JP2012199758A - Quarantine management device, quarantine system, quarantine management method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a quarantine management device, a quarantine system, a quarantine management method, and a program capable of securing security, reducing introduction costs, and reducing operational burdens.SOLUTION: To quarantine PCs 3 and 7 connected to a LAN 2, a quarantine management device 1 comprises an access control part 11 for transmitting a duplication response to the PCs 3 and 7 when detecting an ARP request from the PCs 3 and 7, and acquiring a link local address for physically and logically enabling only communication on a single link to communicate with the quarantine management device 1; and a security policy confirmation part 12 for determining whether the PCs 3 and 7 introduce a quarantine agent 5 for protecting the LAN 2 via the link local address, and for confirming possibility of adaptation of the security policy when the quarantine agent 5 is introduced as a result of the determination. The access control part 11 allows the PCs to acquire an IP address when the security policy is adapted.

Description

  The present invention relates to a quarantine management device, a quarantine system, a quarantine management method, and a program.

  In recent years, computer networks in which the IPv4 protocol operates are used as local area networks (hereinafter abbreviated as “LAN”) in organizations in organizations and organizations. In this case, two security risks can be considered for the act of connecting a personal computer (hereinafter abbreviated as PC) to the LAN.

  The first is a security risk that a person who wants to steal information in an organization connects a PC that is not permitted as a means for deliberately entering the LAN to the LAN. Secondly, software that corrects security problems of PC operating software (hereinafter abbreviated as “OS”) and software programs used for business or group activities (hereinafter abbreviated as “software”). (Hereinafter referred to as “patch”) is a security risk due to not being applied to a PC.

  The second security risk poses a problem with computer virus infection and its transmission to other PCs. In addition, when a computer virus infection occurs, it becomes difficult for a company to use a PC or conduct group activities, information inside the organization is leaked to the outside, and these damages are caused by other companies. Or it spreads to organizations, causing further problems.

  As countermeasures against these security risks, it is necessary to control such that PCs that are not permitted by the organization are not connected to the LAN, and PCs to which patches are not applied are not connected to the LAN. Specifically, when the PC is connected to the LAN, the policy is confirmed, and the connection of the PC is controlled depending on whether the policy confirmation satisfies the condition or not. Such control may be referred to as “network quarantine” or simply “quarantine”. In addition, when a PC is incompatible with policy confirmation, there is a network that connects the PC for the purpose of applying a patch, and such a network is called a “quarantine network”.

  Here, a specific method of network quarantine will be briefly described below with four main quarantine methods.

(1) Quarantine method by DHCP authentication DHCP (Dynamic Host Configuration Protocol) is a rule defined by IETF (registered trademark) RFC 2131 (see Non-Patent Document 1), and setting information is transmitted to a host on a TCP / IP network. Provides a framework for passing against Further, by using DHCP, a reusable network address can be automatically assigned.

  In the quarantine method using DHCP authentication, first, when a network address is automatically assigned by DHCP, a temporary IP address is assigned to a PC that has requested a network address. Next, policy confirmation is performed, and the connection of the PC is controlled based on the result of the policy confirmation.

(2) Quarantine method by 802.1X authentication 802.1X (see Non-Patent Document 2) is a method for controlling connection based on a port of a network access point. In 802.1X, an authenticator, a supplicant, An element called an authentication server is used.

  The network access point is a LAN switch, a wireless LAN access point, or the like. The authenticator is a network access point that helps authenticate other devices connected to the LAN. A supplicant is an element that is physically connected to a LAN and that requires authentication by an authenticator. The authentication server is an element that provides an authentication service to the authenticator based on a protocol such as Diameter (see Non-Patent Document 3) or RADIUS (see Non-Patent Document 4).

  In the quarantine method based on the 802.1X authentication, first, when the 802.1X authentication is performed, the policy is confirmed, and if it matches, the PC is connected to the business VLAN. On the other hand, in the case of nonconformity, the PC is connected to the VLAN for the quarantine network.

(3) Quarantine method by personal firewall Built-in OS or installed in PC for the purpose of detecting, blocking and controlling access for intrusion from LAN to PC and communication between PC and LAN Software called "Personal Firewall" is used.

  In a quarantine method using a personal firewall, first, software called a quarantine agent is installed in a PC. When the PC is connected to the LAN, the policy check is performed by the quarantine agent, and if the PC matches, the PC is connected to the LAN. On the other hand, in the case of incompatibility, communication is controlled using a personal firewall, and the PC cannot be connected to the LAN.

  In addition, when there is a PC in which the quarantine agent has not been installed (hereinafter abbreviated as “unintroduced PC”), since the other PCs share the personal firewall communication control settings for the unintroduced PC, The operation of not performing communication is realized.

(4) Quarantine Method by Quarantine Gateway LANs to be managed are usually divided into an internal network and an external network. A device that is arranged at a relay point between the internal network and the external network and that performs transfer processing at a level higher than the transport layer or converts a protocol is called a gateway (see Non-Patent Document 7). In addition, a “quarantine gateway” is constructed by introducing a firewall that controls communication according to whether the terminal conforms to the security policy.

  In the quarantine method using the quarantine gateway, first, since the internal network is arranged and protected in a place where the PC cannot be physically connected, the PC that wants to use the internal network is physically connected to the external network. Subsequently, the PC in which the quarantine agent is installed receives policy confirmation by the quarantine agent.

  Then, the PC that conforms to the policy confirmation communicates from the quarantine agent to the quarantine gateway, and registers the network address of the PC in the firewall of the quarantine gateway as a network address that allows communication. Thereafter, the quarantine gateway enables connection between the PC and the internal network.

  On the other hand, when a PC that does not conform to the policy confirmation tries to connect to the internal network, the communication is controlled by the quarantine gateway, and the internal network is protected from security risks.

  Various systems have been proposed to realize network quarantine (see Patent Documents 1 to 3). Specifically, Patent Document 1 discloses an unauthorized connection prevention system that prevents unauthorized PCs from being connected to a LAN. First, whether the PC sets a fixed IP address or assigns an IP address by DHCP, at the stage of setting the IP address, an ARP (Address Resolution Protocol) called Gratuitous ARP is used to confirm IP address duplication. The packet of Reference 5) is transmitted. This is defined in “IPv4 address collision detection” (Non-Patent Document 6).

