JP2013030880A - Quarantine control device, quarantine control computer program and quarantine method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a quarantine control device capable of appropriately deciding a terminal device interfering communication.SOLUTION: A quarantine control device 2 includes: an inspection result transmission request unit 211 for requesting a terminal device 3 to transmit an inspection result which the terminal device 3 obtains by inspecting an internal state thereof according to a predetermined inspection policy; based on a response of the terminal device 3 to the transmission request of the inspection result, a decision unit 220 for deciding whether or not the terminal device 3 is a successful terminal; and if the decision unit 220 decides the terminal device 3 is not a successful device, a communication interference unit 260 for performing communication interference processing of the terminal device 3; and a deferment processing unit 220c for deferring the execution of the interference processing by the communication interference unit 260 for a predetermined time.

Description

  The present invention relates to a quarantine control device and the like used for network quarantine.

  Network quarantine eliminates network access by unauthorized unauthorized terminal devices such as PCs. There exists a thing of the following patent document 1 as what performs such network quarantine.

JP 2008-278193 A

  In the above-described conventional technology, the quarantine control device determines whether or not the terminal device should be isolated by interfering with communication by using the response function of the agent program installed in the terminal device to be quarantined. The quarantine control device isolates the terminal device to be isolated by transmitting data for interfering with communication, thereby realizing network quarantine.

  Here, when the terminal device is changed from the stopped state to the operating state, normally, since the operation program of the terminal device is started and then the agent program is started and the operation is started, the operation system of the terminal device is There is a time lag between starting and starting the agent program.

However, in the above prior art, if the agent program of the terminal device is not operating, the agent program cannot respond to the request of the quarantine control device.
For this reason, since the agent program is not operating during the time lag from when the operation system of the terminal device is activated until the agent program is activated, even if the terminal device is a normal terminal, The control device determines that the terminal device should be isolated.
Similarly, when the terminal device is changed from the operating state to the stopped state, a time lag occurs between the end of the agent program and the end of the operation system. During this time lag, the quarantine control device The terminal device is determined as a terminal device to be isolated.

  If the quarantine control device mistakenly determines that a normal terminal device should be isolated as described above, data for interfering with communication is continuously transmitted to the terminal device. In addition, since the normal terminal device is registered in the quarantine control device as a terminal device to be isolated, administrative processing and work for correcting such erroneous registration occurs. End up.

  The present invention has been made in view of such circumstances, and provides a quarantine control device, a quarantine control computer program, and a quarantine method that can more appropriately determine a terminal device that should interfere with communication. Objective.

(1) The present invention provides a quarantine control device that interferes with communication of a terminal device connected to a network, wherein the terminal device transmits an inspection result obtained by inspecting an internal state in accordance with a predetermined inspection policy. Whether or not the terminal device satisfies a predetermined condition for the inspection result based on the inspection result transmission requesting unit requested to the device and the response of the terminal device to the inspection result transmission request A determination unit that performs the determination, and a communication disturbing unit that executes a communication disturbing process of the terminal device when the determining unit determines that the terminal is not an acceptable terminal, and the execution of the disturbing process by the communication disturbing unit for a predetermined time And a grace processing unit for grace.

  According to the quarantine control device configured as described above, the quarantine target terminal device is running, for example, because it includes a grace processing unit for suspending execution of interference processing by the communication interference unit for a predetermined time. Even when the response transmission unit is not yet operating, it is possible to make a determination in a state where the response transmission unit is operating in the subsequent re-determination by delaying the predetermined time. As a result, it is possible to prevent the terminal device from being determined as an execution target of the interference process even though the terminal is a successful terminal, and to more appropriately determine the terminal device that should interfere with the communication.

(2) (3) In the quarantine control device, when the determination unit determines that the terminal device is not the acceptable terminal, the grace processing unit determines whether or not to postpone execution of interference processing. It is preferable.
Furthermore, a terminal information table in which information for specifying the terminal device that should postpone the disturbance processing is registered in the terminal information table, and the terminal device determined by the determination unit as not being a passing terminal is registered in the terminal information table. A table updating unit that registers information related to the terminal device in the terminal information table, the table updating unit is determined by the determination unit to be not the passed terminal after registration, and the grace process Information about the terminal device determined not to postpone execution of interference processing by the unit from the terminal information table, and the grace processing unit performs interference processing on the terminal device deleted from the terminal information table. It is preferable that the blocking unit be executed.

  In this case, since it is determined that the terminal information table is not a successful terminal after registration and the grace processing unit determines that the execution of the interference process is not suspended, the terminal device information is deleted. Or, depending on the end, the registered information is not deleted. Therefore, the terminal device registered in the table is registered in the terminal information table even if the terminal device enters the operation state again after being changed from the operation state to the stop state. For this reason, if execution of the obstruction processing is delayed at the end, it can also be delayed at startup.

(4) If the terminal device to be quarantined is activated and the response transmission unit is not yet operating, the terminal device is recognized as a terminal device, but it is in a state where it cannot transmit the response transmission of the inspection result.
Therefore, whether the grace processing unit graces the execution of the disturbing process when it is determined that the terminal device is not the successful terminal by judging that the terminal device does not respond to the inspection result transmission request. It is preferable to determine whether or not.
In this case, it is possible to reliably identify the terminal device that is being activated and in which the response transmission unit is not yet operating, and to postpone the execution of the disturbance process.

(5) Furthermore, the table update unit identifies the terminal device when it is determined that the terminal device is not the passing terminal by determining that there is no response from the terminal device to the inspection result transmission request. It is preferable that the information to be registered is registered in the terminal information table.
In this case, even when a terminal device that is not registered in the terminal information table is activated and receives a transmission request, the execution of the interference process is delayed for a certain period of time. Can be prevented.

(6) Further, the present invention is a quarantine control computer program for causing a computer to function as a quarantine control device connected to the network, which executes a quarantine method for interfering with communication of a terminal device connected to the network. A test result transmission requesting step for requesting the terminal device to transmit a test result of the terminal device inspecting its internal state according to a predetermined test policy; Based on the response, a determination step for determining whether or not the terminal device is a passing terminal that satisfies a predetermined condition with respect to the inspection result, and if it is determined that the terminal device is not the passing terminal, communication of the terminal device If it is determined that the terminal is not a passing terminal in the communication blocking step for performing blocking processing and the determining step, the communication blocking step is performed. It is characterized in that it comprises a grace processing step of the execution a predetermined time grace.

(7) Further, the present invention is a quarantine method in which a quarantine control device connected to a network interferes with communication of a terminal device connected to the network, and the terminal device checks its internal state in a predetermined inspection. Based on an inspection result transmission request step for requesting the terminal device to transmit an inspection result inspected according to a policy, and the terminal device responding to the inspection result transmission request, the terminal device determines a predetermined result for the inspection result. A determination step for determining whether or not the terminal is a passing terminal that satisfies the above condition, a communication blocking step for performing a communication blocking process for the terminal device when it is determined that the terminal is not the passing terminal, and the determination step If it is determined that the terminal is not a passing terminal, a grace processing step of gracefully executing the communication blocking step for a predetermined time is included.

  According to the quarantine control computer program and the quarantine method of the above configuration, the same operational effects as the quarantine control device are obtained.

  ADVANTAGE OF THE INVENTION According to this invention, determination of the terminal device which should interfere with communication can be performed more appropriately.

