JP2009159045A - Connection controller, connection control method and control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To wait until a manager deletes the information of a spoofed ARP packet manually from an ARP table on an apparatus on which the information of a spoofed ARP packet is registered, or until information of a spoofed ARP packet is erased automatically from an ARP table of the apparatus on which the information of a spoofed ARP packet is registered when connection is restored. <P>SOLUTION: A connection controller is connected with a network including: an apparatus with which connection is not permitted; and an apparatus with which connection is permitted; and an external apparatus for transmitting a command. The connection controller includes a means for transmitting a packet including false address information of a permitted apparatus at least to a non-permitted apparatus upon receiving an interruption command of a non-permitted apparatus from the external apparatus, and transmitting a packet including correct address information of a permitted apparatus at least to a non-permitted apparatus upon receiving an authorization command of a non-granted apparatus from the external apparatus. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a connection control device, a connection control method, and a control program, and in particular, a connection control device that controls connection using ARP (Address Resolution Protocol), a connection control method using the connection control device, and the connection control. The present invention relates to a control program that operates on an apparatus.

  2. Description of the Related Art In recent years, various information processing apparatuses are used by being connected via a TCP / IP (Transmission Control Protocol / Internet Protocol) network such as the Internet or an intranet. In this type of network, an IP address that is an identification number unique to each information processing apparatus and a MAC (Media Access Control) address that is an identification number unique to each Ethernet (registered trademark) card are used to identify each other. When obtaining a MAC address from an IP address, a protocol called ARP (Address Resolution Protocol) is used.

  In this way, necessary information can be shared by connecting various information processing apparatuses via a network, and work efficiency can be improved. However, if an unauthorized device enters the network, information stored in the authorized device may be destroyed or leaked. Therefore, in Patent Document 1 below, in order to prevent unauthorized access, an unauthorized connection prevention system that blocks an unauthorized device's communication by transmitting an ARP packet with a spoofed address (referred to as a spoofed ARP packet). is suggesting.

  The unauthorized connection prevention device described in Patent Document 1 will be described with reference to FIGS. 11 and 12. As illustrated in FIG. 11, in the unauthorized connection prevention system using the camouflaged ARP, the unauthorized device 120 that is not permitted to connect, the permitted device 130 that is permitted to connect, and the unauthorized connection prevention device 110 are the same. It is connected to the network. As illustrated in FIG. 12, the unauthorized connection prevention device 110 monitors packets on the network, and receives an ARP packet transmitted from the unauthorized device 120, makes false information about the unauthorized device 120 and the permitted device 130. The camouflaged ARP packet describing the MAC address of is transmitted. Then, by registering information on the spoofed ARP packet in a predetermined database (referred to as an ARP table) of the unauthorized device 120 and the authorized device 130, communication between the unauthorized device 120 and the authorized device 130 is blocked. .

JP 2005-79706 A

  By using such an unauthorized connection prevention system, an unauthorized connection of an unauthorized device can be blocked. However, if the device that has blocked the connection is subsequently approved, the connection of this device is disconnected. Need to recover. However, since the unauthorized connection prevention system does not have a mechanism for restoring a connection to a device that has been disconnected, the connection must be restored by the following method.

  (1) On the device in which the information of the camouflaged ARP packet is registered, the administrator manually deletes the information of the camouflaged ARP packet from the ARP table.

  (2) Wait until the information of the camouflaged ARP packet is automatically deleted from the ARP table of the device in which the information of the camouflaged ARP packet is registered.

  However, when the connection is restored by the above method, there are the following problems.

  First, in the case of using the method (1), the administrator needs to perform an operation on all devices in which information of the spoofed ARP packet is registered using the means provided by each device. Yes, the burden on the administrator increases.

  When the method (2) is used, it is necessary to wait until the cache entry in the ARP table is automatically deleted, and the connection cannot be quickly restored. Further, since the cache entry retention time of the ARP table depends on the characteristics of each device, it is difficult to grasp at which timing after the approval the connection is guaranteed.

  The present invention has been made in view of the above-described problems, and its main purpose is to quickly and surely restore the connection without imposing a burden on the administrator when the connection is interrupted. To provide a connection control device, a connection control method in the connection control device, and a control program that operates in the connection control device.

