JP2009278178A - Device and method for distributing security parameter - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a security parameter distributing device and a security parameter distribution method, capable of setting an appropriate security level according to an installation place and distributing a security parameter required for setting the security communication of the security level to a terminal. <P>SOLUTION: The security parameter distributing device 1 has: an information holding means for holding information on concentrators 3-5 included in the same data link; a security level decision means for deciding the security level from the information on the concentrators connected to a first terminal held by the information holding means and those connected to a second terminal, when the security parameter, which is needed for the setting of the security communication to the terminal, is required; and a security parameter distribution means for distributing the security parameter having communication conditions according to the security level to the first and second terminals. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a security parameter distribution apparatus and a security parameter distribution method, and more particularly to a security parameter distribution apparatus and a security parameter distribution method for distributing security parameters necessary for setting of security communication between terminals to terminals.

  With the recent increase in information security awareness, for example, terminals such as PCs connected to an in-house LAN are desired to apply an appropriate security level to each communication partner terminal. Between terminals, for example, a protocol called IPsec (Internet Protocol Security) can be used as a security technique for general use in a TCP / IP environment (see, for example, Patent Documents 1 and 2). IPsec is a secure communication protocol realized by Layer3.

  IPsec basically secures communication between two points, and supports an encryption function that prevents a third party from stealing communication contents and an authentication function that avoids session hijacking by a third party. . In IPsec, a fine security level can be set by setting. However, in IPsec, when the security level is increased, the communication speed decreases, and when the security level is decreased, the communication speed increases.

In this way, a terminal such as a PC connected to the in-house LAN can use different IPsec communication at different security levels depending on the communication partner's terminal. The user was able to set in detail whether to do.
JP 2007-135083 A JP 2007-235853 A

  Conventionally, a terminal such as a PC connected to an in-house LAN uses a different security level for IPsec communication depending on the communication partner terminal. For example, the security level is set in association with the MAC address of the communication partner terminal. . However, when the terminal is a portable notebook PC or the like, there are the following problems.

  For example, there are various places with different security levels, such as reception rooms with many visitors and server rooms where only employees enter. Between terminals such as PCs installed in a server room with a high security level, the security level of the server room itself is high, so the IPsec security level is set low.

  When a terminal such as a PC with a low IPsec security level installed in a server room with a high security level is carried and used in a low security level such as a reception room, the IPsec security level is It is desirable to reset it so that it becomes higher.

  However, while the IPsec security level can be set finely, the setting is very complicated. When the terminal is a portable terminal such as a notebook PC, it is not realistic for the user to reset the IPsec security level according to the security level of the place every time the terminal is moved to a new place. It was.

  Note that terminals such as PCs connected to the in-house LAN set the security level of the other party's terminal in association with the MAC address, etc. that does not change even if the installation location changes. It was difficult to detect the movement to a new location, and it was difficult to automatically reset the security level. As described above, the conventional terminal has a problem that it is not possible to easily set an appropriate security level according to the place where the terminal is installed.

  The present invention has been made in view of the above points. A security level that sets an appropriate security level in accordance with an installed location and can distribute security parameters necessary for setting security communication at the security level to terminals. It is an object to provide a parameter distribution device and a security parameter distribution method.

  In order to solve the above-mentioned problems, the present invention provides a security parameter distribution device that distributes security parameters necessary for setting up security communication between terminals to the terminals, and collects the terminals included in the same data link. Concentrator information holding means for holding apparatus information, and the first terminal held by the concentrator information holding means when a security parameter required for setting security communication with the second terminal is requested from the first terminal. Security level determination means for determining a security level from information on the line concentrator connected to the second terminal and the line concentrator connected to the second terminal, and security parameters with uniform communication conditions according to the security level. Security parameter distribution means distributed to the first terminal and the second terminal And wherein the Rukoto.

