving each individual policy transmitted by the policy transmission step, and the rule that is an element of each individual policy received by the policy reception step. A rule transmission step for transmitting to each of the wide area network devices to be set, each of the wide area network devices receiving a rule transmitted by the rule transmission step, and a rule reception step. According to the received rule, the traffic is Characterized in that including a traffic control process Gosuru.

  According to the ninth aspect of the present invention, each of the user networks configured of user devices operated by a user connects each of the wide area network devices to a wide area network that connects the plurality of user networks so as to communicate with each other. The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and is a rule that is an element of each individual policy. Is transmitted to each of the wide area network devices to which the rule is to be set, and the wide area network device controls traffic transmitted from the predetermined user network to another user network via the wide area network. User terminal as the user device in An individual policy that is an aggregate of rules for controlling the traffic for traffic transmitted and received between the user terminal and another user network other than the user network configured by the user terminal. Is transmitted to the policy aggregation server.

  According to the tenth aspect of the present invention, each of the user networks configured by user devices operated by a user connects each of the wide area network devices to a wide area network in which a plurality of the user networks are communicably connected. The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and is a rule that is an element of each individual policy. Is transmitted to each of the wide area network devices to which the rule is to be set, and the wide area network device controls traffic transmitted from the predetermined user network to another user network via the wide area network. The user device as the user device in A set of network devices that have rules for controlling the traffic as elements of traffic transmitted / received between the user network device and a user network other than the user network configured by the user network device. It is characterized by comprising policy transmission means for transmitting an individual policy as a body to the policy aggregation server.

  According to an eleventh aspect of the present invention, each of the user networks composed of user devices operated by a user connects each of the wide area network devices to a wide area network in which a plurality of the user networks are communicably connected. The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and is a rule that is an element of each individual policy. Is transmitted to each of the wide area network devices to which the rule is to be set, and the wide area network device controls traffic transmitted from the predetermined user network to another user network via the wide area network. The user port as the user device in Traffic transmitted and received between another user device managed by the user policy server and another user network other than the own user network in the own user network configured by the user policy server A policy acquisition unit that acquires an individual policy that is an aggregate including rules that control the traffic from each of the other user devices, and each of the individual policies acquired by the policy acquisition unit. Policy transmission means for transmitting to the aggregation server.

  According to a twelfth aspect of the present invention, each of the user networks configured of user devices operated by a user connects each of the wide area network devices to a wide area network that connects the plurality of user networks so as to communicate with each other. A policy aggregation server connected to the wide area network in a traffic control system for controlling traffic transmitted from a predetermined user network to another user network via the wide area network Traffic transmitted / received between any one or a plurality of user devices constituting the user network between the user device and another user network other than the own user network configured by the user device, and / or Or the user A policy for receiving each individual policy, which is an aggregate of rules that control the traffic, for traffic transmitted / received between the other user device managed by the user device and the other user network in the network. By transmitting the rule that is an element of each of the individual policies received by the receiving unit and the policy receiving unit to each of the wide area network devices to which the rule is to be set, And a rule transmission means for controlling the traffic according to the rule.

  According to a thirteenth aspect of the present invention, each of the user networks composed of user devices operated by a user connects each of the wide area network devices to a wide area network that connects the plurality of user networks so that they can communicate with each other. A policy aggregation server connected to the wide area network in a traffic control system for controlling traffic transmitted from a predetermined user network to another user network via the wide area network Traffic transmitted / received between any one or a plurality of user devices constituting the user network between the user device and another user network other than the own user network configured by the user device, and / or Or the user A policy for receiving each individual policy, which is an aggregate of rules that control the traffic, for traffic transmitted / received between the other user device managed by the user device and the other user network in the network. From the receiving means and the rules that are elements of each of the individual policies received by the policy receiving means, an aggregate policy that aggregates the rules for each group of user devices whose traffic is controlled based on the same type of rules. The setting information to be created and set in each of the wide area network devices so as to form a virtual network or a physical network for each group, and the aggregation policy for each group are represented by the setting information and the aggregation policy. The wide area network device to be set By transmitting each, characterized in that and a rule sending means for controlling the traffic in accordance with the rules in each of the wide area network device.

  According to the fourteenth aspect of the present invention, each of the user networks composed of user devices operated by a user connects each of the wide area network devices to a wide area network in which a plurality of such user networks are communicably connected. The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and is a rule that is an element of each individual policy. Is transmitted to each of the wide area network devices to which the rule is to be set, and the wide area network device controls traffic transmitted from the predetermined user network to another user network via the wide area network. Is a computer as the user device. A user terminal program to be executed by a user terminal, and a rule for controlling the traffic with respect to traffic transmitted / received between the user terminal and a user network other than the user network configured by the user terminal. It is characterized by causing a user terminal, which is the computer, to execute a policy transmission procedure for transmitting individual policies, which are aggregates as elements, to the policy aggregation server.

  In the invention according to claim 15, each of the user networks configured by user devices operated by a user can connect each of the wide area network devices to a wide area network in which a plurality of user networks are communicably connected. The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and is a rule that is an element of each individual policy. Is transmitted to each of the wide area network devices to which the rule is to be set, and the wide area network device controls traffic transmitted from the predetermined user network to another user network via the wide area network. Is a computer as the user device. A user network device program to be executed by a user network device, wherein the traffic is transmitted and received between the user network device and a user network other than the user network configured by the user network device. It is characterized by causing a user network device, which is the computer, to execute a policy transmission procedure for transmitting an individual policy, which is an aggregate including rules to be controlled, to the policy aggregation server.

  The invention according to claim 16 is that each of the user networks configured by user devices operated by a user connects each of the wide area network devices to a wide area network in which a plurality of user networks are communicably connected. The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and is a rule that is an element of each individual policy. Is transmitted to each of the wide area network devices to which the rule is to be set, and the wide area network device controls traffic transmitted from the predetermined user network to another user network via the wide area network. Is a computer as the user device. A user policy server program to be executed by a user policy server, the other user device managed by the user policy server in the own user network configured by the user policy server and another user network other than the own user network The policy acquisition procedure for acquiring the individual policy, which is an aggregate of rules that control the traffic, from each of the other user devices, and the policy acquisition procedure In addition, a policy transmission procedure for transmitting each individual policy to the policy aggregation server is executed by a user policy server which is the computer.

  In the invention according to claim 17, each of the wide area network apparatuses is connected to a wide area network in which each of the user networks configured by user apparatuses operated by the user is connected to be able to communicate with each other. A computer as a policy aggregation server for connecting a traffic control method for controlling traffic transmitted from a predetermined user network to another user network via the wide area network when connected via the wide area network A policy aggregation server program to be executed by any one or more of the user devices constituting the user network, the user device and a user network other than the user network configured by the user device; Sending and receiving between And a rule for controlling the traffic with respect to traffic transmitted / received between the other user network and the other user device managed by the user device in the user network. A policy reception procedure for receiving each individual policy that is an aggregate, and the rule that is an element of each individual policy received by the policy reception procedure is transmitted to each of the wide area network devices to which the rule is to be set. Thus, a rule transmission procedure for causing each of the wide area network devices to control the traffic according to the rule is executed by the computer as the policy aggregation server.

  According to an eighteenth aspect of the present invention, each of the user networks configured by user devices operated by a user connects each of the wide area network devices to a wide area network in which a plurality of the user networks are communicably connected. A computer as a policy aggregation server for connecting a traffic control method for controlling traffic transmitted from a predetermined user network to another user network via the wide area network when connected via the wide area network A policy aggregation server program to be executed by any one or more of the user devices constituting the user network, the user device and a user network other than the user network configured by the user device; Send and receive between And a rule for controlling the traffic with respect to traffic transmitted / received between the other user network and the other user device managed by the user device in the user network. From the policy reception procedure for receiving each individual policy that is an aggregate, and the rule that is an element of each of the individual policies received by the policy reception procedure, the user apparatus whose traffic is controlled based on the same type of rule Create an aggregation policy that aggregates the rules for each group, setting information to be set in each of the wide area network devices so as to form a virtual network or a physical network for each group, and for each group The aggregation policy is changed to the setting information and Causing the computer as the policy aggregation server to execute a rule transmission procedure for causing each of the wide area network devices to control the traffic in accordance with the rules by transmitting the aggregation policies to each of the wide area network devices to be set. It is characterized by.

  According to the first, eighth to twelfth and fourteenth to seventeenth aspects of the present invention, each of the user networks configured by user devices operated by a user is connected to a wide area network that connects a plurality of user networks so as to communicate with each other. A traffic control system that controls traffic transmitted from a predetermined user network to another user network via a wide area network when the network is connected via each of the wide area network devices. Any one or more of the user devices are traffic transmitted / received between the user device and another user network other than the own user network configured by the user device, and / or the user device within the own user network. Managed by other user devices and other users For the traffic sent to and received from the network, an individual policy that is an aggregate of rules that control traffic is sent to the policy aggregation server connected to the wide area network. Each individual policy is received, and a rule that is an element of each received individual policy is transmitted to each of the wide area network devices to which the rule is to be set, and each of the wide area network devices receives and receives the transmitted rule. Because traffic is controlled according to established rules, it is unnecessary based on individual personal policies near the source of unnecessary traffic without triggering detection at user equipment (user terminals, network devices, etc.) at the user site. It becomes possible to block or suppress the traffic.

  Further, according to the invention of claim 2, the policy aggregation server creates an aggregation rule that is an aggregation of rules and an aggregation policy that is an aggregate of the aggregation rules from the rules that are elements of each individual policy, Since the aggregation rule is transmitted to each of the wide area network devices for which the aggregation rule is to be set, in addition to the above effect, by creating the aggregation policy, the total number of rules is reduced. As a result, the FW processing and IDS of the wide area network device Since the effect of reducing the processing load can be obtained, it is possible to set an aggregation policy for all wide area network devices in advance to block or suppress unnecessary traffic.

  According to the invention of claim 3, since the policy aggregation server verifies the validity of each individual policy when receiving each individual policy, in addition to the above effect, the wide area network device is an individual that is not valid. According to the policy, it is possible to avoid the risk of improperly controlling traffic.

  According to the invention of claim 4, the user apparatus can provide a non-disclosure address and / or a non-disclosure port number that is not disclosed on a network other than its own user network and a disclosure address and / or a disclosure port disclosed on the network A NAT function for converting numbers is used, and the rule is described by a non-disclosure address and / or a non-disclosure port number, and any one or a plurality of user devices constituting a user network are used. Converts a non-disclosure address and / or a non-disclosure port number described in a rule into a disclosure address and / or a disclosure port number, and transmits an individual policy having the converted rule as an element to the policy aggregation server Therefore, in addition to the above effects, user devices (user terminals, network devices, etc.) Even in an environment which is connected to the wide area network by using the function, it is possible to block or inhibit unwanted traffic.

  According to the invention of claim 5, the policy aggregation server creates, as statistical information, information related to a user device whose traffic is to be controlled according to the rule, and the rule is determined based on the created statistical information. In addition to the above effect, it is determined whether or not to adopt as a rule for controlling traffic transmitted / received between other user devices other than the user device whose traffic is to be controlled according to In determining whether or not abnormal traffic detected by a wide area network device should be blocked or suppressed as unnecessary traffic, statistical information (for example, how many individual policies are aggregated by the rule, how many people The user's rules are aggregated, etc.) as the user's consensus It is possible to Rukoto can determine whether or not the material.

  According to the invention of claim 6, the policy aggregation server acquires attack countermeasure information including identification information for identifying an attack packet detected in the wide area network device and countermeasure information for the attack packet from the wide area network device. From the attack countermeasure information created, a countermeasure policy that is an aggregate of countermeasure rules that control traffic based on the attack countermeasure information is created, and the created countermeasure policy is reflected in the rules. In addition to the above effects, Abnormal traffic detected on the wide-area network device side and determined as countermeasures can be blocked or suppressed as unnecessary traffic.

  According to the seventh, thirteenth, or eighteenth aspect of the present invention, the policy aggregation server creates an aggregation policy in which rules are aggregated for each group of user devices whose traffic is controlled based on the same type of rules. Setting information to be set in each of the wide area network devices to form a virtual network or a physical network, and an aggregation policy for each group, to each of the wide area network devices to which the setting information and the aggregation policy should be set Since transmission is performed, in addition to the above-described effects, it is possible to ensure fairness among users when a large amount of traffic that is not attack traffic occurs.

  Exemplary embodiments of a traffic control system and a traffic control method according to the present invention will be explained below in detail with reference to the accompanying drawings. In the following, the main terms used in the embodiment, the outline and features of the traffic control system according to the first embodiment, the configuration of the traffic control system according to the first embodiment, the procedure of processing by the traffic control system according to the first embodiment, The effects of the first embodiment will be described in order, and then other embodiments will be described.

[Explanation of terms]
First, main terms used in the following examples will be described. A “user network” is a network of a user site operated by an individual user, such as a corporate network or a home network. More specifically, the “user network” is a terminal (hereinafter referred to as user terminal) such as a PC (Personal Computer) or a server used by a user (hereinafter referred to as user terminal), or a network device (hereinafter referred to as CPE) that connects these user terminals. : Customer Premises Equipment). In the following, when considering a device having the same function that constitutes a “user network” without distinguishing between such user terminals and CPE, it is expressed as “user device”, and the user terminal and CPE are distinguished. When considering a device having a different function, it is expressed as “user terminal” or “CPE”. In the following embodiments, “user policy server” also appears as “user device”.

  By the way, normally, a “user device” does not transmit / receive traffic only to / from a “user device” in the same “user network”. A plurality of “user networks” are communicably connected to each other by a “wide area network” operated by an Internet service provider (hereinafter referred to as ISP: Internet Service Provider) or the like to constitute a predetermined “user network”. The “user device” transmits / receives traffic to / from another “user network”. Thus, when the “user device” transmits / receives traffic to / from another “user network”, as is well known, a countermeasure technique for unnecessary traffic becomes indispensable.