  To achieve the above object, the present invention provides a connection control connected to a network including an unpermitted device for which connection is not permitted, an permitted device for which connection is permitted, and an external device for transmitting a command. A device that transmits a packet including false address information of the permitted device to at least the unauthorized device, when the cutoff command for the unauthorized device is received from the external device; When an approval command for an unauthorized device is received, at least means for transmitting a packet including correct address information of the authorized device to at least the unauthorized device.

  The connection control device, the connection control method, and the control program of the present invention have the following effects.

  The first effect of the present invention is that a device disconnected from the network can be quickly restored to the network. The reason is that the connection control device performs processing when receiving the approval command, transmits a recovery ARP packet having a correct MAC address, and can rewrite the ARP table of each device with correct information.

  The second effect of the present invention is that it is possible to guarantee the timing at which a device disconnected from the network is restored to the network. The reason is that since the connection control device transmits a recovery ARP packet to recover the connection, the connection can be recovered without waiting for the cache retention time of the ARP table that is different for each device to expire.

  The third effect of the present invention is that even if it is desired to immediately restore the connection, the connection to the network can be automatically restored without manpower, thereby reducing the burden on the administrator. It can be done. The reason is that the connection is restored by the connection control device sending a recovery ARP packet, so the administrator executes a command to delete information on the spoofed ARP packet for each device or restarts the machine. This is because it is no longer necessary to perform such operations.

  In a preferred embodiment of the connection control system of the present invention, an unauthorized device, an authorized device, a connection control device, and an external device are connected to the same network. When the connection control device receives a blocking command from an external device, the connection control device transmits a forged ARP packet having a false MAC address to at least the device to be blocked, and registers the false MAC address in the ARP table of the device. Block communication. At that time, the IP address of the blocked device, the MAC address, the transmission destination MAC address of the forged ARP packet, and the IP address set in the forged ARP packet are registered in the forged ARP transmission list.

  When the connection control device receives an approval command for the blocked device from the external device, the connection control device reads the information registered in the spoofed ARP transmission list and correct MAC address corresponding to the IP address set in the spoofed ARP packet from the approval list. Get the address. Then, the recovery ARP packet having the correct MAC address is transmitted to the device that has transmitted the forged ARP packet, and the correct MAC address is registered in the ARP table of the device to recover the communication.

  As a result, the MAC address stored in the ARP table of the unauthorized device and the authorized device can be automatically updated as appropriate, and the communication between the devices can be quickly and reliably interrupted without burdening the administrator. / Recovery can be controlled.

  A connection control device, a connection control method, and a control program according to an embodiment of the present invention will be described with reference to FIGS. FIG. 1 is a diagram illustrating a configuration example of a connection control system according to the present embodiment, and FIG. 2 is a block diagram illustrating a configuration example of a connection control apparatus according to the present embodiment. FIG. 3 is a flowchart showing the operation of the connection control device when there is a cutoff command or an approval command, and FIG. 4 is a diagram showing the operation of the connection control system when the connection is restored. 5 is a configuration example of blocking command data, FIG. 6 is a configuration example of approval command data, FIG. 7 is a registration example of an approval list, and FIG. 8 is a diagram illustrating a registration example of a camouflaged ARP transmission list. FIG. 9 is a diagram illustrating a configuration example of a camouflaged ARP packet, and FIG. 10 is a diagram illustrating a configuration example of a recovery ARP packet.

  As shown in FIG. 1, the connection control system of the present embodiment is assumed to be a connection control device 10 that controls disconnection / recovery of a connection and a device that is a target of connection cutoff / recovery (hereinafter referred to as an unauthorized device 20). ), A device to which the unpermitted device 20 is connected (hereinafter, referred to as a permitted device 30), and an external device 40 that instructs connection blocking / approval are connected via a TCP / IP network. Is done.

  Note that the unpermitted device 20 and the permitted device 30 include means for executing transmission / reception of an ARP packet, and the external device 40 issues a connection blocking / approval command to any device on the network. It is assumed that a means for transmitting is provided. In addition, here, for ease of explanation, a case is shown in which each device is provided on the network, but the number of unpermitted devices 20, permitted devices 30, and external devices 40 is not limited. The form of each device is arbitrary, and can be, for example, a computer device, a storage device, a PDA (Personal Digital Assistants), a mobile phone, or the like.

