JP2010026547A - Firewall load balancing method and firewall load balancing system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a firewall load balancing method and a firewall load balancing system for providing a service according to the request of a user. <P>SOLUTION: A firewall group is configured of three stages of load levels, such as a high load firewall 2, a middle load firewall 3, and a low load firewall 4 according to a service level selectable by a user. The service level optionally selected by the user is stored in a storage means 1a as management information 1d. When access is acquired from the user, a service level decision means 1f extracts identification information of the user, and retrieves management information 1d, and decides a service level selected by the user. A distribution means 1g distributes access to any of the high, middle, and low load firewalls 2, 3, and 4 corresponding to the decided service level. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a firewall load distribution method and a firewall load distribution system, and more particularly to a firewall load distribution method and a firewall load distribution system that distribute access by distributing access data from a user to a plurality of firewalls.

  In recent years, unauthorized access to applications on the Web (abbreviation of the World Wide Web; hereinafter referred to as the Web) has increased and has become a social problem. Firewalls (FireWalls) are widely used to prevent such unauthorized access. A conventional general firewall is a packet filter type that performs monitoring at a network level, and monitors access based on communication behavior, for example, a destination, a source IP address, a port number, and the like. However, such a conventional firewall cannot check the contents (contents) of http / https communication. Therefore, the introduction and use of Web Application Firewall (hereinafter referred to as WAF) as a firewall for dealing with threats such as attacks targeting Web sites and attacks aimed at databases (hereinafter referred to as DB). It is being advanced. In the following description, a conventional general firewall that performs monitoring at the network level is denoted as F / W, and is distinguished from all firewalls including F / W and WAF.

  The WAF performs management at the application level, for example, directly checks the input content passed to the program, and blocks access regarded as illegal. The WAF includes a reverse proxy type that operates as a reverse proxy and a transparent type that can be used as a transparent device. As security models, there are a positive security model that does not pass traffic that is not set, and a negative security model that passes only set traffic. Also, WAF is often used in combination with F / W.

  In a conventional outsourcing service using a firewall, a load balancer for load distribution is installed in the IDC (Internet Data Center) that provides the service, and data is distributed to the F / W or WAF configuring the cluster according to certain rules. . As the distribution rules, there are a round robin method, a method using CPU load, response time, and the like as indexes.

In addition to these indicators, there is a load balancing system that monitors the connection status / load of multiple firewalls and distributes data to firewalls with low connection loads to prevent load concentration on specific firewalls (for example, Patent Document 1). There is also an apparatus that detects unauthorized intrusion by packet inspection on a network and generates a policy for identifying a signature based on detected unauthorized access information (see, for example, Patent Document 2). Furthermore, there is an apparatus in which a corresponding Web server and a center-side policy server perform security management in cooperation with a firewall for access to a plurality of applications protected from a remote site (for example, Patent Document 3).
JP 2000-330897 A JP 2006-244141 A JP 2001-236319 A

However, the firewall load balancing performed in the conventional system has a problem that it cannot be differentiated according to the user contract on the outsourcing service.
As described above, in the conventional firewall load balancing, all normal data to be processed and unauthorized access data are equally distributed to the F / W server and the WAF server. For this reason, the influence of the capacity and performance due to the load occurs equally in the F / W server and WAF server under the load balancer.

  Here, there are a wide variety of user requests for outsourcing services, ranging from being able to endure a little high load if the service price is low to being high if the service price is low. That is, in the outsourcing service market, it is required to provide various service menus such as performance-oriented, price-oriented, and those located in the middle according to user needs. However, in the conventional system, access data is equally distributed to a plurality of firewalls, and the load cannot be distributed according to the service level desired by the user. For example, when there are a plurality of F / W servers or WAF servers having the same performance, the load is equally distributed to each server. . Therefore, it is not possible to present multiple service menus according to load distribution, such as price-oriented services that are inexpensive but high in load, and performance-oriented services that are effective but low in load. It was not possible to meet.

  The present invention has been made in view of these points, and an object of the present invention is to provide a firewall load distribution method and a firewall load distribution system capable of providing a service according to a user's request.

  In order to solve the above-described problem, a firewall load distribution method for distributing access by distributing access data from a user to a plurality of firewalls is provided. In the disclosed firewall load distribution method, when access data including the identification information of the transmission source user is received via the external network, the service level determination unit acquires the identification information of the transmission source user. Then, based on the acquired identification information of the transmission source user, the management information stored in the storage means that associates the service level selected by the user in advance with the identification information of the user is searched, and based on the searched management information Thus, the service level of the access data transmission source user is determined. Based on the service level of the transmission source user determined by the service level determination unit, the distribution unit selects a firewall corresponding to the service level of the transmission source user from a group of firewalls each having a load level corresponding to the service level. select. Then, the access data is distributed to the selected firewall.

  According to such a firewall load distribution method, each firewall included in the firewall group is set with a load level corresponding to a service level selectable by the user. The service level arbitrarily selected by the user is stored in the storage means as management information. When access data from a user is received, user identification information is acquired, and management information is searched using the user identification information. Then, the service level selected by the user is determined from the retrieved management information. Then, a firewall corresponding to the determined service level is selected, and access data is distributed to the selected firewall.

  In addition, in order to solve the above-described problems, a firewall load distribution system that executes the above-described firewall load distribution method is provided.

  According to the disclosed firewall load distribution method and firewall load distribution system, different load levels are set in the firewall according to service levels that can be selected by the user. Then, the received access data is distributed to a firewall having a load level corresponding to the service level selected by the transmission source user. As described above, since firewalls having different load levels are selected in accordance with the service level selected by the user, the user can arbitrarily select a service level having performance that meets the demands such as the purpose of use and budget. In addition, the service providing side can provide the user with a number of service menus that can be selected according to demand.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. First, the concept of the invention applied to the embodiment will be described, and then the specific contents of the embodiment will be described.
FIG. 1 is a conceptual diagram of the invention applied to the embodiment.

  The firewall load distribution system according to the embodiment includes a load distribution apparatus 1 connected to an external network, a firewall group including a high load firewall 2, a medium load firewall 3, and a low load firewall 4 in which different load levels are set; Have In the figure, the firewall group includes three types of load level firewalls of high load, medium load, and low load, but the number of firewalls to be arranged and the setting state of the load level are appropriately set according to the system. .

  The load balancer 1 includes a storage unit 1a for storing various types of information, an unauthorized intrusion prevention unit 1e for detecting and preventing unauthorized access through an external network, and a service level for determining the service level of the access data transmission source user. The determination unit 1f and the distribution unit 1g for distributing the access data are provided. The processing functions of the processing means are realized by the computer executing a program describing the processing procedure.

  The storage means 1a stores black list information 1b, signature information 1c, and management information 1d. The black list information 1b is a list that defines a blocking target that does not permit access. The IP address of the transmission source to be blocked is registered. The signature information 1c is definition information that describes the characteristics of access data that denies or permits access, such as attack patterns recognized in the past. Here, it is used as a negative security model that blocks an access pattern that matches a registered signature. The management information 1d is information defined by associating the service level selected by the user with the user identification information. The high load firewall 2, the medium load firewall 3, and the low load firewall 4 are set with load levels associated with service levels. Here, the load level of the high load firewall 2 is set to the maximum, and the load levels are set to be lower in the order of the medium load firewall 3 and the low load firewall 4. Since the load is kept low, a high service level is set for the low-load firewall 4 that is expected to have high performance. Conversely, since the load increases, a low service level is set in the high-load firewall 2 where performance is not expected. Further, an intermediate service level is set for the intermediate medium load firewall 3. On the service providing side, a usage fee is set according to the service level so that the higher the service level, the higher the usage fee. The user selects a service level according to the purpose of use or budget.

  The unauthorized intrusion prevention unit 1e reads the black list information 1b and the signature information 1c stored in the storage unit 1a, and blocks access data corresponding to registration. This prevents unauthorized access from entering. The access data permitted to pass is output to the service level determination means 1f.

