JP2011124774A - Network monitoring device, and network monitoring method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent communication from an unregistered node to a registered node, and to perform communication with a node in which an unregistered node is set. <P>SOLUTION: An unregistered PC detection module 204 of a monitoring unit 101 detects an ARP request packet transmitted from an unregistered node with reference to a registered list and a detection list. In the case of detecting the ARP request packet from the unregistered node, it is determined whether a destination of the ARP request packet is included in a connection allowable list. The unregistered PC detection module 204 allows communication between the unregistered node and a destination node when it is determined that the destination is included in the connection allowable list. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a network monitoring apparatus and a network monitoring method for monitoring access on a network.

  In recent years, various methods for dealing with unauthorized access on a network have been proposed. One of such methods is a method using an Address Resolution Protocol (ARP).

  The address resolution protocol (ARP) is a protocol for determining the MAC address of a node whose IP address is known on the network.

  Each node on the network transmits an address resolution protocol request (ARP request) and, based on an address resolution protocol response (ARP response) transmitted from another node, an IP address (network address) and a MAC address (physical address) ) Is described in the ARP table. For this reason, the fake MAC address of another node can be described in the ARP table of the node by transmitting the camouflaged ARP response. A node whose fake MAC address is described in the ARP table cannot perform normal communication. In other words, if the node is an unauthorized node, communication by the unauthorized node can be interrupted.

  In Patent Literature 1, an ARP request transmitted from an unauthenticated terminal is received, a forged ARP response is transmitted to the unauthenticated terminal, and a forged ARP request is transmitted to the authenticated terminal that is the access destination of the unauthenticated terminal A network quarantine apparatus is disclosed. The network quarantine apparatus can prevent communication between the unauthenticated terminal and the authenticated terminal by using the above-mentioned camouflaged ARP response and camouflaged ARP request.

JP 2006-262019 A

  In the network quarantine apparatus disclosed in Patent Document 1, an unregistered node cannot access any node on the network.

  An object of the present invention is to provide a network monitoring apparatus and a network monitoring method that can prevent communication from an unregistered node to a registered node and can communicate with a node in which the unregistered node is set. .

  A network monitoring apparatus for monitoring a network to which a plurality of nodes are connected according to an example of the present invention, which is included in the received address resolution protocol request packet in response to receiving an address resolution protocol request packet. Based on the source physical address, the source node of the received address resolution protocol request packet determines whether the source node is an unregistered node; the unregistered node determination unit determines whether the source node is When it is determined that the node is an unregistered node, it is determined whether the destination node of the received address resolution protocol request packet is a connection permission node based on a destination network address included in the received address resolution protocol request packet. A connection-permitted node determination means; When it is determined that the destination node is a connection-permitted node by a connection-permitted node determination unit, the destination node is connected by the unit that permits communication between the transmission source node and the destination node and the connection-permitted node determination unit. Forged address resolution protocol request transmission means for transmitting a forged address resolution protocol request packet to a destination node that is a node corresponding to a destination network address included in the received address resolution protocol request packet when it is determined that the node is not an allowed node. And forged address resolution for transmitting a forged address resolution protocol response packet to the unregistered node in response to receiving an address resolution protocol response packet for the forged address resolution protocol request packet transmitted from the destination node. Professional Characterized by comprising the Col response transmitting means.

  According to the present invention, it becomes possible to prevent communication from an unregistered node to a registered node and to communicate with a node in which the unregistered node is set.

The figure which shows the example of the network to which the network monitoring apparatus which concerns on 1st Embodiment is connected. The figure explaining the flow of the data on the network of FIG. 2 is an exemplary block diagram showing a functional configuration of the network monitoring apparatus according to the embodiment. FIG. The figure explaining the list | wrist which the network monitoring apparatus of the embodiment hold | maintains. FIG. 5 is a diagram for explaining a description example of entries in a registered list and a detection list in FIG. FIG. 5 is a diagram for explaining a description example of entries in the connection permission list of FIG. 4. The figure explaining the ARP packet which the network monitoring apparatus of the embodiment transmits / receives. FIG. 5 is a diagram for explaining a description example of entries in the transmission list in FIG. 4. The sequence diagram of the packet which the network monitoring apparatus of the embodiment monitors. The figure which shows the ARP table of each node after the completion of the sequence of FIG. 6 is a flowchart showing a procedure of unregistered PC exclusion processing by the network monitoring apparatus according to the first embodiment. The flowchart sequence diagram which shows the procedure in which the information of a computer is added to the registered list. The block diagram which shows the structure of the security server which updates the registration list | wrist concerning 2nd Embodiment. 10 is a flowchart showing a procedure of processing performed by the quarantine agent software, the security server, and the monitoring unit from when the computer according to the second embodiment is turned on until the power is turned off.

  Embodiments of the present invention will be described below with reference to the drawings.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
First, an example of a network to which a network monitoring apparatus according to the first embodiment of the present invention is connected will be described with reference to FIG. This network monitoring apparatus is realized as a personal computer, for example.

  On this network, a security server (security device) 100, monitoring units 101 and 121, a router 110, registered computers 102 and 123, and unregistered computers 103 and 122 are connected. The segment to which the security server 100, the monitoring unit 101, the registered computer 102, and the unregistered computer 103 are connected, and the segment to which the monitoring unit 121, the unregistered computer 122, and the registered computer 123 are connected include the router 110. Connected to each other.

  On this network, only communication by the security server 100, the monitoring units 101 and 121, and the registered computers 102 and 123 is permitted. On the other hand, the unregistered computers 103 and 122 permit communication with only the security server 100.

  The security server 100 holds a registered list describing information on registered computers on the network. In the registered list, for example, MAC addresses (physical addresses), IP addresses (network addresses), host names, and the like of registered computers 102 and 123 are described. The registered list is created and updated on the security server 100. The security server 100 distributes this registered list to the monitoring units 101 and 121.

  In addition, the security server 100 receives from each of the monitoring units 101 and 121 a detection list in which information related to the unregistered computers 103 and 122 newly detected by the monitoring units 101 and 121 is described. The security server 100 updates the registered list based on the received detection list. The registered list may be changed manually on the security server 100.

  The monitoring units 101 and 121 monitor packets on the network, detect access to the registered computers 102 and 123 by the unregistered computers 103 and 122, and exclude access to the registered computers. Specifically, each of the monitoring units 101 and 121 receives an address resolution protocol request packet (ARP request packet) transmitted from the unregistered computers 103 and 122 or an address resolution protocol request packet (ARP request packet) transmitted to the unregistered computers 103 and 122 ( When an ARP request packet) is detected, a process for preventing access to the registered computers 102 and 123 by the unregistered computers 103 and 122 is executed.

  The address resolution protocol (ARP) is a protocol for determining the MAC address of a node whose IP address is known on the network. When communicating between two nodes, the first node requests an address resolution protocol specifying the IP address of the second node in order to investigate the MAC address of the second node that is the communication partner prior to communication. A packet (ARP request packet) is broadcast on the network. The second node that has received the ARP request packet transmits (unicasts) an address resolution protocol response packet (ARP response packet) including the MAC address of the second node to the first node. The first node acquires the MAC address of the second node included in the ARP response packet, and describes the IP address and MAC address of the second node in the ARP table held in the first node. Thereafter, when communicating between two nodes, the first node refers to this ARP table and transmits a packet to the MAC address of the second node described in the ARP table.