  In addition, what applied the component, expression, or arbitrary combination of the component of this invention to a method, an apparatus, a system, a computer program, a recording medium, a data structure, etc. is also effective as an aspect of this invention.

  According to the present invention, a security parameter distribution device and a security parameter distribution capable of setting an appropriate security level according to an installed location and distributing security parameters necessary for setting security communication at the security level to terminals. A method can be provided.

  Next, the best mode for carrying out the present invention will be described based on the following embodiments with reference to the drawings. In this embodiment, IPsec communication will be described as an example of security communication.

  FIG. 1 is a configuration diagram of an embodiment of a network system according to the present invention. The network system in FIG. 1 has a configuration including a security server 1, a router 2, hubs 3 to 5, master terminals 6 to 8 and terminals 9 to 11. The security server 1 is an example of a security parameter distribution device. The hubs 3 to 5 are examples of the concentrator.

  The network system in FIG. 1 represents a network topology (network form) of data links divided by the router 2. Security server 1, hubs 3-5, master terminals 6-8, and terminals 9-11 are nodes connected to the same data link. The network system in FIG. 1 represents an example in which the security server 1 is directly under the router 2. A node connected to the data link can be identified by using the MAC address. That is, the network system shown in FIG.

  The security server 1 distributes IPsec parameters used for IPsec communication to the master terminals 6 to 8 and the terminals 9 to 11 as described later. The hub 3 collects and connects the master terminal 6 and the terminal 9. The hub 4 collects and connects the hub 5 and the master terminal 7. The hub 5 collects and connects the master terminal 8 and the terminals 10 and 11.

  One master terminal 6 to 8 that exists immediately below each hub 3 to 5 is a terminal that is a key for specifying each hub 3 to 5. The master terminals 6 to 8 may be PCs, but are desirably terminals with little movement after installation. As a terminal that moves less after installation, a multifunction peripheral (MFP) or a whiteboard that can be connected to a data link can be used. Terminals 9 to 11 perform IPsec communication.

  Each of the hubs 3 to 5 is installed in various places having different encryption strength levels (security levels). The terminals 9 to 11 are identified by the hubs 3 to 5 to which the terminals 9 to 11 are installed as described below.

  FIG. 2 is a block diagram of another embodiment of the network system according to the present invention. The network system of FIG. 2 has a configuration in which the security server 1 of the network system of FIG. 1 is not provided and the master terminal 6 is replaced with a security server / master terminal 20. The network system in FIG. 2 represents an example in which the position of the security server 1 in FIG. 1 is not directly under the router 2. The network system of FIG. 2 represents an example in which the security server 1 of FIG.

  As shown in the network system of FIG. 2, the position of the security server 1 of FIG. 1 does not necessarily need to be directly under the router 2. Further, when the security server 1 in FIG. 1 is connected to the hub 3 that is not directly under the router 2, it always becomes the security server / master terminal 20 that also serves as the master terminal 6 in FIG. 1. The other configuration is the same as that of the network system of FIG.

  FIG. 3 is a functional configuration diagram of an example of the security server. The security server 1 includes each terminal information holding unit 31, each hub information holding unit 32, an IPsec level information holding unit 33, a hub information setting function unit 34, an IPsec level determination function unit 35, an IPsec parameter distribution function unit 36, and an LLTD mapper function. Unit 37, LLTD responder function unit 38, and network interface 39.

  Each terminal information holding unit 31 holds terminal information for each terminal shown in FIG. FIG. 4 is an exemplary image diagram showing terminal information for each terminal. The terminal information for each terminal in FIG. 4 includes an IPv4 address, an IPv6 address, a host name, a MAC address, information indicating the presence / absence of an IPsec function, information indicating whether or not the terminal is a master terminal, and an identifier of a parent hub (or router).

  Each hub information holding unit 32 holds hub information for each hub shown in FIG. FIG. 5 is an image diagram showing an example of hub information for each hub. The hub information for each hub in FIG. 5 includes information representing the identifier of the hub itself, the MAC address of the connected master terminal, the identifier of the parent hub (or router), and the IPsec setting.