  Here, “unnecessary traffic” refers to attack traffic, mass traffic, and the like. Conventionally, a “user device” having an FW function and an IDS function controls such traffic according to a personal policy (corresponding to “individual policy” described in the claims), and thus such “unnecessary traffic”. ”Has been taken. However, “unnecessary traffic” is transmitted from “predetermined“ user network ”to other“ user network ”via“ wide area network ””, so that “unnecessary traffic” is It is desirable to be blocked or suppressed at the entrance in the “wide area network”. For this reason, in the following embodiments, “unnecessary traffic” is transmitted to a “wide area network device” that is passed when a “user network” is transmitted to another “user network”. How to set personal policy to “Wide area network device” and how to set “Wide area network device” at the entrance to “Wide area network”. The setting is important.

[Outline and Features of Traffic Control System According to Embodiment 1]
Next, the outline and characteristics of the traffic control system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining the outline and features of the traffic control system according to the first embodiment.

  As described above, in the traffic control system according to the first embodiment, each of user networks configured by user devices operated by users is connected to a wide area network in which a plurality of network users are communicably connected to each other. When connected via each network device, the outline is to control the traffic transmitted from a predetermined user network to another user network via a wide area network, and the detection at the user device at the user site is triggered. The main feature is that unnecessary traffic is blocked or suppressed based on an individual personal policy near the transmission source of unnecessary traffic.

  This main feature will be briefly described. As shown in FIG. 1, the traffic control system according to the first embodiment is any one or a plurality of user devices (user terminals, CPEs, user policy servers) constituting a user network. Is transmitted to the policy aggregation server connected to the wide area network (see (1) in FIG. 1).

  Specifically, any one or more of the user devices transmit and receive between the user device (user terminal, CPE, user policy server) and a user network other than the own user network configured by the user device. Rules for controlling the traffic to be transmitted and received and traffic transmitted / received between other user devices (user terminals, CPE) and other user networks managed by the user device (user policy server) in the own user network The individual policy, which is an aggregate of the elements, is transmitted to the policy aggregation server. For example, in the first embodiment, the user terminal 4A, the CPE 5A, and the user policy server 6 transmit the individual policies to the policy aggregation server 7 as user devices.

  Next, the policy aggregation server receives each transmitted individual policy (see (2) in FIG. 1). For example, in the first embodiment, the policy aggregation server 7 receives each individual policy transmitted from the user terminal 4A, the CPE 5A, and the user policy server 6.

  Subsequently, the policy aggregation server transmits a rule that is an element of each received individual policy to each of the wide area network devices to which the rule is to be set (see (3) in FIG. 1). For example, in the first embodiment, the policy aggregation server 7 transmits rules that are elements of individual policies to the wide area network devices 3A, 3B, and 3C.

  Then, the wide area network apparatus receives the transmitted rule (see (4) in FIG. 1), and controls traffic according to the received rule (see (5) in FIG. 1). For example, in the first embodiment, the wide area network devices 3A, 3B, and 3C receive the rules transmitted from the policy aggregation server 7, and control the traffic according to the received rules.

  For this reason, according to the traffic control system according to the first embodiment, individual detection is performed near the source of unnecessary traffic without triggering detection in a user device (such as a user terminal or CPE) at the user site. Unnecessary traffic can be blocked or suppressed based on the personal policy.

[Configuration of Traffic Control System According to Embodiment 1]
Next, the configuration of the traffic control system according to the first embodiment will be described with reference to FIGS. FIG. 2 is a block diagram illustrating the overall configuration of the traffic control system according to the first embodiment, FIG. 3 is a block diagram illustrating the configuration of the user terminal according to the first embodiment, and FIG. 4 illustrates service information of the user terminal. 5 is a diagram for explaining a storage unit, FIGS. 5 to 7 are diagrams for explaining a rule set storage unit of a user terminal, and FIGS. 8 and 9 are diagrams for explaining a policy transmission unit of a user terminal. FIG. 10 is a block diagram illustrating a configuration of a user network device (CPE) in the first embodiment, and FIG. 11 is a diagram for explaining a service information storage unit of the CPE, and FIGS. FIG. 15 is a diagram for explaining a rule set storage unit of the CPE, FIGS. 15 and 16 are diagrams for explaining a policy transmission unit of the CPE, and FIG. 17 is a user policyr in the first embodiment. FIG. 18 is a diagram for explaining the service information storage unit of the user policy server, and FIGS. 19 to 23 are diagrams for explaining the rule set storage unit of the user policy server. 24 and 25 are diagrams for explaining the policy transmission unit of the user policy server, FIG. 26 is a block diagram showing the configuration of the policy aggregation server in the first embodiment, and FIG. FIG. 28 is a diagram for explaining a user information storage unit of the aggregation server, FIGS. 28 to 31 are diagrams for explaining a policy data storage unit of the policy aggregation server, and FIG. 32 is a wide area network device of the policy aggregation server FIG. 33 is a diagram for explaining a configuration information storage unit, FIG. 33 is a diagram for explaining an attack countermeasure information acquisition unit of a policy aggregation server, and FIG. 34 is a policy aggregation server. It is a diagram for explaining a countermeasure policy creation unit Bas, FIG. 35 is a diagram for explaining the policy aggregating unit of the policy aggregation server.

  First, the configuration of the traffic control system according to the first embodiment will be described with reference to FIG. As shown in FIG. 2, the traffic control system according to the first embodiment includes user terminals 4A, 4B, 4C, 4D, and 4E used by a user, and user network devices (CPE) 5A and 5B operated by the user. The user networks 1B, 1C, and 1D that are configured to include such user terminals and user network devices, the user policy server 6 that configures the user network, the ISP, and the like. A wide area network 1A that is communicably connected, wide area network devices 3A, 3B, and 3C that are installed between the user network and the wide area network 1A, and a policy aggregation server 7 that is connected to the wide area network 1A.

  Further, as shown in FIG. 2, the user terminal 4A is given an external address 10.10.1.1, the user terminal 4B is given an internal address 192.168.1.1, and the user terminal 4C has an internal address The address 192.168.1.2 is assigned, the internal address 192.168.1.1 is assigned to the user terminal 4D, the internal address 192.168.2.1 is assigned to the user terminal 4E, and the external address is assigned to the CPE 5A. 10.10.1.2 is assigned, the external address 10.10.1.3 is assigned to the CPE 5B, the internal address 192.168.2.2 is assigned to the user policy server 6, and the external address is sent to the policy aggregation server 7. The address 10.10.180.120 is given. The user terminal 4E and the user policy server 6 are installed in a demilitarized zone (DMZ).

  In the first embodiment, an example in which the user terminals 4A, CPE 5A, and CPE 5B are connected to the wide area network device 3A will be described, but the present invention is not limited to this, and more user terminals and Either a case where a CPE is connected or a case where only a user terminal is connected may be used. In the first embodiment, a case where user terminals 4B, 4C, 4D, and 4E are connected to CPE 5A and CPE 5B will be described. However, the present invention is not limited to this, and more user terminals are used. Any case may be used, such as a case where is connected. In other words, the traffic control system according to the present invention is not limited to the first embodiment (example in FIG. 2) regarding the specific configuration of the user network, and the number and connection of user terminals, CPEs, and user policy servers. The same applies to other configurations having different forms and the like.

  Below, user terminal 4A, user terminal 4B, CPE 5A, user policy server 6, policy aggregation server 7, and wide area network apparatus 3A will be described in order as typical apparatuses constituting the traffic control system according to the present invention.

[User terminal 4A]
The user terminal 4A in the first embodiment is a user terminal directly connected to the wide area network apparatus 3A as shown in FIG. 2, and particularly as closely related to the present invention, as shown in FIG. A policy transmission unit 401, a service information storage unit 402, an address conversion unit 403, and a rule set storage unit 404 are provided. The policy transmission unit 401 corresponds to the “policy transmission unit” described in the claims, and the address conversion unit 403 corresponds to the “address conversion unit” described in the claims.

  The service information storage unit 402 stores in advance the address and authentication information of the policy aggregation server 7. Specifically, the service information storage unit 402 stores the address and authentication information of the policy aggregation server 7 in advance, and the user terminal policy is stored in the policy aggregation server by the policy transmission unit 401 described later. It is used when it is transmitted to 7. For example, as shown in FIG. 4, the service information storage unit 402 stores the policy aggregation server address “10.10.180.120”, the port number “1025”, and the authentication data “abcd” in advance in association with each other. Yes.

  The rule set storage unit 404 stores user terminal policies in advance. Specifically, the rule set storage unit 404 stores in advance rules such as FW, IDS, and NAT (Network Address Translation) as user terminal policies. It is transmitted to the aggregation server 7.

  For example, the rule set storage unit 404 stores in advance FW rules as shown in FIG. 5, IDS rules as shown in FIG. 6, and IDS rules as shown in FIG. First, the FW rules will be described. For example, as shown in FIG. 5, the rule set storage unit 404 includes an input / output direction, a destination address, a source address, a destination port number, a source port number, FW rules that associate protocols, protocol-dependent information, and operations are stored in advance. For example, if the protocol is “TCP (Transmission Control Protocol)”, the protocol dependency information means flags such as “SYN”, “ACK”, “RST”, “FIN”, and the protocol is “ICMP ( Internet Control Message Protocol ”means a message type such as“ echo ”or“ echo-reply ”.

  Here, the rule with the number “4” is a packet in the direction of “INPUT” for the user terminal 4A, the destination address is “any” (arbitrary), the source address is “any” (arbitrary), and the destination If the port number is “any” (arbitrary), the source port number is “any” (arbitrary), the protocol is “any” (arbitrary), and there is no protocol-dependent information, the operation is “Reject” It prescribes. In other words, the user terminal 4A prescribes that all packets should be “discarded” in principle by the rule of the number “4”. On the other hand, the user terminal 4A prescribes exceptionally “receiving” some packets according to the rules of the numbers “1” to “3”. For example, the rule of number “1” is a packet in the direction of “INPUT” for the user terminal 4A, the destination address is “any” (arbitrary), the source address is “any” (arbitrary), and the destination port It is defined that the operation is “Accept” for a packet whose number is “8000”, the source port number is “any” (arbitrary), the protocol is “TCP”, and the protocol dependency information is “SYN”.

  Next, an IDS rule will be described. For example, as shown in FIG. 6, the rule set storage unit 404 has a detection target (input / output direction, destination address, source address, destination port number, source port number, protocol). , And protocol-dependent information), IDS rules in which detection conditions (abnormality detection threshold and abnormality detection threshold excess time) are associated with countermeasures are stored in advance. The protocol-dependent information means, for example, a flag such as “SYN”, “ACK”, “RST”, “FIN”, etc. if the protocol is “TCP”, and “echo” if the protocol is “ICMP”. ”And“ echo-reply ”, and further includes application protocols such as HTTP (HyperText Transfer Protocol) and messages thereof.

  Here, the rule with the number “1” is a packet in the direction of “INPUT” for the user terminal 4A, the destination address is “any” (arbitrary), the source address is “any” (arbitrary), and the destination The packet number is “any” (optional), the source port number is “HTTP (80)”, the protocol is “TCP”, and the protocol-dependent information is not detected, and “50Mpps” is set as a threshold. The detection condition is that the packet is detected when this threshold is exceeded by “3 minutes”, and “rate limiting 10 Mpps” is specified as a countermeasure when a detection target is detected.

  Next, NAT rules will be described. For example, as shown in FIG. 7, the rule set storage unit 404 stores, in advance, NAT rules in which external addresses and external port numbers are associated with internal addresses and internal port numbers. I remember it. Here, the rule of number “1” stipulates that all internal addresses are converted to external addresses “10.10.1.1”.

  The address conversion unit 403 converts addresses and port numbers according to NAT rules when NAT is used. Specifically, the address conversion unit 403 converts the destination address and destination port number included in the FW rule and IDS rule of the rule set storage unit 404 into the destination address and destination used in the network according to the NAT rule. Convert to port number.

  For example, the address conversion unit 403 converts the destination address included in the FW rule (see FIG. 5) stored in advance by the rule set storage unit 404 into the external address according to the NAT rule (see FIG. 7). Convert to “10.10.1.1” (see FIG. 8). Further, the address conversion unit 403 converts the destination address included in the IDS rule (see FIG. 6) stored in advance by the rule set storage unit 404 into an external address according to the NAT rule (see FIG. 7). Convert to “10.10.1.1” (see FIG. 9).

  The policy transmission unit 401 transmits the user terminal policy to the policy aggregation server 7. Specifically, the policy transmission unit 401 sends the rule set (rules such as FW, IDS, and NAT stored in advance by the rule set storage unit 404) converted by the address conversion unit 403 to the policy aggregation server 7. Send. For example, the policy transmission unit 401 transmits the FW rule as illustrated in FIG. 8 and the IDS rule as illustrated in FIG. 9 to the policy aggregation server 7. The policy transmission unit 401 may transmit the user terminal policy to the policy aggregation server 7 in a timely manner or may transmit the user terminal policy in response to a request from the policy reception unit 701 of the policy aggregation server 7.

[User terminal 4B]
As shown in FIG. 2, the user terminal 4B in the first embodiment is a user terminal that is indirectly connected to the wide area network apparatus 3A via the CPE 5A that is directly connected to the wide area network apparatus 3A. As described above, it is not necessary to provide the policy transmission unit 401, the service information storage unit 402, the address conversion unit 403, and the rule set storage unit 404.