  The service level determination unit 1f acquires the IP address of the access data transmission source. Then, the management information 1d stored in the storage unit 1a is searched, and the service level of the user corresponding to the acquired IP address of the transmission source is detected.

  The distribution unit 1g determines the access data distribution destination based on the service level detected by the service level determination unit 1f. When the lower service level is selected, the high load firewall 2 is selected and the access data is distributed. When the medium service level is selected, the medium load firewall 3 is selected and the access data is distributed. When the higher service level is selected, the low load firewall 2 is selected and the access data is distributed.

  In the figure, the load distribution device 1 is configured to include the unauthorized intrusion prevention unit 1e, the service level determination unit 1f, and the distribution unit 1g, but each processing unit may be realized by a separate computer.

  The high-load firewall 2 is a firewall server having the highest load level of data to be distributed, and includes a policy storage unit 2a, an unauthorized access learning unit 2b, and a policy distribution unit 2c. The policy storage unit 2a stores a policy for refusing or permitting the input access data, and a filter processing unit (not shown) performs access data passing or blocking processing based on the policy. The unauthorized access learning means 2b learns unknown unauthorized access that could not be detected by the unauthorized intrusion prevention means 1e of the load distribution apparatus 1. When a user who has made unauthorized access is newly detected, the host IP address of the detected user is added to the blacklist information 1b. When an unauthorized access pattern is newly detected, a signature pattern for identifying this unauthorized access is newly generated and added to the signature information 1c. Further, the signature information 1c and the policy information stored in the policy storage unit 2a are collated to check whether there is any contradiction. If there is a discrepancy, the signature or policy is updated to enhance security, that is, to deny access. If an access pattern denied by the signature rule is permitted by the policy, the policy setting is updated to deny the access pattern. When the access pattern denied by the policy is permitted by the signature, the signature is updated so as to deny the access pattern. When the policy is updated by the unauthorized access learning unit 2b, the policy distribution unit 2c transfers the updated latest policy to the medium load firewall 3 and the low load firewall 4.

  The medium load firewall 3 is a firewall server having a medium load level of data to be distributed. A policy storage unit 3a is provided, and a filter processing unit (not shown) performs a data filtering process based on a policy stored in the policy storage unit 3a. The policy information stored in the policy storage unit 3a is the same as the policy information stored in the policy storage unit 2a of the high-load firewall 2.

  The low-load firewall 4 is a firewall server having the lowest load level of data to be distributed. A policy storage unit 4a is provided, and a filter processing unit (not shown) performs a data filtering process based on a policy stored in the policy storage unit 4a. The policy information stored in the policy storage unit 4a is the same as the policy information stored in the policy storage unit 2a of the high-load firewall 2.

The operation of the firewall load distribution system having such a configuration and the firewall load distribution method will be described.
The storage unit 1a of the load balancer 1 stores black list information 1b, signature information 1c, and management information 1d. When the access data from the user is acquired via the external network, the unauthorized intrusion prevention unit 1e checks the access data based on the black list information 1b and the signature information 1c. As a result of the inspection, when it is determined that the access is normal, the access data is sent to the service level determination means 1f. If it is determined that the access is unauthorized, the access data is discarded and the communication is terminated. The service level determination unit 1f acquires the identification information of the access data transmission source user, searches the management information 1d based on this identification information, reads the user management information, and determines the service level selected by the user. The distribution unit 1g distributes the access data to either the high load firewall 2, the medium load firewall 3, or the low load firewall 4 according to the determined service level of the transmission source user.

  According to the firewall load distribution system described above, access data is distributed to firewalls having different load levels according to the service level selected by the transmission source user. As a result, the service providing side can distribute the load in accordance with the service level of the user, instead of distributing the load uniformly, so that the service can be differentiated in terms of performance. In addition, it is possible to provide more service menus with limited resources, such as a service with high performance due to low load and a service with low performance due to high load but low cost. For the user, it is possible to select an arbitrary service according to the purpose of use and the budget, and there is an advantage that convenience is improved.

  Furthermore, the high-load firewall 2 has unauthorized access learning means 2b and policy distribution means 2c, and learns unknown unauthorized access. When a new unauthorized access is detected, the black list information 1b and signature information 1c are updated. At this time, the signature information 1c and the policy stored in the policy storage unit 2a are collated, and if there is a contradiction, the signature information 1c or policy information is updated in a direction in which security is strengthened. The updated policy information is distributed to the medium load firewall 3 and the low load firewall 4. In this way, unauthorized access learning is concentrated on the high-load firewall 2 and the latest learning results are transferred to other medium-load firewalls 3 and low-load firewalls 4 later, thereby improving the efficiency of the latest unauthorized access countermeasures. be able to. In addition, since the unauthorized access learning function that imposes a burden on the server is not performed, an extra load is not applied to the medium load firewall 3 and the low load firewall 4, and the service quality can be maintained.

  In the above example, the unauthorized intrusion prevention means 1e is placed in the load distribution device 1 at the preceding stage of the firewall. However, a configuration without this is also possible. In this case, the access data input to the load balancer 1 is not subjected to unauthorized intrusion detection, and the high load firewall 2 and the medium load firewall are selected according to the service level selected by the user by the service level determination unit 1f and the distribution unit 1g. 3 or a low-load firewall. Then, the access data distribution destination firewall determines whether the access data is rejected or permitted. The unauthorized access learning unit 2b analyzes the log and the policy information, and if necessary, newly generates a policy for blocking unauthorized access and updates the policy information. The updated policy information is distributed to the medium load firewall 3 and the low load firewall 4 by the policy distribution means 2c.

Hereinafter, the embodiment will be described in detail with reference to the drawings, taking as an example a case where the embodiment is applied to an IDC in which a packet filter type F / W and a WAF are incorporated.
FIG. 2 is a configuration diagram illustrating an example of the firewall load distribution system according to the embodiment.

  The firewall load distribution system according to the embodiment includes a high load F / W 12a, a medium load F / W 12b, and F / W load balancers 11a and 11b and a subordinate F / W server group in an outsourcing service environment in the IDC 10. It has a low load F / W 12c, a high load WAF 15a, a medium load WAF 15b and a low load WAF 15c that constitute the WAF load balancers 14a and 14b and a subordinate WAF server group, a rich content server 17 and a plain content server 18. . Further, the user group 40 and each of the contract DB 31, the black list DB 32, the F / W signature DB 33, and the WAF signature DB 34 are connected to the IDC 10 via the Internet 20.

  The F / W side is located between the external Internet 20 and the internal network, and distributes inward traffic (from the external Internet 20 to the internal network) to each F / W F / W load balancer 11a, It has an F / W load balancer 11b, a high load F / W 12a, a medium load F / W 12b, and a low load F / W 12c that distribute outward traffic (from the internal network to the external Internet 20) to each F / W. The F / W load balancer 11a prevents unauthorized access and reduces the load on the F / W, and the user distribution that selects F / Ws with different load levels according to user contracts. It has a function. The high load F / W 12a is an F / W server in which the highest load level is set, and has an unauthorized access learning function and a policy distribution function. The low load F / W 12c is an F / W server in which the lowest load level is set, and the medium load F / W 12b is an F / W server in which a medium load level is set. The log 13 stores at least information related to unauthorized access detected by the high load F / W 12a as log information.

  The WAF side is located between the F / W group and the content server group. The WAF load balancer 14a distributes inbound traffic to each WAF, the WAF load balancer 14b distributes outbound traffic to each WAF, A load WAF 15a, a medium load WAF 15b, and a low load WAF 15c are included. The WAF load balancer 14a, like the F / W load balancer 11a, prevents known unauthorized access and reduces the load on the WAF, and the WAF with different load levels depending on the user's contract. Has a user distribution function for selecting. The high load WAF 15a is a WAF server to which the highest load level is set, and has an unauthorized access learning function and a policy distribution function. The low load WAF 15c is a WAF server in which the lowest load level is set, and the medium load WAF 15b is a WAF server in which a medium load level is set. The log 16 stores at least information related to unauthorized access detected by the high-load WAF 15a as log information.