  In addition, when the node which transmitted the ARP request packet receives a plurality of ARP response packets responding to the ARP request packet, the node processes the ARP response packets in the order of reception. That is, a node that has transmitted one ARP request packet can receive a plurality of ARP response packets. A node that has not transmitted an ARP request packet can also receive a plurality of ARP response packets, and processes the ARP response packets in the order in which they are received.

  As described above, since the first node describes the ARP table based on the ARP response, the second node sends the spoofed ARP response to the first node, so that the second node is added to the ARP table of the first node. A fake MAC address different from the MAC address of the node can be described. The first node whose fake MAC address is described in the ARP table cannot perform normal communication. Therefore, when the first node is an unregistered node, communication by the first node can be disturbed.

  Using the above ARP property, access from the unregistered computers 103 and 122 to other nodes on the network and access from other nodes on the network to the unregistered computers 103 and 122 are excluded. Can do.

  In addition, the monitoring units 101 and 121 describe information on the newly detected unregistered computers 103 and 122 in the detection list, and send the detection list to the security server 100 every predetermined period or in response to an instruction from the security server 100. Send. In the detection list, for example, the MAC address (physical address), IP address (network address), and host name of the unregistered computers 103 and 122 are described as information regarding the unregistered computers 103 and 122.

  When the monitoring units 101 and 121 detect the unregistered computers 103 and 122, the monitoring units 101 and 121 detect the unregistered computers 103 and 122 in the collection mode in which information about the unregistered computers 103 and 122 is detected. Information regarding the registered computers 103 and 122 is described in the detection list, and the operation mode is set to any one of the block modes in which access to the registered computers by the unregistered computers 103 and 122 is excluded.

  One or more monitoring units 101 and 121 are provided in each segment. The monitoring unit 101 in the same segment as the security server 100 may also function as the security server 100.

  FIG. 2 is a diagram showing a data flow on the network.

  The security server 100 transmits information indicating the registered list, the connection permission list, and the operation mode to the monitoring units 101 and 121. In the registered list, information on the registered computer 102 and the registered computer 123 is described. In addition, information related to the security server 100 is described in the connection permission list.

  The monitoring units 101 and 121 operate in either the collection mode or the block mode based on the received information indicating the operation mode.

  The monitoring units 101 and 121 monitor ARP request packets in the segments to which they belong. By this monitoring, the monitoring unit 101 detects the registered computer 102 and the unregistered computer 103. In addition, the monitoring unit 121 detects the unregistered computer 122 and the registered computer 123.

  When operating in the collection mode, the monitoring unit 101 describes information related to the unregistered computer 103 in the detection list held by the monitoring unit 101, and the monitoring unit 121 holds information related to the unregistered computer 122 in the monitoring unit 121. In the detection list. The monitoring units 101 and 121 transmit detection lists held respectively to the security server 100.

  When operating in the block mode, the monitoring unit 101 describes information related to the unregistered computer 103 in the detection list held by the monitoring unit 101, and further eliminates access to the registered computers 102 and 123 by the unregistered computer 103. To do. In addition, the monitoring unit 121 describes information related to the unregistered computer 122 in the detection list held by the monitoring unit 121, and further excludes access to the registered computers 102 and 123 by the unregistered computer 122. Note that the monitoring unit 101 permits access to the security server 100 from unregistered computers 103 and 122.

  Each of the monitoring units 101 and 121 blocks access from the unregistered computer 103 to the registered computer 102 and access from the unregistered computer 122 to the registered computer 123 by the following three measures.

  First, the monitoring unit 101 registers a pair of the IP address of the unregistered computer 103 and the MAC address of the monitoring unit 101 in the ARP table of the communication partner computer 102 of the unregistered computer 103. Therefore, the monitoring unit 101 transmits a camouflaged ARP request including the MAC address of the monitoring unit 101 as the transmission source MAC address and the IP address of the unregistered computer 103 as the transmission source IP address to the communication partner computer 102.

  Second, the monitoring unit 101 registers a pair of the IP address of the communication partner computer 102 and the MAC address of the unregistered computer in the ARP table of the unregistered computer 103. Therefore, the monitoring unit 101 transmits a fake ARP reply including the MAC address of the unregistered computer 103 as the transmission source MAC address and the IP address of the communication partner computer 102 as the transmission source IP address to the unregistered computer 103.

  Third, the monitoring unit 101 registers the pair of the IP address of the unregistered computer 103 and the MAC address of the monitoring unit 101 in the ARP table of the monitoring unit 101, and disguises the ARP table.

  By the above three measures, the monitoring units 101 and 121 block access from the unregistered computer 103 to the registered computer 102 of the communication partner and access from the unregistered computer 122 to the registered computer 123 of the communication partner. .

  Furthermore, each of the monitoring units 101 and 121 transmits a detection list held therein to the security server 100.

  The security server 100 that has received the detection list describes information on the newly registered computer among the described unregistered computers 103 and 122 based on the detection list in the registered list.

  The security server 100 has a function of installing agent software in response to a request from an unregistered computer. The agent software has a function of transmitting information (machine name, IP address, etc.) of the installed computer to the security server.

  In the following, the network monitoring apparatus of the present embodiment will be described mainly focusing on one monitoring unit 101. However, it is assumed that other monitoring units on the network such as the monitoring unit 121 operate in the same manner as the monitoring unit 101. In the following, it is assumed that the monitoring unit 101 excludes access from the unregistered computer 103 to the registered computer 102.

FIG. 3 is a block diagram showing a functional configuration of the monitoring unit 101.
The monitoring unit 101 includes a network interface module 201, a reception module 202, a communication protocol determination module 203, an unregistered PC detection module 204, a destination determination module 205, an ARP table disguise module 206, a disguise ARP request transmission module 207, and a disguise ARP reply transmission module. 208, a name resolution packet transmission / reception module 209, an ARP table storage module 210, a registered list storage module 211, a detection list storage module 212, a transmission list storage module 213, a connection permission list storage module 214, and the like.

  The network interface module 201 is an interface for connecting the monitoring unit 101 to the network. The network interface module 201 controls, for example, transmission / reception of packets transmitted from the monitoring unit 101 to other nodes and packets received by the monitoring unit 101 from other nodes. The network interface module 201 is connected to each unit that performs packet transmission / reception such as the reception module 202, the fake ARP request transmission module 207, the fake ARP reply transmission module 208, and the name resolution packet transmission / reception module 209.

  The receiving module 202 receives a packet transmitted from another node via the network interface module 201. The received packet is a broadcast packet and a packet addressed to the MAC address of the monitoring unit 101. The reception module 202 outputs the received packet data to the communication protocol determination module 203.

  The communication protocol determination module 203 determines the protocol of the received packet. When the protocol of the received packet is ARP, the communication protocol determination module 203 outputs the received packet data, that is, the ARP packet data to the unregistered PC detection module 204.

  The unregistered PC detection module 204 refers to the registered list stored in the registered list storage module 211 and the detection list stored in the detection list storage module 212, and the transmission source computer of the received ARP packet is not registered. Determine if it is a computer.

  If the transmission source computer of the received ARP packet is an unregistered computer, the unregistered PC detection module 204 refers to the connection permission list stored in the connection permission list storage module 214 and transmits the received ARP packet. It is determined whether the destination is registered in the connection permission list.

  The registered list, detection list, transmission list, and connection permission list will be described with reference to FIGS.