[CPE5A]
As shown in FIG. 2, the CPE 5A according to the first embodiment is a CPE that is directly connected to the wide area network apparatus 3A and indirectly connects the user terminal 4B and the like to the wide area network apparatus 3A, and is particularly closely related to the present invention. As shown in FIG. 10, a policy transmission unit 501, a service information storage unit 502, an address conversion unit 503, and a rule set storage unit 504 are provided. The policy transmission unit 501 corresponds to the “policy transmission unit” described in the claims, and the address conversion unit 503 corresponds to the “address conversion unit” described in the claims.

  Similar to the service information storage unit 402, the service information storage unit 502 stores in advance the address and authentication information of the policy aggregation server 7. Specifically, the service information storage unit 502 stores the address and authentication information of the policy aggregation server 7 in advance, and the user terminal policy is stored in the policy aggregation server by the policy transmission unit 501 described later. It is used when it is transmitted to 7. For example, as shown in FIG. 11, the service information storage unit 502 stores in advance the policy aggregation server address “10.10.180.120”, the port number “1025”, and the authentication data “efgh” in association with each other. Yes.

  Similar to the rule set storage unit 404, the rule set storage unit 504 stores a user network device policy in advance. Specifically, the rule set storage unit 504 stores in advance rules such as FW, IDS, and NAT as user network device policies. These rules are stored in the policy aggregation server 7 by the policy transmission unit 501 described later. Sent.

  For example, the rule set storage unit 504 stores in advance FW rules as shown in FIG. 12, IDS rules as shown in FIG. 13, and NAT rules as shown in FIG. First, the FW rules will be described. For example, as shown in FIG. 12, the rule set storage unit 504 includes an input / output direction, a destination address, a source address, a destination port number, a source port number, FW rules that associate protocols, protocol-dependent information, and operations are stored in advance.

  Here, the rule of the number “6” is a packet in the “INPUT” direction for the CPE 5A, the destination address is “any” (arbitrary), the source address is “any” (arbitrary), and the destination port number Is specified as “Reject” as the operation for packets with “any” (optional), source port number “any” (optional), protocol “any” (optional), and no protocol-dependent information. ing. That is, the CPE 5A prescribes that all packets are “discarded” in principle by the rule of the number “6”. On the other hand, the CPE 5A prescribes exceptionally “receiving” some packets according to the rules of the numbers “1” to “5”. For example, the rule with the number “1” is a packet in the “INPUT” direction for the CPE 5A, the destination address is “192.168.1.1”, the source address is “any” (arbitrary), and the destination port number is “ For HTTP (80), a packet with a source port number of “any” (optional), a protocol of “TCP”, and protocol-dependent information of “SYN” is defined as “Accept” as an operation.

  Next, the IDS rules will be described. The rule set storage unit 504, as shown in FIG. 13, for example, is a detection target (input / output direction, destination address, source address, destination port number, source port number, protocol). , And protocol-dependent information), IDS rules in which detection conditions (abnormality detection threshold and abnormality detection threshold excess time) are associated with countermeasures are stored in advance.

  Here, the rule with the number “1” is a packet in the direction of “INPUT” for the CPE 5A, the destination address is “192.168.1.1”, the source address is “any” (arbitrary), and the destination port number is A packet with “HTTP (80)”, source port number “any” (optional), protocol “TCP”, protocol dependency information “SYN” is targeted for detection, and “50 Mpps” is set as a threshold. The detection condition is that the packet is detected when the threshold is exceeded by “3 minutes”, and “rate limiting 10 Mpps” is specified as a countermeasure when a detection target is detected.

  Next, NAT rules will be described. For example, as shown in FIG. 14, the rule set storage unit 504 stores, in advance, NAT rules in which external addresses and external port numbers are associated with internal addresses and internal port numbers. I remember it. Here, the rule with the number “1” is that the packet of the combination of the internal address “192.168.1.1” and the internal port number “80” has the external address “10.10.1.2” and the external port number “HTTP (80)”. It is specified that the packet is converted into a combination packet.

  Similarly to the address conversion unit 403, the address conversion unit 503 converts an address and a port number according to the NAT rule when using NAT. Specifically, the address conversion unit 503 converts the destination address and destination port number included in the FW rule and IDS rule of the rule set storage unit 504 into the destination address and destination used in the network according to the NAT rule. Convert to port number.

  For example, the address conversion unit 503 converts the destination address included in the FW rule (see FIG. 12) stored in advance by the rule set storage unit 504 into an external address according to the NAT rule (see FIG. 14). Conversion to “10.10.1.2” (see FIG. 15). Further, the address conversion unit 503 converts the destination address included in the IDS rule (see FIG. 13) stored in advance by the rule set storage unit 504 into an external address according to the NAT rule (see FIG. 14). It is converted to “10.10.1.2” (see FIG. 16).

  The policy transmission unit 501 transmits the user network device policy to the policy aggregation server 7, similarly to the policy transmission unit 401. Specifically, the policy transmission unit 501 transfers the rule set (rules such as FW, IDS, and NAT stored in advance by the rule set storage unit 504) address-converted by the address conversion unit 503 to the policy aggregation server 7. Send. For example, the policy transmission unit 501 transmits the FW rule as illustrated in FIG. 15 and the IDS rule as illustrated in FIG. 16 to the policy aggregation server 7.

[User Policy Server 6]
As shown in FIG. 2, the user policy server 6 according to the first embodiment is a user policy server that is indirectly connected to the wide area network apparatus 3A via the CPE 5B that is directly connected to the wide area network apparatus 3A. As closely related to the present invention, as shown in FIG. 17, a policy transmission unit 601, a service information storage unit 602, an address conversion unit 603, a rule set storage unit 604, and a policy acquisition unit 605 are provided. Prepare. The policy transmission unit 601 corresponds to the “policy transmission unit” described in the claims, and the address conversion unit 603 corresponds to the “address conversion unit” described in the claims, and the policy acquisition unit 605. Corresponds to “policy acquisition means” recited in the claims. In the following embodiment, an example in which the user policy server 6 configures the traffic control system as a single device will be described. However, the present invention is not limited to this, and the user policy server 6 is provided in the CPE. Any specific implementation such as a case of configuring a traffic control system as a function to be performed may be used.

  Similar to the service information storage unit 402, the service information storage unit 602 stores in advance the address and authentication information of the policy aggregation server 7. Specifically, the service information storage unit 602 stores the address and authentication information of the policy aggregation server 7 in advance, and these addresses and authentication information are stored in the policy aggregation server 7 by the policy transmission unit 601 described later. Used when sent. For example, as shown in FIG. 18, the service information storage unit 602 stores the policy aggregation server address “10.10.180.120”, the port number “1025”, and the authentication data “ijkl” in advance in association with each other. Yes.

  Similar to the rule set storage unit 404, the rule set storage unit 604 stores a policy in advance. Specifically, the rule set storage unit 604 stores rules such as FW, IDS, and NAT as policies in advance, and these rules are transmitted to the policy aggregation server 7 by the policy transmission unit 601 described later. . Of course, the rule set storage unit 404 stores the user terminal policy of the user terminal in advance, and the rule set storage unit 504 stores the user network device poly of the user network device itself in advance. The unit 604 stores in advance a user terminal policy of a user terminal managed by the user policy server 6 and a user network device policy of a user network device managed by the user policy server 6.

  The ruleset storage unit 604 holds these user terminal policies and user network device policies, for example, by a method that the user policy server 6 holds by accepting settings by the user, or a policy acquisition unit 605 described later, for example. Any method such as a method of acquiring and holding from the rule set storage unit 404 of the user terminal 4D or the rule set storage unit 504 of the CPE 5B may be used.

  For example, the rule set storage unit 604 stores in advance FW rules as shown in FIGS. 19 and 20 and IDS rules as shown in FIGS. Here, FIG. 19 shows the FW rule acquired by the policy acquisition unit 605 described later from the rule set storage unit 404 of the user terminal 4D and held by the rule set storage unit 604, and FIG. The policy acquisition unit 605 to acquire the FW rule acquired from the rule set storage unit 504 of the CPE 5B and held by the rule set storage unit 604. Similarly, FIG. 21 shows IDS rules acquired by the policy acquisition unit 605 described later from the rule set storage unit 404 of the user terminal 4D and held by the rule set storage unit 604, and FIG. The policy acquisition unit 605 to acquire the IDS rule acquired from the rule set storage unit 504 of the CPE 5B and held by the rule set storage unit 604.

  Next, the NAT rules will be described. For example, as shown in FIG. 23, the rule set storage unit 604 stores a NAT rule in which an external address and an external port number are associated with an internal address and an internal port number in advance. I remember it. Here, the rule with the number “1” is that the packet of the combination of the internal address “192.168.1.1” and the internal port number “80” has the external address “10.10.1.3” and the external port number “HTTP (80)”. It is specified that it is converted into a combination packet.

  Similar to the address conversion unit 403, the address conversion unit 603 converts an address and a port number according to a NAT rule when using NAT. Specifically, the address conversion unit 603 converts the destination address and destination port number included in the FW rule and IDS rule of the rule set storage unit 604 into the destination address and destination used in the network according to the NAT rule. Convert to port number.

  For example, the address conversion unit 603 converts destination addresses included in some FW rules (see FIGS. 19 and 20) stored in advance by the rule set storage unit 604 into NAT rules (see FIG. 23). In response, the external address is converted to “10.10.1.3” (see FIG. 24). Further, the address conversion unit 603 converts the destination address included in the IDS rule (see FIGS. 21 and 22) stored in advance by the rule set storage unit 604 in accordance with the NAT rule (see FIG. 23). The external address is converted to “10.10.1.3” (see FIG. 25).

  The policy transmission unit 601 transmits the user terminal policy and the user network device policy to the policy aggregation server 7, similarly to the policy transmission unit 401. Specifically, the policy transmission unit 601 sends the rule set (address rules such as FW, IDS, and NAT stored in advance by the rule set storage unit 604), which has been converted by the address conversion unit 603, to the policy aggregation server 7. Send. For example, the policy transmission unit 601 transmits the FW rule as illustrated in FIG. 24 and the IDS rule as illustrated in FIG. 25 to the policy aggregation server 7.

  The policy acquisition unit 605 is a user terminal policy or user network device policy that is an aggregate of rules that control traffic for traffic transmitted / received between a user terminal or user network device and another user network device. Is acquired from the user terminal or the user network device.

[Policy Aggregation Server 7]
As shown in FIG. 2, the policy aggregation server 7 according to the first embodiment is connected to the wide area network 1A, and particularly as closely related to the present invention, as shown in FIG. Information storage unit 702, policy management unit 703, policy data storage unit 704, policy aggregation unit 705, control management unit 706, countermeasure policy creation unit 707, attack countermeasure information acquisition unit 708, and wide area network device configuration And an information storage unit 709. The policy receiving unit 701 corresponds to the “policy receiving unit” described in the claims, and the policy management unit 703 corresponds to the “determination unit” described in the claims, and includes the policy aggregating unit 705 and The control management unit 706 corresponds to the “rule transmission unit” described in the claims, and the countermeasure policy creation unit 707 corresponds to the “measure policy creation unit” described in the claims, and acquires attack countermeasure information. The unit 708 corresponds to “attack countermeasure information acquisition unit” recited in the claims.

  The user information storage unit 702 stores in advance information necessary for verifying the validity of the transmission source of the individual policy, and information necessary for verifying the validity of the FW rule and IDS rule that are elements of the individual policy. Specifically, the user information storage unit 702 stores in advance the addresses and authentication information of the user terminal 4A, the CPE 5A, and the user policy server 6 as information necessary for verifying the validity of the transmission source of the individual policy, Permitted as the destination address of the FW rule and IDS rule transmitted by the user terminal 4A, CPE 5A, and user policy server 6 as information necessary for verifying the validity of the FW rule and IDS rule that are the elements of the individual policy An address or the like is stored in advance, and the stored information is used for verification in the policy receiving unit 701.

  For example, as shown in FIG. 27, the user information storage unit 702 has a user ID (UID) “A”, a source address “10.10.1.1”, authentication information “abcd”, and an assigned address “10.10.1.1”. Are stored in advance.

  In the first embodiment, an example has been described in which the user information storage unit 702 stores the above information in advance as information for verifying the validity of each individual policy. However, the present invention is not limited to this. Any specific information may be used as long as it is information that can verify the validity of each individual policy according to the form of operation. In the first embodiment, since the policy receiving unit 701 employs a technique for verifying the validity of each individual policy when receiving each individual policy, the policy aggregation server 7 includes the user information storage unit 702. However, the present invention is not limited to this, and the policy receiving unit 701 employs a method that does not verify the validity of each individual policy (such as receiving each individual policy without verifying it). In this case, the policy aggregation server 7 does not need to include the user information storage unit 702.

  The policy data storage unit 704 stores individual policies, aggregate policies, and countermeasure policies. Specifically, the policy data storage unit 704 transfers the individual policy, the aggregate policy, or the countermeasure policy from the policy receiving unit 701, the policy aggregation unit 705, and the countermeasure policy creation unit 707 through the mediation of the policy management unit 703. The stored individual policy, aggregation policy, or countermeasure policy is transferred to the policy aggregation unit 705 or the control management unit 706 through the mediation of the policy management unit 703. For example, the policy data storage unit 704 stores the individual policy received by the policy reception unit 701, stores the aggregate policy created by the policy aggregation unit 705, or the countermeasure policy created by the countermeasure policy creation unit 707. Or remember.

  For example, the policy data storage unit 704 stores individual policies (FW rules) as shown in FIG. 28 and individual policies (IDS rules) as shown in FIG. Further, for example, the policy data storage unit 704 stores an aggregate policy (FW rule) as shown in FIG. 30 and an aggregate policy (IDS rule) as shown in FIG. Further, for example, the policy data storage unit 704 stores a countermeasure policy as shown in FIG. 34 and an aggregate policy reflecting the countermeasure policy as shown in FIG.