  The rich content server 17 is a server that provides content with a high density of information including images and sounds. The plain content server 18 is a server that provides content composed of text, still images, and the like. There is also a service that prepares rich content and plain content of the same content and provides either one according to the performance of the user's computer.

  The hosts of the user group 40 connected to the IDC 10 via the Internet 20 are classified into a first class 41, a business class 42, and an economy class 43 according to the service level selected by the user. The service class provided by the user is determined by a contract with the user.

  The contract DB 31 is a DB that stores contract information with the user. The contract information includes identification information for identifying the user and the service level with which the user has contracted. The black list DB 32 is a DB in which IP addresses of hosts that have been involved in unauthorized access in the past are stored as black list information. The F / W signature DB 33 is a DB that stores F / W signature information in which rules for unauthorized access patterns for detecting unauthorized access in the F / W are defined. The WAF signature DB 34 is a DB that stores WAF signature information in which rules of an unauthorized access pattern for detecting unauthorized access in the WAF are defined.

  Here, it is necessary to prepare two types of signature information in which rules for unauthorized access patterns are defined: F / W for monitoring access at the network level and WAF for monitoring access at the application level. The list information can be common. In the embodiment, it is assumed that the blacklist information is shared between the F / W side and the WAF side, and access monitoring using the blacklist information is performed only on the F / W side. The black list information is updated by the unauthorized access learning function on both the F / W side and the WAF side. As described above, by performing access monitoring only on the F / W side while sharing the blacklist information, it is possible to improve the efficiency of the unauthorized intrusion prevention processing.

Here, the hardware configuration of the load balancer will be described. FIG. 3 is a block diagram illustrating a hardware configuration example of the load balancer according to the present embodiment.
The entire load balancer 11 for F / W is controlled by a CPU (Central Processing Unit) 101. A random access memory (RAM) 102, a hard disk drive (HDD) 103, a graphic processing device 104, an input interface 105, and a communication interface 106 are connected to the CPU 101 via a bus 107.

  The RAM 102 temporarily stores at least part of an OS (Operating System) program and application programs to be executed by the CPU 101. The RAM 102 stores various data necessary for processing by the CPU 101. The HDD 103 stores the OS and application programs. A monitor 108 is connected to the graphic processing device 104, and an image is displayed on the screen of the monitor 108 in accordance with a command from the CPU 101. A keyboard 109 a and a mouse 109 b are connected to the input interface 105, and signals transmitted from the keyboard 109 a and the mouse 109 b are transmitted to the CPU 101 via the bus 107. The communication interface 106 is connected to the network 21 and transmits / receives data to / from other devices via the network 21. In addition, the monitor 108, the keyboard 109a, and the mouse 109b are not directly connected via the graphic processing device 104 and the input interface 105, but the monitor, keyboard, and mouse of the terminal device via the terminal device connected via the network 21. It may be connected to such as.

  With such a hardware configuration, the processing functions of the present embodiment can be realized. 3 shows the hardware configuration of the F / W load balancer, the hardware configurations of the WAF load balancer, the F / W server, the WAF server, and the user's host are the same.

  Next, contract information stored in the contract DB 31 will be described. In the embodiment, the selection of what service each user receives is determined in advance by a contract. The contract information indicating the contents of the contract with the user is centrally managed by the contract DB 31. In the example of the embodiment, as the service level, three levels of first class, business class and economy class are prepared for each of F / W and WAF. The first class is the highest service level, and an expensive but low-load firewall is selected, so that high performance can be obtained. The economy class is the lowest service level, and an inexpensive but high-load firewall is selected, so high performance like the first class cannot be obtained. The business class is intermediate between the first class and economy class, a medium-load firewall is selected, and the price and performance are medium.

FIG. 4 is a diagram showing F / W service contract information.
The F / W service contract (first class) 3100 is a list of users who have contracted a first class service in which the low load F / W 12c is selected at the time of distribution, such as a user name 3101 representing the user, a host IP address 3102 of the user, etc. Is registered. The F / W service contract (business class) 3110 is a list of users who have contracted a business class service for which the medium load F / W 12b is selected at the time of distribution. As in the first class 3100, a user name, a host IP address, and the like are registered. The F / W service contract (economy class) 3120 is a list of users who have contracted for an economy class service in which the high load F / W 12a is selected at the time of distribution. As in the first class 3100, a user name, a host IP address, and the like are registered.

  The high load F / W 12a, the medium load F / W 12b, and the low load F / W 12c may change the F / W performance itself, but if the F / W performance is similar, the total number of contracts is adjusted. Can be differentiated. In the illustrated example, the total number of contracts is limited to 100 for the first class 3100, 400 for the business class 3110, and 1000 for the economy class 3120.

FIG. 5 is a diagram showing WAF service contract information.
The WAF service contract (first class) 3130 is a list of users who have contracted a first class service in which the low-load WAF 15c is selected at the time of distribution, and information such as the user name 3131 and the user's host IP address 3132 is registered. . Similarly, the WAF service contract (business class) 3140 is a user who has contracted a business class service for which the medium load WAF 15b is selected at the time of distribution, and the WAF service contract (economy class) 3150 is selected for the high load WAF 15a at the time of distribution. It is a list of users who have contracted for economy class services.

  The service level to be contracted can be arbitrarily selected by the user according to the needs (priority of security measures) and the budget. Also, the service level selected by F / W and the service level selected by WAF may be different. For example, in the F / W service contract of FIG. 4, the user “A” contracted in the first class is contracted in the business class in the WAF service contract of FIG. Furthermore, it is possible to select only the F / W service and not the WAF service.

  Next, the operation of the firewall load distribution system and the firewall load distribution method of the embodiment will be described. First, processing on the F / W side will be described, and then processing on the WAF side will be described.

(1) Processing on F / W side On the F / W side, the F / W load balancer 11a checks the access data received via the Internet 20, and the source of unauthorized access detected in the past, or unauthorized Those that do not match the access pattern are assigned to the F / W group. In the F / W group, the high load F / W 12a performs unauthorized access learning to detect a new unauthorized access source or unauthorized access pattern. In the following description, the processing of the F / W load balancer 11a will be described first, and then the processing of the high load F / W 12a will be described.

FIG. 6 is a diagram for explaining processing functions of the F / W load balancer. The same parts as those in FIG.
The load balancer 11a for F / W includes an unauthorized intrusion prevention unit 111, a user distribution unit 112, a signature 113, and a source 114, and monitors unauthorized access by monitoring user access data input via the Internet 20. To do. Then, only the access data that has been normally accessed is allowed to pass and is distributed to the high load F / W 12a, the medium load F / W 12b, or the low load F / W 12c.

  The signature 113 stores the latest F / W signature extracted from the F / W signature DB 33 (a set of illegal access pattern rules obtained by analyzing a packet). The source 114 stores contract information (management information) including at least the user identification information (user's host IP address) extracted from the contract DB 31 and the user's contract service level.

  The unauthorized intrusion prevention unit 111 functions as the unauthorized intrusion prevention means 1e. The black list information stored in the black list DB 32 is read and collated with the host IP address of the acquired packet. If this host IP address is registered in the blacklist information, the communication is forcibly terminated and access is denied. As a result, access from hosts that have been involved in unauthorized access in the past is blocked. Further, F / W signature information stored in the signature 113 is fetched and executed to detect unauthorized access data. When detected, the communication is forcibly terminated and the access is denied. As a result, access that matches an unauthorized access pattern detected in the past is blocked.

  The user distribution unit 112 functions as a service level determination unit 1f and a distribution unit 1g. The source IP address of the packet permitted to be accessed by the unauthorized intrusion prevention unit 111 is compared with the IP address of the user's host classified for each service level registered in the source 114, and the distribution destination is determined. If the service contract of the accessing user is the first class, the load is assigned to the low load F / W 12c, if the business class is the business class, the medium load F / W 12b is assigned, and if the economy class is the economy class, the high load F / W 12a is assigned.