  As shown in FIG. 2, the connection control device 10 includes, as means for connection control according to the present embodiment, an external command reception unit 11, an ARP transmission unit 12, an approval list control unit 13, and a fake ARP transmission list control. Unit 14.

  The external command receiving unit 11 is a unit that receives a command transmitted by the external device 40 connected to the same network, and includes a blocking command receiving unit 11a that receives a blocking command and an approval command receiving unit 11b that receives an approval command. Prepare.

  The ARP transmission unit 12 is a means for transmitting an ARP packet to a device connected to the same network, and includes a forged ARP transmission unit 12a for transmitting a forged ARP packet, a recovery ARP transmission unit 12b for transmitting a recovery ARP packet, Is provided.

  The approval list control unit 13 is a means for managing information related to the devices approved by the administrator, and includes an approval list storage unit 13a for storing a list in which the above information is described (hereinafter referred to as an approval list). In this embodiment, the IP address and MAC address of the permitted device 30 are stored in this approval list.

  The camouflaged ARP transmission list control unit 14 is a means for managing information related to a device to which the ARP transmitter 12 transmits a camouflaged ARP packet, and stores a list in which the information is described (hereinafter referred to as a camouflaged ARP transmission list). The camouflaged ARP transmission list storage unit 14a is provided. In the present embodiment, the spoofed ARP transmission list stores the IP address and MAC address of the unauthorized device 20, the MAC address of the transmission destination of the spoofed ARP packet, and the IP address described in the spoofed ARP packet.

  The external command reception unit 11, the ARP transmission unit 12, the approval list control unit 13, and the camouflaged ARP transmission list control unit 14 may be configured as hardware in the connection control device 10, or the computer may be configured to receive an external command. The control program may be configured to operate as at least one of the unit 11, the ARP transmission unit 12, the approval list control unit 13, and the impersonation ARP transmission list control unit 14, and the control program may be operated on the connection control device 10. . Further, the approval list storage unit 13a and the camouflaged ARP transmission list storage unit 14a may be provided inside the connection control device 10 or may be provided outside.

  The operation of the connection control system having the above configuration will be described below.

  Initially, with reference to FIG. 3, the operation | movement when the connection control apparatus 10 receives the interruption | blocking instruction | command of the non-permitted apparatus 20 from the external apparatus 40 is demonstrated.

  First, in step S101, the external command receiving unit 11 (shut-off command receiving unit 11a) of the connection control device 10 monitors the command data from the external device 40. When the command data is received from the external device 40, in step S102, The command data is analyzed to determine whether the command is a shut-off command or an approval command. Here, it is determined that the command is a shut-off command.

  This blocking command data is configured as shown in FIG. 5, for example, and the IP address and MAC address of the device to be blocked (here, the unauthorized device 20) and the MAC address of the transmission destination of the spoofed ARP packet And an IP address described in the camouflaged ARP packet.

  FIG. 5 is a command for transmitting a spoofed ARP packet (unicast transmission) to the unauthorized device 20 and transmitting a spoofed ARP packet (broadcast transmission) to all devices on the network. A command may be used to transmit a spoofed ARP packet (unicast transmission) to the device 20 and to transmit a spoofed ARP packet (unicast transmission) to a specific permitted device 30 to which the unpermitted device 20 transmits an ARP packet. .

  Next, in step S103, the approval list control unit 13 has a combination of the IP address and MAC address of the unpermitted device 20 to be blocked by the block command data in the approval list stored in the approval list storage unit 13a. Find out. If it does not exist, the process skips to step S105. If it does exist, the IP address and MAC address of the unpermitted device 20 to be blocked are deleted from the approval list in step S104.

  This process is a process of excluding from the approval list even if the apparatus is registered in the approval list, when it receives a blocking command from the external apparatus 40, and will be described later on this apparatus by excluding it from the approval list. A recovery ARP packet is transmitted to restore the connection.

  Next, in step S105, the ARP transmitter 12 (spoofed ARP transmitter 12a) transmits a spoofed ARP packet according to the instruction of the cutoff command data. This spoofed ARP packet is configured as shown in FIG. 9, for example, and includes a correct IP address and a false MAC address of the specific permitted device 30 that are unicast transmitted to the unauthorized device 20 to be blocked. The packet includes an included packet and a packet including a correct IP address and a false MAC address of the unauthorized device 20 to be blocked, which are broadcast to all devices on the network.