1 is an overall view of a quarantine system. It is a figure which shows the recording medium with which the quarantine system program set was recorded. It is a block diagram of a quarantine control apparatus. It is a data structure figure of the terminal information table of a quarantine control apparatus. It is a figure which shows an example of the isolation postponement terminal information table. It is a block diagram of a quarantine target terminal device. It is a block diagram of a quarantine management server. It is an ARP outline sequence. It is the first half of the flowchart of an ARP request packet monitoring process. It is the second half of the flowchart of the ARP request packet monitoring process. It is a data structure figure which shows the setting content of the address part of a pseudo ARP response. It is a data structure figure which shows the setting content of the address part of an ARP request | requirement. It is a data structure figure which shows the setting content of the address part of a pseudo ARP response. It is a flowchart of an agent ping process. It is a flowchart of isolation postponement determination processing. It is an agent ping protocol sequence. It is a list of agent ping “types”. It is a figure which shows the flag value of agent ping "check result." It is an agent ping start request protocol sequence. It is a flowchart of the periodic agent ping execution process with respect to a pass terminal. It is a data structure figure which shows the setting content of the address part of a pseudo ARP response. It is a flowchart of the periodic agent ping execution process with respect to an isolation terminal. It is a data structure figure which shows the setting content of the address part of a pseudo ARP response. It is a flowchart of the regular agent ping execution process with respect to the isolation postponement terminal. It is a flowchart of the isolation postponement determination process in FIG. It is a flowchart of the inspection process in a quarantine target terminal device. It is a flowchart of the 2nd table information transmission process by a quarantine management server. It is a flowchart of the 2nd table information reception process by a quarantine control apparatus. It is a data structure which shows the setting content of the address part of a pseudo ARP response. This is an ARP sequence until the interference is established. It is another ARP sequence until disturbance establishment. It is a sequence diagram for demonstrating the mode of the postponement of execution of a communication jamming process when a successful terminal changes from an operation state to a stop state and again enters an operation state. (A) is a sequence diagram for explaining a mode of postponement of communication disturbance processing when a terminal in which an agent program is not installed is connected to the network for the first time and is changed from a stopped state to an operating state. ) Is a sequence diagram for explaining a mode of postponement of communication interference processing when a terminal to be a passing terminal is connected to the network for the first time and enters an operating state from a stopped state.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[1. Overall configuration of the quarantine system]
FIG. 1 shows the entire quarantine system 1. The quarantine system 1 includes a network (TCP / IP network) such as a LAN, a quarantine control device 2 that performs network quarantine control, quarantine target terminals 3a and 3b such as PCs that are network quarantine targets, and a quarantine management server 4 Is connected. In addition, when not distinguishing in particular the some quarantine target terminal device 3a, 3b, it will generically call "quarantine target terminal device 3".

Further, in the same network segment N to be quarantined by the quarantine control device 2, a fixture such as a printer 7 that does not function as the quarantine target terminal devices 3 a and 3 b but can be a quarantine target, and also a quarantine target terminal device 3 a , 3b may not exist, but there may be a terminal device 8 such as a PC that can be a quarantine target. Further, the quarantine target terminal device 3, the fixtures such as the printer 7, and the terminal device 8 are common in terms of the “terminal device” in the network. Therefore, these are collectively referred to as “terminal device” as necessary. Sometimes it is.
FIG. 1 shows the in-house server 5 and the router 6, but these are components not directly related to the quarantine system 1.

[2. Quarantine system computer program set]
The quarantine control device 2, the quarantine target terminal device 3, and the quarantine management server 4 are configured by a computer that can execute a computer program, and a storage unit (not shown) such as a hard disk or a memory in which the computer program is stored. And a calculation unit (not shown) such as a CPU for executing the computer program.

As shown in FIG. 1, a quarantine control computer program P1 is installed in the quarantine control apparatus 2. An agent program P2 is installed in the quarantine target terminal device 3. The quarantine management server 4 is installed with a quarantine management computer program P3.
These computer programs P1, P2 and, if necessary, P3 are collectively referred to as a quarantine system computer program set.
Of the devices in the network segment N, the agent computer program P2 is not installed in the fixture such as the printer 7 or the terminal device 8.

As shown in FIG. 2, the quarantine system program set is recorded on one or a plurality of computer-readable recording media (CD-ROM or the like) C1, C2, C3 and provided to the user of the quarantine system. The quarantine system program set or the individual programs P1, P2, and P3 are provided to the user when the devices 2, 3, and 4 download the programs P1, P2, and P3 from a program providing server (not shown) on the Internet. You can go.
Further, the quarantine control program P2 can be provided to the user in a state preinstalled in the quarantine control device 2 instead of the portable recording medium C2 such as a CD-ROM.

[3. Quarantine control device 2]
The quarantine control device 2 is configured by installing a quarantine control computer program P1 on a computer in which an OS (for example, Windows (registered trademark), Linux (registered trademark)) that supports network communication by TCP / IP is installed. .

FIG. 3 shows various functions as the quarantine control apparatus 2 exhibited by the computer when the quarantine control computer program P1 is executed by the computer.
As shown in FIG. 3, the quarantine control device 2 includes an inspection unit 210, a determination unit 220, a terminal information table 230, a table update unit 240, a communication monitoring unit (ARP request monitoring unit), a communication jamming unit 260, and a communication normalization unit. 270, an exception communication unit 280, and an unregistered terminal device processing unit 290.

[3.1 Terminal information table 230]
Details of the terminal information table 230 of FIG. 3 are shown in FIG. The terminal information table 230 is used to determine whether or not the communication interference process of the terminal device on the network is necessary. The terminal information table 231, the quarantine terminal information table 232, the permitted terminal information table 233, the prohibited terminal It has an information table 234, an exception information table 235, and a quarantine postponement terminal information table 236.

[3.1.1 Passed terminal information table 231]
The passed terminal information table 231 holds list information (a list of MAC addresses and IP addresses) of the quarantine target terminals 3 whose inspection result obtained by the quarantine target terminal device 3 inspecting its internal state according to a predetermined inspection policy is “pass”. It is an area to do. The terminal device registered in the passed terminal information table 231 is referred to as “passed terminal”.
The inspection result (inspection policy check result) is acquired from the quarantine target terminal (agent computer program P2) 3 by an “agent ping” function described later.

[3.1.2 Quarantine terminal information table 232]
In the quarantine terminal information table 232, the quarantine target terminal 3 and the agent program P2 in which the inspection result of the quarantine target terminal device 3 inspecting its internal state according to a predetermined inspection policy is “quarantine” (= “fail”) is installed. List of the information of the unauthorized terminal device 8 that has not been received, or other terminal devices that should be isolated and interfere with communication (either MAC address or IP address, or list of both MAC address and IP address) 232a Is an area that holds
The terminal device registered in the quarantine terminal information table 232 is referred to as “quarantine terminal”.
Further, the acquisition of the inspection result from the quarantine target terminal device 3 and the determination as to whether or not the terminal device is an unauthorized terminal device are performed by an “agent ping” function described later.

  In addition to the quarantine terminal list information 232a, the quarantine terminal information table 232 includes an area 232b for storing the presence / absence of an agent ping response for each quarantine terminal apparatus. This area 232b is for recording whether or not there is a response from the agent function (function by the agent computer program) of the terminal device when the terminal device is confirmed by the agent ping function. By providing this area 232b, it is possible to distinguish whether the quarantine terminal is quarantined based on the inspection result or because the agent ping response cannot be made because the agent computer program is not installed. Can do.

[3.1.3 Quarantine postponement terminal information table 236]
The grace isolation terminal information table 236 holds information related to the terminal apparatus 3 that is registered in the isolation terminal information table 232 and should be suspended after no response is received from the quarantine target terminal apparatus 3 by the agent function. It is an area.
The isolation postponement terminal information table 236 holds either a MAC address or an IP address, or both a MAC address and an IP address, as information for specifying a terminal apparatus to be postponed.

FIG. 5 is a diagram illustrating an example of the quarantine postponement terminal information table 236. The grace isolation terminal information table 236 associates the MAC address and the IP address, which are information for identifying the terminal device to be isolated, the grace state indicating the grace period, and the start time when the current grace state is started. Hold.
In the grace state, four states of “when discovered”, “before grace”, “when finished”, and “when activated” are defined. Each of these states will be described later.

[3.1.4 Permitted terminal information table 233]
Returning to FIG. 4, the permitted terminal information table 233 is an area that always holds list information (a list of MAC addresses or IP addresses) of terminal devices that are permitted to perform normal network communication. Here, the terminal device registered in the permitted terminal information table 233 is referred to as “permitted terminal”.

The permitted terminal may be a fixture such as the printer 7 or a terminal device 8 equipped with an OS that does not support the agent computer program P2. In addition, the permitted terminal may include the quarantine target terminal device 3. For terminal devices that are permitted terminals, communication is permitted regardless of the inspection result or the presence or absence of the inspection result.
The authorized terminal information is acquired from the quarantine management server 4 by a “management communication function” described later.