  As described above, since the intrusion prevention processing is performed based on the blacklist information and the F / W signature before the high load F / W 12a, the medium load F / W 12b, and the low load F / W 12c, it has been detected in the past. Unauthorized access data is not distributed to each F / W. Therefore, it is possible to reduce the load of F / W and increase the efficiency of detecting / protecting unauthorized access. In addition, since the access data permitted to pass is distributed to one of the high load F / W 12a, the medium load F / W 12b, and the low load F / W 12c according to the service level of the user, the user has a need and a usage fee. We can receive service according to.

Next, the unauthorized access learning on the F / W side performed by the high load F / W 12a will be described.
FIG. 7 is a diagram for explaining an unauthorized access learning function of F / W. The same components as those in FIGS. 2 and 6 are denoted by the same reference numerals, and description thereof is omitted.

  The high load F / W 12 a includes a policy 121, an unauthorized access detection unit 122, an unauthorized access learning unit 123, and a policy transfer unit 124. The policy 121 stores F / W policy information for detecting unauthorized access. The unauthorized access detection unit 122 determines whether the access data that has passed through the F / W load balancer 11a is unauthorized access based on the policy information. When unauthorized access data is detected, it is discarded and log information is generated and stored in the log 13. The unauthorized access learning unit 123 reads log information from the log 13 and collates it with the host IP address that performed unauthorized access and the host IP address registered in the blacklist information of the blacklist DB 32. When a host IP address that is not registered in the blacklist information is detected, the newly detected host IP address is added to the blacklist information. It should be noted that the blacklist information is added when a condition such as when access is attempted beyond a predetermined frequency from this host IP address is satisfied. Further, referring to the log information and the F / W signature information in the F / W signature DB 33, the newly detected signature pattern is added to the F / W signature information. If there is a contradiction between the signature rule set in the F / W signature information and the policy information of the policy 121, a new policy or a new signature in the direction of strengthening security (direction of denying this access) Is automatically generated. When the policy information is updated, the policy transfer unit 124 transfers the updated policy information to the medium load F / W 12b and the low load F / W 12c, and matches the policy information held by each F / W.

  As described above, in the high load F / W 12a, unauthorized access learning is performed in order to detect unknown unauthorized access that has not yet been registered in the blacklist information of the blacklist DB 32 or the signature information of the F / W signature DB 33. . Then, when the IP address of the host that newly made unauthorized access, or when a new unauthorized access pattern is detected, the blacklist information and signature information are updated, so the latest unauthorized access measures can be automatically taken. it can. Further, since unauthorized access learning is performed only with the high load F / W 12a and the obtained policy is reflected in the medium load F / W 12b and the low load F / W 12c, the efficiency of countermeasures against unauthorized access can be improved. If there is a contradiction between the signature rule for detecting and preventing unauthorized intrusion before the F / W and the policy used in the F / W, one of them is updated in the direction of denying access. As a result, it is possible to improve efficiency for enhancing security.

  Next, processing procedures performed by the F / W load balancer 11a and the high load F / W 12a will be described in detail. First, unauthorized intrusion prevention processing and user distribution processing of the F / W load balancer 11a will be described with reference to flowcharts.

FIG. 8 is a flowchart showing the processing procedure of the unauthorized intrusion prevention processing of the F / W load balancer.
The access data transmitted via the Internet 20 is accepted and processing is started.

  [Step S11] The source IP address of the input access data is acquired. Then, the black information stored in the black list DB 32 is read out and collated with the transmission source IP address of the acquired access data.

  [Step S12] As a result of the collation, it is determined whether or not the source IP address is registered in the blacklist information. If there is an address that matches the blacklist information, the process proceeds to step S16. If there is no address matching the black list information, the process proceeds to step S13.

  [Step S13] If the access data is not determined to be unauthorized access in the unauthorized intrusion detection based on the black list information, the F / W stored in the F / W signature DB 33 via the Internet 20 for signature verification. The W signature information is transferred to the signature 113.

  [Step S14] The F / W signature information acquired in step S13 is collated with the access data. The signature information defines illegal access attacks that can be detected at the network level, such as DoS (Denial of Service) attacks, unauthorized port scans, telenets, and FTP (File Transfer Protocol) patterns. By comparing with the signature information, it is possible to determine whether or not the access data is unauthorized access.

  [Step S15] If the packet checked in step S14 matches the signature, it is determined as unauthorized access, and the process proceeds to step S16. If they do not match, it is determined that this packet is a normal access, and the process ends normally so as to proceed to the next stage (user distribution process).

[Step S16] Since it is determined that the access is unauthorized, the communication is forcibly terminated, and the process is terminated so as not to proceed to the subsequent stage (user distribution process).
By executing the processing procedure described above, detection of unauthorized intrusion in the F / W load balancer 11a and protection processing for discarding a packet detected as unauthorized access and forcibly terminating communication are performed. Subsequently, the next-stage user distribution process is performed on the access data determined to be normal access.

FIG. 9 is a flowchart showing a processing procedure of user distribution processing of the F / W load balancer.
[Step S21] The latest contract information stored in the contract DB 31 is transferred to the source 114 via the Internet 20. Since the contract information is updated every time a contract is made with the user, the latest information is acquired before processing. To the source 114, the host IP address of the registered user for each F / W service level based on the F / W service contract shown in FIG. 4 is transferred.

[Step S22] The source IP address of the access data is acquired.
[Step S23] It is determined whether or not the source IP address is registered in the host IP address of the user registered in the first class having the highest service level in the F / W service. If it is registered in the first class, the process proceeds to step S24. If not registered, the process proceeds to step S25.

  [Step S24] If the host IP address of the accessing user is registered in the first class of the F / W service, this access data is distributed to the low-load F / W 12c, and the process ends normally.

  [Step S25] If the host IP address of the accessing user is not registered in the first class, it is determined whether or not the source IP address is registered in the host IP address of the user registered in the next business class. judge. If registered in the business class of the F / W service, the process proceeds to step S26. If not registered, the process proceeds to step S27.

  [Step S26] If the host IP address of the accessing user is registered in the business class, the access data is distributed to the medium load F / W 12b, and the process is normally terminated.

  [Step S27] If the host IP address of the accessing user is not registered in the business class, it is determined whether or not the source IP address is registered in the host IP address of the user registered in the next economy class. judge. If it is registered in the economy class of F / W service, the process proceeds to step S28. If not registered, the process proceeds to step S29.

  [Step S28] If the host IP address of the accessing user is registered in the economy class of the F / W service, this access data is distributed to the high-load F / W 12a, and the process ends normally.

  [Step S29] If the host IP address of the accessing user is not registered in the economy class of the F / W service, it is not a processing target, so the communication is forcibly terminated and the access data is discarded.

  By executing the above processing procedure, normal access data is converted into a high load F / W 12a, a medium load F / W 12b, and a low load F according to the service level of the user of the access data that has been contracted in advance. / W12c.

  The high load F / W 12a, the medium load F / W 12b, and the low load F / W 12c each check the input access data based on the policy setting. The same policy is set for each F / W, and the same determination process is performed. However, since the load of the low load F / W 12c is kept low, the number of access data to be processed is inevitably small, High-speed processing is possible. The access data determined as normal access by each F / W is sent to the WAF load balancer 14a at the next stage via the F / W load balancer 11b. Access data determined to be unauthorized access is discarded and communication is forcibly terminated.

Further, the unauthorized access learning process is performed in the high load F / W 12a. FIG. 10 is a flowchart showing a processing procedure of unauthorized access learning processing in a high load F / W.
[Step S31] The log information stored in the log 13 is read, the high load F / W forcibly terminates communication, and extracts information related to the discarded access data.

[Step S32] The host IP address of the discarded access data is checked against the host IP address of the contract user stored in the source 114.
[Step S33] It is determined whether or not there is a user who frequently attempts to execute the discarded unauthorized service (packet). The frequency is calculated by analyzing log information and calculating the number of service requests from the same user recorded in a certain period. If a user who frequently executes an unauthorized service is detected, the process proceeds to step S34. If such a user is not detected, the process proceeds to step S35.