  As a method for preventing the PC from setting an IP address by setting a fixed IP address or assigning an IP address by DHCP, a false MAC (Media Access Control) is applied to an ARP request packet from the PC. A method of transmitting an ARP response packet having an address (hereinafter referred to as “spoofed ARP response”) is conceivable. The unauthorized connection prevention system disclosed in Patent Document 1 employs this method.

  On the other hand, for a PC that has been approved for connection to the LAN, the unauthorized connection prevention system disclosed in Patent Document 1 refers to an authorization list storage unit that stores the MAC address of the PC, thereby impersonating an ARP response. Works not to send.

  Further, Patent Document 2 discloses an unauthorized connection prevention system that restricts access to a network of terminals that do not satisfy a set policy. The unauthorized connection prevention system disclosed in Patent Document 2 is a conventional unauthorized connection prevention system (disclosed in Patent Document 1) that implements access restriction that does not allow a client terminal other than those permitted by a MAC address and an IP address to be connected to the network. (Including system problems).

  In other words, in the conventional unauthorized connection prevention device, if it is a client terminal permitted by a MAC address, an IP address, etc., it can be connected to the network even if the necessary agent software is not installed, the MAC address, the IP address, etc. If the client terminal is permitted by the above, even if the necessary agent software is uninstalled, it can be connected to the network.

  The unauthorized connection prevention system disclosed in Patent Document 2 detects a terminal in which agent software necessary for a client is not installed, and restricts access to a network of a terminal in which necessary agent software is not installed. Furthermore, the unauthorized connection prevention system disclosed in Patent Document 2 restricts access to the network even for terminals in which agent software necessary for the client is installed but does not satisfy the set policy. To do.

  Patent Document 3 discloses a quarantine system that performs quarantine by cooperation of an authentication device, an authentication server, and a DHCP server. In Patent Document 3, the authentication device detects connection of a client terminal to a network, and a client terminal in which agent software is not installed is connected to a guest network. In addition, the authentication apparatus connects a terminal in which the agent software is installed to the quarantine network.

  According to the quarantine system disclosed in Patent Literature 3, it is possible to prevent a client terminal that may be infected with a computer virus from being connected to the user network for a certain period of time. Further, since the authentication apparatus can use the 802.1X protocol, the authentication apparatus can mediate between the authentication server and the client terminal. The authentication device can also give out the IP addresses of the guest network, the quarantine network, and the user network according to an instruction to the DHCP server.

Japanese Patent No. 4174392 (page 19, Fig. 2) Japanese Patent No. 4437797 (page 3) Japanese Patent No. 45524288 (first page, second page, sixth page, FIG. 1)

“IETF (Internet Engineering Task Force) RFC2131”, [online], March 1997, Dynamic Host Configuration Protocol, [October 28, 2010 search], Internet <URL: http://tools.ietf.org/html / rfc2131> “IEEE Standard for Local and metropolitan area networks—Port-Based Network Access Control”, pp.1,6-9, [online], February 2010, IEEE Std 802.1X (TM) -2010 (Revision of IEEE Std 802.1 X-2004), [October 28, 2010 search], Internet <URL: http: //standards.ieee.org/getieee802/download/802.1X-2010.pdf> “IETF RFC 3588”, [online], September 2003, Diameter Base Protocol, [October 28, 2010 search], Internet <URL: http: //tools.ietf.org/html/rfc3588> “IETF RFC 2865”, [online], June 2000, Remote Authentication Dial In User Service (RADIUS), [October 28, 2010 search], Internet <URL: http://tools.ietf.org/html / rfc2865> “IETF RFC 826”, [online], November 1982, An Ethernet Address Resolution Protocol, [October 28, 2010 search], Internet <URL: http://tools.ietf.org/html/rfc826> “IETF RFC 5227”, [online], July 2008, IPv4 Address Conflict Detection, [October 28, 2010 search], Internet <URL: http: //tools.ietf.org/html/rfc5227> Takashi Takeshita, Koho Murayama, Toru Arai, Yukio Hirota, "Mastering TCP / IP Introduction 3rd Edition", 3rd Edition 4th Edition, Ohmsha, May 10, 2002, pp.45-46

  The above-described four quarantine methods are appropriately selected and used according to the demands and circumstances of the introduction side. In addition, the systems disclosed in Patent Documents 1 to 3 may be combined with these quarantine methods to perform actual network quarantine.

  However, when the four quarantine methods and the systems disclosed in Patent Documents 1 to 3 are used, there are problems that security is not sufficiently secured, introduction cost cannot be reduced, and operation burden is large. To do. This will be described below.

[Quarantine method by DHCP authentication],
In the quarantine method using DHCP authentication, when the IP address is set to a PC with a fixed IP address, quarantine cannot be executed and connection to the LAN is possible, thus ensuring security. There is no problem.

  In order to prevent connection with a fixed IP address, measures such as introducing a network switch having a function called DHCP snooping may be considered. However, in this case, additional introduction costs are required, which increases the introduction costs. End up.

  In addition, when using DHCP snooping, it is necessary to set a trusted port in the network switch, and it is only at the port of the network switch that communication can be blocked. For this reason, in order to ensure high security between the PCs, it is necessary for the terminal network switch to which the PCs are connected to support DHCP snooping, which also increases the introduction cost.

  In addition, in an environment where DHCP snooping is used for the purpose of blocking a fixed IP address, it is considered that it is actually difficult to operate a terminal that can use a fixed IP address exceptionally. Furthermore, in the quarantine method based on DHCP authentication, a temporary IP address for the quarantine network is assigned to a PC that requests connection. In order to perform this process, the network administrator defines a temporary IP address in advance and sends it to the DHCP server. It is necessary to set, and the operation burden becomes large.

[Quarantine method using 802.1X authentication]
In order to execute the quarantine method using 802.1X authentication, it is necessary to install an authentication server such as RADIUS that supports 802.1X and a device that supports 802.1X authentication. Therefore, companies that do not have such devices need to replace the devices, which causes a problem of high introduction costs.