  The information indicating the IPsec setting includes an encryption strength level, an IPsec parameter applied to the communication with the hub having the encryption strength level “strong”, an IPsec parameter applied to the communication with the hub having the encryption strength level “medium”, and the encryption The IPsec parameter applied to the communication to the hub of the strength level “weak” and the IPsec parameter applied to the communication within the same hub are included.

  The IPsec level information holding unit 33 holds the IPsec level information shown in FIG. FIG. 6 is an image diagram showing an example of IPsec level information. In the IPsec level information of FIG. 6, an encryption algorithm and an authentication algorithm for each encryption strength level are set.

  The hub information setting function unit 34 is a function for causing the user to set hub information for each hub held in each hub information holding unit 32. The hub information setting function unit 34 displays, for example, a hub information setting screen on a display device such as a display, and allows the user to input hub information from the setting screen.

  The IPsec level determination function unit 35 is a function for determining the encryption strength level used for IPsec communication when starting IPsec communication between terminals. The IPsec parameter distribution function unit 36 is a function that reads out the IPsec parameters based on the encryption strength level determined by the IPsec level determination function unit 35 from each hub information holding unit 32 and distributes it to the terminal that starts the IPsec communication.

  The LLTD mapper function 37 conforms to the specification of LLTD (Link Layer Topology Discovery), and is a function of determining a network topology by searching for a node via the data link layer (layer 2).

  Specifically, the LLTD mapper function 37 exchanges messages with the LLTD responder functions such as the master terminals 6 to 8 and the terminals 9 to 11 included in the same data link, and data from the exchanged messages. By determining the network topology in the link, network topology information (network configuration information) representing the network form in the data link is acquired.

  The LLTD mapper function 37 receives an LLTD response from the LLTD responder functions such as the master terminals 6 to 8 and the terminals 9 to 11 included in the same data link by broadcasting an LLTD query. The LLTD mapper function 37 determines the network topology based on the LLTD response returned from the LLTD responder functions such as the master terminals 6 to 8 and the terminals 9 to 11 included in the same data link.

  Since the technique for determining the network topology based on the LLTD response returned from the LLTD responder function is well known, the description thereof is omitted. The security server 1 also has an LLTD responder function 38 in addition to the LLTD mapper function 37. The LLTD mapper function 37 is an example of a network configuration information acquisition unit.

  The administrator (user) of the network system according to the present invention performs IPsec setting according to the procedure of the flowchart shown in FIG. FIG. 7 is a flowchart illustrating an example of an IPsec setting process performed by the security server. The IPsec setting processing procedure performed by the security server 1 is started, for example, by a predetermined operation (mouse click, command input, etc.) by the administrator.

  In step S1, the LLTD mapper function 37 of the security server 1 exchanges messages with the LLTD responder functions such as the master terminals 6-8 and terminals 9-11 included in the same data link as described above. To obtain network topology information representing the network configuration in the data link.

  The LLTD packet as a message received from the LLTD responder function such as the master terminals 6 to 8 and the terminals 9 to 11 in which the LLTD mapper function 37 is included in the same data link includes information as shown in FIG. FIG. 8 is a configuration diagram of an example of an LLTD packet.

  The LLTD packet shown in FIG. 8 includes information defined by the protocol specification of LLTD and information to be sent to the security server 1 in a unique format. Information defined by the protocol specification of LLTD includes an IPv4 address, an IPv6 address, a host name, and a MAC address. The information sent to the security server 1 in the unique format includes information indicating the presence / absence of the IPsec function and information indicating whether the terminal is a master terminal.

  In step S <b> 2, the hub information setting function unit 34 refers to each terminal information holding unit 31 and each hub information holding unit 32 to acquire the network topology information held in the security server 1. The hub information setting function unit 34 determines whether or not there is a change in the network topology information acquired in step S1, as compared with the network topology information held in the security server 1.