  Instead of broadcasting the latter spoofed ARP packet, a spoofed ARP packet including the correct IP address and false MAC address of the unauthorized device 20 to be blocked is sent to the specific authorized device 30. Unicast transmission is also possible.

  By transmitting such a camouflaged ARP packet, the unpermitted device 20 to be blocked registers the regular IP address and false MAC address of the specific permitted device 30 in the ARP table of the own device. It becomes impossible to connect to a specific authorized device 30. Further, the other device registers the correct IP address and false MAC address of the unpermitted device 20 to be blocked in the ARP table of its own device, so that it can connect to the unpermitted device 20 to be blocked. become unable.

  Next, in step S106, the camouflaged ARP transmission list control unit 14 adds the combination of the IP address and MAC address of the unauthorized device 20 to be blocked to the camouflaged ARP transmission list stored in the camouflaged ARP transmission list storage unit 14a. If it does exist, the process is terminated, and if it does not exist, the information of the transmitted forged ARP packet is registered in the forged ARP transmission list in step S107.

  This spoofed ARP transmission list is configured, for example, as shown in FIG. 8, and, similar to the block command data in FIG. 5, the IP address and MAC address of the unauthorized device 20 to be blocked, and the transmission destination of the spoofed ARP packet The MAC address and the IP address described in the camouflaged ARP packet are registered. When a spoofed ARP packet is unicast transmitted to a specific authorized device 30, the MAC address (lower MAC address) of the destination of the spoofed ARP packet is the MAC address of the specific authorized device 30.

  This process is necessary for restoring the connection of the device that has transmitted the forged ARP packet when an approval command is received. By registering in the forged ARP transmission list, a later-described recovered ARP packet is transmitted. Connection is restored.

  Thereafter, in step S108, the connection control device 10 confirms that the communication of the non-permitted device 20 to be blocked is cut off, and the non-permitted to be a block target for the external device 40 that has transmitted the block command data. Notify that the connection of the device 20 has been cut off.

  Next, with reference to FIG. 3 and FIG. 4, an operation when the connection control device 10 receives an approval command from the external device 40 will be described.

  Similarly to the above, in step S101, the external command receiving unit 11 (approval command receiving unit 11b) of the connection control device 10 monitors the command data from the external device 40, and receives the command data from the external device 40. In S102, the command data is analyzed to determine whether the command is a shut-off command or an approval command. Here, it is determined that the command is an approval command.

  This approval command data is configured as shown in FIG. 6, for example, and includes the IP address and MAC address of the device to be approved (here, the blocked unpermitted device 20).

  Next, in step S109, the approval list control unit 13 checks whether the combination of the IP address and the MAC address of the non-permitted device 20 to be approved is registered in the approval list stored in the approval list storage unit 13a. . If it is registered, the process is terminated because it is not necessary to approve it again. If it is not registered, the IP address and MAC address information of the unpermitted device 20 to be approved is displayed in the approval list in step S110. sign up.

  Next, in step S111, the camouflaged ARP transmission list control unit 14 has a combination of the IP address and MAC address of the unauthorized device 20 to be approved exists in the camouflaged ARP transmission list stored in the camouflaged ARP transmission list 14a. If it does not exist, it can be determined that the connection is not interrupted, and the process is terminated.

  On the other hand, if it exists, the camouflaged ARP transmission list control unit 14 acquires information of the camouflaged ARP packet (the MAC address of the camouflaged ARP transmission destination and the IP address specified by the camouflaged ARP packet) from the camouflaged ARP transmission list, The recovery ARP transmission unit 12b is notified. Further, the approval list control unit 13 searches the approval list using the IP address designated by the camouflaged ARP packet as a key, acquires a correct MAC address corresponding to the IP address, and notifies the recovery ARP transmission unit 12b.

  In step S112, the ARP transmission unit 12 (recovery ARP transmission unit 12b) transmits the recovery ARP packet in which the correct MAC address is specified to the destination device of the spoofed ARP packet (see FIG. 4). This restoration ARP packet is configured as shown in FIG. 10, for example, and is composed of a packet that is unicasted to the unauthorized device 20 to be approved and a packet that is broadcasted to all devices on the network. Is done.