  The wide area network device configuration information storage unit 709 stores in advance information necessary for creating a wide area network device specific rule. Specifically, the wide area network device configuration information storage unit 709 includes, as information necessary for creating rules for each wide area network device, setting methods for the wide area network devices 3A, 3B, and 3C, settable rule types, and rules. The format and the like are stored in advance, and the stored information is used for processing in the control management unit 706.

  For example, as shown in FIG. 32, the wide area network device configuration information storage unit 709 includes a device number “3A”, a setting method “telnet / CL1, 10.10.10.1 passwd: xxxx”, a settable rule type “FW”, The rule format “maker A format” is stored in advance in association with each other. The attack countermeasure information acquisition method is information used by the attack countermeasure information acquisition unit 708.

  In the first embodiment, an example has been described in which the wide area network device configuration information storage unit 709 stores the above information in advance as information necessary for creating a rule for each wide area network device. The present invention is not limited to this, and any specific information may be used as long as it is information for creating a rule for each wide area network device in accordance with the form of operation.

  The policy receiving unit 701 receives each transmitted individual policy. Specifically, the policy receiving unit 701 receives each individual policy transmitted from the user terminal 4A, the CPE 5A, and the user policy server 6, and stores each received individual policy in the policy data storage unit 704. Also, the policy receiving unit 701 in the first embodiment verifies the validity of each individual policy when receiving each individual policy. The specific processing by the policy receiving unit 701 will be described in detail later when the processing procedure (at the time of individual policy reception) by the policy aggregation server is described.

  The policy aggregation unit 705 creates an aggregation policy. Specifically, the policy aggregating unit 705 creates an aggregation rule that aggregates the rules from the rules that are elements of the individual policies for the individual policies received by the policy receiving unit 701 and stored in the policy data storage unit 704. Then, an aggregation policy that is an aggregate having aggregation rules as elements is created, and the created aggregation policy is stored in the policy data storage unit 704 through the mediation of the policy management unit 703.

  Further, the policy aggregating unit 705 according to the first embodiment, when creating an aggregation rule, statistical information on information related to user devices (user terminal 4A, CPE 5A, user policy server 6) whose traffic is controlled according to the aggregation rule. The created statistical information is used for determination in the policy management unit 703. Further, the policy aggregation unit 705 according to the first embodiment reflects the countermeasure policy created by the countermeasure policy creation unit 707 described later and stored in the policy data storage unit 704 in the aggregation policy stored in the policy data storage unit 704. To do. The specific processing by the policy aggregation unit 705 will be described later when the processing procedure by the policy aggregation server (at the time of individual policy reception) and the processing procedure by the policy aggregation server (at the time of attack countermeasure information reception) are described. The details will be described below.

  The control management unit 706 sets the rules for each wide area network device in the wide area network device. Specifically, the control management unit 706 is a wide area network device in which an aggregation rule needs to be set from an aggregation rule that is an element of an aggregation policy created by the policy aggregation unit 705 and stored in the policy data storage unit 704 A wide-area network device-specific rule (FW processing or IDS processing rule) in a form suitable for the network, and set the created wide-area network device-specific rule in the wide-area network device to which the wide-area network device-specific rule needs to be set To do. The specific processing by the control management unit 706 will be described in detail later when the processing procedure (at the time of individual policy reception) by the policy aggregation server is described.

  The policy management unit 703 manages policies. Specifically, the policy management unit 703 includes the individual policy and aggregation among the policy reception unit 701, policy aggregation unit 705, control management unit 706, countermeasure policy creation unit 707, and policy data storage unit 704. The policy is managed by mediating the delivery of the policy or the countermeasure policy. For example, the policy management unit 703 stores the individual policy received by the policy reception unit 701 in the policy data storage unit 704 or the aggregate policy created by the policy aggregation unit 705 and stored in the policy data storage unit 704. The countermeasure policy is transmitted to the control management unit 706, or the countermeasure policy created by the countermeasure policy creating unit 707 is stored in the policy data storage unit 704.

  In addition, the policy management unit 703 according to the first exemplary embodiment uses the user device (user terminal, CPE, user) whose traffic is controlled according to the aggregation rule based on the statistical information created by the policy aggregation unit 705. A function for determining whether or not to adopt a rule for controlling traffic transmitted / received between other user devices other than the policy server and other user networks (corresponding to “determination means” described in claims) ). The specific processing by the policy management unit 703 will be described later when the processing procedure by the policy aggregation server (when individual policy is received) and the processing procedure by the policy aggregation server (when attack countermeasure information is received) are described. The details will be described below.

  The attack countermeasure information acquisition unit 708 acquires attack countermeasure information. Specifically, the attack countermeasure information acquisition unit 708 acquires, from the wide area network device, identification information for identifying an attack packet detected in the wide area network device and attack countermeasure information including countermeasure information for the attack packet. The attack countermeasure information thus used is used for processing by the countermeasure policy creation unit 707. The specific processing by the attack countermeasure information acquisition unit 708 will be described in detail later when the processing procedure (when attack countermeasure information is received) by the policy aggregation server is described.

  The countermeasure policy creation unit 707 creates a countermeasure policy. Specifically, the countermeasure policy creation unit 707 is a countermeasure policy that is an aggregate of countermeasure rules that control traffic based on the attack countermeasure information from the attack countermeasure information acquired by the attack countermeasure information acquisition unit 708. And the created countermeasure policy is stored in the policy data storage unit 704 through the mediation of the policy management unit 703. In the first embodiment, the countermeasure policy stored in the policy data storage unit 704 is reflected on the aggregation policy by the policy aggregation unit 705. The specific processing by the attack countermeasure information acquisition unit 708 will be described in detail later when the processing procedure (when attack countermeasure information is received) by the policy aggregation server is described.

[Wide area network device 3A]
The wide area network device 3A (same for 3B and 3C) in the first embodiment is a router or FW device having a packet filter function, an FW device having an IDS function, or the like, and blocks or blocks a packet according to a set FW rule. While suppressing, an attack is detected according to the set IDS rule. Although not shown, the wide area network device 3A receives a wide area network device specific rule transmitted by the policy aggregation server 7 (corresponding to the “rule receiving means” described in the claims), A traffic control unit (corresponding to “traffic control means” described in claims) according to the rules for each wide area network device.

[Procedure of processing by traffic control system according to embodiment 1]
Next, a processing procedure by the traffic control system according to the first embodiment will be described with reference to FIGS. 36 is a flowchart showing a processing procedure by the user terminal, FIG. 37 is a flowchart showing a processing procedure by the CPE, FIG. 38 is a flowchart showing a processing procedure by the user policy server, and FIG. FIG. 40 is a flowchart showing a processing procedure (when an individual policy is received) by the policy aggregation server, FIG. 40 is a flowchart showing a processing procedure (when attack countermeasure information is received) by the policy aggregation server, and FIG. 41 is a policy. It is a flowchart which shows the procedure of the policy reception process by an aggregation server.

[Processing procedure by user terminal]
Hereinafter, the processing procedure by the user terminal 4A will be described as an example. As shown in FIG. 36, first, the user terminal 4A in the address conversion unit 403, the FW rules and IDS stored in the rule set storage unit 404 are stored. Of the rules and NAT rules, for each rule (FW rule and IDS rule) other than the NAT rule, the destination address and / or destination port number is converted based on the NAT rule, and the converted FW rule and IDS rule are The policy is transmitted to the policy transmission unit 401 (step S1).

  For example, if the NAT rule “1” stored in the rule set storage unit 404 stipulates that the address “A” of the user terminal 4A is converted to the address “B”, the user terminal 4A The address conversion unit 403 converts the destination address of the address “A” included in the FW rule and the IDS rule into the address “B”. Further, in the NAT rule “2” stored in the rule set storage unit 404, the combination of the address “C” and the port number “D” of the user terminal 4A becomes the combination of the address “E” and the port number “F”. In the case where it is defined to be converted, the user terminal 4A uses the address conversion unit 403 to change the combination of the address “C” and the port number “D” included in the FW rule and IDS rule to the address “E”. And a combination of the port number “F”.

  When the user terminal 4A does not have the NAT function, the user terminal 4A does not store the NAT rule in the rule set storage unit 404. The FW rule and IDS rule stored in the storage unit 404 are simply delivered to the policy transmission unit 401.

  Next, the user terminal 4A uses the information stored in the service information storage unit 402 as the individual policy for the FW rule and the IDS rule delivered from the address conversion unit 403 in the policy transmission unit 401, using the policy aggregation. It transmits to the server 7 (step S2). Here, the service information storage unit 402 stores information necessary for transmission of individual policies, such as the address, port number, authentication information, and the like of the policy aggregation server 7 that is the transmission destination.

  For example, in the example of the FW rule in FIG. 5 and the IDS rule in FIG. 6, the destination address of each FW rule and IDS rule is defined as “any” (arbitrary). In the example of the NAT rule in FIG. It stipulates that the internal address is converted to the external address “10.10.1.1”. Therefore, the user terminal 4A uses the address conversion unit 403 to set the destination addresses of all the rules to “10.10”, such as the FW rule of FIG. 5 and the IDS rule of FIG. 6, and the FW rule of FIG. 8 and the IDS rule of FIG. To ".1.1".

  In the first embodiment, the case where there is only one rule set has been described. However, the present invention is not limited to this, and may be any case where there are a plurality of rule sets. When there are a plurality of rule sets, a rule set number for distinguishing the rule set is added to each rule so as to distinguish the rule set by an individual policy.

[Processing procedure by CPE]
Hereinafter, the processing procedure by the CPE 5A will be described as an example. As shown in FIG. 37, first, the CPE 5A in the address conversion unit 503 is the FW rule, IDS rule, and NAT stored in the rule set storage unit 504. Among the rules, for each rule (FW rule and IDS rule) other than the NAT rule, the destination address and / or the destination port number are converted based on the NAT rule, and the converted FW rule and IDS rule are converted to the policy transmission unit 501. (Step S11).

  For example, if the NAT rule “1” stored in the rule set storage unit 504 specifies that the address “A” of the CPE 5A is converted to the address “B”, the CPE 5A In unit 503, the destination address of address “A” included in the FW rule and IDS rule is converted to address “B”. Further, in the NAT rule “2” stored in the rule set storage unit 504, the combination of the address “C” and the port number “D” of the CPE 5A is converted into the combination of the address “E” and the port number “F”. In the address conversion unit 503, the combination of the address “C” and the port number “D” included in the FW rule and the IDS rule is converted into the address “E” and the port number “ F ”combination.

  If the CPE 5A does not have a NAT function, the CPE 5A is not stored in the rule set storage unit 504, and therefore the CPE 5A is stored in the address conversion unit 503 by the rule set storage unit 504. The FW rule and IDS rule that have been received are simply delivered to the policy transmission unit 501.

  Next, in the policy transmission unit 501, the CPE 5A uses the information stored in the service information storage unit 502 by using the FW rule and IDS rule delivered from the address conversion unit 503 as individual policies, and uses the policy aggregation server 7 (Step S12). Here, the service information storage unit 502 stores information necessary for transmission of individual policies, such as the address, port number, authentication information, and the like of the policy aggregation server 7 that is the transmission destination.

  For example, in the example of the NAT rule in FIG. 14, a combination of the internal address “192.168.1.1” and the internal port number “80” is converted into a combination of the external address “10.10.1.2” and the external port number “80”. The combination of the address “192.168.1.2” and the internal port number “80” is converted into the combination of the external address “10.10.1.2” and the external port number “3000”. It stipulates that an arbitrary internal address is converted to an external address “10.10.1.2”. Therefore, the CPE 5A uses the internal address “192.168.1.1” and the internal port number for the FW rule in FIG. 12 and the IDS rule in FIG. 13 in the address conversion unit 503 as in the FW rule in FIG. 15 and the IDS rule in FIG. The combination of `` 80 '' is converted to the combination of external address `` 10.10.1.2 '' and external port number `` 80 '', and the combination of internal address `` 192.168.1.2 '' and internal port number `` 80 '' is converted to external address `` 10.10. 1.2 ”and external port number“ 3000 ”, and any other internal address and internal port number combination is converted to an external address“ 10.10.1.2 ”.

  In the first embodiment, the case where there is only one rule set has been described. However, the present invention is not limited to this, and may be any case where there are a plurality of rule sets. When there are a plurality of rule sets, a rule set number for distinguishing the rule set is added to each rule so as to distinguish the rule set by an individual policy.

[Processing procedure by user policy server]
Below, the procedure of the process by the user policy server 6 will be described as an example. The user terminal 4D stores a plurality of FW rules and IDS rules in advance in the rule set storage unit 404, and the CPE 5B stores a plurality of FW rules, IDS rules, and NAT rules in advance in the rule set storage unit 504. It shall be remembered. As shown in FIG. 38, first, the user policy server 6 acquires each rule set from the rule set storage unit 404 of the user terminal 4D and the rule set storage unit 504 of the CPE 5B in the policy acquisition unit 605. Store in the rule set storage unit 604. The rule set stored in the rule set storage unit 604 by the user policy server 6 may be directly input from the user (step S20).

  Next, the user policy server 6 in the address conversion unit 603, each rule other than the NAT rule (FW rule and IDS rule) among the FW rule, IDS rule, and NAT rule stored in the rule set storage unit 604. , The destination address and / or destination port number is converted based on the NAT rule, and the converted FW rule and IDS rule are delivered to the policy transmission unit 601 (step S21).