  The registered list is a list describing information on registered computers. Each entry stored in the registered list includes information such as the MAC address, IP address, and host name of one registered computer. FIG. 5 is an example of description of each entry. In the MAC address field, a device-specific MAC address (physical address) value is described. In the IP address field, the value of an IP address (network address) assigned on the network is described. In the host name field, a name acquired by name resolution based on the IP address is described. The registered list is created by the security server 100 and distributed from the security server 100 to the monitoring unit 101. In the network illustrated in FIG. 2, the security server 100 describes information on the registered computer 102 and the registered computer 123 in the registered list.

  The detection list is a list that describes information on computers that are on the same segment as the monitoring unit 101 and is not described in the registered list, that is, a list that describes information on unregistered computers. Each entry stored in the detection list includes information such as the MAC address, IP address, and host name of one unregistered computer. Like the registered list, each entry is described as shown in FIG. In the MAC address field, a device-specific MAC address (physical address) value is described. In the IP address field, the value of an IP address (network address) assigned on the network is described. In the host name field, a name acquired by name resolution based on the IP address is described. The host name field may be blank.

  The connection permission list is a list that describes information on computers that exist on the network and are permitted to communicate with unregistered computers. Each entry stored in the connection permission list includes information such as the IP address and host name of one connection-permitted computer. Each entry in the connection permission list is described as shown in FIG. In the IP address field, the value of an IP address (network address) assigned on the network is described. In the host name field, a name acquired by name resolution based on the IP address is described. The host name field may be blank.

  When the transmission source MAC address in the received ARP request packet is a MAC address that is not registered in the registered list, the unregistered PC detection module 204 of the monitoring unit 101 sets the transmission source computer of the ARP request packet as an unregistered computer. And an entry describing information on the transmission source computer is added to the detection list. However, the unregistered PC detection module 204 does not add a new entry when the information of the transmission source computer is already registered in the detection list.

  FIG. 7 shows a format of an Ethernet (registered trademark) frame including an ARP packet part.

  The Ethernet frame consists of a 6-byte destination hardware address (Destination HW Address), a 6-byte transmission source hardware address (Source HW Address), a 2-byte protocol type (Type), and a data portion of up to 1500 bytes in order from the beginning. (Data) and each field of an 18-byte trailer.

  The destination hardware address indicates the MAC address (physical address) of the device (node) that is the destination of the Ethernet frame. The transmission source hardware address indicates the MAC address (physical address) of the device (node) that is the transmission source of the Ethernet frame. The protocol type indicates the type of protocol that is used for communication and is positioned above Ethernet. When communication is performed by ARP, “0806h” is set in the protocol type field.

  The data part includes the value of each field set for each protocol specified in the protocol type. When ARP is designated as the protocol type, the data part is composed of necessary fields as an ARP packet. Therefore, the data part (ARP packet part) has a 2-byte hardware type (Hardware Type), a 2-byte protocol type (Protocol Type), a 1-byte MAC address length (Hardware Length), a 1-byte IP address length ( Protocol Length), 2 bytes of operation (Operation), 6 bytes of source MAC address (Sender MAC), 4 bytes of source IP address (Sender IP), 6 bytes of destination MAC address (Target MAC), and 4 bytes Each field of a destination IP address (Target IP).

  The hardware type indicates the type of physical medium in the network. In the case of Ethernet, “0001h” is set in the hardware type field.

  The protocol type indicates the type of protocol handled by the ARP protocol. In the case of IP, “0800h” is set in the protocol type field.

  The MAC address length indicates the length of the MAC address. In the case of Ethernet, the length of the MAC address is 6 bytes, and “06h” is set in the MAC address length field.

  The IP address length indicates the length of the IP address. In the case of Version 4 IP (IPv4), the length of the IP address is 4 bytes, and “04h” is set in the IP address length field.

  The operation indicates the type of ARP operation. In communication by ARP, first, one computer transmits an ARP request, and a computer corresponding to the ARP request returns an ARP response. Therefore, a value for determining a request and a response is set in the operation field. Specifically, when the ARP packet is an ARP request packet, “0001h” is set in the operation field. On the other hand, when the ARP packet is an ARP response packet, “0002h” is set in the operation field.

  The source MAC address indicates a MAC address (physical address) unique to the source device (node). Therefore, the same value is set in the source hardware address field of the Ethernet frame and the source MAC address field of the ARP packet part.

  The source IP address indicates an IP address (network address) assigned to the source device (node).

  The destination MAC address indicates a MAC address (physical address) unique to the destination device (node). Therefore, the same value is set in the destination hardware address field of the Ethernet frame and the destination MAC address field of the ARP packet portion. When the ARP packet is an ARP request packet (when a value corresponding to the ARP request is set in the operation field), since the destination MAC address is unknown, “0” is set in the destination MAC address field. Is done.

  The destination IP address indicates an IP address (network address) assigned to the destination device (node).

  The trailer is a data string added to the end of the Ethernet frame. The trailer is used for an error correction code or the like.

  When an ARP request packet based on the above-described format is received, the unregistered PC detection module 204 first extracts a transmission source MAC address from the received ARP request packet. The unregistered PC detection module 204 determines that the transmission source computer is a registered computer when the transmission source MAC address is described in the registered list.

  The unregistered PC detection module 204 determines that the transmission source computer is an unregistered computer when the transmission source MAC address is not described in the registered list. When it is determined that the transmission source computer is an unregistered computer, the unregistered PC detection module 204 adds an entry describing the transmission source MAC address and the transmission source IP address included in the received ARP request packet to the detection list. In addition, information included in the ARP request packet is described in the transmission list stored in the transmission list storage module 213 together with the reception time. If the entry describing the source MAC address and the source IP address included in the received ARP request packet is already registered in the detection list, the unregistered PC detection module 204 enters the detection list. Do not add this entry.

  As described above, the correspondence between the IP address and the MAC address in the DHCP environment is determined by determining whether or not the transmission source computer is an unregistered computer based on only the transmission source MAC address included in the received ARP request packet. It can be determined whether or not the transmission source computer of the ARP request packet is an unregistered computer even when the IP address changes dynamically or when the unregistered computer impersonates an IP address.

  As shown in FIG. 4, the transmission list is a list that describes information for generating and transmitting a jamming packet for excluding unregistered computers from the network. The jamming packet is an ARP request packet (forged ARP request packet) and an ARP response packet (forged ARP response packet) in which the correspondence between the source MAC address and the source IP address is forged. When the unregistered PC detection module 204 receives an ARP request packet including a source MAC address not registered in the registered list, that is, when an ARP request broadcast from an unregistered computer is received, the ARP request packet Add an entry containing the information to the send list.

  FIG. 8 shows an example of fields constituting each entry of the transmission list.

  An entry in the transmission list includes a transmission source MAC address, a transmission source IP address, a destination MAC address, a destination IP address, a reception time, a request transmission flag, and the like.

  The sender MAC address (Sender MAC) indicates the MAC address of an unregistered computer. Therefore, the value of the source MAC address included in the ARP request transmitted from the unregistered computer is set in the field of the source MAC address.

  The source IP address (Sender IP) indicates the IP address of an unregistered computer. Therefore, the value of the source IP address included in the ARP request transmitted from the unregistered computer is set in the field of the source IP address.

  The destination MAC address (Target MAC) indicates 0. This is because 0, which is the value of the destination MAC address included in the ARP request transmitted from the unregistered computer, is set in the destination MAC address field.