  [Step S34] When a user who frequently executes an unauthorized service is detected, the host IP address of the user is added to the blacklist information, and the blacklist DB 32 is updated.

[Step S35] The signature information stored in the signature 113 is read for reference.
[Step S36] The signature information and the log information are collated, and it is determined whether or not an unauthorized service (packet) is executed in an order not included in the rules of the signature information. If it is detected that the unauthorized service has been executed with a pattern not included in the signature rule, the process proceeds to step S37. If such a pattern is not detected, the process proceeds to step S38.

  [Step S37] When it is detected that an unauthorized service is executed with a pattern not included in the signature rule, a signature rule for checking the execution pattern is newly generated. The generated signature rule is added to the signature information, and the F / W signature DB 33 is updated.

  [Step S38] The latest F / W signature information is compared with the policy setting stored in the policy 121 of the high-load F / W 12a. Checking with W policy is performed. Details will be described later.

  By executing the above processing procedure, unknown unauthorized access learning is performed based on the unauthorized access log information detected by the high load F / W 12a. Then, when a user who has performed unauthorized service with high frequency is detected, the blacklist information is updated. Further, when an access request for performing an unauthorized service with a pattern not included in the signature is detected, the F / W signature information is updated. In this way, unauthorized access learning for detecting unknown unauthorized access is performed by the high-load F / W 12a having a high load and a large number of access data necessarily processed, and blacklist information and F / W signature information are obtained. Since it is updated, the latest countermeasures against unauthorized access are possible.

  Next, the signature, policy, and matching process will be described. FIG. 11 is a flowchart illustrating a procedure of signature / policy matching processing in a high-load F / W. After the latest signature information is set, the process is started.

[Step S381] The policy information stored in the policy 121 of the high load F / W 12a is read for reference.
[Step S382] The latest F / W signature information is compared with the policy information read in step S381, and it is determined whether there is any contradiction. First, it is determined whether or not the access pattern denied by the signature is permitted in the policy setting. If a setting rejected by the signature and permitted by the policy is detected, the process proceeds to step S383. If not detected, the process proceeds to step S384.

  [Step S383] When a setting that is rejected by the F / W signature and permitted by the F / W policy is detected, the policy is updated according to the signature. Specifically, a new policy that rejects the service that the signature rejects is generated, and the policy information is updated. At this time, the version number of the policy is updated so that it can be seen that it has been updated. Further, the update date and time may be stored.

  [Step S384] Next, it is determined whether or not an access pattern rejected by the F / W policy exists in the F / W signature rule. If an access pattern that is rejected by the policy and not included in the signature rule is detected, the process proceeds to step S385. If not detected, the process is terminated.

  [Step S385] When an access pattern that is rejected by the F / W policy and is not in the F / W signature rule is detected, a new signature that rejects the access pattern is generated and used for F / W. Add to the signature information. Then, the F / W signature DB 33 is updated.

  By executing the above processing procedure, if there is a contradiction between the signature rules for the intrusion prevention processing performed before the F / W and the F / W policy setting, the access denial is given priority ( New policies and signature rules are automatically generated to enhance security. Thereby, the efficiency for strengthening security can be achieved.

  When the policy information of the high load F / W 12a is updated in this way, the updated policy information of the high load F / W 12a does not match the policy information of the medium load F / W 12b and the low load F / W 12c. Therefore, in order to match these, the high load F / W 12a transfers the updated policy information to the medium load F / W 12b and the low load F / W 12c.

FIG. 12 is a flowchart showing the procedure of the policy information transfer process in the high load F / W.
[Step S41] The policy information generation of the high load F / W 12a is checked. When the policy information of the high load F / W 12a is updated, the version or the update date / time is changed, and based on these, it is detected that the generation has changed (updated).

  [Step S42] Based on the check result of step S41, it is determined whether the policy information of the high load F / W 12a has been updated. If updated, the process proceeds to step S43. If not updated, the process ends normally.

[Step S43] The policy information of the high load F / W 12a is compared with the policy information of the medium load F / W 12b, and the difference is extracted.
[Step S44] For the difference portion extracted in Step S43, the corresponding portion of the high load F / W 12b is transferred to the medium load F / W 12b. In the medium load F / W 12b, the corresponding part is updated to the information of the transferred high load F / W 12a.

[Step S45] The policy information of the high load F / W 12a is compared with the policy information of the low load F / W 12c, and the difference is extracted.
[Step S46] For the difference portion extracted in step S45, the corresponding portion of the high load F / W 12b is transferred to the low load F / W 12c. In the low load F / W 12c, the corresponding part is updated to the information of the transferred high load F / W 12a.

  By executing the above processing procedure, the policy information of the high load F / W 12a updated by the unauthorized access learning function is transferred to the medium load F / W 12b and the low load F / W 12c. Policy information is updated. Thereby, the policy information based on the latest learning result by the high load F / W 12a can be reflected on the other medium load F / W 12b and the low load F / W 12c, so that the latest illegal access countermeasure can be efficiently performed. it can.

(2) Processing on the WAF side On the WAF side, access data that is permitted to be accessed by the above F / W side processing is input. The WAF load balancer 14a checks this access data, and those that do not match the unauthorized access pattern detected in the past are distributed to the WAF group. In the WAF group, the high-load WAF 15a performs unauthorized access learning to detect a new unauthorized access source or unauthorized access pattern. In the following description, the processing of the load balancer 14a for WAF will be described first, and then the processing of the high load WAF 15a will be described.

FIG. 13 is a diagram for explaining the processing function of the load balancer for WAF. The same parts as those in FIG.
The load balancer 14a for WAF has an unauthorized intrusion prevention unit 141, a user distribution unit 142, a signature 143, and a source 144, and monitors the http / https communication input via the F / W load balancer 11b for unauthorized use. Block access. Then, only normal access is passed and distributed to the high load WAF 15a, the medium load WAF 15b, and the low load WAF 15c. If the access is from a user who does not have a WAF service contract, the access is directly distributed to the plain content server 18 without being distributed to the WAF group.

  The signature 143 stores the latest WAF signature extracted from the WAF signature DB 34 (a set of illegal access pattern rules obtained by analyzing a packet). The WAF signature information describes an unauthorized access pattern in the http / https communication protocol in order to perform an application level check. The source 144 stores contract information including at least the user identification information (user host IP address) extracted from the contract DB 31 and the user contract service level.

  The unauthorized intrusion prevention unit 141 captures and executes the signature information for WAF stored in the signature 143, and detects unauthorized access data. When detected, the communication is forcibly terminated and the access is denied. As a result, access that matches an unauthorized access pattern detected in the past is blocked. The difference between the F / W load balancer 11a and the unauthorized intrusion prevention unit 111 is that the unauthorized intrusion prevention unit 141 does not perform the check using the black list information stored in the black list DB 32. The check using the black list information is to check the host IP address of the access data transmission source and the host IP address registered in the black list information. Therefore, since it is already executed by the F / W load balancer 11a in the preceding stage, no check is performed here.

  The user distribution unit 142 compares the transmission source IP address of the packet permitted to be accessed by the unauthorized intrusion prevention unit 141 with the IP address of the user host classified for each service level registered in the source 144, and distributes the packet. Decide the destination. The service level can be set differently for the F / W service and the WAF service, so the contract information for the WAF service is referred to. If the service contract of the accessing user is the first class, the load is assigned to the low load WAF 15c, if the service contract is the business class, the medium load WAF 15b is assigned, and if the economy contract is the economy class, the load is assigned to the high load WAF 15a. The access data distributed to each WAF is transferred to the rich content server 17 via the WAF load balancer 14b if it is determined that the access is normal in the inspection by the WAF. In the WAF service, there may be a user who does not make a usage contract. In this way, for access from a user who does not make a usage contract, the access data is directly transferred to the plain content server 18.