  For example, if the NAT rule “1” stored in the rule set storage unit 604 specifies that the address “A” of the user policy server 6 is converted to the address “B”, the user policy In the address conversion unit 603, the server 6 converts the destination address of the address “A” included in the FW rule and the IDS rule into the address “B”. Further, in the NAT rule “2” stored in the rule set storage unit 604, the combination of the address “C” and the port number “D” of the user policy server 6 is the combination of the address “E” and the port number “F”. In the address policy conversion unit 603, the user policy server 6 converts the combination of the address “C” and the port number “D” included in the FW rule and IDS rule to the address “ E ”and port number“ F ”.

  When the user policy server 6 does not have the NAT function, the user policy server 6 does not store the NAT rule in the rule set storage unit 604. The FW rule and IDS rule stored in the rule set storage unit 604 are simply delivered to the policy transmission unit 601.

  Next, the user policy server 6 uses the information stored in the service information storage unit 602 as the individual policy for the FW rule and IDS rule delivered from the address conversion unit 603 in the policy transmission unit 601. It transmits to the aggregation server 7 (step S22). Here, the service information storage unit 602 stores information necessary for transmission of individual policies, such as the address, port number, and authentication information of the policy aggregation server 7 that is the transmission destination.

  For example, in the example of the NAT rule in FIG. 23, the combination of the internal address “192.168.1.1” and the internal port number “80” is converted into the combination of the external address “10.10.1.3” and the external port number “80”. The combination of the address “192.168.1.2” and the internal port number “53” is converted into the combination of the external address “10.10.1.3” and the external port number “53”, and the internal address “192.168.1.2” and the internal port number “25” ”Is converted into a combination of external address“ 10.10.1.3 ”and external port number“ 25 ”, and any other internal address and internal port number combination can be changed to any internal address“ external address “10.10.1.3”. ”Is specified. Therefore, the user policy server 6 uses the address conversion unit 503 to convert the FW rule of FIGS. 19 and 20 and the IDS rule of FIGS. 21 and 22 into the internal address “192.168” as in the FW rule of FIG. 24 and the IDS rule of FIG. .1.1 ”and internal port number“ 80 ”are converted into a combination of external address“ 10.10.1.3 ”and external port number“ 80 ”, and a combination of internal address“ 192.168.1.2 ”and internal port number“ 53 ” Is converted to a combination of the external address “10.10.1.3” and the external port number “53”, and the combination of the internal address “192.168.1.2” and the internal port number “25” is converted to the external address “10.10.1.3” and the external port It is converted into a combination of number “25”, and any other internal address and internal port number combination can be changed to any internal address. To convert to an external address "10.10.1.3".

  Since there are a plurality of rule sets, a rule set number for distinguishing the rule set is added to each rule so as to distinguish the rule set by an individual policy.

  As described above, the destination address and the destination port number included in the FW rule and the IDS rule of the individual policy transmitted by the policy transmission units 401, 501 and 601 to the policy aggregation server 7 by the address conversion units 403, 503 and 603 are the network Since the addresses and port numbers used in 1A, 1C, and 1D are converted, an aggregate policy is created using this individual policy, rules for each wide area network device are created from the aggregate policy, and the wide area network device is assigned to the wide area network. When the device-specific rules are set, the FW process and the IDS process can be performed in the wide area network apparatuses 3A, 3B, and 3C.

[Procedure for processing by policy aggregation server (when individual policy is received)]
In the following, a processing procedure by the policy aggregation server 7 (a processing procedure when the policy aggregation server 7 receives individual policies from the user terminal 4A, the CPE 5A, and the user policy server 6) will be described as an example. FIG. As shown in the figure, first, the policy aggregation server 7 receives the individual policy transmitted from the policy transmission unit 401 of the user terminal 4A, the policy transmission unit 501 of the CPE 5A, and the policy transmission unit 601 of the user policy server 6 in the policy reception unit 701. Each information is received, using the information stored in the user information storage unit 702, the validity of the individual policy is confirmed, and each rule included in the individual policy is supplemented and transferred to the policy management unit 703 ( Step S301).

  Here, a specific processing procedure of the policy reception unit 701 will be described. As shown in FIG. 41, the policy aggregation server 7 uses the policy transmission unit 401 of the user terminal 4A and the policy transmission of the CPE 5A in the policy reception unit 701. Each individual policy transmitted from the means 501 and the policy transmission means 601 of the user policy server 6 is received (step S401).

  In the user information storage unit 702, as in the example of user information in FIG. 27, information necessary for verifying the validity of the individual policy transmission source (addresses and authentication information of the user terminal 4A, the CPE 5A, and the user policy server 6). Etc.) and information necessary for verifying the validity of the FW rules and IDS rules that are elements of individual policies (the destination addresses of the FW rules and IDS rules transmitted from the user terminal 4A, CPE 5A, and user policy server 6) Permissible addresses and the like) are stored in advance.

  For this reason, the policy aggregation server 7 uses the information stored in the user information storage unit 702 in the policy reception unit 701 to verify the validity of the transmission source of the individual policy, the FW rule and the IDS rule included in the individual policy. The reception of the invalid individual policy is rejected or discarded (step S402).

  For example, in the first embodiment, the policy aggregation server 7 discards the individual policy whose source address is other than “10.10.1.1”, “10.10.1.2”, or “10.10.1.3” in the policy receiving unit 701. . In addition, the policy aggregating server 7 uses the individual policy in the policy receiving unit 701 when the source information is “10.10.1.1”, “10.10.1.2”, or “10.10.1.3”, but the authentication information does not match. Reject reception or discard after reception. Regarding the individual policy whose validity is confirmed, the policy aggregation server 7 next verifies the validity of the rule in the policy receiving unit 701. In the first embodiment, since the assigned address of the user whose transmission source address is “10.10.1.1” is “10.10.1.1”, the value of the transmission address of the rule of the individual policy received from the transmission source address “10.10.1.1” Must be "10.10.1.1" or "any" indicating any value. Therefore, the policy aggregation server 7 discards the individual policy including rules other than the source address “10.10.1.1” or “any” in the policy receiving unit 701 as invalid.

  Subsequently, the policy aggregating server 7 allows the policy receiving unit 701 to accept a rule for which the destination address is not specified among the rules of the individual policy for which the validity of the rule is confirmed, from the source of the individual policy. The destination address stored is supplemented using information stored in the user information storage unit 702 (step S403).

  For example, in the first embodiment, the user apparatus with the source address “10.10.1.2” is CPE5A, and the assigned address is “10.10.1.2”. Therefore, R1015 in the example of the FW rule of CPE5A in FIG. The destination address “any” of R1113 in the example of the IDS rule of CPE5A in FIG. 16 is replaced with the assigned address “10.10.1.2” to become R2115 and R2116 in FIG. 28 and R2513 in FIG. In addition, when there are multiple allocation addresses such as "10.10.1.1" and "10.10.2.0/24" (network address), there are multiple destination addresses such as "10.10.1.1" and "10.10.2.0/24" Is replaced with the address. By performing this verification and complementation, it is possible to avoid the mixing of individual policies from unauthorized senders and the mixing of unauthorized individual policies in the policy aggregation processing in the policy aggregation unit 705 described later.

  Then, the policy aggregation server 7 passes the individual policy to the policy management unit 703 in the policy reception unit 701 (step S404).

  Then, the policy aggregation server 7 causes the policy management unit 703 to receive the individual policy delivered from the policy reception unit 701, the aggregation policy created by the policy aggregation unit 705 described later, and the countermeasure policy created by the countermeasure policy creation unit 707. Is stored and managed in the policy data storage unit 704 (S302).

  In the first embodiment, the example of the FW rule in FIG. 28 and the example of the IDS rule in FIG. 29 are transferred from the policy reception unit 701 to the policy management unit 703 and stored in the policy data storage unit 704.

  Thereafter, the policy aggregation server 7 delivers the individual policy delivered from the policy receiver 701 and the aggregate policy held in the policy data storage unit 704 to the policy aggregator 705. The policy aggregator 705 And a new aggregation policy are created from the aggregation policy (step S303).

  This policy aggregating unit 705 aggregates the FW rules, IDS rules, etc. included in each individual policy in the same type of rule unit, and the aggregation policy having a smaller number of rules than the total number of individual policy rules received by the policy receiving unit 701. Create As this aggregation method, for example, when there is a rule having all the same attribute values other than attributes (for example, destination addresses) in all individual policies, the value of the attribute is set to “any”. Can be one rule. In this example, the rules R2014, R2116, R2314, and R2325 in FIG. 28 are all integrated with the rule R2709 in FIG. 30 because all the attributes other than the destination address are the same.

  Further, a rule in which a rule having the same value for all attributes other than a certain attribute value (for example, a destination address) exists in the individual policy of the majority or more is assumed to exist in all the individual policies. By making one rule that does not specify a destination address and a rule that reverses the operation of that rule that specifies a destination address that is allowed for an individual policy that does not include that rule, the rule number of the majority of individual policies is at least The number of rules can be reduced to less than a majority of individual policies.

  For example, in the first embodiment, R2111 and R2311 in FIG. 28 have the same values for all attributes other than the destination address, and in terms of rule sets, two of the four rule sets are considered in units of user devices. In FIG. 30, the R2704 rule in which the destination address is “any” and the destination address of the R2111 rule are R2111 and R2311 except for the destination address. The destination address (10.10.1.1) allowed for the user apparatus A that does not have the same rule is collected into the R2703 rule that performs the opposite operation. In the first embodiment, since the number of user devices is 3, only two rules are provided. However, as the number of user devices having the same type of rules increases, the effect of aggregation increases.

  Also, if there are multiple rules that differ only in the value of a certain attribute (for example, destination address) and all other attribute values are the same, if the value of that attribute is a continuous value, the attribute value is The rule can be expressed as In the first embodiment, the R2511 rule and R2611 rule in FIG. 29 differ only in the destination address, all other attribute values are the same, and the destination address is continuous. Aggregated.

  As described above, since the policy aggregation unit 705 reduces the total number of rules, the effect of reducing the load of FW processing and IDS processing in the network device can be obtained. And IDS rules can be set to block, suppress, or detect attack packets. The policy aggregation unit 705 may present the created aggregation policy to an ISP operator.

  Further, the policy aggregation server 7 creates, in the policy aggregation unit 705, statistical information indicating the number of aggregated individual policies and which individual policy rules are aggregated. The policy aggregation server 7 stores and manages the statistical information in the policy data storage unit 704 together with the aggregation policy in the policy management unit 703. The policy aggregation server 7 retains this statistical information to determine whether the abnormality detected by the IDS function of the wide area NW devices 3A, 3B, and 3C can be blocked or suppressed as an attack. Whether or not each rule can be interpreted as a user consensus can be used as a judgment material.

  In the first embodiment, T1 and T2 in FIGS. 30 and 31 are statistical information of the aggregation policy, and for each rule, the aggregation source, the statistics in units of sets, and the statistics in units of users are described. For example, in the rule of R2704 in FIG. 30, the aggregation source is “B1, C1”, which is an aggregation of the rule of rule set 1 of user B and the rule of rule set 1 of user C. It shows that there is. Further, the set unit statistics are “50%” because two rule sets are aggregated out of the total number 4 of rule sets used for aggregation. Further, the user unit statistics are “66%” because the individual policies of the three users are aggregated and aggregated from the individual policies of the two users. For example, in the rule of R2803, if a “TCP” “SYN” packet with a destination port number “80” continuously flows for more than “50M” packets per second for 3 minutes, the rate is set to “10M” packets per second as an abnormality. Since more than half of the users have a policy to restrict, this is considered as user consensus, and even if the destination is not "10.10.1.2" or "10.10.1.3", abnormal traffic is determined to be an attack It can be a judgment criterion to suppress.

  Then, the policy aggregation server 7 stores the aggregation policy newly created in the policy aggregation unit 705 in the policy data storage unit 704 in the policy management unit 703 (step S304).

  Subsequently, the policy aggregation server 7 hands over the newly created aggregation policy from the policy data storage unit 704 to the control management unit 706. The control management unit 706 creates a FW rule and an IDS rule for each NW device based on the information of the wide area NW device held in the wide area NW device configuration information storage unit 709 from the delivered aggregation policy. The NW device is set (step S305).

  The wide area network device configuration information storage unit 709 stores in advance a setting method, settable rule types, rule formats, and the like for the wide area network devices 3A, 3B, and 3C as information necessary for creating a rule for each wide area network device. is doing. FIG. 32 shows an example of the network device configuration information. For the NW device 3A, “telnet” to the address “10.10.10.1”, log in with the password “xxxx”, and set with the command line interface (CLI). It is shown. In the settable rule type, the rule that can be set for the wide-area NW device is described as “FW”, and the rule format input by the CLI is described as the format of manufacturer A. Such a wide area NW device can be set by using a script language such as Perl.

  Further, the wide area NW device configuration information storage unit 709 holds the FW rules and IDS rules already set in the wide area NW devices 3A, 3B, and 3C as existing setting rules, so that the control management unit 706 can The rule set in the devices 3A, 3B, and 3C can be only the difference between the newly created FW rule and IDS rule and the existing FW rule and IDS rule (step S305).

  With the above operation, the policy aggregation server 7 sets each rule of the aggregation policy in the wide area NW devices 3A, 3B, and 3C using the setting format of each device. Specific examples of the rules to be set are as shown in the FW rule of FIG. 30 and the IDS rule of FIG. 31, but the set type and statistical information are not included. The wide area NW devices 3A, 3B, and 3C are specifically routers, FW devices having a packet filter function, FW devices having an IDS function, and the like.