  The destination IP address (Target IP) indicates the IP address of an access destination computer of an unregistered computer. Therefore, the value of the destination IP address included in the ARP request transmitted from the unregistered computer is set in the destination IP address field.

  The reception time indicates the time when the monitoring unit 101 receives an ARP request transmitted from an unregistered computer.

  The request transmission flag indicates whether a forged ARP request packet has been transmitted to an access destination computer of an unregistered computer. Therefore, in the request transmission flag field, “True” is set when the spoofed ARP request packet has been transmitted to the access destination computer of the unregistered computer, and “False” is set when it has not been transmitted. .

  An entry based on the above-described fields is added to the transmission list, and the monitoring unit 101 executes processing for excluding unregistered computers with reference to the transmission list.

  The destination determination module 205 of the monitoring unit 101 determines whether the destination IP address described in the entry read from the transmission list matches the IP address of the monitoring unit 101. The destination determination module 205 outputs this determination result to the camouflaged ARP request transmission module 207.

  The ARP table disguise module 206 executes a process for disguising the ARP table stored in the ARP table storage module 210. As described above, the ARP table is a table in which an IP address and a MAC address are described in association with each other. Each node holds an ARP table, and associates the source IP address and source MAC address included in the received ARP request packet, and the source IP address and source MAC address included in the received ARP response packet. To register in the ARP table. When the IP address to be registered is already registered in the ARP table, the MAC address associated with the IP address in the ARP table is the source MAC address included in the received ARP request packet or ARP response packet. Overwritten with.

  The ARP table impersonation module 206 associates the MAC address of the monitoring unit 101 with the IP address of the unregistered computer 103 and overwrites the ARP table. By associating the fake MAC address with the IP address of the unregistered computer 103, when ICMP redirect is enabled, communication from the registered computer 102 to the unregistered computer 103 is performed from the monitoring unit 101 to the unregistered computer. It can be prevented from being established by redirection to 103.

  If the destination determination module 205 determines that the destination IP address described in the entry read from the transmission list does not match the IP address of the monitoring unit 101, the impersonation ARP request transmission module 207 accesses the unregistered computer. A forged ARP request packet is transmitted to the previous computer. The forged ARP request transmission module 207 generates a forged ARP request packet based on the information described in the entry read from the transmission list.

  Values are set as follows in each field constituting the camouflaged ARP request packet.

  In the transmission source IP address field, the transmission source IP address described in the transmission list entry is set. The MAC address of the monitoring unit 101 is set in the source MAC address field. In the destination IP address field, the destination IP address described in the entry of the transmission list is described. In the destination MAC address field, “0” is set.

  Therefore, for example, the IP address of the unregistered computer 103 is set in the source IP address field. The MAC address of the monitoring unit 101 is set in the source MAC address field. The IP address of the registered computer 102 is described in the destination IP address field. In the destination MAC address field, “0” is set.

  The camouflaged ARP reply transmission module 208 transmits a camouflaged ARP response packet to an unregistered computer. The forged ARP reply transmission module 208 generates a forged ARP response packet based on the information described in the entry read from the transmission list.

  Values are set in the fields constituting the camouflaged ARP response packet as follows.

  The destination IP address described in the entry of the transmission list is set in the source IP address field. In the transmission source MAC address field, the transmission source MAC address described in the transmission list entry is set. In the field of the destination IP address, the source IP address described in the entry of the transmission list is described. In the field of the destination MAC address, the source MAC address described in the entry of the transmission list is described.

  Therefore, for example, the IP address of the registered computer 102 is set in the source IP address field. The MAC address of the unregistered computer 103 is set in the source MAC address field. The IP address of the unregistered computer 103 is described in the destination IP address field. The MAC address of the unregistered computer 103 is set in the destination MAC address field.

  The name resolution packet transmission / reception module 209 reads an entry made up of a MAC address and an IP address registered in the detection list, acquires a host name corresponding to the IP address, and updates the detection list with the entry with the added host name. . The name resolution packet transmission / reception module 209 performs name resolution based on the IP address, for example, by DNS or NetBIOS. By adding a host name to each entry in the detection list, it becomes possible to access a node based on the host name.

  FIG. 9 is a sequence diagram illustrating an example in which the monitoring unit 101 which is the network monitoring apparatus according to the present embodiment excludes access from an unregistered computer to a registered computer. Here, it is assumed that the monitoring unit 101 excludes access from the unregistered computer 103 to the registered computer 102. It is assumed that the MAC address of the monitoring unit 101 is MAC0, the IP address is IP0, the MAC address of the registered computer 102 is MAC1, the IP address is IP1, the MAC address of the unregistered computer 103 is MAC2, and the IP address IP2.

  First, the unregistered computer 103 broadcasts an ARP request packet that inquires about the MAC address of the registered computer 102 that is the access destination (attack destination) (S11A, S11B). Since the transmission is by broadcast, both the monitoring unit 101 and the registered computer 102 receive the ARP request packet. This ARP request packet inquires the source MAC address indicating the MAC address (MAC2) of the unregistered computer 103, the source IP address indicating the IP address (IP2) of the unregistered computer 103, and the MAC address of the registered computer 102. The destination MAC address indicating “0” and the destination IP address indicating the IP address (IP1) of the registered computer 102 are included. The monitoring unit 101 and the registered computer 102 register the IP address (IP2) and MAC address (MAC2) of the unregistered computer 103 in association with each ARP table.

  In response to receiving the ARP request packet, the registered computer 102 that is the destination of the broadcast ARP request packet unicasts the ARP response packet to the unregistered computer 103 (S12). This ARP response packet includes a transmission source MAC address indicating the MAC address (MAC1) of the registered computer 102, a transmission source IP address indicating the IP address (IP1) of the registered computer 102, and a MAC address (MAC2) of the unregistered computer 103. And a destination IP address indicating the IP address (IP2) of the unregistered computer 103. Since transmission is by unicast, only the unregistered computer 103 receives the ARP response packet, and the monitoring unit 101 cannot receive the ARP response packet. The unregistered computer 103 registers the IP address (IP1) and MAC address (MAC1) of the registered computer 102 in association with each other in the ARP table. As a result, packets can be transmitted and received between the unregistered computer 103 and the registered computer 102.

  In addition, the monitoring unit 101 rewrites the IP address (IP2) and MAC address (MAC2) of the unregistered computer 103 registered in association with the ARP table of the monitoring unit 101 and disguises it. The monitoring unit 101 registers the MAC address (MAC0) of the monitoring unit 101 in association with the IP address (IP2) of the unregistered computer 103. This prevents communication from the registered computer 102 to the unregistered computer 103 from being established by the redirect function of the monitoring unit 101.

  The monitoring unit 101 monitors the MAC address of the unregistered computer 103 in order to rewrite the IP address (IP2) and MAC address (MAC2) of the unregistered computer 103 registered in the ARP table of the registered computer 102. A spoofed ARP request packet spoofed at the MAC address (MAC0) of the unit 101 is broadcast (S13A, S13B). Therefore, the spoofed ARP request packet inquires of the transmission source MAC address indicating the MAC address (MAC0) of the monitoring unit 101, the transmission source IP address indicating the IP address (IP2) of the unregistered computer 103, and the MAC address of the registered computer 102. Therefore, the destination MAC address indicating “0” and the destination IP address indicating the IP address (IP1) of the registered computer 102 are included. Since the transmission is by broadcast, both the unregistered computer 103 and the registered computer 102 receive the fake ARP request packet, but the unregistered computer 103 ignores the fake ARP request packet because it is not itself the destination. The registered computer 102 registers the IP address (IP2) of the unregistered computer 103 and the MAC address (MAC0) of the monitoring unit 101 in the ARP table in association with each other. As a result, transmission of packets from the registered computer 102 to the unregistered computer 103 can be prevented.