  Further, 802.1X authentication is performed on a port basis. Therefore, if there is a repeater hub or a wireless LAN access point between the supplicant that has been authenticated and the port, it becomes possible to connect to the LAN from the other PC connected to the port through the port. There is also a problem that it cannot be secured. This problem can be dealt with by controlling the connection using the MAC address, but in this case, the introduction cost and the labor of operation increase.

  In addition, in order to execute the quarantine method based on 802.1X authentication, it is necessary for the network administrator to define a VLAN for the quarantine network in advance and set it in the device, which increases the operation burden. . Similarly, in the quarantine system disclosed in Patent Document 3, it is necessary for the network administrator to set up a guest network, and it can be said that the operation burden is large in the quarantine system disclosed in Patent Document 3.

[Quarantine method by personal firewall]
In the quarantine method using the personal firewall, the PC that has not yet been installed is connected to the other PC that has not been installed since the setting of communication control of the personal firewall for the PC to which the quarantine agent has not been installed is shared with the other PC that has been installed. Communication is not possible. For this reason, a PC that has not been installed for a long time is not connected to the LAN.

  However, a PC that has not been installed is temporary, but can be connected to a network, so that a problem arises that security is not sufficient. This also applies to the unauthorized connection prevention system disclosed in Patent Document 2.

[Quarantine method by quarantine gateway]
In order to control communication by providing a quarantine gateway, if it is applied to a LAN that needs to be provided with a plurality of gateways, there is a problem that the setting becomes complicated and the operation is troublesome. In addition, a PC that is permitted to connect to the internal network may be permanently present in the same external network as a PC that is not permitted to connect, so that they can communicate with each other. Under such circumstances, there arises a problem that a PC that is permitted to connect to the internal network is susceptible to information security attacks from a PC that is not permitted to connect, and security is not sufficient.

  An example of an object of the present invention is to provide a quarantine management device, a quarantine system, a quarantine management method, and a program that can solve the above-described problems and can ensure security, reduce the introduction cost, and reduce the operation burden. is there.

In order to achieve the above object, a quarantine management apparatus according to one aspect of the present invention is a quarantine management apparatus for quarantining a terminal device connected to a network,
When an ARP request from the terminal device is detected, a duplicate response is transmitted to the terminal device, and only communication on a single link physically and logically is possible for communication with the quarantine management device. An access control unit for acquiring a link local address to be
The terminal device that has acquired the link local address via the link local address determines whether an agent program for protecting the network is installed, and if the result of the determination is, A security policy confirmation unit that confirms whether the security policy conforms;
With
The access control permits the terminal device to obtain an IP address when the security policy is met.

In order to achieve the above object, a quarantine system according to an aspect of the present invention includes a terminal device connected to a network, and a quarantine management device for quarantining the terminal device,
The quarantine management device
When an ARP request from the terminal device is detected, a duplicate response is transmitted to the terminal device, and only communication on a single link physically and logically is possible for communication with the quarantine management device. To get the link local address, and
When the terminal device notifies from the link local address that an agent program for protecting the network has been introduced, the terminal device is confirmed as to whether or not security policy conforms,
Permitting the terminal device to obtain an IP address when the security policy is compliant;
It is characterized by that.

In order to achieve the above object, a quarantine management method according to one aspect of the present invention is a method for quarantining a terminal device connected to a network,
(A) Upon detecting an ARP request from the terminal device, a duplicate response is transmitted to the terminal device to acquire a link local address that enables communication on a single link physically and logically. , Steps and
(B) It is determined whether or not the terminal device that has acquired the link local address has installed an agent program for protecting the network via the link local address. If the security policy conformance is confirmed, step,
(C) permitting the terminal device to obtain an IP address when the security policy conforms; and
It is characterized by having.

Furthermore, in order to achieve the above object, a program according to one aspect of the present invention is a program for quarantining a terminal device connected to a network by a computer,
In the computer,
(A) Upon detecting an ARP request from the terminal device, a duplicate response is transmitted to the terminal device, and only communication on a single link physically and logically is performed for communication with the computer. Getting the link-local address to be enabled, and
(B) It is determined whether or not the terminal device that has acquired the link local address has installed an agent program for protecting the network via the link local address. If the security policy conformance is confirmed, step,
(C) permitting the terminal device to obtain an IP address when the security policy conforms; and
Is executed.

  As described above, according to the quarantine management device, the quarantine system, the quarantine management method, and the program according to the present invention, security can be ensured, introduction cost can be reduced, and operation burden can be reduced.

FIG. 1 is a block diagram illustrating a configuration of a quarantine system and a quarantine management apparatus according to an embodiment of the present invention. FIG. 2 is a flowchart showing the operation of the quarantine management apparatus according to the embodiment of the present invention. FIG. 3 is a flowchart showing the operation of the terminal device to be quarantined in the embodiment of the present invention. FIG. 4 is a sequence diagram showing the operation of the quarantine system according to the embodiment of the present invention, and shows a case where a quarantine agent is installed in the terminal device. FIG. 5 is a sequence diagram showing the operation of the quarantine system according to the embodiment of the present invention, and shows a case where a quarantine agent is not installed in the terminal device. FIG. 6 is a block diagram illustrating an example of a computer that implements the quarantine management apparatus according to the embodiment of the present invention.

(Summary of Invention)
When a terminal device such as a PC is connected to a LAN that is a local area network using IPv4, first, an IP address is set by a fixed value (hereinafter referred to as a fixed IP address) or an IP address by DHCP is set. In order to perform allocation, an ARP request is transmitted.

  When the quarantine management apparatus in the present invention receives an ARP request, it determines whether the request is from a terminal in which identification information is registered in advance, and in the case of a request from a terminal that is not registered, in order to restrict communication, A terminal is set with a link local address (hereinafter abbreviated as LL address).