[3.1.5 Prohibited terminal information table 234]
The prohibited terminal information table 234 is an area for holding list information (a list of MAC addresses or IP addresses) of terminal devices that unconditionally prohibit (disturb) normal communication. Here, the terminal device registered in the prohibited terminal information table 234 is referred to as a “prohibited terminal”. For terminal devices that are prohibited terminals, it is determined that interference processing is necessary regardless of the inspection result received from the terminal device.
The prohibited terminal information is acquired from the quarantine management server 4 by a “management communication function” described later.

[3.1.6 Exception information table 235]
The exception information table 235 includes list information (list of IP addresses) of exceptional communication partners that can communicate even from the quarantine target terminal 3 whose inspection result of the quarantine target terminal is “quarantine” (= “fail”). It is an area to hold.
The exception information table is acquired from the quarantine management server 4 by a “management communication function” described later.

[3.1.7 Capture information about terminal information table]
Of the tables 231, 232, 233, 234, 235, and 236 that constitute the terminal information table 230, the passed terminal information table 231, the quarantine terminal information table 232, and the grace terminal information table 236 are based on the agent ping response. The contents of the table are updated, and these tables 231 and 232 are collectively referred to as a first table 230a.
Among the tables 231 to 235, the permitted terminal information table 233, the prohibited terminal information table 234, and the exception information table 235 are acquired from the quarantine management server 4, and these tables 233, 234, and 235 are stored. The generic name is the second table 230b.

In addition, among the tables 231 to 236 constituting the terminal information table 230, the passed terminal information table 231 and the permitted terminal information table 233 have information regarding terminal devices that do not interfere with communication, and these tables 231. , 233 are collectively referred to as a non-disturbance target information table.
Further, out of the tables 231 to 236, the quarantine terminal information table 232 and the prohibited terminal information table 234 have information on terminal devices that interfere with communication. These tables 232 and 234 are collectively referred to as obstruction targets. This is called an information table.

[3.2 Main functions of quarantine controller]
The main functions of the quarantine control apparatus 2 are an agent ping function, a communication function for management performed with the quarantine management server 4, and a network communication control function for performing communication disturbance processing in the network. This is realized by each unit shown in FIG.

[3.2.1 Agent ping function (inspection result transmission request function) of quarantine controller]
The quarantine control apparatus 2 has “agent ping” as a unique network protocol. The agent ping requests the quarantine target device 3 to transmit inspection results.
Processing related to the agent ping is performed by the inspection unit (agent ping function unit) 210 illustrated in FIG.

  The inspection unit 210 includes an agent ping transmission unit (inspection result transmission request unit) 211 that transmits an agent ping (inspection result transmission request). The agent ping transmission unit 211 transmits an agent ping to a terminal device that requires a test result.

  The agent ping transmission timing and the like are managed by the agent ping transmission management unit 212. For example, the agent ping transmission is periodically performed for terminal devices (including unauthorized terminal devices) registered in the passed terminal information table 231, the quarantine terminal information table 232, and the grace terminal information table 236, It is also performed when the communication monitoring unit 250 captures that communication data from a terminal device unknown to the quarantine control device 2 (a terminal device not registered in any terminal information table) is flowing on the network. Details of these agent ping transmission timings will be described later.

  When the quarantine target apparatus 3 (the agent computer program) receives a request from the agent ping, the inspection result is transmitted as an “agent ping response”. This response is received by the agent ping response reception unit (inspection result reception unit) 213 of the inspection unit 210.

The quarantine control device 2 analyzes the agent ping response, determines the state of the terminal device based on the received inspection result, and stores the information (IP address and / or MAC address) of the terminal device in the passed terminal information table. 231 or the isolated terminal information table 232. Note that the terminal device registered in the accepted terminal information table 231 is registered in the quarantine postponement terminal information table 236 in principle. Even if the agent ping is transmitted, the terminal device 8 that does not respond to the agent ping is stored in the quarantine terminal information table 232 or the quarantine grace terminal information table 236 based on the result of the determination as to whether or not to quarantine later. It is registered in either.
The determination of the terminal device is performed by the determination unit 2 of the quarantine control device 2, and the registration to the information table is performed by the table update unit 240 (see FIG. 3).

  Further, the inspection unit 210 includes an agent ping start request reception unit (start request reception unit) 214 that receives a request to start transmission of an agent ping from the quarantine target terminal device 3. When the quarantine control device 2 receives the agent ping start request, the agent ping is transmitted to the quarantine target terminal device 3 that has transmitted the start request.

[3.2.2 Communication function for management of quarantine controller 2]
The quarantine control apparatus 2 exchanges each content of the second table 230b (permitted terminal information table 233, prohibited terminal information table 234, exception information table 235) of the terminal information table 230 with the quarantine management server 4. It can be carried out. The exchange of the second table 230b is performed by the second table update unit (management communication unit) 242 of the quarantine control device 2 (see FIG. 3).
The second table update unit 242 stores the contents of the second table 230b acquired from the quarantine management server 4 in the tables 233, 234, and 235 of the second table 230b of the quarantine control device 2.

  The contents of the second table 230b are maintained by the administrator on the quarantine management server 4 as will be described later, and transmitted from the quarantine management server 4 to the quarantine control apparatus 2 in response to a request from the administrator. Further, the quarantine control device 2 (the second table updating unit 242) may acquire the second table 230b from the quarantine management server 4 as necessary.

[3.2.3 Communication jamming function of quarantine controller 2]
The quarantine control apparatus 2 includes a communication disturbing unit 260 that performs communication obstruction for a terminal device that requires communication obstruction processing (see FIG. 3). The communication disturbing process is not performed for a terminal device (permitted terminal) whose MAC address or IP address is registered in the permitted terminal information table 233 or a terminal device (passed terminal) whose test result is passed.
On the contrary, the communication interference process is performed on the terminal device (prohibited terminal) registered in the prohibited terminal information table 234 or the terminal device (isolated terminal) whose inspection result is isolation (= fail).
For terminal devices that do not respond to the agent ping and whose test results cannot be specified, and terminal devices other than the accepted terminals among the terminal devices registered in the quarantine postponement terminal information table 236, as a result of the determination regarding the grace period, If it is determined that it should be, the communication jamming process is performed as an isolated terminal. On the other hand, the communication interruption process is not performed on the terminal device (isolation grace terminal) determined to be graceful.

  However, when the communication partner of the prohibited terminal or the quarantine terminal is a device registered in the exception information table 235, the communication disturbance process is not performed only for the communication. For such exceptional communication permission, the quarantine control device 2 includes an exception communication unit 280 (see FIG. 3).

  In addition, the quarantine control device 2 can normalize communication when there is no need for the interference processing for the terminal device that has once performed the communication interference processing. For such communication normalization, the quarantine control device 2 includes a communication normalization unit 270 (see FIG. 3).

[4. Quarantine target terminal device 3]
The quarantine target terminal device 3 is configured by installing an agent computer program P2 for inspecting the internal state of the computer in accordance with a predetermined inspection policy in a computer in which an OS supporting network communication by TCP / IP is installed. Yes.

FIG. 6 shows various functions as the quarantine target terminal device 3 exhibited by the computer when the agent computer program P2 is executed by the computer.
As illustrated in FIG. 6, the quarantine target terminal device 3 includes an inspection control unit 310, an inspection policy reception unit 320, and an inspection unit 330.

The inspection control unit 310 performs control related to inspection processing such as timing at which the quarantine target terminal device 3 performs inspection according to a predetermined inspection policy. The inspection is performed, for example, periodically or as needed.
The inspection policy receiving unit 320 acquires an inspection policy from the quarantine management server 4 in advance. Note that the inspection policy receiving unit 320 may acquire the inspection policy when performing the inspection. Further, it is not necessary for the quarantine target terminal device 3 and the quarantine management server 4 to directly communicate at the time of inspection.

  The inspection unit 330 inspects the internal state of the computer (the quarantine target terminal device 3) in which the agent computer program P2 is installed according to a predetermined inspection policy (quarantine policy).