  In response to receiving the fake ARP request packet, the registered computer 102 unicasts the ARP response packet to the monitoring unit 101 (S14). This ARP response packet includes a transmission source MAC address indicating the MAC address (MAC1) of the registered computer 102, a transmission source IP address indicating the IP address (IP1) of the registered computer 102, and a MAC address (MAC0) of the monitoring unit 101. And a destination IP address indicating the IP address (IP2) of the unregistered computer 103. The monitoring unit 101 registers the IP address (IP1) and MAC address (MAC1) of the registered computer 102 in association with each other in the ARP table.

  The monitoring unit 101 that has received the ARP response packet from the registered computer 102 determines that a normal ARP response packet has been transmitted from the registered computer 102 to the unregistered computer 103 (S12). Then, the monitoring unit 101 unicasts to the unregistered computer 103 a camouflaged ARP response packet that camouflages that the MAC address of the registered computer 102 is MAC2 (MAC address of the unregistered computer 103) (S15). Therefore, the spoofed ARP response packet includes a transmission source MAC address indicating the MAC address (MAC2) of the unregistered computer 103, a transmission source IP address indicating the IP address (IP1) of the registered computer 102, and a MAC address of the unregistered computer 103. The destination MAC address indicating (MAC2) and the destination IP address indicating the IP address (IP2) of the unregistered computer 103 are included. The unregistered computer 103 registers the IP address (IP1) of the registered computer 102 and the MAC address (MAC2) of the unregistered computer 103 in association with each other in the ARP table. Thereby, transmission of a packet from the unregistered computer 103 to the registered computer 102 can be prevented.

  As a result of the above processing, the ARP table of each node is described as shown in FIG.

  In the ARP table of the unregistered computer 103, the IP address (IP1) of the registered computer 102 is registered in association with the MAC address (MAC2) of the unregistered computer 103. The ARP table of the monitoring unit 101 includes the IP address (IP1) and MAC address (MAC1) of the registered computer 102, the IP address (IP2) of the unregistered computer 103, and the MAC address (MAC0) of the monitoring unit 101, respectively. Registered in association. In the ARP table of the registered computer 102, the IP address (IP2) of the unregistered computer 103 is registered in association with the MAC address (MAC0) of the monitoring unit 101.

  By describing the ARP table of each node as described above, transmission of packets from the unregistered computer 103 to the registered computer 102, transmission of packets from the registered computer 102 to the unregistered computer 103, and the monitoring unit 101 The packet transmission from the registered computer 102 to the unregistered computer 103 using the redirect function can be prevented.

  As described above, the unregistered computer 103 transmits an ARP request packet to the registered computer 102 (S11A), receives an ARP response packet from the registered computer 102 (S12), and then receives from the monitoring unit 101. Until the forged ARP response packet is received (S15), the unregistered computer 103 can transmit the packet to the registered computer 102. For this reason, after receiving the broadcast ARP request packet from the unregistered computer 103 (S11B), the monitoring unit 101 immediately transmits a forged ARP request packet to the registered computer 102, and the registered computer 102 receives the unregistered ARP request packet. Transmission (reply) of packets to the computer 103 is obstructed.

  Further, the spoofed ARP response packet (S15) transmitted from the monitoring unit 101 needs to be received by the unregistered computer 103 after the normal ARP response packet (S12) transmitted from the registered computer 102. This is because, after registering the IP address (IP1) and MAC address (MAC1) of the registered computer 102 in the ARP table of the unregistered computer 103 in association with the normal ARP response packet, the spoofed ARP response packet is registered. This is because the MAC address associated with the IP address (IP1) of the registered computer 102 is updated and registered with the MAC address (MAC2) of the unregistered computer 103 based on the above.

  Since the forged ARP request packet (S13A) reaches the registered computer 102 after the ARP request packet (S11A) transmitted by the unregistered computer 103, the ARP response packet (S12A) responds to the ARP request packet (S11A). ) Is transmitted from the registered computer 102, an ARP response packet (S14) responding to the forged ARP request packet (S13A) is transmitted. Therefore, the monitoring unit 101 waits for the ARP response packet (S14) for the camouflaged ARP request packet (S13A) transmitted from the registered computer 102, and then transmits the camouflaged ARP response packet to the unregistered computer 103 (S15). By doing so, the unregistered computer 103 can receive the fake ARP response packet (S15) after the normal ARP response packet (S12) transmitted from the registered computer 102.

  The camouflaged ARP response packet (S15) may be a camouflaged ARP request packet. This forged ARP request packet inquires about the source MAC address indicating the MAC address (MAC2) of the unregistered computer 103, the source IP address indicating the IP address (IP1) of the registered computer 102, and the MAC address of the unregistered computer 103. Therefore, the destination MAC address indicating “0” and the destination IP address indicating the IP address (IP2) of the unregistered computer 103 are included. However, when this forged ARP request packet is transmitted to the unregistered computer 103, the unregistered computer 103 transmits an ARP response packet in response to this forged ARP request packet, so that unnecessary packets can be sent out on the network. There is sex.

  The monitoring unit 101 can also block communication between the unregistered computer 103 and the registered computer by the following procedure. That is, the monitoring unit 101 receives an ARP request packet from the unregistered computer 103 and waits for a predetermined time, and then transmits a fake ARP response packet to the unregistered computer 103. Then, the monitoring unit 101 transmits a camouflaged ARP request packet to the registered computer 102 that is a communication partner.

  However, in this case, in order to cause the unregistered computer 103 to receive the spoofed ARP response packet after the unregistered computer 103 receives the ARP response packet from the registered computer 102, the monitoring unit 101 is not It is necessary to wait for a predetermined time after receiving the ARP request packet from the registration computer 103. However, while waiting for a predetermined time, the monitoring unit 101 cannot exclude access from the unregistered computer 103 to the registered computer 102 and access (response) from the registered computer 102 to the unregistered computer 103. If sufficient time is not secured as the predetermined time, there is a possibility that a forged ARP response packet must be retransmitted to the unregistered computer 103.

  The monitoring unit 101 which is the network monitoring apparatus of this embodiment first transmits a forged ARP request packet to the registered computer 102 which is a communication partner of the unregistered computer 103. As a result, the time during which communication from the registered computer 102 to the unregistered computer 103 is possible can be shortened. The monitoring unit 101 transmits a forged ARP response packet to the unregistered computer 103, triggered by receiving an ARP response packet for the forged ARP request packet from the registered computer 102. For this reason, the monitoring unit 101 can eliminate access (response) from the registered computer 102 to the unregistered computer 103 without waiting time. Further, in response to receiving the ARP response packet for the camouflaged ARP request packet from the registered computer 102, the camouflaged ARP response packet is transmitted to the unregistered computer 103, whereby the registered computer 102 transfers to the unregistered computer 103. The forged computer ARP response packet can be received by the unregistered computer 103 after the ARP response packet. Therefore, retransmission (retry) of a spoofed ARP response packet due to a short waiting time that may occur in the above method does not occur in this embodiment. Further, since an ARP response packet for a camouflaged ARP request packet is used as a trigger, in this embodiment, it is not necessary to secure an extra waiting time, and communication between the unregistered computer 103 and the registered computer 102 is possible. Time can be shortened.