  If there is no change, the hub information setting function unit 34 proceeds to step S4, and displays the IPsec setting screen shown in FIG. 9 on a display device such as a display with reference to each terminal information holding unit 31 and each hub information holding unit 32. To do. FIG. 9 is an image diagram of an example of the IPsec setting screen. The IPsec setting screen is synonymous with the hub information setting screen described above.

  The hub information setting function unit 34 displays an IPsec setting screen 90 including an LLTD result (topology map) based on the network topology information acquired in step S1 on the display device.

  On the other hand, if there is a change in the network topology information acquired in step S1, the hub information setting function unit 34 proceeds to step S3, and the network topology information among the hub information for each hub held in each hub information holding unit 32. The cipher strength level included in the hub information of the hub corresponding to the changed part is set to a default value. In step S4, the hub information setting function unit 34 refers to each terminal information holding unit 31 and each hub information holding unit 32, and displays the IPsec setting screen shown in FIG. 9 on a display device such as a display.

  When the administrator selects any hub from the IPsec setting screen 90, the hub information setting function unit 34 proceeds to step S5, and displays an individual IPsec setting screen 91 for performing IPsec setting for each hub on the display device.

  From the individual IPsec setting screen 91, the administrator uses the encryption strength level, the IPsec parameter applied to communication within the same hub, the IPsec parameter applied to communication to the hub of the encryption strength level “weak”, and the encryption strength level “medium”. It is possible to set an IPsec parameter to be applied to communication with a hub of the same type and an IPsec parameter to be applied to communication with a hub of encryption strength level “strong”.

  Upon receiving an IPsec setting change operation by the administrator, the hub information setting function unit 34 proceeds to step S6, and updates the hub information held by each hub information holding unit 32 based on the IPsec setting change received in step S5. Then, the process shown in the flowchart of FIG.

  When the terminal starts IPsec communication, the network system according to the present invention performs processing according to the procedure shown in the sequence diagram of FIG. 10 or FIG. FIG. 10 is a sequence diagram illustrating an example of a processing procedure when terminal B, which is a communication partner, is capable of IPsec communication among processing procedures when terminal A starts IPsec communication. Hereinafter, terminal A will be described as terminal 9, terminal B as terminal 10, and other terminals as terminal 11.

  In step S11, the terminal 9 requests the IPsec parameter distribution function unit 36 of the security server 1 for an IPsec parameter using the terminal 10 as a communication partner. The IPsec parameter distribution function unit 36 refers to information indicating the presence or absence of the IPsec function included in the terminal information of the terminal 10 held by each terminal information holding unit 31, and determines that the terminal 10 is capable of IPsec communication.

  In step S12, the LLTD mapper function unit 37 of the security server 1 transmits an LLTD query by broadcasting to the terminals 9 to 11 included in the same data link. In step S13, the LLTD mapper function unit 37 of the security server 1 receives an LLTD response from the terminals 9 to 11 that have received the LLTD query. Steps S12 and S13 are processes for obtaining network topology information in order to check whether or not the current network topology and the network topology at the time of IPsec setting shown in FIG. 7 are the same.

  The IPsec level determination function unit 35 determines IPsec parameters necessary for performing IPsec communication between the terminal 9 and the terminal 10 as described later. In step S 14, the IPsec parameter distribution function unit 36 distributes the IPsec parameters necessary for performing IPsec communication between the terminal 9 and the terminal 10 to the terminal 9 and the terminal 10.

  In step S15, the terminal 9 and the terminal 10 perform IKE negotiation according to the IPsec parameters distributed from the security server 1, and start IPsec communication.

  FIG. 11 is a sequence diagram illustrating an example of a processing procedure when terminal B, which is a communication partner, cannot perform IPsec communication among processing procedures when terminal A starts IPsec communication.