  As the inspection policy, for example, whether or not the agent computer program P2 is the latest, whether or not an event is being transmitted from the agent to the quarantine management server 4, whether or not the automatic logon setting of the OS is disabled, and the screen saver setting of the OS And whether the password lock is enabled, whether the software specified by the administrator is installed in the quarantine target terminal device 3, and the software specified to be prohibited from use by the administrator is installed in the quarantine target terminal device 3 Whether the anti-virus software real-time scanning function is enabled, whether the anti-virus software, the engine of the software, and the pattern file of the software are the latest, O Whether the latest OS monthly patch is applied, whether the specified file on the quarantine target terminal device 3 exists (or does not exist), whether the quarantine target terminal device 3 Whether the specified OS registry key exists (or does not exist).

  The inspection execution unit 331 of the inspection unit 330 in the quarantine target terminal device 3 inspects the internal state of the quarantine target terminal device 3 according to the inspection policy. This inspection is performed periodically or as needed.

  The inspection unit 330 includes an agent ping reception unit (inspection result transmission request reception unit) 332 that receives an agent ping from the quarantine control device 2 via a network, an agent ping response generation unit 333 that generates an agent ping response from the inspection result, When the agent ping is received, an agent ping response transmission unit (inspection result transmission unit) 334 that transmits an agent ping response to the quarantine control apparatus 2 is provided.

  The inspection unit 330 of the quarantine target terminal device 3 includes an agent ping start request transmission unit (start request transmission unit) 335 that actively requests the quarantine control device 2 to start transmission of the agent ping. Once the quarantine target terminal device 3 receives the agent ping, the quarantine target terminal device 3 can acquire the MAC address and IP address of the quarantine control device 2 from the agent ping. A request to start transmission can be made to the quarantine control apparatus 2.

  For example, when the quarantine target terminal device 3 inspects itself, the agent ping transmission start request can be made each time the result is different from the previous inspection result. When the inspection result changes by the quarantine target terminal device 3 actively requesting the start of agent ping transmission, the quarantine control device 2 can immediately grasp the change in the result.

[5. Quarantine management server 4]
The quarantine management server (quarantine management computer) 4 is configured by installing a quarantine management computer program P3 on a computer in which an OS supporting network communication by TCP / IP is installed.

FIG. 7 shows various functions as the quarantine management server 4 exhibited by the computer when the quarantine management computer program P3 is executed by the computer.
As illustrated in FIG. 7, the quarantine management server 4 includes a table creation unit 410, a table transmission unit 420, an inspection policy generation unit 430, and an inspection policy transmission unit 440.

The table creation unit 410 is for the administrator to create and / or manage the second table 230b (permitted terminal information table 233, prohibited terminal information table 234, exception information table 235).
The table transmission unit 420 is for transmitting the created second table 230b to the quarantine control apparatus 2.

The inspection policy generation unit 430 is for the administrator to create and / or manage an inspection policy.
The inspection policy transmission unit 440 is for transmitting the created inspection policy to the quarantine target terminal device 2.

[6. Various processes in the quarantine system]
[6.1 ARP: Address Resolution Protocol]
One of the TCP / IP protocols supported by the OS installed in the quarantine control device 2 and the quarantine target terminal device 3 is ARP (Address Resolution Protocol). This ARP is a protocol for acquiring the MAC address of a terminal from the IP address of a certain terminal. ARP is a function supported by the OS, but will be described below because it is used in the quarantine system 1.

  FIG. 8 shows an outline sequence of ARP. Here, terminal A and terminal B having the IP address and the MAC address shown in FIG. 8 are assumed. FIG. 8 shows a process in which the terminal A acquires the MAC address of the terminal B from the IP address of the terminal B. It is assumed that terminal A has previously acquired the IP address of terminal B from DNS or the like.

  First, terminal A checks whether there is an entry for terminal B in its ARP table. If there is no entry, in order to acquire the MAC address of the terminal B, an Ethernet frame carrying an ARP request packet is broadcast to the network (step S1-1).

  All terminals in the same network segment including terminal B enter the IP address and MAC address of the transmission source (= terminal A) in their ARP table when receiving the ARP request packet (from terminal A). This entry is deleted if there is no communication with terminal A for a certain time. If terminal A has already been entered, the MAC address is overwritten with the latest information (step S1-2).

  The terminal that is requested for ARP (= terminal B) creates an ARP response packet in which its own IP address and MAC address are set in the transmission source information, and sends the ARP response packet to the original transmission source (= terminal A). It transmits to (step S1-3).

When the terminal A receives the ARP packet (from the terminal B), the terminal A enters the IP address and MAC address of the transmission source (= terminal B) in its ARP table (step S1-4).
As described above, a certain terminal A can acquire the MAC address of another terminal B on the network.

[6.2 ARP request packet monitoring processing]
9 and 10 are processes in which the communication monitoring unit 250 of the quarantine control device 2 monitors and captures an ARP packet flowing on the network, and the determination unit 220 determines whether or not the communication blocking unit 260 needs to block communication. Shows the flow.

  The communication monitoring unit (ARP request monitoring unit) 250 of the quarantine control device 2 includes an ARP request capturing unit 251 that captures broadcast ARP request packets that flow on the network (see FIG. 3). When the ARP request capturing unit 251 receives the broadcast ARP request packet (step S2-1), the transmission source IP address and MAC of the packet are determined from the ARP request packet received by the ARP request analysis unit 252 of the communication monitoring unit 250. An address and a destination IP address are acquired (step S2-2). Note that the destination MAC address cannot be known from the ARP request.

  When the analysis unit 252 acquires the transmission source information and the transmission destination information, the transmission source confirmation processing (step S2-3) and the transmission destination confirmation processing (steps S2-4 and S2-5) are performed by the quarantine control device 2. This is performed by the unit 220 and the like, and it is determined whether or not communication obstruction is necessary for each of the transmission source and the transmission destination of the ARP request, and obstruction processing is performed if necessary.

In addition, the determination unit 220 includes a first determination unit 220a that performs determination using the terminal information table 230, a second determination unit 220b that performs determination using agent ping, and a grace process that performs a quarantine grace determination process described later. Part 220c. In the transmission source confirmation process and the transmission destination confirmation process, determinations by the determination units 220a and 220b are performed.
As the destination confirmation process, a destination IP address confirmation process (step S2-4) and a destination MAC address confirmation process (step S2-5) are performed.

[6.2.1 Source Confirmation Process (Step S2-3)]
In the transmission source confirmation process, first, the first determination unit 220a confirms whether or not the transmission source IP address or MAC address of the ARP request is registered in the prohibited terminal information table 234 (step S2-3-1). That is, it is determined whether or not the transmission source is a prohibited terminal.
If registered, the process proceeds to step S2-3-7, and if not registered, the process proceeds to step S2-3-2.

In step S <b> 2-3-2, the first determination unit 220 a confirms whether the transmission source IP address or MAC address of the ARP request is registered in the quarantine terminal information table 232. That is, it is determined whether the transmission source is an isolated terminal.
If registered, the process proceeds to step S2-3-7, and if not registered, the process proceeds to step S2-3-3.

In step S2-3-3, the first determination unit 220a checks whether the transmission source IP address or MAC address of the ARP request is registered in the permitted terminal information table 233. That is, it is determined whether the transmission source is a permitted terminal.
If registered, the process proceeds to step S2-4-1 (destination IP address confirmation processing), and no interference processing is performed on the transmission source. If not registered, the process proceeds to step S2-3-4.

In step S2-3-4, the first determination unit 220a checks whether the transmission source IP address or the MAC address of the ARP request is registered in the passed terminal information table 231. That is, it is determined whether the transmission source is a passing terminal.
If registered, the process proceeds to step S2-4-1 (source IP address confirmation processing), and no interference processing is performed on the source. If not registered, the process proceeds to step S2-3-5.

When the process comes to step S2-3-5, it is determined that the transmission source is a terminal device that is not registered in the terminal information table 230 and is unknown to the quarantine control device 2.
Therefore, in step S2-3-5, an agent ping is performed on an unknown transmission source, and an attempt is made to acquire the inspection result of the transmission source (terminal device) necessary to determine whether communication should be interrupted. . Details of the processing in step S2-3-5 will be described later.