  Instead of broadcasting the latter recovery ARP packet, the IP address of the non-permitted device 20 to be approved is correct to the specific permitted device 30 to which the non-permitted device 20 to be approved has transmitted the ARP packet. A restored ARP packet including the MAC address can also be unicasted.

  By transmitting such a restored ARP packet, the unpermitted device 20 to be approved registers the IP address and correct MAC address of the specific permitted device 30 in the ARP table of the own device. It becomes possible to connect to the permitted device 30. Further, since the other device registers the IP address and the correct MAC address of the unauthorized device 20 to be authorized in the ARP table of the own device, it can be connected to the unauthorized device 20 to be authorized. become.

  Next, in step S113, the camouflaged ARP transmission list control unit 14 deletes the information of the camouflaged ARP packet registered in step S107 from the camouflaged ARP transmission list.

  Thereafter, in step S114, the connection control device 10 transmits an ARP packet to the unauthorized device 20 to be approved, confirms that the correct MAC address has been returned, and transmits the approval command data to the external device 40 that has transmitted the approval command data. Thus, it is notified that the connection of the unauthorized device 20 to be approved has been restored.

  As described above, when the external command receiving unit 11 (blocking command receiving unit 11a) receives a blocking request from the external device 40, the ARP transmitting unit 12 (spoofed ARP transmitting unit 12a) uses a spoofed ARP packet having a false MAC address. To interrupt communication between devices. Further, the camouflaged ARP transmission list control unit 14 registers the information of the transmitted camouflaged ARP packet in the camouflaged ARP transmission list, and the approval list control unit 13 deletes the information of the device to be blocked from the approval list.

  Further, when the external command receiving unit 11 (approval command receiving unit 11b) receives the approval command of the device that has been blocked from the external device 40, the ARP transmitting unit 12 (recovered ARP transmitting unit 12b) has the recovery ARP having the correct MAC address. A packet is transmitted to restore communication between devices. Further, the camouflaged ARP transmission list control unit 14 deletes the information of the transmitted camouflaged ARP packet from the camouflaged ARP transmission list, and the approval list control unit 13 registers the information of the device to be approved in the approval list.

  As a result, the ARP table held by the unpermitted device 20 and the permitted device 30 can be updated as appropriate, and the disconnection / recovery of the connection can be controlled quickly and reliably without imposing a load on the administrator. .

  In the above embodiment, the spoofed ARP packet and the recovery ARP packet are transmitted to the unauthorized device 20, and the spoofed ARP packet and the recovery ARP packet are transmitted to all devices on the network (or a specific permitted device 30). However, it is possible to adopt a configuration in which the spoofed ARP packet and the restored ARP packet are transmitted only to the unauthorized device 20.

  In the above-described embodiment, the connection / disconnection of the unauthorized device 20 has been described as an example. However, the present invention is not limited to the above-described embodiment, and the connection / disconnection of the permitted device 30 is blocked / recovered. The same applies to the case.

  Furthermore, in the above-described embodiment, the ARP packet is transmitted. However, the present invention can be applied to a case where a packet other than the ARP packet is transmitted.

  The present invention is applicable to an arbitrary connection control device connected to a plurality of devices over a network and a connection control method in the connection control device.

It is a figure which shows the structural example of the connection control system which concerns on one Example of this invention. It is a block diagram which shows the structural example of the connection control apparatus which concerns on one Example of this invention. It is a flowchart figure which shows operation | movement when there exists a cutting | disconnection instruction | command or approval instruction | indication of the connection control apparatus which concerns on one Example of this invention. It is a figure which shows operation | movement in the case of restoring a connection of the connection control system which concerns on one Example of this invention. It is a figure which shows the structural example of the interruption | blocking command data which concerns on one Example of this invention. It is a figure which shows the structural example of the approval command data which concerns on one Example of this invention. It is a figure which shows the example of registration of the approval list based on one Example of this invention. It is a figure which shows the example of registration of the camouflaged ARP transmission list which concerns on one Example of this invention. It is a figure which shows the structural example of the camouflaged ARP packet which concerns on one Example of this invention. It is a figure which shows the structural example of the recovery ARP packet which concerns on one Example of this invention. It is a figure which shows the structural example of the unauthorized connection prevention system of patent document 1. FIG. It is a figure which shows the operation example of the unauthorized connection prevention system of patent document 1. FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Connection control apparatus 11 External command reception part 11a Blocking instruction reception part 11b Approval command reception part 12 ARP transmission part 12a Impersonation ARP transmission part 12b Recovery ARP transmission part 13 Approval list control part 13a Approval list memory | storage part 14 Impersonation ARP transmission list control part 14a Impersonation ARP transmission list storage unit 20 Unpermitted device 30 Permitted device 40 External device 110 Connection control device 111 Approval list storage unit 120 Unpermitted device 130 Permitted device