  Further, the camouflaged ARP response packet includes the MAC address (MAC2) of the unregistered computer 103 as the source MAC address. That is, a pair of the MAC address (MAC2) of the unregistered computer 103 and the IP address (IP1) of the registered computer 102 is registered in the ARP table of the unregistered computer 103. By registering the MAC address of the unregistered computer 103 in the ARP table, an unauthorized packet is not transmitted over the network, and an increase in traffic due to the unauthorized packet can be suppressed. Note that the transmission source MAC address included in the camouflaged ARP response packet may be the MAC address (MAC0) of the monitoring unit 101. In this case, the monitoring unit 101 can monitor an unauthorized packet transmitted from the unregistered computer 103.

  In addition, when the monitoring unit 101 receives a gratuitous ARP packet transmitted from the unregistered computer 103, the monitoring unit 101 ignores this packet.

  Gratuitous ARP is an ARP request packet in which its own IP address is set in the destination IP address field. Gratuitous ARP is usually used to confirm duplication of IP addresses. When an ARP request packet having its own IP address set in the destination IP address field is broadcast, there is no response to this ARP request packet unless there is another node having a duplicate IP address. However, if there is another node having a duplicate IP address, an ARP response packet is returned from that node. Therefore, duplication of IP addresses can be confirmed depending on whether an ARP response packet is returned.

  The monitoring unit 101 ignores the gratuitous ARP packet when the operating system (OS) of the unregistered computer 103 is, for example, Windows Vista (registered trademark) or Windows (registered trademark) Server 2008, and the IP address from DHCP This is because there is a possibility that there will be no IP address that can be leased by the DHCP server when the setting is “Obtain”. When the monitoring unit 101 receives the Gratuitous ARP packet from the unregistered computer 103 and transmits a forged ARP request packet to the unregistered computer 103 (S13B), the unregistered computer 103 determines that the currently used IP address is invalid. Determine and request the IP address again from the DHCP server. Therefore, when the above process is repeated, the IP addresses that can be leased by the DHCP server are exhausted. For this reason, when the monitoring unit 101 receives a gratuitous ARP packet transmitted from the unregistered computer 103, the monitoring unit 101 ignores this packet.

  When the above-mentioned unregistered PC is connected to the network, the monitoring / exclusion unit is obstructed from communication and cannot be connected anywhere. An unregistered PC can be connected to a computer listed in the connection permission list.

  FIG. 11 is a sequence diagram illustrating an example in which the monitoring unit 101 that is the network monitoring device of this embodiment permits communication with a computer in which an unregistered PC is registered in the connection permission list. Here, it is assumed that the monitoring unit 101 permits access from the unregistered computer 103 to the security server 100. The MAC address of the monitoring unit 101 is MAC0, the IP address is IP0, the MAC address of the security server 100 is MAC3, the IP address is IP3, the MAC address of the unregistered computer 103 is MAC2, and the IP address IP2.

  First, the unregistered computer 103 broadcasts an ARP request packet that inquires about the MAC address of the security server 100 that is the access destination (S11A, S11B). Since the transmission is by broadcast, both the monitoring unit 101 and the security server 100 receive the ARP request packet. This ARP request packet is used to inquire about the source MAC address indicating the MAC address (MAC2) of the unregistered computer 103, the source IP address indicating the IP address (IP2) of the unregistered computer 103, and the MAC address of the security server 100. The destination MAC address indicating 0 ″ and the destination IP address indicating the IP address (IP3) of the security server 100 are included. The monitoring unit 101 and the security server 100 register the IP address (IP2) and MAC address (MAC2) of the unregistered computer 103 in association with each ARP table.

  In response to receiving the ARP request packet, the security server 100 that is the destination of the broadcast ARP request packet unicasts the ARP response packet to the unregistered computer 103 (S12). This ARP response packet indicates the source MAC address indicating the MAC address (MAC3) of the security server 100, the source IP address indicating the IP address (IP3) of the security server 100, and the MAC address (MAC2) of the unregistered computer 103. The destination MAC address and the destination IP address indicating the IP address (IP2) of the unregistered computer 103 are included. Since transmission is by unicast, only the unregistered computer 103 receives the ARP response packet, and the monitoring unit 101 cannot receive the ARP response packet. The unregistered computer 103 registers the IP address (IP3) and MAC address (MAC3) of the security server 100 in association with the ARP table. As a result, packets can be transmitted and received between the unregistered computer 103 and the security server 100.

  Then, the monitoring unit 101 monitors the MAC address of the unregistered computer 103 in order to rewrite the IP address (IP2) and MAC address (MAC2) of the unregistered computer 103 registered in the ARP table of the security server 100. A spoofed ARP request packet spoofed at the MAC address (MAC0) of 101 is broadcast (S13A, S13B). Therefore, the spoofed ARP request packet inquires the source MAC address indicating the MAC address (MAC0) of the monitoring unit 101, the source IP address indicating the IP address (IP2) of the unregistered computer 103, and the MAC address of the security server 100. The destination MAC address indicating “0” and the destination IP address indicating the IP address (IP1) of the security server 100 are included. Since the transmission is by broadcast, both the unregistered computer 103 and the security server 100 receive the spoofed ARP request packet, but the unregistered computer 103 ignores the spoofed ARP request packet because it is not itself the destination. The security server 100 registers the IP address (IP2) of the unregistered computer 103 and the MAC address (MAC0) of the monitoring unit 101 in association with each other in the ARP table. Thereby, transmission of packets from the security server 100 to the unregistered computer 103 can be prevented.

  In response to the reception of the fake ARP request packet, the security server 100 unicasts the ARP response packet to the monitoring unit 101 (S14). This ARP response packet includes a source MAC address indicating the MAC address (MAC1) of the security server 100, a source IP address indicating the IP address (IP1) of the security server 100, and a destination indicating the MAC address (MAC0) of the monitoring unit 101. The MAC address and the destination IP address indicating the IP address (IP2) of the unregistered computer 103 are included. The monitoring unit 101 registers the IP address (IP1) and MAC address (MAC1) of the security server 100 in association with each other in the ARP table.

  The monitoring unit 101 that has received the ARP response packet from the security server 100 determines that a normal ARP response packet has been transmitted from the security server 100 to the unregistered computer 103 (S12). Then, the monitoring unit 101 unicasts to the unregistered computer 103 a camouflaged ARP response packet that camouflages that the MAC address of the security server 100 is MAC2 (MAC address of the unregistered computer 103) (S15). Therefore, the spoofed ARP response packet includes a transmission source MAC address indicating the MAC address (MAC2) of the unregistered computer 103, a transmission source IP address indicating the IP address (IP1) of the security server 100, and a MAC address of the unregistered computer 103 ( A destination MAC address indicating MAC2) and a destination IP address indicating the IP address (IP2) of the unregistered computer 103. The unregistered computer 103 registers the IP address (IP1) of the security server 100 and the MAC address (MAC2) of the unregistered computer 103 in association with each other in the ARP table. Thereby, transmission of packets from the unregistered computer 103 to the security server 100 can be prevented.

  FIG. 11 is a flowchart showing a procedure of unregistered computer exclusion processing by the monitoring unit 101.

  First, the monitoring unit 101 receives a packet transmitted from another node (step S101). Next, the monitoring unit 101 determines whether or not the received packet is an ARP request packet (step S102). Whether or not the received packet is an ARP request packet can be determined based on the value set in the field of the protocol type included in the packet as described above.