  In step S21, the terminal 9 requests the IPsec parameter distribution function unit 36 of the security server 1 for an IPsec parameter with the terminal 10 as a communication partner. The IPsec parameter distribution function unit 36 refers to the information indicating the presence / absence of the IPsec function included in the terminal information of the terminal 10 held by each terminal information holding unit 31, and determines that the terminal 10 is not capable of IPsec communication. In step S22, the IPsec parameter distribution function unit 36 notifies the terminal 9 that IPsec communication with the terminal 10 as a communication partner cannot be performed.

  When the terminal 10 that is the communication partner of the terminal 9 is unable to perform IPsec communication, the security server 1 determines that the distribution of the IPsec parameters to the terminals 9 and 10 is unnecessary, and the network topology information indicating the network form in the data link is obtained. The process is terminated without obtaining.

  FIG. 12 is a flowchart showing the processing procedure of the security server when terminal A starts IPsec communication. In FIG. 12, a terminal that starts IPsec communication is called terminal A, and a communication partner terminal is called terminal B.

  When receiving the request for the IPsec parameter from the terminal A, the IPsec parameter distribution function unit 36 proceeds to step S31, and refers to the information indicating the presence or absence of the IPsec function included in the terminal information of the terminal B held by each terminal information holding unit 31. Terminal B determines whether IPsec communication is possible.

  If the terminal B determines that IPsec communication is possible, the LLTD mapper function unit 37 proceeds to step S32, transmits an LLTD query by broadcast to the terminals included in the same data link, and receives an LLTD response from the terminal that has received the LLTD query. To obtain the current network topology information.

  When the current network topology information is acquired, the IPsec level determination function unit 25 proceeds to step S33, and determines whether or not the positions of the terminals A and B on the network system are the same as those at the time of IPsec setting shown in FIG. . If the positions of the terminals A and B on the network system are the same as when IPsec is set, the IPsec level determination function unit 25 proceeds to step S35, and the IPsec level is set for the hub to which the terminals A and B are connected. It is determined whether or not.

  Note that the hub to which the terminals A and B are connected is determined by the identifier of the parent hub included in the terminal information of the terminals A and B held by each terminal information holding unit 31. Whether or not the IPsec level is set for the hub to which the terminals A and B are connected is determined by the IPsec included in the hub information of the hub to which the terminals A and B held by each hub information holding unit 32 are connected. It is determined by information indicating the setting.

  If an IPsec level is not set for the hub to which the terminals A and B are connected, the IPsec level determination function unit 25 proceeds to step S36 and uses the default IPsec level. Note that the default value of the IPsec level is set so as to inherit the IPsec level of the parent hub, for example. If the IPsec level is set for the hub to which the terminals A and B are connected, the IPsec level determination function unit 25 proceeds to step S37, and the IPsec level already set for the hub to which the terminals A and B are connected. Is used.

  In step S33, if the positions of the terminals A and B on the network system are not the same as when IPsec is set, the IPsec level determination function unit 25 proceeds to step S34 and uses the default IPsec level.

  Then, the process proceeds to step S38 following steps S34, S36, and S37, and the IPsec level determination function unit 25 distributes the IPsec parameters necessary for performing IPsec communication according to the IPsec level to be used to the terminals A and B. Then, the process shown in FIG. If it is determined in step S31 that the terminal B is not capable of IPsec communication, the IPsec parameter distribution function unit 36 proceeds to step S39 and notifies the terminal A that the terminal B cannot perform IPsec communication. The process shown in FIG.

  As described above, according to the network system according to the present invention, even when a terminal is reconnected to a hub having a different encryption strength level, the terminal information for each terminal is newly set without being reset. By using information indicating the IPsec setting included in the hub information of the hub that has been reconnected, appropriate IPsec parameters can be distributed.

  Therefore, if the network system according to the present invention is used, different IPsec levels depending on the location where the hub is installed and IPsec parameters for each IPsec level of the communication partner can be easily set. Appropriate IPsec parameters can be distributed.