  The router or FW device having the packet filter function then sets the destination address, source address, destination port number, source port number, protocol, and protocol-specific attributes (protocol-dependent information) of the received packet. Packet destination address, source address, destination port number, source port number, protocol, protocol-specific attributes and rule packet destination address, source address, destination port number, source port If the number, protocol, and protocol-specific attributes match, the operation specified by the matched rule is performed on the packet. In the example of the FW rule shown in FIG. 30, the R2701 rule has a destination address “10.10.1.1”, a destination port number “8000”, a protocol “TCP”, and a TCP flag “SYN”. Passage is allowed. As the operation of the example of the FW rule, only “Accept” for allowing passage and “Reject” for rejecting passage are described, but other operations such as rate limiting at an arbitrary rate are also possible.

  In addition to the above-described operation, the FW device having the IDS function implements a designated measure when a detection target packet satisfies a detection condition. In the example of the IDS rule of FIG. 31, the destination address to be detected by the R2802 rule is “10.10.1.2”, the destination port number is “3000”, the protocol is “TCP”, and the TCP flag is “SYN”. If the packet exceeds the threshold excess time of “3 minutes or more” at the rate of “50 Mpps”, which is the abnormality detection threshold of the detection condition, the packet rate is limited to “10 Mpps” as a countermeasure. In general, when an event occurs that satisfies the detection condition of the packet to be detected and the countermeasure is implemented, and when the event ends and the countermeasure is canceled, the FW device satisfies the detection target and the detection condition. The packet attribute information and the implemented countermeasures or the cancellation of the countermeasures are recorded in a log or notified to the operator. In this embodiment, this record and operator notification are used as attack countermeasure information. The example of the attack countermeasure information at the time of implementing the countermeasure of FIG. 33 is an example of the attack countermeasure information when the R2802 rule event of the IDS rule example of FIG. 31 occurs and the countermeasure is implemented. The example of the attack countermeasure information at the time of release is an example of attack countermeasure information when the countermeasure is released.

[Procedure for processing by policy aggregation server (when attack countermeasure information is received)]
In the following, a processing procedure by the policy aggregation server 7 (a processing procedure when the policy aggregation server 7 receives attack countermeasure information from the wide area NW devices 3A, 3B, and 3C or the operator) will be described as an example. The attack countermeasure information includes detection targets such as the packet destination address, source address, destination port number, source port number, protocol, protocol-dependent information, and detection conditions such as anomaly detection threshold excess time. It includes a measure, information identifying the device that has implemented or canceled the measure, and the type of whether the attack measure information is information relating to the implementation of the measure or information relating to the release of the measure.

  As shown in FIG. 40, first, the policy aggregation server 7 uses the attack countermeasure information acquisition unit 708 to identify the attack packets that have been blocked or suppressed by the IDS function detected from the wide area NW devices 3A, 3B, and 3C. And attack countermeasure information including the contents of the countermeasure (step S306).

  This attack countermeasure information acquisition may be active reception of notifications from the wide area NW devices 3A, 3B, and 3C, or the attack countermeasure information acquisition based on information held in the wide area NW device configuration information storage unit 709. The unit 708 may make an inquiry from the wide area NW devices 3A, 3B, and 3C. Moreover, you may input directly from an operator. For example, the attack countermeasure information example of FIG. 33 (a) is an example of attack countermeasure information when an event of the R2802 rule of the IDS rule example of FIG. 31 occurs and the countermeasure is implemented. The example (b) of the attack countermeasure information is an example of the attack countermeasure information when the event of the R2802 rule in the example of the IDS rule in FIG. 31 converges and the countermeasure is canceled. The policy aggregation server 7 passes the acquired attack countermeasure information in the attack countermeasure information acquisition unit 708 to the countermeasure policy creation unit 707.

  Next, the policy aggregation server 7 creates a countermeasure policy including the FW rule created from the attack countermeasure information in the countermeasure policy creation unit 707 (step S307). First, the policy aggregation server 7 uses the countermeasure policy creation unit 707 to determine from the received attack countermeasure information a destination address, a source address, a destination port number, a source port number, a protocol, and protocol-dependent information as detection conditions for the attack countermeasure information. FW rules are created with the values of Destination Address, Source Address, Destination Port Number, Source Port Number, Protocol, and Protocol Dependent Information, respectively. The “action” value of the FW rule is the “measure” value of the attack countermeasure information. In addition, the value of the user ID is the value of the ID of the device that has implemented or canceled the countermeasure.

  Then, the policy aggregation server 7 uses the policy management unit 703 to acquire the countermeasure policy from the policy data storage unit 704. When the attack countermeasure information type is countermeasure implementation, the policy aggregation server 7 adds the created FW rule to the acquired countermeasure policy, and when the attack countermeasure information type is cancellation of countermeasure, the created FW rule is used. The countermeasure policy is deleted from the acquired countermeasure policy, and the countermeasure policy is transferred to the policy management unit 703. Therefore, the countermeasure policy of FIG. 34 is created from the example of the attack countermeasure information of FIG.

  Thereafter, the policy aggregation server 7 delivers the created countermeasure policy to the policy management unit 703 and stores it in the policy data storage unit 704 (step S308).

  Subsequently, the policy aggregation server 7 passes the policy policy delivered from the policy policy creation unit 707 and the policy held in the policy data storage unit 704 to the policy aggregation unit 705 in the policy management unit 703, The aggregation unit 705 creates a new aggregation policy from the delivered individual policy and the aggregation policy (step S309).

  Next, the policy aggregation server 7 stores the aggregation policy newly created in the policy aggregation unit 705 in the policy data storage unit 704 by the policy management unit 703 (step S310).

  Then, the policy aggregation server 7 delivers the newly created aggregation policy in the policy aggregation unit 705 to the control management unit 706, and the control management unit 706 sets the FW rule and IDS rule of the aggregation policy in each wide area NW device. (Step S311).

  The attack countermeasure information acquisition unit 708 and the countermeasure policy creation unit 707 detect the IDS function of the wide area NW devices 3A, 3B, and 3C, and the user terminals 4A, 4B, and 4C, and the CPEs 5A and 5B are detected from the attacks for which the countermeasures are determined. It is also possible to defend access lines and networks.

  In the first embodiment, the IDS rule in FIG. 31 is set only in the wide area NW apparatus 3C according to the NW apparatus configuration information in FIG. 32, but the attack countermeasure implemented in the wide area NW apparatus 3C is the FW rule. As a result, the rate limitation is realized also in the wide area NW devices 3A and 3B.

[Effect of Example 1]
As described above, according to the first embodiment, each of the user networks configured by the user devices operated by the user is connected to the wide area network in which a plurality of user networks are communicably connected to each other. A traffic control system for controlling traffic transmitted from a predetermined user network to another user network via a wide area network when connected via each of the user apparatuses, and any of user devices constituting the user network Or one or more of the traffic transmitted / received between the user device and another user network other than the own user network configured by the user device, and / or other managed by the user device within the own user network Other user devices and other user networks For the traffic sent to and received from the network, an individual policy that is an aggregate of rules that control traffic is sent to the policy aggregation server connected to the wide area network. Each individual policy is received, and a rule that is an element of each received individual policy is transmitted to each of the wide area network devices to which the rule is to be set, and each of the wide area network devices receives and receives the transmitted rule. Because traffic is controlled according to established rules, it is unnecessary based on individual personal policies near the source of unnecessary traffic without triggering detection at user equipment (user terminals, network devices, etc.) at the user site. It becomes possible to block or suppress the traffic.

  More specifically, unlike the conventional method in which a user device transmits a personal policy or the like to a wide area network device triggered by an attack detection in a user device (user terminal, network device, etc.) at the user site, the present invention For example, even if the user device is subjected to excessive attacks, the attack traffic is blocked or suppressed at the exit to the user network in the wide area network before the attack traffic reaches the user device. It becomes possible to do. Further, according to the present invention, it is possible to block or suppress the attack traffic not only at the exit to the user network in the wide area network but also at the entrance of the attack traffic in the wide area network. Band pressure in the wide area network due to attack traffic can be eliminated, and influence on other user terminals such as user terminals connected to the wide area network can be eliminated.

  Further, according to the first embodiment, the policy aggregation server creates an aggregation rule that is an aggregation of the rules and an aggregation policy that is an aggregate of the aggregation rules from the rules that are the elements of the individual policies, and the aggregation rule Is transmitted to each of the wide area network devices for which the aggregation rules are to be set, and in addition to the above effects, the total number of rules is reduced by creating the aggregation policy. As a result, the FW processing and IDS processing of the wide area network devices Since the effect of reducing the load can be obtained, it is possible to set an aggregation policy for all wide area network devices in advance to block or suppress unnecessary traffic.

  In addition, according to the first embodiment, the policy aggregation server verifies the validity of each individual policy when receiving each individual policy. Therefore, in addition to the above effect, the wide area network device is in compliance with the invalid individual policy. Therefore, it is possible to avoid the risk of unjustly controlling the traffic.

  In addition, according to the first embodiment, the user apparatus may include a non-disclosure address and / or a non-disclosure port number that is not disclosed on a network other than its own user network, and a disclosure address and / or a disclosure port number disclosed on the network. The NAT function for converting the URL is used, and the rule is described by a non-disclosure address and / or a non-disclosure port number, and any one or more of the user devices constituting the user network are: Since the non-disclosure address and / or non-disclosure port number described in the rule is converted into a disclosure address and / or a disclosure port number, and an individual policy including the converted rule as an element is transmitted to the policy aggregation server In addition to the above effects, user equipment (user terminals, network devices, etc.) has a NAT function. Even in an environment which is connected to the wide area network using, it is possible to block or inhibit unwanted traffic.

  Specifically, in the conventional method, in an environment in which a user device is connected to a wide area network using the NAT function, a rule such as a personal policy includes a destination address disclosed only within the own user network, The destination port number will be described. However, in order to block or suppress attack traffic in the wide area network device, the destination address and the destination port number disclosed in the wide area network are required. Therefore, such a personal policy is eventually transmitted to the wide area network device. However, the wide area network device has a problem that it cannot block or suppress attack traffic. On the other hand, according to the present invention, a destination address and a destination port number described in a rule such as a personal policy are converted into a destination address and a destination port number disclosed in the wide area network and then transmitted to the policy aggregation server. Therefore, it becomes possible to solve the above-mentioned problem.

  Further, according to the first embodiment, the policy aggregation server creates, as statistical information, information related to a user device whose traffic is to be controlled according to the rule, and based on the created statistical information, the policy is changed according to the rule. In addition to the above effects, in addition to the above effect, it is determined whether or not to adopt as a rule for controlling traffic transmitted / received between other user devices other than the user device to be controlled. In determining whether or not abnormal traffic detected by a network device should be blocked or suppressed as unnecessary traffic, statistical information (for example, how many individual policies are aggregated by the rule, how many users For example), the rules are interpreted as user consensus. It is possible to be determined whether the material.

  Specifically, with conventional techniques, attacks aimed at overloading a wide area network, such as when a personal policy is inadequate or a small amount of packets are sent to an unspecified number of user devices Since traffic is not regarded as attack traffic in the personal policy, there is a problem that such attack traffic cannot be blocked or suppressed. Further, in the conventional method, even when abnormal traffic is detected on the wide area network side, the wide area network side asks the user whether or not such abnormal traffic should be blocked or suppressed as unnecessary traffic. (In general, IDS detects abnormal traffic using a built-in algorithm, and therefore, it is left to the IDS user or the like to determine whether or not the abnormal traffic is attack traffic.) IDS itself does not have a judgment standard), and there is a problem that it cannot be immediately blocked or suppressed as unnecessary traffic. Furthermore, in the conventional method, when there is a large amount of traffic that is not attack traffic, even if there is a large amount of traffic, it is regular traffic that the user needs. There is a problem that it cannot be suppressed and fairness among users cannot be ensured. According to the present invention, it is possible to solve the above problems.

  Further, according to the first embodiment, the policy aggregation server acquires attack countermeasure information including identification information for identifying an attack packet detected in the wide area network device and countermeasure information for the attack packet from the wide area network device, and acquires the acquired attack. From the countermeasure information, a countermeasure policy that is an aggregate of countermeasure rules that control traffic based on attack countermeasure information is created, and the created countermeasure policy is reflected in the rules. It is possible to block or suppress abnormal traffic detected on the device side and determined as countermeasures as unnecessary traffic.

  Specifically, with conventional techniques, attacks aimed at overloading a wide area network, such as when a personal policy is inadequate or a small amount of packets are sent to an unspecified number of user devices Since traffic is not regarded as attack traffic in the personal policy, there is a problem that such attack traffic cannot be blocked or suppressed. On the other hand, according to the present invention, it is possible to solve the above problems.

  By the way, as a first embodiment, on the premise that unnecessary traffic is attack traffic, the traffic control system has described a method of controlling traffic for the purpose of blocking or suppressing such attack traffic. The present invention is not limited to this. For example, on the assumption that unnecessary traffic is mass traffic that is not attack traffic, the traffic control system also controls traffic for the purpose of ensuring fairness among users when such mass traffic occurs, The present invention can be similarly applied. Therefore, in the following, as a second embodiment, a method in which the traffic control system controls traffic for the purpose of ensuring fairness among users when a large amount of traffic occurs will be described.

  FIG. 42 is a block diagram showing the configuration of the policy aggregation server in the second embodiment. As shown in FIG. 42, the traffic control system according to the second embodiment is configured in substantially the same manner as in the first embodiment. However, the wide area NW devices 3A, 3B, and 3C have a VPN function that configures a virtual network (hereinafter referred to as VPN: Virtual Private Network) that can guarantee the bandwidth, and the policy aggregation server 7 stores VPN information. The main difference is that the unit 710 is added. Other points include the information stored in the user information storage unit 702 and the policy data storage unit 704 and the processing by the policy management unit 703 and the control management unit 706. Is different from the first embodiment.