Claims (14)

A connection control device connected to a network including an unpermitted device that is not permitted to connect, an permitted device that is permitted to connect, and an external device that transmits a command,
When a blocking command for the unauthorized device is received from the external device, at least the unauthorized device transmits a packet including false address information of the authorized device,
A connection control device comprising at least means for transmitting a packet including correct address information of the permitted device to at least the unauthorized device when an approval command for the unauthorized device is received from the external device. . A connection control device connected to a network including an unpermitted device that is not permitted to connect, an permitted device that is permitted to connect, and an external device that transmits a command,
When a blocking instruction for the unauthorized device is received from the external device, a spoofed ARP packet including a correct IP address and a false MAC address of the authorized device is transmitted to the unauthorized device, and at least the permitted Send a spoofed ARP packet containing the correct IP address and false MAC address of the unauthorized device to
When an approval command for the unauthorized device is received from the external device, a recovery ARP packet including a correct IP address and a correct MAC address of the permitted device is transmitted to the unauthorized device, and at least the permitted A connection control apparatus, comprising: a device including at least means for transmitting a recovery ARP packet including a correct IP address and a correct MAC address of the unauthorized device. When the blocking instruction is received from the external device, the information of the transmitted spoofed ARP packet is registered in the spoofed ARP transmission list,
Means for transmitting the recovery ARP packet with reference to the forged ARP transmission list when the approval command is accepted from the external device, and then deleting the information of the transmitted forged ARP packet from the forged ARP transmission list The connection control device according to claim 2, further comprising: The connection control device includes at least an external command reception unit, an approval list control unit, an ARP transmission unit, and a camouflaged ARP transmission list control unit,
The external command receiving unit receives a blocking command for the unauthorized device from the external device,
The approval list control unit deletes the information on the non-permitted device from the approval list when the information on the non-permitted device exists in an approval list that describes information on a device that approves connection.
The ARP transmission unit refers to the blocking instruction and transmits a spoofed ARP packet including a correct IP address and a false MAC address of the permitted device to the unauthorized device, and the connection in the network. Sending a spoofed ARP packet containing the correct IP address and false MAC address of the unauthorized device to a device directly connected to the control device;
The connection control device according to claim 2 or 3, wherein the camouflaged ARP transmission list control unit registers information of the transmitted camouflaged ARP packet in a camouflaged ARP transmission list. The external command receiving unit receives an approval command for the unauthorized device from the external device,
The approval list control unit, when the information on the unauthorized device does not exist in the approved list, registers the information on the unauthorized device in the approved list,
The ARP transmission unit refers to the approval list and the fake ARP transmission list, and transmits a recovery ARP packet including a correct IP address and a correct MAC address of the permitted device to the unauthorized device, and Send a recovery ARP packet containing the correct IP address and correct MAC address of the unauthorized device to all devices connected to the network;
5. The connection control apparatus according to claim 4, wherein the forged ARP transmission list control unit performs control to delete information of the transmitted forged ARP packet from the forged ARP transmission list. In a network system including at least an unpermitted device that is not permitted to be connected, an permitted device that is permitted to be connected, an external device that transmits a command, and a connection control device that controls disconnection / recovery of the connection A connection control method,
The connection control device includes:
When a blocking command for the unauthorized device is received from the external device, at least the unauthorized device transmits a packet including false address information of the authorized device,
A connection control method comprising: transmitting a packet including correct address information of an authorized device to at least the unauthorized device when an approval command for the unauthorized device is received from the external device. In a network system including at least an unpermitted device that is not permitted to be connected, an permitted device that is permitted to be connected, an external device that transmits a command, and a connection control device that controls disconnection / recovery of the connection A connection control method,
The connection control device includes:
When a blocking instruction for the unauthorized device is received from the external device, a spoofed ARP packet including a correct IP address and a false MAC address of the authorized device is transmitted to the unauthorized device, and at least the permitted Send a spoofed ARP packet containing the correct IP address and false MAC address of the unauthorized device to