  When the received packet is an ARP request packet (YES in step S102), the monitoring unit 101 determines whether the received packet is a gratuitous ARP packet (step S103). When the value of “0” is set in the source IP address field included in the received packet or the source IP address and the destination IP address are equal, the received packet is a gratuitous ARP packet. Determined.

  If the received packet is not a gratuitous ARP packet (NO in step S103), the monitoring unit 101 determines whether or not the source MAC address included in the received packet is listed in the registered list (step S104).

  When the transmission source MAC address included in the received packet is not listed in the registered list (NO in step S104), the monitoring unit 101 determines that the transmission source computer of the received packet is an unregistered computer, It is determined whether or not the destination IP address included in the received packet is listed in the connection permission list (step S105).

  When the destination IP address included in the received packet is not described in the connection permission list (NO in step S105), the monitoring unit 101 transmits a forged ARP request packet to the access destination computer of the unregistered computer (step S105). S106). The monitoring unit 101 disguises its own ARP table (step S107).

  Next, the monitoring unit 101 receives an ARP response packet from the access destination computer of the unregistered computer (step S108). Then, the monitoring unit 101 transmits a camouflaged ARP response packet to the unregistered computer (step S109).

  Through the above processing, the monitoring unit 101 can permit access to an unregistered computer and a computer permitted to be connected, and can exclude access to an unregistered computer and a computer not permitted to connect.

  Unregistered computers can connect to the computers listed in the connection permission list, so by describing a security server in the connection permission list, unregistered computers can connect to the security server and install agent software. It becomes possible. After installation, the software runs and periodically sends the status to the security server. When the security server receives the status, it adds it to the registered list and sends it to the monitoring / exclusion unit. When the monitoring / exclusion unit updates the registered list, it can be used in the corporate network without being blocked.

  The agent software is installed as follows, for example. The security server is configured as a web server, and the link destination of the agent software installer is pasted on the web page. Even if the computer is not registered, the security server can be accessed, so the installer is transferred by clicking the link destination. The installer is installed on the transfer destination computer to install the agent software.

  The agent software has the following functions, for example. A shared folder is created on the security server 100. The name of the shared folder is the MAC address (for example, yy-yy-yy-yy-yy-yy) of the own machine so that the security server 100 can distinguish. As long as it can be distinguished, another name may be used.

  Then, the agent software creates a text file whose file name is “Config”. The agent software acquires system information from the computer and describes the computer name and IP address in the text file.

For example, enter:

Computer name = computer1
IP address = xxx.xxx.xxx.xxx
In addition, the agent software periodically transmits the status to the security server. When the security server receives the status, it adds it to the registered list and sends it to the monitoring unit. When the monitoring unit updates the registered list, it can be used on the corporate network without being blocked.

Next, a procedure for adding computer information to the registered list will be described with reference to FIG.
When the computer is turned on (step S201), the agent software periodically transmits the status (step S202) until the power is turned off (step S203).

  The security server periodically receives the status transmitted from the agent software (step S204). The security server determines whether a status has been received (step S205). If it is determined that the status has been received (YES in step S205), the security server determines whether the computer information exists in the registered list (step S206). When it is determined that it does not exist in the registered list (NO in step S206), the security server adds computer information to the registered list (step S207). Then, the security server transmits the registered list to the monitoring unit (step S208).

  The monitoring unit updates the registered list by replacing the registered list of its own device with the registered list transmitted from the security server (step S209).

  As described above, according to the present embodiment, it is possible to access a node from a non-registered computer to a security server or the like that is permitted to access in advance. Further, since it becomes possible to access a security server that distributes a registered list from an unregistered computer, the unregistered computer can be easily made a registered computer. In addition, only unregistered computers can be connected to a network isolated from the corporate network.

  Further, according to this embodiment, it is possible to shorten the period during which communication is possible between an unregistered node and an access destination node of the unregistered node. When the monitoring unit 101 which is the network monitoring apparatus of this embodiment detects an ARP request packet transmitted from an unregistered node, the monitoring unit 101 impersonates the ARP table of the monitoring unit 101 and impersonates the access destination node of the unregistered node. By transmitting a request packet and transmitting a forged ARP response packet to an unregistered node, communication between the unregistered node and the access destination node of the unregistered node is interrupted. The monitoring unit 101 transmits a spoofed ARP request packet to the access destination node of the unregistered node, receives an ARP response packet for the spoofed ARP request packet from the access destination node of the unregistered node, and then impersonates the unregistered node. By transmitting the response packet, it is possible to shorten the period during which communication is possible between the unregistered node and the access destination node of the unregistered node. Further, by transmitting the spoofed ARP request packet and the spoofed ARP response packet as described above, it is possible to spoof the ARP table of each node without wasteful waiting time and without retransmission (retry) of the spoofed ARP response packet. can do.

(Second Embodiment)
The security server 100 can also transfer the quarantine agent software to the computer. The quarantine agent software quarantines the installed computer when the power is turned on or connected to the network, and sends the quarantine result to the security server. The quarantine executed by the quarantine agent software is a process that determines whether the latest version of the anti-virus software pattern file has been installed and whether the latest patch file has been applied to the operating system. Yes.

  The quarantine agent software stores the text file with the file name “Status” in the shared folder on the security server in which the “Config” file described in the first embodiment is stored.

  The quarantine result described in the “Status” file is either pass or fail. The “Status” file describes the date and time of quarantine execution and the quarantine result, as shown below.

2009/09/08 14:28:00 Passed
2009/09/08 15:20:00 Fail When the computer is turned on, the computer information is not described in the registered list. When the quarantine result is “pass”, the security server describes the computer information in the registered list, and transmits the new registered list to the monitoring unit.

  After being added to the registered list, it will no longer be blocked by the monitoring unit, so the corporate network can be used. Until it is added, it is possible to connect only to computers existing in the connection permission list.

  By adding a countermeasure server such as a server that distributes WSUS (Windows Server Update Services) and pattern files to the connection permission list, the computer can connect to the countermeasure server even if the quarantine result is unsuccessful. it can. If the quarantine fails, the computer connects to the countermeasure server and attempts countermeasures, and then quarantines again. If it passes, the computer is added to the registered list.

  In addition, the quarantine agent software periodically writes the writing date and time in the “Status” file in the security server during operation (for example, at intervals of 1 minute). If the “Status” file is no longer updated (eg, more than 3 minutes), the security server assumes that the computer has been powered off or disconnected from the network. Then, the security server deletes the computer information from the registered list, and transmits a new registered list to the monitoring unit.

  The status transmission from the quarantine agent software is performed in the same manner as in the first embodiment. The security server searches the folder with the MAC address name in the shared folder to confirm whether the agent is installed. The agent writes in the “Status” file every minute, and the security server polls the “Status” file every three minutes to determine whether it is operating.

Next, the configuration of a security server that updates the registered list will be described with reference to FIG.
The security server includes a Status file management module 301, a quarantine result determination module 302, a registered list management module 303, a status determination module 304, a registered list transmission module 305, and the like.

  The Status file management module 301 receives the “Status” file transmitted from the quarantine agent software 310 and writes it in a folder corresponding to the computer that transmitted the “Status” file in response to a command transmitted from the quarantine agent software 310.