The result of performing the agent ping on the transmission source of the ARP request is determined by the second determination unit 220b. If the determination result is an isolation determination, the process proceeds to step S2-3-7. If the determination result is a pass determination, the process proceeds to step S2-4-1 (destination IP address confirmation process), and no interference process is performed on the transmission source.
Further, if the determination result is the isolation postponement determination, the process proceeds to step S2-4-1 as in the case of the pass determination, and the interference process for the transmission source is not performed.

  In step S2-3-7, processing for transmitting a pseudo ARP response is performed by the communication disturbing unit 260 of the quarantine control apparatus 2. In order to perform this processing, the communication disturbing unit 260 includes a pseudo ARP response transmission unit 261 and a pseudo ARP response transmission management unit 262.

The pseudo ARP response transmitted here is generated as an ARP response in which the address portion is set as shown in FIG. That is, the IP address of the source terminal of the ARP request is set as the “source IP address” of the pseudo ARP response, and the MAC address of the quarantine controller 2 is set as the “source MAC address” of the pseudo ARP response.
Also, broadcast addresses are set as the “destination IP address” and “destination MAC address” of the pseudo ARP response, respectively. Therefore, the pseudo ARP response is broadcast to the network.

  When the pseudo ARP response transmission unit 261 broadcasts the pseudo ARP response, the MAC address of the transmission source terminal is assigned to all the communication partner terminal devices on the network with which the transmission source terminal of the ARP request may communicate. As a result, it is made to learn by mistake.

For this reason, the MAC address of the quarantine control apparatus 2 is erroneously set as the transmission destination for all packets destined for the transmission source terminal transmitted from the communication partner terminal apparatus. The transmission source terminal of the ARP request cannot receive the packet because the MAC address is incorrect. On the other hand, since the MAC address of the packet destined for the transmission source terminal of the ARP request is that of the quarantine control apparatus 2, all the packets can be received by the quarantine control apparatus 2. The quarantine control apparatus 2 collects and discards packets in which such a MAC address is set as a transmission destination. Therefore, communication between the transmission source terminal of the ARP request and its counterpart can be interrupted.
In addition, since the quarantine control device 2 sends a pseudo ARP “response” as the disturbance processing, it is not necessary to receive an ARP response from another terminal device 3, and an increase in communication load can be avoided.

  When the pseudo ARP response transmission in step S2-3-7 ends, the transmission source confirmation process (step S2-3) ends, and the process proceeds to the transmission destination IP address confirmation process S2-4.

[6.2.2 Destination IP Address Confirmation Process (Step S2-4)]
In the transmission destination IP address confirmation process, first, the first determination unit 220a confirms whether or not the transmission destination IP address of the ARP request is registered in the prohibited terminal information table 234 (step S2-4-1). That is, it is determined whether or not the transmission destination is a prohibited terminal.
If registered, the process proceeds to step S2-6, and if not registered, the process proceeds to step S2-4-2.

In step S2-4-2, the first determination unit 220a checks whether or not the transmission destination IP address of the ARP request is registered in the quarantine terminal information table 232. That is, it is determined whether the transmission destination is an isolated terminal.
If registered, the process proceeds to step S2-6, and if not registered, the process proceeds to step S2-4-3.

In step S2-4-3, the first determination unit 220a checks whether or not the transmission destination IP address of the ARP request is registered in the permitted terminal information table 233. That is, it is determined whether or not the transmission destination is a permitted terminal.
If it is registered, the APR request packet confirmation process is terminated because the disturbance process for the transmission destination is unnecessary. If not registered, the process proceeds to step S2-4-4.

In step S2-4-4, the first determination unit 220a checks whether or not the destination IP address of the ARP request is registered in the passed terminal information table 231. That is, it is determined whether or not the transmission destination is a passing terminal.
If it is registered, the APR request packet confirmation process is terminated because the disturbance process for the transmission destination is unnecessary. If not registered, the process proceeds to step S2-4-5.

When the process comes to step S2-4-5, it is determined that the transmission destination is a terminal device that is not registered in the terminal information table 230 and is unknown to the quarantine control device 2.
Therefore, in step S2-4-5, an ARP request shown in FIG. 12 is transmitted to an unknown transmission destination. The process of step S2-4-5 is performed by the unregistered terminal apparatus processing unit 290 (see FIG. 3) of the quarantine control apparatus 2. The unregistered terminal device processing unit 290 includes an APR request transmission unit 291. The ARP request transmission unit 291 has an ARP request packet in which an address is set as shown in FIG. 12 in order to obtain an unknown destination MAC address. Broadcast.

  After transmitting the ARP request packet of FIG. 12, the quarantine control apparatus 2 waits for an ARP response packet for the ARP request packet for a certain period (step S2-4-6). If the quarantine control apparatus 2 does not receive the ARP response packet even after waiting for a certain period, the APR request packet confirmation process is terminated, and if the ARP response packet is received within the certain period, step S2-4-8 Proceed to

  In step S2-4-6, when the ARP response is received, the quarantine control apparatus 2 acquires the MAC address of the unknown transmission destination from the ARP response (step S2-4-8), and confirms the transmission destination MAC address. Control goes to step S2-5.

[6.2.3 Destination MAC Address Confirmation Process (Step S2-5)]
In the transmission destination MAC address confirmation process, first, the first determination unit 220a confirms whether or not the transmission destination MAC address of the ARP request is registered in the prohibited terminal information table 234 (step S2-5-1). That is, it is determined whether or not the transmission destination is a prohibited terminal.
If registered, the process proceeds to step S2-6, and if not registered, the process proceeds to step S2-5-2.

In step S2-5-2, the first determination unit 220a checks whether or not the transmission destination MAC address of the ARP request is registered in the quarantine terminal information table 232. That is, it is determined whether the transmission destination is an isolated terminal.
If registered, the process proceeds to step S2-6, and if not registered, the process proceeds to step S2-5-3.

In step S2-5-3, the first determination unit 220a checks whether or not the transmission destination MAC address of the ARP request is registered in the permitted terminal information table 233. That is, it is determined whether or not the transmission destination is a permitted terminal.
If it is registered, it is not necessary to perform the disturbing process for the transmission destination, so the ARP request packet monitoring process is terminated. If not registered, the process proceeds to step S2-5-4.

In step S2-5-4, the first determination unit 220a checks whether or not the transmission destination MAC address of the ARP request is registered in the passed terminal information table 231. That is, it is determined whether or not the transmission destination is a passing terminal.
If it is registered, it is not necessary to perform the disturbing process for the transmission destination, so the ARP request packet monitoring process is terminated. If not registered, the process proceeds to step S2-5-5.

When the processing has come to step S2-5-5, it is determined that the transmission destination is a terminal device that is not registered in the terminal information table 230 and is unknown to the quarantine control apparatus 2. Become.
Therefore, in step S2-5-5, an agent ping is performed on an unknown destination, and an attempt is made to acquire the inspection result of the destination (terminal device) necessary to determine whether or not communication should be interrupted. . Details of the processing in step S2-5-5 will be described later.

The result of performing the agent ping to the transmission destination of the ARP request is determined by the second determination unit 220b. If the determination result is a quarantine determination, the process proceeds to step S2-6. If the determination result is a pass determination, the ARP request packet monitoring process is terminated because there is no need to perform an interference process for the transmission destination.
Further, if the determination result is the isolation postponement determination, the ARP request packet monitoring process is terminated without performing the interference process for the transmission destination as in the case of the pass determination.

  In step S2-6, a pseudo ARP response is transmitted by the pseudo ARP response transmission unit 261 of the communication disturbing unit 260.

The pseudo ARP response transmitted here is generated as an ARP response in which the address portion is set as shown in FIG. That is, the IP address of the destination terminal of the ARP request is set as the “source IP address” of the pseudo ARP response, and the MAC address of the quarantine controller 2 is set as the “source MAC address” of the pseudo ARP response.
Also, broadcast addresses are set as the “destination IP address” and “destination MAC address” of the pseudo ARP response, respectively. Therefore, the pseudo ARP response is broadcast to the network.