Here, the “LL address” in IPv4 is an address (reference document 1) in a range expressed by 169.254.0.0/16 (CIDR notation). The “IPv4 link local address allocation method (reference document 2)” includes a range of 169.254.1.0 to 169.254.254.255 in which the PC voluntarily exists in a situation where there is no DHCP address setting entity such as a DHCP server not found. It is defined that an IP address can be randomly selected from and assigned to the PC itself.
[Reference 1]
“IETF RFC 3330”, pp.2-3, September 2002, Special-Use IPv4 Addresses, <URL: http: //tools.ietf.org/html/rfc3330>
[Reference 2]
“IETF RFC 3927”, May 2005, Dynamic Configuration of IPv4 Link-Local Addresses, <URL: http: //tools.ietf.org/html/rfc3927>

  Then, the quarantine management apparatus checks the presence / absence of a quarantine agent via the LL address with respect to the terminal apparatus for which the LL address is set. If the quarantine agent is installed in the terminal device as a result of the confirmation, the quarantine management device transmits information on the security policy to the terminal device.

  Based on the received information, the terminal device that received the information, for example, whether there is a legitimacy for obtaining permission to connect to the LAN, whether a patch is applied, the latest pattern file in the antivirus software, Check whether the condition is applied. Subsequently, when the condition confirmation (hereinafter referred to as “policy confirmation”) is completed, the terminal device responds to the quarantine management apparatus with the result of the policy confirmation.

  The quarantine management apparatus that has received the response registers the identification information of the terminal apparatus that has made the response. Thereafter, the terminal device again sets a fixed IP address and assigns an IP address by DHCP. In this case as well, the quarantine management apparatus receives an ARP request from the terminal device, but since the identification information is registered this time, communication of the terminal device is not restricted. As a result, the terminal device can acquire a global IP address or a private IP address for using the LAN.

  Even when a quarantine agent is not installed in a terminal device connected to the LAN, when the quarantine management device receives the ARP request, the quarantine management device causes the terminal device to set an LL address because identification information is not registered. . However, in this case, since the quarantine agent is not installed in the terminal device, the quarantine management device does not transmit information on the security policy to the terminal device. As a result, the terminal device cannot set a fixed IP address or assign an IP address by DHCP, and communication between this terminal device and the terminal device that acquired the IP address is blocked.

  Thus, in the present invention, unlike the private address, the IPv4 LL address can be used for communication within a single LAN, but security is ensured by utilizing the property that routing is not possible. In other words, the present invention uses the property that a terminal device having an LL address cannot connect to another server or a device such as a PC across a router. Then, by using a link local address as a quarantine network, the LAN used for business operations and group activities is protected from the quarantine network.

(Embodiment)
Hereinafter, a quarantine system, a quarantine management apparatus, a quarantine management method, and a program according to an embodiment of the present invention will be described with reference to FIGS.

[System configuration and device configuration]
First, the configuration of the quarantine system 10 and the quarantine management apparatus 1 according to the embodiment of the present invention will be described. FIG. 1 is a block diagram illustrating a configuration of a quarantine system and a quarantine management apparatus according to an embodiment of the present invention.

  As shown in FIG. 1, a quarantine system 10 according to the first embodiment includes terminal devices 3 and 7 connected to a network 2 and a quarantine management device 1 for quarantining these terminal devices. The network 2 is a local area network and is hereinafter referred to as “LAN” 2. The quarantine management device 1 and the terminal devices 3 and 7 are connected to the LAN 2. In the present embodiment, the LAN 2 is a network using IPv4. Further, the LAN 2 is connected to the external network 9 via the communication device 8.

  The terminal devices 3 and 7 are PCs in the present embodiment. Hereinafter, they are referred to as “PC” 3 and “PC” 7, respectively. Further, it is assumed that an agent program (hereinafter referred to as “quarantine agent”) 5 for protecting the LAN 2 is installed in the PC 3 among the PCs shown in FIG. On the other hand, it is assumed that no quarantine agent is installed in the PC 7.

  When the quarantine agent 5 receives the condition information that defines the security policy from the quarantine management apparatus 1, the quarantine agent 5 confirms whether the PC conforms to the security policy and responds with the conformity availability. In addition, the quarantine agent 5 has a function of responding to its presence when it is introduced. Further, the quarantine agent 5 has a function of instructing the PC to reset the IP address.

  The communication device 8 is a network device such as a router serving as a relay point between the LAN 2 and the external network 9. The communication device 8 has a function of not routing communication from the LL address to the outside of the LAN 2 and a function of not routing communication from the LL address to different subnets inside the LAN 2.

  As shown in FIG. 1, the quarantine management apparatus 1 mainly includes an access control unit 11 and a security policy confirmation unit 12. When the access control unit 11 detects an ARP request from the PC, the access control unit 11 transmits a duplicate response to the PC and acquires an LL address for communication with the quarantine management apparatus 1. The LL address is an address that enables only communication with a server, a terminal, a device, or the like that is physically and logically on a single link. In this embodiment, the LL address is a link local address defined by IPv4. It is.

  The security policy confirmation unit 12 determines whether the PC that has acquired the LL address has installed the quarantine agent 5 via the LL address. If the result of the determination indicates that the security policy conforms to the security policy, Confirm availability. Further, the security policy confirmation unit 12 notifies the access control unit 11 of the confirmation result.

  If the access control unit 11 is notified that the security policy is met, the access control unit 11 permits the PC to acquire an IP address. On the other hand, when notified that the security policy does not conform, the access control unit 11 does not permit the PC to acquire an IP address.

  As described above, in this embodiment, the PC to be connected to the LAN 2 is configured with the LL address by the quarantine management apparatus 1 regardless of whether the fixed IP address is set or the IP address is assigned by DHCP. Connected to the same subnet. For this reason, the security in LAN2 is ensured reliably. Further, only the quarantine management apparatus 1 needs to be constructed on the network, and the introduction cost can be reduced. Furthermore, there are no items that must be set manually by the network administrator, reducing the operational burden.

  In the present embodiment, the quarantine management apparatus 1 includes network interfaces 13 and 14, an approval list storage unit 4, and a policy storage unit 6 in addition to the access control unit 11 and the security policy confirmation unit 12. Yes.

  The network interface 13 is used for communication with the LL address. On the other hand, the network interface 14 is used for communication with a terminal device such as a PC that is permitted to connect to the LAN 2. The network interface 14 is assigned a routable IP address.

  The policy storage unit 6 stores condition information that defines the security policy. In the present embodiment, the security policy confirmation unit 12 transmits the condition information stored in the policy storage unit 6 to the PC, and causes the quarantine agent 5 of the PC to determine whether or not it conforms to the security policy. Further, the security policy confirmation unit 12 receives the determination result, and confirms whether or not the security policy conforms based on the determination result.