  Below, it demonstrates using FIG. 43-51 other than FIG. 42 centering on said point different from Example 1. FIG. 43 is a diagram for explaining a user information storage unit of the policy aggregation server, FIGS. 44 to 49 are diagrams for explaining a policy data storage unit of the policy aggregation server, and FIG. 50 is a policy aggregation. It is a figure for demonstrating the wide area network apparatus structure information storage part of a server, and FIG. 51 is a figure for demonstrating the VPN information storage part of a policy aggregation server.

[Policy Aggregation Server 7]
The user information storage unit 702 (see FIG. 43) in the second embodiment is the same as the user information storage unit 702 in the first embodiment (see FIG. 27), and the information necessary for verifying the validity of the individual policy transmission source The information necessary for verifying the validity of the FW rule and IDS rule that are elements of the individual policy is stored in advance, but unlike the user information storage unit 702 in the first embodiment, each user belongs to VPN identification information is held. For example, as illustrated in FIG. 43, the user information storage unit 702 according to the second embodiment stores a group ID (GID) “GA” in association with a user ID (UID) “A” in advance. .

  The policy data storage unit 704 (see FIGS. 44 to 49) in the second embodiment stores individual policies, aggregate policies, and countermeasure policies in the same manner as the policy data storage unit 704 in the first embodiment (see FIGS. 28 to 31). However, unlike the policy data storage unit 704 in the first embodiment, an individual policy in which a group ID (identification information of a VPN to which each user belongs) is added or an aggregate policy in which a group ID is added are displayed. Remember.

  For example, the policy data storage unit 704 according to the second embodiment stores an individual policy (FW rule) as shown in FIG. 44 and an individual policy (IDS rule) as shown in FIG. It can be seen that the group ID (GID) is stored in association with the ID (UID). Further, for example, the policy data storage unit 704 stores the aggregate policy (FW rule) as shown in FIGS. 46 and 47 and the aggregate policy (IDS rule) as shown in FIGS. 48 and 49. It can be seen that the aggregate policy is stored for each group ID (GID).

  The wide area network device configuration information storage unit 709 (see FIG. 50) according to the second embodiment is similar to the wide area network device configuration information storage unit 709 according to the first embodiment (see FIG. 32). Information necessary for the storage is stored in advance.

  The VPN information storage unit 710 (see FIG. 51) includes a group ID (GID) that is identification information of a VPN to which each user belongs, and identification information (VPN ID) that identifies a VPN set between the NW devices. Are stored in advance in association with each other. For example, as illustrated in FIG. 51, the VPN information storage unit 710 stores a group ID (GID) “GA” and a VPN ID “VPN-A” in association with each other in advance.

[Wide-area NW devices 3A, 3B and 3C]
The NW devices 3A, 3B, and 3C according to the second embodiment have a VPN function that configures a VPN that can guarantee a bandwidth. Accordingly, the policy aggregation server 7 sets these rules in the NW device by specifying the VPN to be set so that the FW rule and the IDS rule only work for the corresponding VPN. For example, a technique such as MPLS (Multi-Protocol Label Switching) is used for creating the VPN. As shown in FIG. 42, 8A and 8B are VPNs configured in the wide area NW 1A by the wide area NW devices 3A, 3B, and 3C.

[Procedure for Processing by Traffic Control System According to Second Embodiment]
Next, the procedure of the process performed by the traffic control system according to the second embodiment will be described mainly focusing on differences from the procedure of the process performed by the traffic control system according to the first embodiment. The traffic control system according to the second embodiment is different from the traffic control system according to the first embodiment in the processing by the policy aggregation server (at the time of individual policy reception). A procedure of processing by the aggregation server 7 (procedure of processing when the policy aggregation server 7 receives individual policies from the user terminal 4A, the CPE 5A, and the user policy server 6) will be described as an example.

  First, the policy aggregation server 7 is transmitted from the policy transmission unit 401 of the user terminal 4A, the policy transmission unit 501 of the CPE 5A, and the policy transmission unit 601 of the user policy server 6 in the policy reception unit 701, as in the first embodiment. Each individual policy is received and delivered to the policy management unit 703. Unlike the first embodiment, the policy reception unit 701 refers to the user information storage unit 702, and identifies the identification information of the VPN to which each user belongs to each individual policy. And the group ID (GID) is added to the policy management unit 703.

  Then, the policy aggregation server 7, as in the first embodiment, the policy management unit 703 converts the individual policy delivered from the policy reception unit 701 and the aggregation policy held in the policy data storage unit 704 into the policy aggregation unit. The policy aggregating unit 705 creates a new aggregated policy from the individual policy and the aggregated policy. Unlike the first embodiment, the policy management unit 703 is configured to store the individual policy received from the policy receiving unit 701. Using the group ID (GID), an aggregation policy having the same group ID (GID) as the individual policy is acquired from the aggregation policy held in the policy data storage unit 704, and the aggregation policy having the same group ID (GID) as the individual policy is acquired. To the policy aggregating unit 705, which collects the same group ID (GID) as that of the individual policy. From the policy, to create a new aggregation policy.

  As this aggregation method, as in the first embodiment, for example, when there is a rule having all the same attribute values other than attributes (for example, destination addresses) in all individual policies, the value of the attribute is set to “any”. In the second embodiment, the R3116, R3314, and R3325 rules in FIG. 44 have the same attributes except for the destination address. Therefore, the R3712 in FIG. The rules are summarized.

  Also, if there are multiple rules that differ only in the value of a certain attribute (for example, destination address) and all other attribute values are the same, if the value of that attribute is a continuous value, the attribute value is In the embodiment, the R3511 rule and R3611 rule of FIG. 45 differ only in the destination address, all other attribute values are the same, and the destination addresses are continuous. For this reason, the rules are integrated into the rules of R3803 in FIG.

  Similarly to the first embodiment, the policy aggregating server 7 creates, in the policy aggregating unit 705, statistical information indicating the number of individual policies aggregated and which individual policy rules the aggregated rules are aggregated. In the second embodiment, T11 to T14 in FIGS. 46 to 49 are statistical information of the aggregation policy, and for each rule, the aggregation source, the statistics in units of sets, and the statistics in units of users are described. For example, in the rule of R3707 in FIG. 47, the aggregation source is “B1, C1”, which is an aggregation of the rule of rule set 1 of user B and the rule of rule set 1 of user C. It shows that there is. Further, the set unit statistics is “66%” since two rule sets are aggregated out of the total number 3 of rule sets used for aggregation. The user unit statistics are “100%” because the individual policies of the two users are aggregated and aggregated from the individual policies of the two users. For example, in the R3803 rule, if a “TCP” “SYN” packet with a destination port number “80” continuously flows for more than “50M” packets per second for 3 minutes, the rate is set to “10M” packets per second as abnormal. Since more than half of the users have a policy of restricting this, this is considered as a consensus of the user, and even if the destination addresses are not "10.10.1.2" and "10.10.1.3", abnormal traffic is considered as an attack. It can be a criterion for judgment and suppression.

  Then, as in the first embodiment, the policy aggregation server 7 stores the newly created aggregation policy in the policy aggregation unit 705 in the policy data storage unit 704 in the policy management unit 703, and then creates the newly created policy. The aggregated policy is transferred from the policy data storage unit 704 to the control management unit 706. Unlike the first embodiment, the aggregated policy delivered to the control management unit 706 by the policy management unit 703 includes a group ID (GID) that identifies a group. )It is included.

  Therefore, as in the first embodiment, the control management unit 706 uses the FW rule and IDS rule of each NW device based on the NW device information held in the wide area NW device configuration information storage unit 709 from the delivered aggregate policy. However, unlike the first embodiment, the FW rule and IDS rule for each NW device are created based on the information stored in the VPN information storage unit 710.

  That is, the control management unit 706 identifies the aggregation policy based on the VPN ID corresponding to the group ID based on the association between the group ID (GID) stored in the VPN information storage unit 710 and the VPN ID. It is set in each NW device so as to be applied to the VPN. For example, the aggregation policy with the group ID “GA” is set to “VPN-A”.

  Thus, the policy aggregation server 7 sets each rule of the aggregation policy in the wide area NW devices 3A, 3B, and 3C using the setting format of each device. In the second embodiment, as shown in FIG. 43, the user “A” belongs to the group “GA”, the users “B” and “C” belong to the group “GB”, and FIG. As shown in FIG. 3, the group “GA” is accommodated in “VPN-A” and the group “GB” is accommodated in “VPN-B”, so that the user “A” has a large amount of traffic. Transmission / reception does not affect the communication of the users “B” and “C”. Further, even when the users “B” and “C” both transmit and receive a large amount of traffic, only the users “B” and “C” having the same type of policy are affected, and the communication of the user “A” Will not be affected.

  As described above, in the second embodiment, by setting the VPN information storage unit 710 so that users having similar individual policies are accommodated in the same VPN, it is not an attack between users, for example, file sharing, etc. Even when a large amount of traffic occurs, fairness among users can be ensured.

[Effect of Example 2]
As described above, according to the second embodiment, the policy aggregation server creates an aggregation policy in which rules are aggregated for each group of user devices whose traffic is controlled based on the same type of rules, and virtual Configuration information to be set in each wide area network device so as to form a secure network or a physical network, and an aggregation policy for each group are transmitted to each of the wide area network devices to which the setting information and the aggregation policy should be set In addition to the effects of the first embodiment, it is possible to ensure fairness among users when a large amount of traffic that is not attack traffic occurs.

  More specifically, for example, a personal policy of a user who performs file exchange has a rule that allows a packet for file exchange to pass. Therefore, according to the present invention, users who pass packets for file exchange are grouped, and the group and other groups are accommodated in another virtual (or physical) network. Even if the user performing the exchange exchanges a large number of files, there is no possibility that the communication of the user who does not exchange the file will be hindered by the file exchange packet. It becomes possible to ensure fairness.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above.

  In the first and second embodiments, the policy aggregation server creates an aggregation policy from individual policies, creates a rule for each wide area network device from the aggregation policy, and sets a rule for each wide area network device for each wide area network device. Although described, the present invention is not limited to this. For example, the policy aggregation server transmits the individual policy as it is to each wide area network device, and creates an aggregate policy from the individual policy in the wide area network device, or creates a rule for each wide area network device from the aggregate policy, The present invention can be similarly applied to a case where a rule for each network device is set. Also, in an environment where the performance of the wide area network device is high, the present invention is similarly applied to an example in which a rule for each wide area network device created from the individual policy itself is set without creating an aggregate policy from the individual policy. can do.

  In the first and second embodiments, the policy aggregation server has described the method for verifying the validity of each individual policy when receiving each individual policy. However, the present invention is not limited to this. The present invention can be similarly applied to a technique in which the policy aggregation server trusts and uses the received individual policy without verifying the validity of each individual policy.

  In the first and second embodiments, the example in which the user device uses the NAT function has been described. However, the present invention is not limited to this, and the user device does not use the NAT function. The user apparatus may transmit the address of the individual policy as it is to the policy aggregation server without conversion, and the present invention can be similarly applied to this case.

  Further, in the first and second embodiments, the case where the policy aggregation server creates statistical information and determines based on the statistical information has been described, but the present invention is not limited to this, and the policy aggregation server The present invention can be similarly applied to cases where statistical information is not created.

  Further, in the first and second embodiments, the case where the policy aggregation server acquires the attack countermeasure information from the wide area network device and creates the countermeasure policy from the attack countermeasure information has been described, but the present invention is not limited to this. In addition, the present invention can be similarly applied to a case where the policy aggregation server does not acquire the attack countermeasure information from the wide area network device and does not create the countermeasure policy.

[System configuration, etc.]
In addition, among the processes described in this embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-mentioned document and drawings can be arbitrarily changed unless otherwise specified.