  When the pseudo ARP response transmission unit 261 broadcasts the pseudo ARP response, the MAC address of the destination terminal is assigned to all the communication partner terminals on the network with which the destination terminal of the ARP request may communicate. As a result, it is made to learn by mistake.

For this reason, the MAC address of the quarantine control apparatus 2 is erroneously set as the transmission destination for all packets destined for the transmission destination terminal transmitted from the communication partner terminal apparatus. Further, the destination terminal of the ARP request cannot receive the packet because the MAC address is incorrect.
On the other hand, since the MAC address of the packet for the destination terminal of the ARP request is that of the quarantine control device 2, all the packets can be received by the quarantine control device 2. The quarantine control apparatus 2 collects and discards packets in which such a MAC address is set as a transmission destination. Therefore, communication between the transmission destination terminal of the ARP request and its counterpart can be interrupted.
In addition, since the quarantine control device 2 sends a pseudo ARP “response” as the disturbance processing, it is not necessary to receive a response from another terminal device 3, and an increase in communication load can be avoided.

  When the pseudo ARP response transmission in step S2-6 ends, the ARP request packet monitoring process ends.

[6.2.4 Agent ping process (steps S2-3-5, S2-5-5, etc.)]
FIG. 14 shows the agent ping process. In the agent ping process, first, the agent ping transmission unit 211 transmits the agent ping to the terminal device (the agent computer program P2) that is the target of the determination as to whether or not to isolate (step S3-1).

  The agent ping response reception unit 213 waits for a certain period of time (agent ping response) from the agent computer program P2 of the terminal device (step S3-2). If there is a response within a certain period, the process proceeds to step S3-3, and if there is no response after waiting for a certain period, the process proceeds to step S3-11.

  If the agent ping response packet received in step S3-2 is normal, the process proceeds to step S3-4. If the agent ping response is invalid, the process proceeds to step S3-8.

The agent ping response received by the agent ping response receiving unit 213 is determined by the second determination unit 220b (see FIG. 3) of the determination unit 220 whether or not it should be isolated. The second determination unit 220b determines whether or not to isolate by confirming the “inspection result” included in the agent ping response (step S3-4).
When the received inspection result indicates “pass”, the process proceeds to step S3-5, and when it indicates “isolation” (= “failure”), the process proceeds to step S3-8.

In step S3-5, the first table update unit 241 registers the IP address and MAC address of the quarantine target terminal device 3 that has transmitted the agent ping response in the quarantine postponement terminal information table 236. At this time, the first table updating unit 241 sets the grace state of the quarantine target terminal device 3 to “before grace”, and registers the time at the time of registration as the start time.
The term “before grace” means that there is no need for grace separation at the present stage because it has been accepted, but it will be quarantined when the operation state is changed to the stop state or when it is changed from the stop state to the operation state in the future. This is a setting for the quarantine control device 2 to recognize that the terminal device 3 requires a grace period.
The stopped state refers to a state in which the function of the terminal device is completely stopped by stopping the OS of the terminal device, for example, the power is turned off.
The operating state is a state in which the OS of the terminal device is activated and at least the agent program is activated and functions as the terminal device.

  In step S3-6 performed after step S3-5, the first table updating unit 241 registers the IP address and MAC address of the quarantine target terminal device 3 that has transmitted the agent ping response in the passed terminal information table 231. The process proceeds to step S3-7. In step S3-6, if the IP address or MAC address to be registered in the passed terminal information table 231 is already registered in the passed terminal information table 231, the IP address or MAC address to be registered is changed. Overwrite the passed terminal information table 231.

  When the process comes to step S3-7, the second determination unit 220b determines that the quarantine target terminal device 3 that has transmitted the agent ping response is “pass”, and ends the agent ping process.

  In step S3-8, the first table updating unit 241 checks whether or not the quarantine target terminal device 3 is registered in the quarantine postponement terminal information table 236, and if registered, the quarantine target terminal device 3 relates to the quarantine target terminal device 3. Delete information. This is because there is no need for a grace period for the quarantine terminal.

  In step S3-9 performed after step S3-8, the first table updating unit 241 registers the IP address and MAC address of the quarantine target terminal device 3 that has transmitted the agent ping response in the quarantine terminal information table 232. The process proceeds to step S3-10. In step S3-9, if the IP address or MAC address to be registered in the isolated terminal information table 232 is already registered in the isolated terminal information table 232, the IP address or MAC address to be registered is set. The quarantine terminal information table 232 is overwritten.

  When the process comes to step S3-10, the second determination unit 220b determines that the quarantine target terminal device 3 that has transmitted the agent ping response is “quarantine”, and ends the agent ping process.

  In step S3-2, if there is no response even after waiting for an agent ping response for a certain period of time, the process proceeds to step S3-11 and a grace period is determined. In the quarantine grace determination of this step S3-11, it is determined whether or not the quarantine target terminal device 3 is to be quarantined. The processing content will be described later.

  If the isolation postponement determination is performed in step S3-11, the process proceeds to step S3-12. If the determination result is isolation, the process proceeds to step S3-8. If the result of the determination is that there is a grace period, the process proceeds to step S3-13.

When the process comes to step S3-13, the second determination unit 220b determines that the quarantine target terminal device 3 that has transmitted the agent ping response is “quarantine grace”, and ends the agent ping process.
As described above, in the agent ping process, based on the agent ping response from the terminal device, it is determined whether or not the terminal device is a passing terminal that satisfies a predetermined condition for the inspection result.

[6.2.4.1 Isolation grace determination process (step S3-11)]
FIG. 15 is a flowchart showing the isolation postponement determination process in step S3-11 in FIG. This grace period determination process does not apply to any of prohibited terminals, quarantine terminals, permitted terminals, and accepted terminals in the ARP request packet monitoring process shown in FIGS. 9 and 10, and in the agent ping process, The quarantine target terminal device 3 determined as having no agent ping response transmission by the second determination unit 220b is targeted.

  In this quarantine grace determination process, first, the grace process unit 220c of the determination unit 220 refers to the quarantine grace terminal information table 236, and the IP address and / or the quarantine target terminal device 3 for which no agent ping response was transmitted in the agent ping process. Alternatively, it is confirmed whether or not the MAC address is registered (step S3-11-1). That is, it is determined whether or not the target terminal device 3 is a grace isolation terminal.

If not registered, the first table updating unit 241 registers the IP address and / or MAC address of the quarantine target terminal device 3 in the quarantine postponement terminal information table 236 (step S3-11-2). At this time, the grace state of the terminal device is set to “at the time of discovery”, and the set current time is registered as the start time.
“At the time of discovery” is a grace state set when a terminal device 3 that is not registered in the terminal information table 230 and does not transmit an agent ping response is registered in the quarantine grace terminal information table 236. The quarantine control apparatus 2 is in a state where the terminal program in this state is not installed, or the agent program will be started immediately after the OS is started when the operating state is changed from the stopped state ("Starting"). In addition, it is not possible to determine whether the agent program has ended (“ending”) immediately before the OS is ended when the operating state is changed to the stopped state. The first table updating unit 241 sets “at the time of discovery” as the postponement state so that it can be recognized that the terminal is in such a state.

After step S3-11-2, the grace processing unit 220c determines that the quarantine target terminal device 3 is to be quarantined (step S3-11-3) and returns.
On the other hand, when the quarantine target terminal device 3 is registered in the quarantine grace terminal information table 236 in step S3-11-1, the grace processing unit 220c confirms the grace state (step S3-11-4). In the case of “before grace”, the process proceeds to step S3-11-5.
In step S3-11-5, the grace state of the terminal device in the quarantine grace terminal information table 236 is changed from “before grace” to “ending”, and the set current time is registered as the start time. After step S3-11-5, the grace processing unit 220c determines that the quarantine target terminal device 3 is to quarantine (step S3-11-3) and returns.

  In steps S3-11-4 and S3-11-5, when the terminal device is changed from the operating state to the stopped state, the grace state is not changed from "before grace" to "being finished" but is stopped. In some cases, when such a terminal device is in an operating state, the grace state is changed to “ending” in order to enable appropriate grace isolation.