  The approval list storage unit 4 stores identification information of terminal devices such as PCs that are permitted to connect to the LAN 2. Examples of terminal device identification information include a MAC address and an IP address.

  Furthermore, in this embodiment, when the access control unit 11 detects an ARP request from the PC, first, based on the identification information stored in the approval list storage unit 4, whether the PC is registered in advance. Determine if. Furthermore, the access control unit 11 also determines whether the source address of the ARP request is within the LL address range. If the PC is not registered in advance and is not within the LL address range as a result of the determination, a duplicate response is transmitted to the PC.

[Operation of quarantine system and management device]
Next, operations of the quarantine system 10 and the quarantine management apparatus 1 according to the first embodiment of the present invention will be described with reference to FIGS. In the following description, FIG. 1 is taken into consideration as appropriate. In the present embodiment, the quarantine management method is implemented by operating the quarantine management apparatus 1. Therefore, the description of the quarantine management method in the present embodiment is replaced with the following description of the operation of the quarantine management apparatus 1.

  First, processing of the quarantine management apparatus 1 and the PC 3 will be described below with reference to FIGS. 2, 3, and 4. FIG. 2 is a flowchart showing the operation of the quarantine management apparatus according to the embodiment of the present invention. FIG. 3 is a flowchart showing the operation of the terminal device to be quarantined in the embodiment of the present invention. FIG. 4 is a sequence diagram showing the operation of the quarantine system according to the embodiment of the present invention, and shows a case where a quarantine agent is installed in the terminal device. Further, in FIG. 4, the linked state between each step shown in FIG. 2 and each step shown in FIG. 3 and the required waiting time are shown.

  As shown in FIGS. 2 to 4, first, when the PC 3 is connected to the LAN 2, it starts setting an IP address. Then, the PC 3 determines whether there is a DHCP setting (step S20 in FIG. 3). As a result of the determination in step S20, if there is a DHCP setting, the PC 3 communicates with the DHCP server and receives an IP address from the DHCP server (step S21 in FIG. 3). Subsequently, the PC 3 transmits Gratuitous ARP in order to confirm duplication of the IP address presented by DHCP (step S22 in FIG. 3).

  On the other hand, as a result of the determination in step S20, if the PC 3 has no DHCP setting and the PC 3 holds the fixed IP address setting, the PC 3 transmits Gratuitous ARP with the fixed IP address setting (step in FIG. 3). S23). In operation, it is assumed that no LL address is set for the fixed IP address.

  Next, after transmitting Gratuitous ARP in Step A22 or A23, the PC 3 waits for a response informing the duplication of the IP address for the set time W1 (maximum value: time A) (see FIG. 4). It becomes a state.

  Subsequently, as shown in FIG. 2, the quarantine management apparatus 1 receives the gratuitous ARP transmitted in step S22 or step S23 shown in FIG. 3 (step S10 in FIG. 2). Then, the quarantine management apparatus 1 (access control unit 11) determines whether or not the IP address that is the target of confirmation of duplication is in the range of the LL address by Gratuitous ARP (step S11 in FIG. 2). Since the terminal device connected to the LAN 2 is the PC 3, it is determined in step S11 that the terminal device is not in the LL address range.

  Since it is determined in step S11 that it is not in the range of the LL address, the quarantine management apparatus 1 determines whether or not the information corresponding to the PC 3 exists in the identification information of the approval list storage unit 4, specifically, Gratuitous ARP. It is determined whether or not the MAC address exists (step S17). Since there is no corresponding information this time, the quarantine management apparatus 1 transmits a duplicate response using a camouflaged ARP in order to restrict communication with the PC 3 (step S18 in FIG. 2). Note that step S18 can be executed in accordance with the processing disclosed in Patent Document 1 described above. Moreover, when step S18 is performed, the process in the quarantine management apparatus 1 is once ended.

  When step S18 is executed and an IP address duplication response is transmitted from the quarantine management apparatus 1, the PC 3 determines that there is a duplication response (step S24 in FIG. 3). Then, the PC 3 selects an LL address and transmits a gratuitous ARP from the selected LL address (step S26 in FIG. 3). Note that the “selection of the LL address” in step S26 is executed in accordance with the “IPv4 link local address allocation method (reference document 2)” described in the outline of the invention.

  Next, when step S26 is executed, the quarantine management apparatus 1 receives the gratuitous ARP transmitted in step S26 (step S10 in FIG. 2). Then, the quarantine management apparatus 1 (access control unit 11) again determines whether or not the IP address that is the target of confirmation of duplication by Gratuitous ARP is within the LL address range (step S11). In this case, since the IP address to be confirmed is within the range of the LL address, the quarantine management apparatus 1 does not execute Steps S17 and S18, and a response that the IP address is duplicated is made. There is no.

  Next, after transmitting Gratuitous ARP for the LL address (after execution of step S26 in FIG. 3), the PC 3 overlaps the IP address for a set time W2 (maximum value: time A) (see FIG. 4). Waiting for a response to inform Since there is no response within the set time, the PC 3 determines that there is no response (step S27 in FIG. 3). Then, the PC 3 sets the LL address as its own IP address (step S28 in FIG. 3).

  In step S11, since the quarantine management apparatus 1 determines that the received gratuitous ARP is in the range of the LL address, the time W3 (maximum value: considered to be sufficient for the PC 3 to set the LL address). It will be in a standby state until time B) elapses (see FIG. 4). Then, after the elapse of time, the quarantine management apparatus 1 (security policy confirmation unit 12) transmits a packet for confirming the existence of the quarantine agent 5 to the LL address determined in step S11 (see FIG. 2 step S12).

  Next, when step S12 is executed, the PC 3 receives the confirmation of the presence / absence of the quarantine agent (step S29 in FIG. 3), and determines whether the quarantine agent is installed (step S30 in FIG. 3). In step S30, since it is determined that the quarantine agent has been installed, the PC 3 makes a response notifying that the quarantine agent 5 has been installed (step S31 in FIG. 3).