  Further, for example, each component of each device illustrated in FIGS. 3, 10, 17 and 26 is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  Note that the traffic control method described in the present embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, in the traffic control system and the traffic control method according to the present invention, each of user networks configured by user devices operated by a user connects a plurality of user networks so that they can communicate with each other. Is useful for controlling traffic transmitted from a predetermined user network to another user network via the wide area network, particularly when the user is connected to each other via the wide area network device. It is suitable for blocking or suppressing unnecessary traffic based on an individual personal policy near the transmission source of unnecessary traffic without triggering detection at a user device (user terminal, network device, etc.) at the site.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram for explaining an overview and characteristics of a traffic control system according to a first embodiment. 1 is a block diagram illustrating an overall configuration of a traffic control system according to a first embodiment. It is a block diagram which shows the structure of the user terminal in Example 1. FIG. It is a figure for demonstrating the service information storage part of a user terminal. It is a figure for demonstrating the rule set memory | storage part of a user terminal. It is a figure for demonstrating the rule set memory | storage part of a user terminal. It is a figure for demonstrating the rule set memory | storage part of a user terminal. It is a figure for demonstrating the policy transmission part of a user terminal. It is a figure for demonstrating the policy transmission part of a user terminal. It is a block diagram which shows the structure of the user network apparatus (CPE) in Example 1. FIG. It is a figure for demonstrating the service information storage part of CPE. It is a figure for demonstrating the rule set memory | storage part of CPE. It is a figure for demonstrating the rule set memory | storage part of CPE. It is a figure for demonstrating the rule set memory | storage part of CPE. It is a figure for demonstrating the policy transmission part of CPE. It is a figure for demonstrating the policy transmission part of CPE. It is a block diagram which shows the structure of the user policy server in Example 1. FIG. It is a figure for demonstrating the service information storage part of a user policy server. It is a figure for demonstrating the rule set memory | storage part of a user policy server. It is a figure for demonstrating the rule set memory | storage part of a user policy server. It is a figure for demonstrating the rule set memory | storage part of a user policy server. It is a figure for demonstrating the rule set memory | storage part of a user policy server. It is a figure for demonstrating the rule set memory | storage part of a user policy server. It is a figure for demonstrating the policy transmission part of a user policy server. It is a figure for demonstrating the policy transmission part of a user policy server. It is a block diagram which shows the structure of the policy aggregation server in Example 1. FIG. It is a figure for demonstrating the user information storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the wide area network apparatus structure information storage part of a policy aggregation server. It is a figure for demonstrating the attack countermeasure information acquisition part of a policy aggregation server. It is a figure for demonstrating the countermeasure policy preparation part of a policy aggregation server. It is a figure for demonstrating the policy aggregation part of a policy aggregation server. It is a flowchart which shows the procedure of the process by a user terminal. It is a flowchart which shows the procedure of the process by CPE. It is a flowchart which shows the procedure of the process by a user policy server. It is a flowchart which shows the procedure (at the time of individual policy reception) by the policy aggregation server. It is a flowchart which shows the procedure (at the time of attack countermeasure information reception) by a policy aggregation server. It is a flowchart which shows the procedure of the policy reception process by a policy aggregation server. It is a block diagram which shows the structure of the policy aggregation server in Example 2. FIG. It is a figure for demonstrating the user information storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the policy data storage part of a policy aggregation server. It is a figure for demonstrating the wide area network apparatus structure information storage part of a policy aggregation server. It is a figure for demonstrating the VPN information storage part of a policy aggregation server. It is a figure for demonstrating the countermeasure by a firewall or an attack detection system. It is a figure for demonstrating a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1A Wide area network 1B User network 1C User network 1D User network 3A Wide area network apparatus 3B Wide area network apparatus 3C Wide area network apparatus 4A User terminal 401 Policy transmission part 402 Service information storage part 403 Address conversion part 404 Ruleset storage part 4B User terminal 4C User Terminal 4D User terminal 4E User terminal 5A CPE
501 Policy transmission unit 502 Service information storage unit 503 Address conversion unit 504 Rule set storage unit 5B CPE
6 User policy server 601 Policy transmission unit 602 Service information storage unit 603 Address conversion unit 604 Rule set storage unit 605 Policy acquisition unit 7 Policy aggregation server 701 Policy reception unit 702 User information storage unit 703 Policy management unit 704 Policy data storage unit 705 Policy Aggregation unit 706 Control management unit 707 Countermeasure policy creation unit 708 Attack countermeasure information acquisition unit 709 Wide area network device configuration information storage unit 710 VPN information storage unit

Claims (18)

Predetermined when each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of user networks so that they can communicate with each other. A traffic control system for controlling traffic transmitted from the user network to another user network via the wide area network,
Any one or more of the user devices constituting the user network are:
Traffic transmitted / received between the user device and another user network other than the own user network configured by the user device, and / or other user devices managed by the user device in the own user network Policy transmission for transmitting / receiving traffic to / from the other user network to a policy aggregation server connected to the wide area network, which is an aggregate of rules that control the traffic. With means,
The policy aggregation server
Policy receiving means for receiving each of the individual policies transmitted by the policy transmitting means;
Rule transmitting means for transmitting the rule, which is an element of each individual policy received by the policy receiving means, to each of the wide area network devices to which the rule is to be set,
Each of the wide area network devices
Rule receiving means for receiving the rule transmitted by the rule transmitting means;
Traffic control means for controlling the traffic according to the rule received by the rule receiving means;
A traffic control system comprising:   The rule transmission unit creates an aggregation rule that is aggregated for the rule and an aggregation policy that is an aggregate including the aggregation rule from the rule that is an element of each individual policy received by the policy reception unit. The traffic control system according to claim 1, wherein the aggregation rule is transmitted to each of the wide area network devices for which the aggregation rule is to be set.   The traffic control system according to claim 1, wherein the policy receiving unit further verifies the validity of each individual policy when receiving each individual policy. The user apparatus has a NAT function for converting a non-disclosure address and / or a non-disclosure port number that is not disclosed on a network other than the own user network and a disclosure address and / or a disclosure port number disclosed on the network. The rule is described by the non-disclosure address and / or the non-disclosure port number,
Any one or more of the user devices constituting the user network are:
An address conversion means for converting the non-disclosure address and / or the non-disclosure port number described in the rule into the disclosure address and / or the disclosure port number;
The said policy transmission means transmits the individual policy which uses the said rule converted by the said address conversion means as an element with respect to the said policy aggregation server, The Claim 1 characterized by the above-mentioned. Traffic control system. The rule transmission means further creates statistical information as information on the user device whose traffic is to be controlled according to the rule,
The policy aggregation server
Based on the statistical information created by the rule transmission means, the rule is transmitted and received between the other user device other than the user device and the other user network whose traffic is to be controlled according to the rule. The traffic control system according to claim 1, further comprising a determination unit that determines whether or not to adopt a rule for controlling the traffic to be performed. The policy aggregation server
Attack countermeasure information acquisition means for acquiring identification information for identifying an attack packet detected in the wide area network device and attack countermeasure information including countermeasure information for the attack packet from the wide area network device;
A countermeasure policy creating means for creating a countermeasure policy that is an aggregate of countermeasure rules that control the traffic based on the attack countermeasure information from the attack countermeasure information acquired by the attack countermeasure information acquiring means; Prepared,
The traffic control system according to claim 1, wherein the rule transmission unit reflects the countermeasure policy created by the countermeasure policy creation unit in the rule.   The rule transmission means creates an aggregate policy that aggregates the rule for each group of user devices whose traffic is controlled based on the same type of rule, and forms a virtual network or a physical network for the group. Further transmitting the setting information to be set in each of the wide area network devices and the aggregate policy for each group to each of the wide area network devices to which the setting information and the aggregate policy are to be set. The traffic control system according to any one of claims 1 to 6. Predetermined when each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of user networks so that they can communicate with each other. A traffic control method for controlling traffic transmitted from the user network to another user network via the wide area network,
Any one or more of the user devices constituting the user network are:
Traffic transmitted / received between the user device and another user network other than the own user network configured by the user device, and / or other user devices managed by the user device in the own user network Policy transmission for transmitting / receiving traffic to / from the other user network to a policy aggregation server connected to the wide area network, which is an aggregate of rules that control the traffic. Including steps,
The policy aggregation server
A policy reception step of receiving each of the individual policies transmitted by the policy transmission step;
A rule transmission step of transmitting the rule, which is an element of each individual policy received by the policy reception step, to each of the wide area network devices to which the rule is to be set,
Each of the wide area network devices
A rule receiving step for receiving the rule transmitted by the rule transmitting step;
A traffic control step of controlling the traffic according to the rules received by the rule reception step;
A traffic control method comprising: When each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of such user networks so as to communicate with each other, The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and the wide area network to set the rule as an element of each individual policy A user terminal as the user device in a traffic control system that controls traffic transmitted from a predetermined user network to another user network via the wide area network. And
For the traffic transmitted and received between the user terminal and another user network other than the own user network configured by the user terminal, an individual policy that is an aggregate including rules for controlling the traffic as an element, A user terminal comprising policy transmission means for transmitting to a policy aggregation server. When each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of such user networks so as to communicate with each other, The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and the wide area network to set the rule as an element of each individual policy A user network device serving as the user device in a traffic control system that transmits traffic to each of the devices, and the wide-area network device controls traffic transmitted from the predetermined user network to another user network via the wide-area network. There,
For traffic transmitted / received between the user network device and another user network other than the user network configured by the user network device, an individual policy that is an aggregate including rules for controlling the traffic as elements. User network equipment comprising policy transmission means for transmitting to the policy aggregation server. When each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of such user networks so as to communicate with each other, The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and the wide area network to set the rule as an element of each individual policy A user policy server as the user device in a traffic control system that controls traffic transmitted from a predetermined user network to another user network via the wide area network. There,
Controls the traffic for traffic transmitted / received between other user devices managed by the user policy server and other user networks other than the own user network within the own user network configured by the user policy server. A policy acquisition means for acquiring an individual policy that is an aggregate including rules to be executed from each of the other user devices;
Policy transmission means for transmitting each of the individual policies acquired by the policy acquisition means to the policy aggregation server;
A user policy server comprising: Predetermined when each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of user networks so that they can communicate with each other. In a traffic control system for controlling traffic transmitted from a user network to another user network via the wide area network, a policy aggregation server connected to the wide area network,
Traffic transmitted / received between any one or a plurality of user devices constituting the user network between the user device and another user network other than the own user network configured by the user device, and / or Each of the individual policies that are aggregates whose elements are the rules for controlling the traffic for traffic transmitted / received between the other user network managed by the user device and the other user network in the user network Policy receiving means for receiving
By transmitting the rule, which is an element of each individual policy received by the policy receiving means, to each of the wide area network devices to which the rule is to be set, the traffic is transmitted to each of the wide area network devices according to the rule. Rule transmission means for controlling
A policy aggregation server characterized by comprising: Predetermined when each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of user networks so that they can communicate with each other. In a traffic control system for controlling traffic transmitted from a user network to another user network via the wide area network, a policy aggregation server connected to the wide area network,
Traffic transmitted / received between any one or a plurality of user devices constituting the user network between the user device and another user network other than the own user network configured by the user device, and / or Each of the individual policies that are aggregates whose elements are the rules for controlling the traffic for traffic transmitted / received between the other user network managed by the user device and the other user network in the user network Policy receiving means for receiving
From the rules that are elements of each of the individual policies received by the policy receiving means, create an aggregate policy that aggregates the rules for each group of user devices whose traffic is controlled based on the same type of rules, The setting information to be set in each of the wide area network devices so as to form a virtual network or a physical network for each group, and the aggregation policy for each group, the setting information and the aggregation policy should be set A rule transmission means for causing each of the wide area network devices to control the traffic according to the rule by transmitting to each of the wide area network devices;
A policy aggregation server characterized by comprising: When each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of such user networks so as to communicate with each other, The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and the wide area network to set the rule as an element of each individual policy A traffic control method for controlling traffic transmitted from a predetermined user network to another user network via the wide area network, which is transmitted to each of the apparatuses, is a computer as the user apparatus. User to be executed on user terminal An end program,
For the traffic transmitted and received between the user terminal and another user network other than the own user network configured by the user terminal, an individual policy that is an aggregate including rules for controlling the traffic as an element, A user terminal program that causes a user terminal, which is the computer, to execute a policy transmission procedure to be transmitted to a policy aggregation server. When each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of such user networks so as to communicate with each other, The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and the wide area network to set the rule as an element of each individual policy A traffic control method for controlling traffic transmitted from a predetermined user network to another user network via the wide area network, which is transmitted to each of the apparatuses, is a computer as the user apparatus. Run on user network equipment A user network equipment program to,
For traffic transmitted / received between the user network device and another user network other than the user network configured by the user network device, an individual policy that is an aggregate including rules for controlling the traffic as elements. A user network device program for causing a user network device, which is the computer, to execute a policy transmission procedure to be transmitted to the policy aggregation server. When each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of such user networks so as to communicate with each other, The policy aggregation server connected to the wide area network receives each individual policy transmitted from any one or more of the user devices, and the wide area network to set the rule as an element of each individual policy A traffic control method for controlling traffic transmitted from a predetermined user network to another user network via the wide area network, which is transmitted to each of the apparatuses, is a computer as the user apparatus. Let the user policy server execute A user policy server program,
Controls the traffic for traffic transmitted / received between other user devices managed by the user policy server and other user networks other than the own user network within the own user network configured by the user policy server. A policy acquisition procedure for acquiring an individual policy that is an aggregate including rules to be acquired from each of the other user devices;
A policy transmission procedure for transmitting each of the individual policies acquired by the policy acquisition procedure to the policy aggregation server;
Is executed by a user policy server which is the computer. Predetermined when each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of user networks so that they can communicate with each other. A policy aggregation server program for causing a computer as a policy aggregation server connected to the wide area network to execute a traffic control method for controlling traffic transmitted from the user network to another user network via the wide area network. ,
Traffic transmitted / received between any one or a plurality of user devices constituting the user network between the user device and another user network other than the own user network configured by the user device, and / or Each of the individual policies that are aggregates whose elements are the rules for controlling the traffic for traffic transmitted / received between the other user network managed by the user device and the other user network in the user network Policy reception procedure for receiving
By transmitting the rule that is an element of each individual policy received by the policy reception procedure to each of the wide area network devices to which the rule is to be set, the traffic is transmitted to each of the wide area network devices according to the rule. Rule sending procedure to control
A policy aggregation server program, which causes a computer as the policy aggregation server to execute. Predetermined when each of user networks configured by user devices operated by a user is connected via a wide area network device to a wide area network that connects a plurality of user networks so that they can communicate with each other. A policy aggregation server program for causing a computer as a policy aggregation server connected to the wide area network to execute a traffic control method for controlling traffic transmitted from the user network to another user network via the wide area network. ,
Traffic transmitted / received between any one or a plurality of user devices constituting the user network between the user device and another user network other than the own user network configured by the user device, and / or Each of the individual policies that are aggregates whose elements are the rules for controlling the traffic for traffic transmitted / received between the other user network managed by the user device and the other user network in the user network Policy reception procedure for receiving
From the rules that are elements of each of the individual policies received by the policy reception procedure, an aggregate policy that aggregates the rules is created for each group of user devices whose traffic is controlled based on the same type of rules. The setting information to be set in each of the wide area network devices so as to form a virtual network or a physical network for each group, and the aggregation policy for each group, the setting information and the aggregation policy should be set A rule transmission procedure for causing each of the wide area network devices to control the traffic according to the rule by transmitting to each of the wide area network devices;
A policy aggregation server program, which causes a computer as the policy aggregation server to execute.

Images