  As described above, since the intrusion prevention processing is performed based on the WAF signature in the preceding stage of the high load WAF 15a, the medium load WAF 15b, and the low load WAF 15c, the unauthorized access data detected in the past is not distributed to each WAF. . Therefore, it is possible to reduce the load on the WAF and increase the detection / protection efficiency of unauthorized access. Further, since the access data approved to pass is distributed to any one of the high load WAF 15a, the medium load WAF 15b, and the low load WAF 15c according to the service level of the user, the user can receive a service according to the needs. .

Next, unauthorized access learning on the WAF side performed by the high-load WAF 15a will be described.
FIG. 14 is a diagram for explaining the unauthorized access learning function of the WAF. The same parts as those in FIG.

  The high load WAF 15 a includes a policy 151, an unauthorized access detection unit 152, an unauthorized access learning unit 153, and a policy transfer unit 154. The policy 151 stores policy information for WAF for detecting unauthorized access. The unauthorized access detection unit 152 determines whether the access data that has passed through the WAF load balancer 14a is unauthorized access based on the policy information. When unauthorized access data is detected, it is discarded and log information is generated and stored in the log 16. The unauthorized access learning unit 153 reads the log information from the log 16 and collates it with the host IP address that performed unauthorized access and the host IP address registered in the blacklist information of the blacklist DB 32. When a host IP address that is not registered in the blacklist information is detected, the newly detected host IP address is added to the blacklist information. It should be noted that the blacklist information is added when a condition such as when access is attempted beyond a predetermined frequency from this host IP address is satisfied. Further, referring to the log information and the WAF signature information in the WAF signature DB 34, the newly detected signature pattern is added to the WAF signature information. If there is a discrepancy between the signature rule set in the signature information for WAF and the policy information of the policy 151, a new policy or a new signature is automatically generated in a direction to enhance security. When the policy information is updated, the policy transfer unit 154 transfers the updated policy information to the medium load WAF 15b and the low load WAF 15c, and matches the policy information held by each WAF.

  As described above, in the high load WAF 15a, unauthorized access learning is performed in order to detect unknown unauthorized access that has not yet been registered in the blacklist information of the blacklist DB 32 or the signature information of the WAF signature DB 34. Then, when the IP address of the host that newly made unauthorized access, or when a new unauthorized access pattern is detected, the blacklist information and signature information are updated, so the latest unauthorized access measures can be automatically taken. it can. Further, unauthorized access learning is performed only with the high-load WAF 15a, and the obtained policy is reflected in the medium-load WAF 15b and the low-load WAF 15c, so that the efficiency of countermeasures against unauthorized access can be improved. In addition, if there is a contradiction between the signature rule for detecting and preventing unauthorized intrusion by the WAF load balancer 14a preceding the WAF and the policy used in the WAF, the direction in which access is denied is selected. By updating, it is possible to improve efficiency for strengthening security.

  Next, processing procedures performed by the load balancer 14a for WAF and the high load WAF 15a will be described in detail. First, the unauthorized intrusion prevention process and the user distribution process of the WAF load balancer 14a will be described with reference to flowcharts.

  The WAF load balancer 14a performs a check specialized for http / https communication. FIG. 15 is a flowchart showing the procedure of the unauthorized intrusion prevention process of the load balancer for WAF.

The access data that has passed the F / W check is input, and the process is started.
[Step S51] For signature verification, the WAF signature information stored in the WAF signature DB 34 is transferred to the signature 143 via the Internet 20. In the signature information, an unauthorized access pattern for checking whether or not the http / https communication is unauthorized access (attack) is set. By using this, for example, parameter alteration, cross-site scripting, SQL injection, command injection, Cookie alteration, Web vulnerability attack, etc. can be detected.

  [Step S52] The WAF signature information acquired in step S51 is collated with the access data. By comparing with the signature information, it is possible to determine whether or not the access data is unauthorized access.

  [Step S53] If the packet checked in step S52 matches the signature, it is determined as unauthorized access, and the process proceeds to step S54. If they do not match, it is determined that this packet is a normal access, and the process ends normally so as to proceed to the next stage (user distribution process).

[Step S54] Since it is determined that the access is unauthorized, the communication is forcibly terminated, and the process is terminated so that the process does not proceed to the subsequent stage (user distribution process).
By executing the processing procedure described above, detection of unauthorized intrusion in the load balancer 14a for WAF, and protection processing for discarding packets detected as unauthorized access and forcibly terminating communication are performed. Subsequently, the next-stage user distribution process is performed on the access data determined to be normal access.

FIG. 16 is a flowchart illustrating a processing procedure of user distribution processing of the load balancer for WAF.
[Step S61] The latest contract information stored in the contract DB 31 is transferred to the source 144 via the Internet 20. Since the contract information is updated every time a contract with the user is made, the latest information is acquired before processing. Note that what is transferred to the source 144 is the host IP address of the registered user for each WAF service level based on the WAF service contract shown in FIG.

[Step S62] The host IP address of the transmission source of http / https communication that has passed through the F / W is acquired.
[Step S63] It is determined whether or not the source IP address is registered in the host IP address of the user registered in the first class having the highest service level. If it is registered in the first class, the process proceeds to step S64. If not registered, the process proceeds to step S65.

  [Step S64] If the host IP address of the accessing user is registered in the first class of the WAF service, the access data is distributed to the low-load WAF 15c, and the process proceeds to step S69.

  [Step S65] If it is not registered in the first class of the WAF service, it is determined whether or not this transmission source IP address is registered in the host IP address of the user registered in the next business class. If registered in the business class of the WAF service, the process proceeds to step S66. If not registered, the process proceeds to step S67.

[Step S66] If the access data is registered in the business class of the WAF service, the access data is distributed to the medium load WAF 15b, and then the process proceeds to step S69.
[Step S67] If it is not registered in the business class of the WAF service, it is determined whether or not this transmission source IP address is registered in the host IP address of the user registered in the next economy class. If it is registered in the economy class of the WAF service, the process proceeds to step S68. If not registered, the process proceeds to step S70.

[Step S68] If the access data is registered in the economy class of the WAF service, the access data is distributed to the high-load WAF 15a, and then the process proceeds to step S69.
[Step S69] When the WAF distribution destination is determined for the user registered in the WAF service, the distribution server of the content server after the end of WAF is set to the rich content server 17, and the process ends normally.

  [Step S70] If there is no registration in the economy class of the WAF service, the access data is not distributed to the WAF because it is not a processing target. The process is directly distributed to the plain content server 18 and the process is terminated.

  By executing the above processing procedure, normal access data is converted into a high load WAF 15a, a medium load WAF 15b, a low load WAF 15c, or plain content according to the service level of the user of the access data contracted in advance. It is distributed to the server 18.

  The high load WAF 15a, the medium load WAF 15b, and the low load WAF 15c check the inputted http / https communication based on the policy setting. The same policy is set for each WAF, and the same determination process is performed. The http / https communication determined to be normal access by each WAF is sent to the next rich content server 17 via the WAF load balancer 14b.

  On the other hand, the http / https communication determined to have no WAF service registration is directly transferred to the plain content server 18 without going through the WAF. For example, in an outsourcing service called housing, a service provider provides a server installation space and a backbone line, and a user prepares a server and deposits it with the service provider. For this reason, when a user who does not subscribe to the WAF service accesses the Web having rich contents, there is a concern that the user may be exposed to a threat of Web security. As a countermeasure, all accesses from users without a WAF service contract are distributed to the plain content server.

Further, the high load WAF 15a performs an unauthorized access learning process. FIG. 17 is a flowchart showing a processing procedure of unauthorized access learning processing in a high load WAF.
[Step S81] The log information stored in the log 16 is read, the high-load WAF forcibly terminates communication, and information regarding the discarded http / https communication is extracted.

[Step S82] The discarded host IP address of the http / https communication is compared with the host IP address of the contract user stored in the source 144.
[Step S83] It is determined whether or not there is a user who frequently attempts to execute the discarded unauthorized service (packet). The frequency is calculated by analyzing log information and calculating the number of service requests from the same user recorded in a certain period. If a user who frequently executes an unauthorized service is detected, the process proceeds to step S84. If such a user is not detected, the process proceeds to step S85.