When it is determined in step S3-11-4 that the grace state of the quarantine target terminal device 3 is not “before grace”, in step S3-11-6, the grace state is further confirmed, and “finishing” The process proceeds to step S3-11-7.
Note that “being terminated” is set when the terminal device is in a state where it is determined that the agent program has been terminated immediately before the OS is stopped when the terminal device is stopped from the operating state, as described above. A grace state. That is, the terminal device whose grace state is set to “being finished” is a state immediately before the OS is stopped and the agent program is finished.
The terminal device in this state cannot transmit an agent ping response because the OS is activated but the agent program is terminated.

  The determination as to whether or not the state of the terminal device corresponds to “being completed” is performed in a periodic agent ping execution process (FIG. 20) for a passing terminal described later. In this process, when the terminal device that has passed is no longer transmitting the agent Ping response, it is determined that the state determined to be “before grace” has changed to the state determined to be “ending”.

In step S3-11-7, the grace processing unit 220c refers to the start time of the corresponding current state, and determines whether or not the elapsed time from the start time to the current time is within a predetermined first grace time. Determine.
If the elapsed time is within the first grace time, the grace processing unit 220c proceeds to step S3-11-3, determines that the quarantine target terminal device 3 is to quarantine, and returns.

Since the terminal device in the “ending” state will eventually be stopped, in FIG. 9, the terminal device will not be captured by capturing the ARP request in step S 2-1. It is set to the time to stop.
Even if the target terminal device is stopped, the information registered in the quarantine postponement terminal information table 236 is maintained as it is. Therefore, the grace state is also maintained as “ending”.

On the other hand, if the elapsed time is not within the first grace period, the first table updating unit 241 changes the grace state of the terminal device in the quarantine grace terminal information table 236 to “active” (step S3-11- 8) Register the changed current time as the start time. Next, the grace processing unit 220c proceeds to step S3-11-3, determines that the quarantine target terminal device 3 is to quarantine, and returns.
Note that “being activated” means that, as described above, when the terminal device changes from the stopped state to the operating state, the agent program is not started yet immediately after the OS starts operating, and is determined to start from now on. This is the grace state set when.
The terminal device in this state cannot transmit an agent ping response because the OS is activated but the agent program is terminated.

In step S3-11-8, the reason why the grace state can be changed from “being finished” to “being activated” is as follows.
For example, when a terminal device that is a passing terminal changes from an operating state to a stopped state and tries to start up as much as possible, the agent program is still started even though the OS is in the operating state as described above. If not, it is captured by capturing the ARP request in step S2-1 of the ARP request packet monitoring process (FIG. 9).
Here, since the passing terminal is deleted from the passing terminal information table when it enters the stop state, the terminal device in a state that can be determined to be “starting up”, which was the passing terminal, is in each of the ARP request packet monitoring processes. In the determination, all are determined to be unregistered, and the grace period determination process is started.

As described above, when the passing terminal is in the stopped state, the grace state registered in the quarantine grace terminal information table 236 is changed to “being completed”, so the steps S3-11-6 to S3-11- Proceed to 7. When the terminal device is restarted after being turned off by turning off the power, etc., when the terminal device is in the stopped state, it is not captured by the ARP request. Many times have passed. Since the grace state is not updated during the period from the stop state to the start-up, it remains “ending”.
Therefore, when the grace state is in the state of “ending” and the terminal device has been stopped for a longer period of time than the first grace time set to the extent that the terminal device is surely stopped, the operation state is again set through the stop state. Therefore, it can be determined that activation has started.
As described above, in step S3-11-8, the postponement state can be changed from “being completed” to “being activated”.

If it is determined in step S3-11-6 that the grace state is “starting up” or “at the time of discovery”, the process proceeds to step S3-11-9, and the grace processing unit 220c displays the corresponding current state. The start time is referred to, and it is determined whether or not the elapsed time from the start time to the current time is within a predetermined second grace period.
If the elapsed time is within the second grace time, the grace processing unit 220c proceeds to step S3-11-3, and determines that the determination result is to be quarantined for the quarantine target terminal device 3 and returns.
On the other hand, if the elapsed time is not within the second grace time, the grace processing unit 220c proceeds to step S3-11-10, and determines that the quarantine target terminal device 3 does not grace the isolation, and returns.

  The second grace period is set to a time slightly longer than the time necessary for the terminal device in the stopped state to be in the operating state in which at least the agent is activated after the OS is activated. Therefore, in this step S3-11-9, it is determined whether the terminal device in the stopped state is “starting up” or “at the time of discovery” based on the second grace period, Until it becomes, it is postponed to isolate within the second grace period. A terminal device whose grace state is “starting up” and was originally a passing terminal is determined to be a passing terminal within the second grace period. This is because if the terminal is determined to be a pass terminal and registered in the pass terminal information table, the process does not proceed.

  As described above, the grace processing unit 220c determines whether or not to perform the quarantine grace for the quarantine target terminal device 3 that is determined not to transmit the agent ping response by the second determination unit 220b.

[6.2.4.2 Agent ping protocol]
FIG. 16 shows the sequence of the agent ping protocol and the data structure of the agent ping.
Here, the agent ping sent by the quarantine control device 2 is referred to as an “agent ping request”.

  The entity of the agent ping packet is obtained by storing necessary information such as the type and inspection result (check result) described later in the data part of a normal IP packet.

There are three types of agent ping packets: an agent ping request packet (step S4-2), an agent ping response packet (step S4-3), and an agent ping start request packet (step S4-1).
In order to distinguish these three packets, the agent ping has a flag value area of “type” as its data structure. As shown in FIG. 17, the type includes information indicating three types of “request”, “response”, and “start request”, and any one of the information is stored in the “type” area of the agent ping packet.

In the agent ping data structure shown in FIG. 16, the protocol version indicates version information of the agent ping protocol.
In addition to the protocol version and type, the agent ping response includes information related to the inspection result.

  As illustrated in FIG. 16, the information regarding the inspection result includes an agent ID, a check result (inspection result), and a policy file update date and time. The agent ID is an identifier of the agent computer program P2 and is composed of an arbitrary length ASCII character string. The check result is a flag value indicating an inspection result by the quarantine target terminal 3 and includes information indicating “pass” and “quarantine” as illustrated in FIG. 18, and either information is stored in the “check result” area. The The policy file update date / time indicates the update date / time of the inspection policy used for the inspection.

[6.2.4.3 Agent ping start request]
The agent ping is regularly executed by the quarantine control device 2. However, if the result of the inspection that the quarantine target terminal device 3 performs regularly or when necessary is different from the previous value (for example, when the quarantine target terminal device 3 changes from a state to be isolated to a pass state), the quarantine control device 2 Therefore, it is impossible to change the quarantine control accordingly.

Therefore, the quarantine target terminal device 3 can request the quarantine control device 2 to start transmission of the agent ping when such a change in the inspection result occurs or when necessary.
In particular, in the quarantine target terminal device 3, when the agent computer program P2 is activated, and the user of the quarantine target terminal device 3 requests the agent computer program P2 to perform the inspection, and the inspection is completed. Sometimes, the agent ping start request transmission unit 335 always makes an agent ping start request. FIG. 19 shows a sequence of this agent ping start request.

[6.3 Periodic Agent Ping Process for Passed Terminals]
As shown in FIG. 20, the agent ping transmission management unit 212 (see FIG. 3) of the quarantine control device 2 periodically pings the terminal devices registered in the passed terminal information table 231, It is determined whether or not the obstruction processing is necessary and the table 230 is maintained.

In the periodic agent ping process, first, the management unit 212 refers to the passed terminal information table 231 (step S5-1).
If there is a passing terminal whose internal state is to be confirmed in the passing terminal information table 231, the process proceeds to step S5-3. If the states of all the terminal devices on the passing terminal information table 231 are confirmed, the periodic agent The ping process is terminated (step S5-2).

  In step S5-3, the agent ping transmission unit 211 transmits an agent ping request to a terminal device (passed terminal) that needs state confirmation (step S5-3).

  The agent ping response receiving unit 213 waits for a certain period of time for an agent ping response from a terminal device (state confirmation target terminal device) that needs state confirmation (step S5-4). If there is no response after waiting for a certain period, the process proceeds to step 5-5, and if there is a response within the certain period, the process proceeds to step S5-8.