When an approval command for the unauthorized device is received from the external device, a recovery ARP packet including a correct IP address and a correct MAC address of the permitted device is transmitted to the unauthorized device, and at least the permitted A connection control method, comprising: transmitting a recovery ARP packet including a correct IP address and a correct MAC address of the unauthorized device to a device. The connection control device includes:
When the blocking instruction is received from the external device, the information of the transmitted spoofed ARP packet is registered in the spoofed ARP transmission list,
When the approval command is received from the external device, the recovery ARP packet is transmitted with reference to the forged ARP transmission list, and then the information of the transmitted forged ARP packet is deleted from the forged ARP transmission list. The connection control method according to claim 7. In a network system including at least an unpermitted device that is not permitted to be connected, an permitted device that is permitted to be connected, an external device that transmits a command, and a connection control device that controls disconnection / recovery of the connection A connection control method,
The connection control device includes:
From the external device, accepting a cutoff command of the unauthorized device,
It is determined whether the information on the unauthorized device exists in an approval list that describes information on a device that approves connection, and if present, deletes the information on the unauthorized device from the approved list,
With reference to the blocking command, a spoofed ARP packet including a correct IP address and a false MAC address of the permitted device is transmitted to the unauthorized device, and is directly connected to the connection control device in the network. Sending a spoofed ARP packet containing the correct IP address and false MAC address of the unauthorized device to the device,
A connection control method comprising registering information of a transmitted spoofed ARP packet in an ARP transmission list. The connection control device further includes:
Accepting an approval command for the unauthorized device from the external device,
Determine whether the information on the unauthorized device exists in the approval list, and if not, register the information on the unauthorized device in the approval list,
Referring to the approval list and the spoofed ARP transmission list, a recovery ARP packet including a correct IP address and a correct MAC address of the permitted device is transmitted to the unauthorized device, and connected to the network. , Send a recovery ARP packet containing the correct IP address and correct MAC address of the unauthorized device;
The connection control method according to claim 9, wherein information on the transmitted forged ARP packet is deleted from the forged ARP transmission list. The connection control device further includes:
After the recovery ARP packet is transmitted, an ARP packet is transmitted to the unauthorized device, and when a normal ARP packet is received from the unauthorized device, the external device is notified that the connection of the unauthorized device has been restored. The connection control method according to claim 10. A control program that operates on a connection control device connected to a network including an unpermitted device that is not permitted to connect, an permitted device that is permitted to connect, and an external device that transmits a command,
Computer
When a blocking command for the unauthorized device is received from the external device, at least the unauthorized device transmits a packet including false address information of the authorized device,
A control program that causes at least the unpermitted device to function as a means for transmitting a packet including correct address information of the permitted device when an approval command for the unpermitted device is received from the external device. . A control program that operates on a connection control device connected to a network including an unpermitted device that is not permitted to connect, an permitted device that is permitted to connect, and an external device that transmits a command,
Computer
When a blocking instruction for the unauthorized device is received from the external device, a spoofed ARP packet including a correct IP address and a false MAC address of the authorized device is transmitted to the unauthorized device, and at least the permitted Send a spoofed ARP packet containing the correct IP address and false MAC address of the unauthorized device to
When an approval command for the unauthorized device is received from the external device, a recovery ARP packet including a correct IP address and a correct MAC address of the permitted device is transmitted to the unauthorized device, and at least the permitted A control program for causing a device to function as means for transmitting a recovery ARP packet including a correct IP address and a correct MAC address of the unauthorized device. Computer,
When the blocking instruction is received from the external device, the information of the transmitted spoofed ARP packet is registered in the spoofed ARP transmission list,
Means for transmitting the recovery ARP packet with reference to the forged ARP transmission list when the approval command is accepted from the external device, and then deleting the information of the transmitted forged ARP packet from the forged ARP transmission list 14. The control program according to claim 13, wherein the control program is made to function as.

Images