  In step S12, the quarantine management apparatus 1 transmits a packet for confirming the presence / absence of the quarantine agent, and then waits for a response for a set time W4 (maximum value: time C) (see FIG. 4). It becomes a state. Then, after the set time has elapsed, the quarantine management apparatus 1 (security policy confirmation unit 12) determines whether or not a response notifying the presence of the quarantine agent has been received (step S13 in FIG. 2). In step S13, since it is determined that it has been received, the quarantine management apparatus 1 transmits the condition information stored in the policy storage unit 6 to the PC 3 (step S14 in FIG. 2).

  When the PC 3 receives the condition information after executing step S31 (step S32 in FIG. 3), the quarantine agent 5 checks whether the PC 3 conforms to the security policy (step S33). As a result of the confirmation, if the PC 3 conforms to the security policy, the PC 3 sends a policy OK response to the quarantine management apparatus 1 (step S34 in FIG. 3).

  When the quarantine management apparatus 1 receives a security policy conformity confirmation result from the PC 3 after executing step S14, the quarantine management apparatus 1 confirms whether or not the security policy is OK (step S15 in FIG. 2). If the security policy is OK as a result of the confirmation in step S15, the quarantine management apparatus 1 (access control unit 11) registers the identification information of the PC 3 in the approval list storage unit 4 (step S16). The process is temporarily terminated. On the other hand, if the security policy is NG as a result of the confirmation in step S15, the IP address of the PC 3 remains the LL address, and the process in the quarantine management apparatus 1 ends.

  The PC 3 waits for a period of time W5 (time D) that is considered sufficient for the identification information to be registered in the quarantine management apparatus 1 after responding the policy OK in step S34 (see FIG. 4). It becomes. After the elapse of time, the PC 3 executes steps S20 to S23 shown in FIG. 3 again in order to reset the IP address.

  When steps S20 to S23 are executed, the quarantine management apparatus 1 receives the gratuitous ARP transmitted in step S22 or step S23 described above (step S10 in FIG. 2), and executes each step shown in FIG. 2 again. To do. In this case, since the quarantine management apparatus 1 determines in step S11 that it is not in the range of the LL address, it determines whether or not the identification information is registered in the approval list storage unit 4 (step S17 in FIG. 2). . Since the identification information of the PC 3 is registered in the approval list storage unit 4 this time, the quarantine management apparatus 1 ends the process without executing communication restriction (without executing Step S18).

  After the execution of step S16, the PC 3 that has executed step S22 or S23 sends a response notifying the duplication of the IP address for the set time W6 (maximum value: time A) after the transmission of gratuitous ARP (see FIG. 4). It will be in a waiting state. Since there is no response within the set time this time, the PC 3 determines that there is no response (step S24 in FIG. 3). Then, the PC 3 sets the IP address presented by DHCP or a fixed IP address as the IP address (step S25 in FIG. 3).

  As described above, the PC 3 is once connected to the subnet configured by the LL address, but after that, since the quarantine agent has been installed and the security policy is met, the PC 3 is connected to the LAN 2.

  Subsequently, processing of the quarantine management apparatus 1 and the PC 7 will be described below with reference to FIGS. 2, 3, and 5. In addition, since the quarantine agent is not installed in the PC 7 as described above, it is referred to as “uninstalled PC 7” in the following description. FIG. 5 is a sequence diagram showing the operation of the quarantine system according to the embodiment of the present invention, and shows a case where a quarantine agent is not installed in the terminal device. Further, in FIG. 5, the linked state between each step shown in FIG. 2 and each step shown in FIG. 3 and the required waiting time are shown.

  As shown in FIGS. 2, 3, and 5, first, the unintroduced PC 7 starts setting an IP address when connected to the LAN 2. Then, the unintroduced PC 7 determines whether there is a DHCP setting (step S20 in FIG. 3). As a result of the determination in step S20, if DHCP is set, the unintroduced PC 7 communicates with the DHCP server and receives an IP address from the DHCP server (step S21 in FIG. 3). Subsequently, the unintroduced PC 7 transmits Gratuitous ARP in order to confirm duplication of the IP address presented by the DHCP service (step S22 in FIG. 3).

  On the other hand, if the result of determination in step S20 is that there is no DHCP setting in the PC 7 and the non-introduced PC 7 holds the fixed IP address setting, the non-introduced PC 7 transmits Gratuitous ARP with the fixed IP address setting ( Step S23 in FIG.

  Next, after transmitting Gratuitous ARP in Step A22 or A23, the unintroduced PC 7 waits for a response informing the IP address duplication for the set time V1 (maximum value: time A) (see FIG. 5). It will be in the state.

  Subsequently, as shown in FIG. 2, the quarantine management apparatus 1 receives the gratuitous ARP transmitted in step S22 or step S23 shown in FIG. 3 (step S10 in FIG. 2). Then, the quarantine management apparatus 1 (access control unit 11) determines whether or not the IP address that is the target of confirmation of duplication is in the range of the LL address by Gratuitous ARP (step S11 in FIG. 2). Since the terminal device connected to the LAN 2 is the unintroduced PC 7, it is determined in step S11 that the terminal device is not in the LL address range.

  Since it is determined in step S11 that it is not in the range of the LL address, the quarantine management apparatus 1 determines whether the identification information corresponding to the unintroduced PC 7 exists in the identification information in the approval list storage unit 4 (step S17). ). Since there is no corresponding information this time, the quarantine management apparatus 1 transmits a duplicate response using a camouflaged ARP in order to restrict communication with the unintroduced PC 7 (step S18 in FIG. 2).

  When step S18 is executed and an IP address duplication response is transmitted from the quarantine management apparatus 1, the non-introduced PC 7 determines that there is a duplication response (step S24 in FIG. 3). Then, the unintroduced PC 7 selects an LL address and transmits a gratuitous ARP from the selected LL address (step S26 in FIG. 3).

  Next, when step S26 is executed, the quarantine management apparatus 1 receives the gratuitous ARP transmitted in step S26 (step S10 in FIG. 2). Then, the quarantine management apparatus 1 again determines whether or not the IP address that is the target of confirmation of duplication by Gratuitous ARP is within the range of the LL address (step S11). In this case, since the IP address to be confirmed is within the range of the LL address, the quarantine management apparatus 1 does not execute Steps S17 and S18, and a response that the IP address is duplicated is made. There is no.