  [Step S84] When a user who frequently executes unauthorized services is detected, the host IP address of the user is added to the blacklist information, and the blacklist DB 32 is updated.

[Step S85] The signature information for WAF stored in the signature 143 is read for reference.
[Step S86] The signature information for WAF and the log information are collated, and it is determined whether or not an unauthorized service (packet) is executed in an order not included in the rules of the signature information. If it is detected that the unauthorized service has been executed with a pattern not included in the signature rule, the process proceeds to step S87. If such a pattern is not detected, the process proceeds to step S88.

  [Step S87] When it is detected that the unauthorized service is executed with a pattern not included in the signature rule, a signature rule for checking the execution pattern is newly generated. The generated signature rule is added to the signature information, and the WAF signature DB 34 is updated.

  [Step S88] The latest WAF signature information is compared with the policy setting stored in the policy 151 of the high-load WAF 15a. I do. Note that the WAF signature and the WAF policy matching process are the same as the signature / F / W policy matching process shown in FIG. 11, with the F / W signature being the WAF signature and the F / W policy being the same. Since it may be read as a WAF policy, the description is omitted.

  By executing the above processing procedure, unknown unauthorized access learning is performed based on the unauthorized access log information detected by the high-load WAF 15a. Then, when a user who has performed unauthorized service with high frequency is detected, the blacklist information is updated. In addition, when an access request for performing an unauthorized service with a pattern not included in the signature is detected, the signature information for WAF is updated. In this way, unauthorized access learning for detecting unknown unauthorized access is performed by the high load WAF 15a having a high load and a large number of access data that are necessarily processed, and the blacklist information and the WAF signature information are updated. The latest illegal access measures can be taken.

  When the policy information of the high load WAF 15a is updated in this way, the updated policy information of the high load WAFA does not match the policy information of the medium load WAF 15b and the low load WAF 15c. Therefore, in order to match these, the high load WAF 15a transfers the updated policy information to the medium load WAF 15b and the low load WAF 15c.

FIG. 18 is a flowchart showing the procedure of the policy information transfer process in the high-load WAF.
[Step S91] The generation of policy information of the high load WAF 15a is checked. When the policy information of the high load WAF 15a is updated, the version or the update date / time has changed, and based on these, it is detected that the generation has changed (updated).

  [Step S92] Based on the check result of step S91, it is determined whether or not the policy information of the high-load WAF 15a has been updated. If updated, the process proceeds to step S93. If not updated, the process ends normally.

[Step S93] The policy information of the high load WAF 15a and the policy information of the medium load WAF 15b are compared, and the difference is extracted.
[Step S94] For the difference portion extracted in step S93, the corresponding portion of the high load WAF 15b is transferred to the medium load WAF 15b. In the middle load WAF 15b, the corresponding part is updated to the information of the transferred high load WAF 15a.

[Step S95] The policy information of the high load WAF 15a is compared with the policy information of the low load WAF 15c, and the difference is extracted.
[Step S96] For the difference portion extracted in step S93, the corresponding portion of the high load WAF 15b is transferred to the low load WAF 15c. In the low load WAF 15c, the corresponding part is updated to the information of the transferred high load WAF 15a.

  By executing the above processing procedure, the policy information of the high load WAF 15a updated by the unauthorized access learning function is transferred to the medium load WAF 15b and the low load WAF 15c, and the policy information of each WAF is updated. Thereby, the policy information based on the latest learning result by the high load WAF 15a can be reflected on the other medium load WAF 15b and the low load WAF 15c, so that the latest illegal access countermeasure can be efficiently performed.

  In the above embodiment, priority is given to service differentiation (providing first class, business class, and economy class) according to the access load. For this reason, the intrusion prevention function that places a load on the server is placed in the load balancer in front of the F / W server or WAF server. Similarly, the unauthorized access learning function that imposes a load on the server is dedicated to the economy class, and is inevitably installed only on a high load server with a large number of accesses. For this reason, for first-class and business-class users, or those impersonated users who have passed through the intrusion prevention function and have reached a low-load or medium-load F / W server or WAF server, Not considered. However, by taking measures such as installing a monitoring server with an intrusion detection / protection function for monitoring packets flowing through the network between the load balancer in the previous stage and the low load server or medium load server, these Risk can be reduced.

  Further, the above processing functions can be realized by a computer. In that case, a program describing the processing contents of the functions that each device constituting the firewall load distribution system should have is provided. By executing the program on a computer, the above processing functions are realized on the computer. The program describing the processing contents can be recorded on a computer-readable recording medium.

  When distributing the program, for example, portable recording media such as a DVD (Digital Versatile Disc) and a CD-ROM (Compact Disc Read Only Memory) on which the program is recorded are sold. It is also possible to store the program in a storage device of a server computer and transfer the program from the server computer to another computer via a network.

  The computer that executes the program stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in its own storage device. Then, the computer reads the program from its own storage device and executes processing according to the program. The computer can also read the program directly from the portable recording medium and execute processing according to the program. Further, each time the program is transferred from the server computer, the computer can sequentially execute processing according to the received program.

Regarding the above embodiment, the following additional notes are disclosed.
(Supplementary note 1) In a load balancing method in which access data from a user is distributed to a plurality of firewalls to distribute the load,
When access data including identification information of the sender user is received via the external network,
Service level determination means acquires identification information of the transmission source user, and based on the acquired identification information of the transmission source user, the service level selected by the user in advance and stored in the storage means and identification of the user Searching for management information associated with information, and determining a service level of the transmission source user based on the searched management information;
Based on the service level of the transmission source user determined by the service level determination unit, the distribution unit changes the load level corresponding to the service level from the firewall group to the service level of the transmission source user. Selecting the appropriate firewall and distributing the access data to the selected firewall;
A firewall load balancing method comprising:

(Appendix 2) The firewall load balancing method further includes:
The unauthorized intrusion prevention means is stored in the storage means based on blacklist information in which a transmission source detected to have made unauthorized access in the past is defined, and the signature information for unauthorized access monitoring, Monitoring the access before allocating to the firewall group, and blocking unauthorized access when unauthorized access is detected;
When the unauthorized access learning means of the firewall monitors the access passed by the unauthorized intrusion prevention means based on the policy information specifying the unauthorized access stored in the policy storage means, and when unauthorized access is detected Blocking the unauthorized access, generating a new item of the blacklist information and the signature information based on the unauthorized access, and updating the blacklist information and the signature information;
The firewall load distribution method according to appendix 1, wherein:

(Appendix 3) The firewall group includes a first firewall group including a firewall that performs network-level access monitoring, and a second firewall group including a web application firewall that performs access monitoring at an application level; Have
The unauthorized access learning means is provided for each of the first firewall group and the second firewall group, and newly generates items of the blacklist information and the signature information based on the detected unauthorized access. The newly generated black list information item is registered in the black list information provided in common to the first firewall group and the second firewall group, and the newly generated signature information The firewall load distribution method according to appendix 2, wherein the item is registered in the signature information provided in each of the first firewall group and the second firewall group.

(Additional remark 4) The said unauthorized access learning means is provided in the high load firewall by which the highest load level is set among the said firewall groups,
When the unauthorized access learning unit of the high load firewall detects the unauthorized access, the unauthorized access learning unit updates the policy information stored in the policy storage unit of the high load firewall based on the detected unauthorized access. Procedure and
The policy distribution means of the high load firewall distributes the updated update policy information to other firewalls of the firewall group excluding the high load firewall when the policy information is updated by the unauthorized access learning means. When,
The firewall load distribution method according to appendix 2, characterized by comprising:

  (Supplementary Note 5) The policy distribution unit distributes the update policy information by extracting a difference between the current policy information stored in the storage unit of the distribution destination firewall and the update policy information, The firewall load distribution method according to appendix 4, wherein the update policy information of the extracted difference portion is distributed to the distribution destination firewall.