  The security server / master terminal 20 in FIG. 2 is a combination of the security server 1 and the master terminal 6 in FIG. 1, but is simply a combination of the processing of the security server 1 and the processing of the master terminal 6. Therefore, the description is omitted.

  The present invention is not limited to the specifically disclosed embodiments, and various modifications and changes can be made without departing from the scope of the claims.

It is a block diagram of one Example of the network system by this invention. It is a block diagram of the other Example of the network system by this invention. It is a function block diagram of an example of a security server. It is an image figure of an example showing the terminal information for every terminal. It is an image figure of an example showing hub information for every hub. It is an image figure of an example showing IPsec level information. It is a flowchart showing the processing procedure of the IPsec setting which a security server performs. It is a block diagram of an example of an LLTD packet. It is an image figure of an example of an IPsec setting screen. It is a sequence diagram of an example showing a processing procedure when terminal B, which is a communication partner, is capable of IPsec communication among processing procedures when terminal A starts IPsec communication. It is a sequence diagram showing an example of a processing procedure when terminal B, which is a communication partner, is unable to perform IPsec communication among processing procedures when terminal A starts IPsec communication. It is the flowchart showing the processing procedure of the security server when terminal A starts IPsec communication.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Security server 2 Router 3-5 Hub 6-8 Master terminal 9-11 Terminal 20 Security server and master terminal 31 Each terminal information holding part 32 Each hub information holding part 33 IPsec level information holding part 34 Hub information setting function part 35 IPsec Level decision function unit 36 IPsec parameter distribution function unit 37 LLTD mapper function unit 38 LLTD responder function unit 39 Network interface 90 IPsec setting screen 91 Individual IPsec setting screen

Claims (6)

A security parameter distribution device that distributes security parameters required for setting security communication between terminals to the terminals,
Concentrator information holding means for holding information on a concentrator that collects the terminals included in the same data link;
When the security parameter required for setting the security communication with the second terminal is requested from the first terminal, the line concentrator and the second terminal connected to the first terminal held by the line concentrator information holding unit Security level determining means for determining a security level from information of the line concentrator connected to
A security parameter distribution device comprising: security parameter distribution means for distributing security parameters having communication conditions according to the security level to the first terminal and the second terminal. Network configuration information acquisition means for searching for the terminal and the line concentrator included in the same data link and acquiring network configuration information representing a connection state of the terminal and the line concentrator;
Terminal information holding means for holding information on the terminals included in the same data link, and the network configuration information acquisition means receives the terminal information held by the terminal information holding means from the terminal. The security parameter distribution device according to claim 1, wherein the security parameter distribution device is included in the information. Based on the network configuration information acquired by the network configuration information acquisition means, a connection status display means for displaying on the display device the connection status of the terminal and the line concentrator included in the same data link;
When the concentrator is selected from the screen, a setting screen for inputting information of the selected concentrator is displayed on the display device, and the user is allowed to input the concentrator information, and the concentrator information is retained. 3. The security parameter distribution device according to claim 2, further comprising a concentrator information setting unit to be held by the unit.   4. The security parameter distribution apparatus according to claim 1, wherein a master terminal serving as key information for specifying the line concentrator is connected to the line concentrator.   5. The security parameter distribution device according to claim 1, wherein the information on the line concentrator includes a security parameter corresponding to the security level. A security parameter distribution method of a security parameter distribution device for distributing security parameters necessary for setting of security communication between terminals to the terminal,
When a security parameter required for setting security communication with the second terminal is requested from the first terminal, the security level determination means holds the information of the line concentrator that collects the terminals included in the same data link. Obtaining information on the line concentrator connected to the first terminal and the line concentrator connected to the second terminal from apparatus information holding means, and determining a security level;
A security parameter distribution method, comprising: a security parameter distribution unit that distributes security parameters having communication conditions according to the security level to the first terminal and the second terminal.

Images