  Next, the non-introduced PC 7 transmits the gratuitous ARP for the LL address (after execution of step S26 in FIG. 3), and for the set time V2 (maximum value: time A) (see FIG. 5), the IP address It will be in the state waiting for the response which notifies duplication of. Since there is no response within the set time, the unintroduced PC 7 determines that there is no response (step S27 in FIG. 3). The unintroduced PC 7 sets the LL address as its own IP address (step S28 in FIG. 3).

  In step S11, since the quarantine management apparatus 1 determines that the received gratuitous ARP is within the range of the LL address, the time V3 (time that is considered sufficient for setting the LL address in the non-installed PC 7) It will be in a standby state until B) elapses (see FIG. 5). Then, after the elapse of time, the quarantine management apparatus 1 (security policy confirmation unit 12) transmits a packet for confirming the existence of the quarantine agent 5 to the LL address determined in step S11 (see FIG. 2 step S12).

  Next, when step S12 is executed, the unintroduced PC 7 receives the confirmation of the presence or absence of the quarantine agent (step S29 in FIG. 3). However, since the quarantine agent is not installed in the unintroduced PC 7, the unintroduced PC 7 cannot correctly respond to a packet for confirming the existence of the quarantine agent. Therefore, the determination in step S30 in FIG. 3 is Yes, the IP address of the unintroduced PC 7 remains the LL address, and the process in the unintroduced PC 7 ends.

  In step S12, the quarantine management apparatus 1 transmits a packet for confirming the presence or absence of the quarantine agent, and then waits for a response for a set time V4 (maximum value: time C) (see FIG. 5). It becomes a state. Then, after the set time has elapsed, the quarantine management apparatus 1 (security policy confirmation unit 12) determines whether or not a response notifying the presence of the quarantine agent has been received (step S13 in FIG. 2). In step S13 in this case, since it is determined that it has not been received, the processing in the quarantine management apparatus 1 ends.

  As described above, since the quarantine agent is not installed in the PC 7, when connected to the subnet configured by the LL address, the state is maintained and the PC 7 is connected to the subnet to which the PC 3 is connected. Never happen. Therefore, the possibility that the PC 3 is attacked by the PC 7 is extremely small.

[Effects of the embodiment]
According to the present embodiment, the following first effect to fifth effect can be obtained.
[First effect]
According to the present embodiment, it is possible to perform quarantine even for a PC for which a fixed IP address is set, and security in the network can be improved. In this embodiment, regardless of whether a fixed IP address is set or an IP address is assigned by DHCP, the PC to be connected to the LAN 2 is first connected to the subnet of the LL address by the quarantine management apparatus 1. Because.

[Second effect]
According to this embodiment, even if there is an installed DHCP server on the network, the network administrator does not need to set up the DHCP service, and the operation burden is reduced. That is, when performing the quarantine method by DHCP authentication, it is necessary to perform communication for performing the quarantine, and it is necessary to assign a temporary IP address. In order to assign a temporary IP address, the network administrator needs to make settings on the DHCP server. On the other hand, according to the present embodiment, the LL address is set instead of the IP address for communication, and it is not necessary to set the DHCP service, so that the operation burden is reduced as described above. .

[Third effect]
In the present embodiment, even when a PC in which a quarantine agent has not been installed is connected to the LAN, it is possible to prevent the non-installed PC from being given time to use the LAN based on the private IP address or global IP address. Security is improved. That is, in the quarantine method using a personal firewall, when an unintroduced PC is connected, the unintroduced PC can be connected to the network for a certain time, which is a problem. On the other hand, in this embodiment, all PCs are connected to a quarantine network composed of LL addresses, and the suitability of the security policy is confirmed in that state. Absent. Also, a PC that can acquire only the LL address cannot be connected to another PC on the LAN or communicate with a terminal device or the like in an external network beyond a router.

[Fourth effect]
In this embodiment, since it does not depend on the function of the network switch, the introduction cost can be reduced. That is, in the quarantine method based on 802.1X authentication, an authentication server such as RADIUS corresponding to 802.1X and a device compatible with 802.1X authentication have to be introduced, resulting in a problem that the introduction cost is high. In this embodiment, such a configuration is not necessary, and the quarantine management device only has to be installed on the LAN, so that the introduction cost can be reduced.

  Further, in the present embodiment, it is not necessary to perform control such as DHCP snooping in the quarantine method based on DHCP authentication and blocking of communication in the quarantine method based on 802.1X authentication on the port of the network switch. For this reason, according to the present embodiment, a network can be constructed without being aware of the location of the network switch corresponding to the control.

[Fifth effect]
According to the present embodiment, the manual setting is not performed for the setting of the IP address of the quarantine network, so that it is possible to reduce the possibility of an artificial setting error, and in addition, in the setting of the quarantine network, The burden on the network administrator can be reduced.

  In other words, in the quarantine method using DHCP authentication, the quarantine method using 802.1X authentication, and the quarantine method disclosed in Patent Document 3, a PC that has become nonconforming in connection with the quarantine network in confirming the suitability of the security policy must be connected. It becomes. In this case, in the quarantine method using DHCP authentication, it is necessary to prepare an IP address of a quarantine network subnet. Further, in the quarantine method based on 802.1X authentication and the quarantine method disclosed in Patent Document 3, it is necessary to prepare a VLAN IP address for the quarantine network.

  Such an IP address for the quarantine network needs to be set and managed by the network administrator, which is a burden on the network administrator, and there is a possibility that an artificial setting error may be involved. In contrast, in the present invention, since the LL address is used as the IP address of the quarantine network, manual setting is not necessary. Therefore, the burden on the network administrator is reduced, and the possibility that an artificial setting error may be reduced.

  The program in the present embodiment may be a program that causes a computer to execute steps S11 to S16 shown in FIG. By installing and executing this program on a computer, the quarantine management apparatus 1 and the quarantine management method in the present embodiment can be realized. In this case, a central processing unit (CPU) of the computer functions as the access control unit 11 and the security policy confirmation unit 12 to perform processing. In the present embodiment, a storage device such as a hard disk provided in the computer functions as the approval list storage unit 4 and the policy storage unit 6.