  The quarantine result determination module 302 determines whether the quarantine result is pass or fail by referring to the “Status” file. The quarantine result determination module 302 notifies the determination result to the registered list management module 303. The quarantine result determination module 302 describes computer information in the registered list 307 of the server 100 when the quarantine result is acceptable.

  The status determination module 304 determines whether the computer is operating by periodically polling the “Status” file. The status determination module 304 notifies the registered list management module 303 of the determination result. The registered list management module 303 deletes the computer information from the registered list 307 when it is determined that the computer is not operating.

  The registered list transmission module 305 transmits the registered list 307 to the monitoring units (101, 121) when the registered list 307 is changed.

  Next, processing performed by the quarantine agent software, the security server, and the monitoring unit after the computer is turned on until the power is turned off will be described with reference to FIG.

  First, when the computer is turned on (step S301), the quarantine agent software 310 performs quarantine (step S302). The quarantine agent software 310 transmits the quarantine result to the security server 100 (step S303). Then, when the quarantine result is not acceptable (NO in step S304), the quarantine agent software 310 connects to the countermeasure server and implements the countermeasure (step S320).

  When receiving the “Status” file including the quarantine result transmitted from the computer, the quarantine result determination module 302 determines whether the computer has passed the quarantine (step S305). If it is determined that the quarantine did not pass (NO in step S305), the process waits for the quarantine result to be sent again from the computer, and when the quarantine result is received, the process of step S305 is executed again.

  If it is determined that the quarantine has passed (YES in step S305), the registered list management module 303 of the security server 100 adds computer information to the registered list (step S306). Then, the registered list transmission module 305 transmits the registered list to the monitoring units (101, 121) (step S307). The monitoring units (101, 121) update the registered list by replacing the registered list of the own device with the registered list transmitted from the security server 100 (step S308).

  If the quarantine is passed (YES in step S304), the quarantine agent software 310 periodically writes in the “Status” file (step S309). The security server 100 periodically polls the “Status” file (step S310). When the computer is turned off (step S312), the security server 100 does not write to the “Status” file. When there is no writing in the “Status” file (NO in step S311), the security server 100 deletes the computer information from the registered list of the own device (step S313). Then, the security server 100 transmits the registered list to the monitoring unit (101, 121) (step S314). The monitoring unit (101, 121) updates the registered list by replacing the registered list of its own device with the registered list transmitted from the security server 100 (step S315).

  According to the present embodiment, a quarantine network can be configured without using an authentication VLAN (Virtual Local Area Network), a PFW (Personal firewall), a gateway, a DHCP (Dynamic Host Configuration Protocol), or the like.

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine suitably the component covering different embodiment.

  DESCRIPTION OF SYMBOLS 100 ... Security server (security device), 101, 121 ... Monitoring unit (network monitoring device), 201 ... Network interface part, 202 ... Reception part, 203 ... Communication protocol determination part, 204 ... Unregistered PC detection part, 205 ... Address determination unit, 206 ... ARP table impersonation unit, 207 ... Impersonation ARP request transmission unit, 208 ... Impersonation ARP reply transmission unit, 209 ... Name resolution packet transmission unit, 210 ... ARP table storage unit, 211 ... Registered list storage unit, 212 ... Detection list storage unit, 213 ... Transmission list storage unit, 214 ... Connection permission list storage module.

Claims (9)

A network monitoring device for monitoring a network to which a plurality of nodes are connected,
In response to receiving the address resolution protocol request packet, the source node of the received address resolution protocol request packet is an unregistered node based on the source physical address included in the received address resolution protocol request packet. Unregistered node determining means for determining whether there is,
When the unregistered node determination unit determines that the transmission source node is an unregistered node, based on a destination network address included in the received address resolution protocol request packet, the received address resolution protocol request packet Connection-permitted node determination means for determining whether the destination node is a connection-permitted node;
Means for permitting communication between the transmission source node and the destination node when the connection permission node determination means determines that the destination node is a connection permission node;
If the connection-permitted node determination unit determines that the destination node is not a connection-permitted node, a spoofed address resolution protocol is sent to a destination node that is a node corresponding to a destination network address included in the received address resolution protocol request packet. A spoofed address resolution protocol request sending means for sending a request packet;
In response to receiving an address resolution protocol response packet for the forged address resolution protocol request packet transmitted from the destination node, a forged address resolution protocol response is transmitted to the unregistered node. A transmission means;
A network monitoring apparatus comprising: The spoofed address resolution protocol request packet includes a physical address of the network monitoring device as a source physical address, and includes a network address of the unregistered node as a source network address,
The spoofed address resolution protocol response packet includes a predetermined physical address other than a physical address of the destination node as a source physical address, and includes a network address of the destination node as a source network address. The network monitoring apparatus according to 1.   In response to receiving the address resolution protocol response packet for the spoofed address resolution protocol request packet transmitted from the destination node, the spoofed address resolution protocol response transmission means sends the unregistered node to the unregistered node. 3. The network monitoring apparatus according to claim 2, wherein a spoofed address resolution protocol response packet including the physical address of the destination node as a source physical address and including the network address of the destination node as a source network address is transmitted.   ARP table disguise means for associating and describing the network address of the unregistered node and the physical address of the network monitoring device in the ARP table describing the correspondence between the network address and the physical address held by the network monitoring device The network monitoring apparatus according to claim 2, further comprising:   The unregistered node determination unit is configured such that when a source node of the received address resolution protocol request packet is an unregistered node, and the received address resolution protocol request packet is a gratuit address resolution protocol request packet, 3. The network monitoring apparatus according to claim 2, wherein the address resolution protocol request packet is ignored. A receiving means for receiving a quarantine result from the node;
When the quarantine result transmitted from the node indicates a pass, information indicating the node that transmitted the quarantine result to a registered list;
Means for transmitting the registered list to a network monitoring device that permits communication between the nodes described in the registered list;
Means for receiving a status periodically transmitted from a node in which the quarantine result indicates success;
Means for generating a new registered list by deleting information indicating a node that has transmitted the quarantine result from the registered list when the status cannot be received;
Means for transmitting the new registered list to the network monitoring device;
A security device characterized by comprising:   7. The apparatus according to claim 6, further comprising means for transmitting an installer for installing the quarantine agent software for executing the quarantine of the node to a node whose information is not described in the registered list. Security device described. A network monitoring method for monitoring a network to which a plurality of nodes are connected by a network monitoring device connected on the network,
In response to receiving the address resolution protocol request packet, the source node of the received address resolution protocol request packet is an unregistered node based on the source physical address included in the received address resolution protocol request packet. Determine if there is,
When the source node is an unregistered node, it is determined whether the destination node of the received address resolution protocol request packet is a connection permission node based on a destination network address included in the received address resolution protocol request packet And
When it is determined that the destination node is a connection permission node, communication between the transmission source node and the destination node is permitted,
When it is determined that the destination node is not a connection permission node, a spoofed address resolution protocol request packet is transmitted to a destination node that is a node corresponding to a destination network address included in the received address resolution protocol request packet;
In response to receiving an address resolution protocol response packet for the forged address resolution protocol request packet transmitted from the destination node, a forged address resolution protocol response packet is transmitted to the unregistered node. Network monitoring method. The spoofed address resolution protocol request packet includes a physical address of the network monitoring device as a source physical address, and includes a network address of the unregistered node as a source network address,
The spoofed address resolution protocol response packet includes a predetermined physical address other than a physical address of the destination node as a source physical address, and includes a network address of the destination node as a source network address. 9. The network monitoring method according to 8.

Images