  (Additional remark 6) The said unauthorized access learning means collates the said latest signature information and the said policy information, and when there is a contradiction, selects the one whose security is strengthened, and when the signature information is selected, The firewall load distribution method according to claim 2, wherein the policy information is updated according to signature information, and when the policy information is selected, the signature information is updated according to the policy information.

  (Supplementary Note 7) When the target packet that is denied access in the signature information is permitted to be accessed in the policy information, the unauthorized access learning means denys access to the definition related to the target packet in the policy information. When the target packet that is denied access in the policy information is permitted access in the signature information, the definition of the signature packet in the signature information is updated to access denied. The firewall load distribution method according to appendix 6.

(Additional remark 8) The said firewall group is comprised by the web application firewall which performs access monitoring in an application level, and the rich content server and the plain content server are provided in the transfer destination of the said firewall group. When
The distribution unit distributes the access to the firewall group when the service level is set for the transmission source user based on the service level of the transmission source user determined by the service level determination unit, The firewall load distribution method according to claim 1, wherein when the service level is not set for the transmission source user, the access is transferred to the plain content server without passing through the firewall group.

(Supplementary note 9) In a firewall load balancing system that distributes load by distributing access data from users to multiple firewalls,
A group of firewalls each having a load level corresponding to the service level provided to the user;
Storage means for storing management information in which the service level selected by the user and the identification information of the user are associated with each other, and access data including identification information of the transmission source user is received via an external network. The identification information of the transmission source user is acquired from the data, the management information is searched based on the acquired identification information of the transmission source user, and the service level of the transmission source user is determined based on the searched management information. Based on the service level of the transmission source user determined by the service level determination unit and the service level determination unit to be determined, a firewall corresponding to the service level of the transmission source user is selected from the firewall group and selected Distribution of the access data to the firewall Only it means, and the load distribution apparatus provided with,
A firewall load balancing system comprising:

(Supplementary Note 10) The firewall load balancing system is
A first firewall group comprising firewalls for network level access monitoring;
A first load balancer for managing distribution of access to the first firewall group;
A second group of firewalls with a web application firewall for application level access monitoring;
A second load balancer for managing distribution of access to the second firewall group;
The firewall load distribution system according to appendix 9, characterized by comprising:

(Supplementary Note 11) In a load balancer that distributes load by distributing access data from users to a plurality of firewalls,
Storage means for storing management information associated with the service level selected by the user and the identification information of the user;
When access data including identification information of a transmission source user is received via an external network, the identification information of the transmission source user is acquired from the access data, and the management information is based on the acquired identification information of the transmission source user Service level determination means for determining the service level of the transmission source user based on the searched management information,
Based on the service level of the transmission source user determined by the service level determination means, the service level of the transmission source user from the firewall group in which a load level corresponding to the service level provided to the user is set for each. A distribution unit that selects a firewall corresponding to the selected firewall and distributes the access data to the selected firewall;
A load balancer comprising:

It is a conceptual diagram of the invention applied to embodiment. It is the block diagram which showed an example of the firewall load distribution system of embodiment. It is a block diagram which shows the hardware structural example of the load balancer of this Embodiment. It is the figure which showed the service contract information of F / W. It is the figure which showed the service contract information of WAF. It is a figure explaining the processing function of the load balancer for F / W. It is a figure explaining the unauthorized access learning function of F / W. It is the flowchart which showed the process sequence of the unauthorized intrusion prevention process of the load balancer for F / W. It is the flowchart which showed the process sequence of the user distribution process of the load balancer for F / W. It is the flowchart which showed the process sequence of the unauthorized access learning process in high load F / W. It is the flowchart which showed the procedure of the collation process of the signature and policy in high load F / W. It is the flowchart which showed the procedure of the transfer process of the policy information in high load F / W. It is a figure explaining the processing function of the load balancer for WAF. It is a figure explaining the unauthorized access learning function of WAF. It is the flowchart which showed the procedure of the unauthorized intrusion prevention process of the load balancer for WAF. It is the flowchart which showed the process sequence of the user distribution process of the load balancer for WAF. It is the flowchart which showed the process sequence of the unauthorized access learning process in high load WAF. It is the flowchart which showed the procedure of the transfer process of the policy information in high load WAF.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Load distribution apparatus 1a Memory | storage means 1b Blacklist information 1c Signature information 1d Management information 1e Unauthorized intrusion prevention means 1f Service level determination means 1g Distribution means 2 High load firewall 2a Policy storage means 2b Unauthorized access learning means 2c Policy distribution means 3 Medium load Firewall 3a Policy storage means 4 Low load firewall 4a Policy storage means

Claims (6)

In the load distribution method that distributes the load by distributing access data from users to multiple firewalls,
When access data including identification information of the sender user is received via the external network,
Service level determination means acquires identification information of the transmission source user, and based on the acquired identification information of the transmission source user, the service level selected by the user in advance and stored in the storage means and identification of the user Searching for management information associated with information, and determining a service level of the transmission source user based on the searched management information;
Based on the service level of the transmission source user determined by the service level determination unit, the distribution unit changes the load level corresponding to the service level from the firewall group to the service level of the transmission source user. Selecting the appropriate firewall and distributing the access data to the selected firewall;
A firewall load balancing method comprising: The firewall load balancing method further includes:
The unauthorized intrusion prevention means is stored in the storage means based on blacklist information in which a transmission source detected to have made unauthorized access in the past is defined, and the signature information for unauthorized access monitoring, Monitoring the access before allocating to the firewall group, and blocking unauthorized access when unauthorized access is detected;
When the unauthorized access learning means of the firewall monitors the access passed by the unauthorized intrusion prevention means based on the policy information specifying the unauthorized access stored in the policy storage means, and when unauthorized access is detected Blocking the unauthorized access, generating a new item of the blacklist information and the signature information based on the unauthorized access, and updating the blacklist information and the signature information;
The firewall load distribution method according to claim 1, further comprising: The firewall group includes a first firewall group including a firewall that performs access monitoring at a network level, and a second firewall group including a web application firewall that performs access monitoring at an application level;
The unauthorized access learning means is provided for each of the first firewall group and the second firewall group, and newly generates items of the blacklist information and the signature information based on the detected unauthorized access. The newly generated black list information item is registered in the black list information provided in common to the first firewall group and the second firewall group, and the newly generated signature information 3. The firewall load distribution method according to claim 2, wherein the item is registered in the signature information provided in each of the first firewall group and the second firewall group. The unauthorized access learning means is provided in a high-load firewall in which the highest load level is set in the firewall group,
When the unauthorized access learning unit of the high load firewall detects the unauthorized access, the unauthorized access learning unit updates the policy information stored in the policy storage unit of the high load firewall based on the detected unauthorized access. Procedure and
The policy distribution means of the high load firewall distributes the updated update policy information to other firewalls of the firewall group excluding the high load firewall when the policy information is updated by the unauthorized access learning means. When,
The firewall load distribution method according to claim 2, further comprising:   The unauthorized access learning means collates the latest signature information with the policy information, selects the one whose security is strengthened when there is a contradiction, and matches the signature information when the signature information is selected. 3. The firewall load distribution method according to claim 2, wherein the policy information is updated, and when the policy information is selected, the signature information is updated according to the policy information. In a firewall load balancing system that distributes load by distributing access data from users to multiple firewalls,
A group of firewalls each having a load level corresponding to the service level provided to the user;
Storage means for storing management information in which the service level selected by the user and the identification information of the user are associated with each other, and access data including identification information of the transmission source user is received via an external network. The identification information of the transmission source user is acquired from the data, the management information is searched based on the acquired identification information of the transmission source user, and the service level of the transmission source user is determined based on the searched management information. Based on the service level of the transmission source user determined by the service level determination unit and the service level determination unit to be determined, a firewall corresponding to the service level of the transmission source user is selected from the firewall group and selected Distribution of the access data to the firewall Only it means, and the load distribution apparatus provided with,
A firewall load balancing system comprising:

Images