  Here, a computer that realizes the quarantine apparatus by executing the program according to the embodiment will be described with reference to FIG. FIG. 6 is a block diagram illustrating an example of a computer that implements the quarantine management apparatus 1 according to the embodiment of the present invention.

  As shown in FIG. 6, the computer 110 includes a CPU 111, a main memory 112, a storage device 113, an input interface 114, a display controller 115, a data reader / writer 116, and a communication interface 117. Among these, the communication interface 117 functions as the network interfaces 13 and 14. These units are connected to each other via a bus 121 so that data communication is possible.

  The CPU 111 performs various calculations by developing the program (code) in the present embodiment stored in the storage device 113 in the main memory 112 and executing them in a predetermined order. The main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory). Further, the program in the present embodiment is provided in a state of being stored in a computer-readable recording medium 120. Note that the program in the present embodiment may be distributed on the Internet connected via the communication interface 117.

  Specific examples of the storage device 113 include a hard disk and a semiconductor storage device such as a flash memory. The input interface 114 mediates data transmission between the CPU 111 and an input device 118 such as a keyboard and a mouse. The display controller 115 is connected to the display device 119 and controls display on the display device 119. The data reader / writer 116 mediates data transmission between the CPU 111 and the recording medium 120, and reads a program from the recording medium 120 and writes a processing result in the computer 110 to the recording medium 120. The communication interface 117 mediates data transmission between the CPU 111 and another computer.

  Specific examples of the recording medium 120 include general-purpose semiconductor storage devices such as CF (Compact Flash) and SD (Secure Digital), magnetic storage media such as a flexible disk, or CD-ROM (Compact Disk). Optical storage media such as Read Only Memory).

  INDUSTRIAL APPLICABILITY The present invention can be applied to defense against the risk that a person who wants to steal information in an organization connects a terminal device that is not permitted as a means for intentionally entering the LAN to the LAN.

  The present invention can also be applied to solving problems caused by not applying to a PC software that corrects security problems in PC operating software and software programs used in business operations and corporate activities. As a result, infection with computer viruses, infection to other PCs, suspension of business operations or group activities, leakage of information inside the organization to the outside, expansion of damage to other companies or groups, etc. Risk protection is planned.

  Furthermore, the present invention helps companies and organizations that have existing LANs, existing network devices, existing DHCP systems, etc. to introduce a network quarantine system with less effort and cost.

1 Quarantine management device 2 LAN
3 Terminal equipment (PC)
4 Approval list storage unit 5 Quarantine agent 6 Policy storage unit 7 Terminal device (uninstalled PC)
8 Communication Equipment 9 External Network 10 Quarantine System 11 Access Control Unit 12 Security Policy Confirmation Unit 13, 14 Network Interface 110 Computer 111 CPU
112 Main memory 113 Storage device 114 Input interface 115 Display controller 116 Data reader / writer 117 Communication interface 118 Input device 119 Display device 120 Recording medium 121 Bus

Claims (10)

A quarantine management device for quarantining terminal devices connected to a network,
When an ARP request from the terminal device is detected, a duplicate response is transmitted to the terminal device, and only communication on a single link physically and logically is possible for communication with the quarantine management device. An access control unit for acquiring a link local address to be
The terminal device that has acquired the link local address via the link local address determines whether an agent program for protecting the network is installed, and if the result of the determination is, A security policy confirmation unit that confirms whether the security policy conforms;
With
The access control permits the terminal device to obtain an IP address when the security policy conforms, wherein the quarantine management device is characterized in that: The network is a network using IPv4;
The quarantine management apparatus according to claim 1, wherein the access control unit causes the terminal device to acquire a link local address defined by IPv4. When the access control unit detects an ARP request from the terminal device, whether the terminal device is registered in advance and whether the source address of the ARP request is within the range of the link local address If the result of the determination is not registered in advance and not within the range, the duplicate response is transmitted to the terminal device.
The quarantine management apparatus according to claim 1 or 2. A terminal device connected to the network, and a quarantine management device for quarantining the terminal device;
The quarantine management device
When an ARP request from the terminal device is detected, a duplicate response is transmitted to the terminal device, and only communication on a single link physically and logically is possible for communication with the quarantine management device. To get the link local address, and
When the terminal device notifies from the link local address that an agent program for protecting the network has been introduced, the terminal device is confirmed as to whether or not security policy conforms,
Permitting the terminal device to obtain an IP address when the security policy is compliant;
Quarantine system characterized by that. A method for quarantining a terminal device connected to a network,
(A) Upon detecting an ARP request from the terminal device, a duplicate response is transmitted to the terminal device to acquire a link local address that enables communication on a single link physically and logically. , Steps and
(B) It is determined whether or not the terminal device that has acquired the link local address has installed an agent program for protecting the network via the link local address. If the security policy conformance is confirmed, step,
(C) permitting the terminal device to obtain an IP address when the security policy conforms; and
A quarantine management method characterized by comprising: The network is a network using IPv4;
6. The quarantine management method according to claim 5, wherein a link local address defined by IPv4 is acquired in the step (a). In the step (a), when an ARP request from the terminal device is detected, whether the terminal device is registered in advance and the transmission source address of the ARP request are within the range of the link local address. It is determined whether or not, if the result of determination is not registered in advance and not within the range, the duplicate response is transmitted to the terminal device,
The quarantine management method according to claim 5 or 6. A program for quarantine a terminal device connected to a network by a computer,
In the computer,
(A) Upon detecting an ARP request from the terminal device, a duplicate response is transmitted to the terminal device, and only communication on a single link physically and logically is performed for communication with the computer. Getting the link-local address to be enabled, and
(B) It is determined whether or not the terminal device that has acquired the link local address has installed an agent program for protecting the network via the link local address. If the security policy conformance is confirmed, step,
(C) permitting the terminal device to obtain an IP address when the security policy conforms; and
A program that executes The network is a network using IPv4;
The program according to claim 8, wherein in the step (a), a link local address defined by IPv4 is acquired. In the step (a), when an ARP request from the terminal device is detected, whether the terminal device is registered in advance and the transmission source address of the ARP request are within the range of the link local address. It is determined whether or not, if the result of determination is not registered in advance and not within the range, the duplicate response is transmitted to the terminal device,
The program according to claim 8 or 9.

Images