  In step S5-5, it is determined whether or not to resend the agent ping request to the state confirmation target terminal device that does not respond. If the number of retransmissions in the sequence is less than the maximum number of transmissions designated from the outside of the quarantine control device 2, the process returns to step S5-3. On the other hand, if the number of retransmissions in the sequence has reached the maximum number of transmissions, the process proceeds to step S5-6.

  When the processing has come to step S5-6, it means that there is no agent ping response from the state confirmation target terminal device that was a successful terminal, so the IP address and MAC address of the terminal device are obtained from the accepted terminal information table 231. Delete and proceed to step S5-7.

  In step S5-7, the grace state of the terminal device in the quarantine grace terminal information table 236 is changed to “ending”. When the terminal device is registered as a passing terminal in the agent ping process, the terminal device is registered in the quarantine terminal device information table 236 with the grace state “before grace” (step S3-5 in FIG. 14). The terminal device that was a successful terminal has a grace state of “before grace”, and is changed from “before grace” to “ending” in step S5-7.

The reason why the terminal device registered as a passing terminal does not send the agent ping response is that the agent program ends when the OS is started immediately before the OS is stopped when the operating state is changed to the stopped state. It is thought that the majority is due to this.
For this reason, when the registration as a successful terminal is deleted in step S5-6, it can be determined that the terminal device is in a state immediately before the OS is stopped and the agent program has ended. 7, the grace state is changed from “before grace” to “ending”.

  In step S5-8, it is determined whether the received agent ping response is normal. If normal, the process proceeds to step S5-9, and if invalid, the process proceeds to step S5-10.

  In step S5-9, the second determination unit 220b confirms the “policy check result” included in the agent ping response. If the “policy check result” means “pass”, the process returns to step S5-2, and if it means “isolation”, the process proceeds to step S5-10.

In step S5-10, the IP address and MAC address of the state confirmation target terminal device are deleted from the passed terminal information table 231, and the process proceeds to step S5-11.
In step S5-11, the IP address and MAC address of the status check target terminal device are registered in the quarantine terminal information table 232, and the process proceeds to step S5-12.

In step S5-12, a pseudo ARP response is broadcast in order to disturb the communication of the state confirmation target terminal device determined to be isolated, and the process returns to step S5-2.
As shown in FIG. 21, the pseudo ARP response transmitted here includes the “source IP address” as the IP address of the state confirmation target terminal device, the “source MAC address” as the MAC address of the quarantine control device 2, and “transmission”. A broadcast address is set in each of “destination IP address” and “destination MAC address”.
As described above, the pseudo ARP response is broadcasted, so that all terminal devices in the network erroneously recognize and learn the MAC address of the source of the captured ARP request.

[6.4 Periodic agent ping process for isolated terminals]
As shown in FIG. 22, the agent ping transmission management unit 212 (see FIG. 3) of the quarantine control device 2 periodically pings the terminal devices registered in the quarantine terminal information table 231, It is determined whether or not the obstruction processing is necessary and the table 230 is maintained.

First, the management unit 212 refers to the isolated terminal information table 232 and proceeds to step S6-2 (step S6-1).
If there is a quarantine terminal whose internal state is to be confirmed in the quarantine terminal information table 232, the process proceeds to step S6-3. If the state of all terminal devices on the quarantine terminal information table 232 is confirmed, the periodic agent ping The process ends (step S6-2).

  In step S6-3, the agent ping transmission unit 211 transmits an agent ping request to a terminal (state confirmation target terminal device) whose state needs to be confirmed, and proceeds to step S6-4.

  In step S6-4, an agent ping response from the state confirmation target terminal device is waited for a certain period. If there is no response after waiting for a certain period, the process proceeds to step S6-5, and if there is a response within the certain period, the process proceeds to step S6-8.

  In step S6-5, it is determined whether to resend the agent ping request to the state check target terminal device. If the number of retransmissions in the sequence is less than the maximum number of transmissions designated from outside the quarantine control device, the process returns to step S6-3. If the number of retransmissions in the sequence has reached the maximum number of transmissions, the process proceeds to step S6-6.

In step S6-6, when the status confirmation target terminal device has not responded in the previous polling (that is, the value in the “presence / absence of agent ping response” column of the isolated terminal information table 232 indicates “no response”). If so, the process returns to step S6-2. Here, “previous polling” refers to “periodic agent ping processing for isolated terminals” performed previously, and so on.
When the status confirmation target terminal device has responded in the previous polling (that is, when the value in the “presence / absence of agent ping response” column of the quarantine terminal information table 232 indicates “response present”), step S6 Proceed to -7.

  When the processing has come to step S6-7, the IP address and / or MAC address of the state confirmation target terminal device is deleted from the quarantine terminal information table 232, and the process returns to step S6-2. There is a high possibility that the terminal device that was “response” in the previous polling could not respond within the range of normal operation such as machine stop at night. Therefore, it is possible to avoid storing the terminal device as a quarantine terminal in the quarantine terminal information table 232 by deleting it from the quarantine terminal information table 232. it can.

  In step S6-8, it is determined whether the received agent ping response is normal. If normal, the process proceeds to step S6-9. If invalid, the process returns to step S6-2.

  In step S6-9, the second determination unit 220b confirms the “policy check result” included in the agent ping response. If the “policy check result” means “quarantine”, the process proceeds to step S6-10, and if it means “pass”, the process proceeds to step S6-11.

  In step S6-10, the value of the “agent ping response presence / absence column” of the status check terminal device in the quarantine terminal information table 232 is updated to a value indicating “response present”, and the process returns to step S6-2.

In step S6-11, the IP address and / or MAC address of the state confirmation target terminal device is deleted from the quarantine terminal information table 232, and the process proceeds to step S6-12.
In step S6-12, the IP address and MAC address of the state confirmation target terminal device are registered in the passed terminal information table 232, and the process proceeds to step S6-13.

As described above, since the state confirmation target terminal device that has been determined to be an isolated terminal has changed to a passing terminal, in step S6-13, the normalization ARP of the communication normalization unit 270 is canceled in order to cancel the disturbance processing for the state confirmation target terminal. The response transmitter 271 (see FIG. 3) broadcasts a normal ARP response and returns to step S6-13.
As shown in FIG. 23, the normal ARP response transmitted here includes the “source IP address” of the IP address of the state confirmation target terminal device, the “source MAC address” the MAC address of the state confirmation target terminal device, “ A broadcast address is set for each of “destination IP address” and “destination MAC address”.

  By broadcast transmission of the normal ARP response, all terminals in the network can correctly learn the MAC address of the state check target terminal device, and thus can communicate normally with the state check target terminal device.

[6.5 Regular Agent Ping Process for Quarantine Postponed Terminals]
As shown in FIG. 24, the agent ping transmission management unit 212 (see FIG. 3) of the quarantine control device 2 periodically pings the terminal devices registered in the quarantine postponement terminal information table 236. Then, it is determined whether or not obstruction processing is necessary, and the table 230 is maintained.

First, the management unit 212 refers to the grace isolation terminal information table 236 and proceeds to step S20-2 (step S20-1).
If there is a quarantine terminal registered in the grace period terminal information table 236 in a grace state other than “before grace”, the process proceeds to step S20-3, and the statuses of all terminal devices on the grace period terminal information table 236 are displayed. If confirmed, the periodic agent ping process is terminated (step S20-2).

  In step S20-3, the agent ping transmission unit 211 transmits an agent ping request to a terminal (state confirmation target terminal device) whose state needs to be confirmed, and proceeds to step S20-4.

  In step S20-4, an agent ping response from the state confirmation target terminal device is waited for a certain period. If there is no response after waiting for a certain period, the process proceeds to step S20-5, and if there is a response within the certain period, the process proceeds to step S20-8.

  In step S20-5, it is determined whether to resend the agent ping request to the state check target terminal device. If the number of retransmissions in the sequence is less than the maximum number of transmissions designated from outside the quarantine control device, the process returns to step S20-3. If the number of retransmissions in the sequence has reached the maximum number of transmissions, the process proceeds to step S20-6.

In step S20-6, isolation postponement determination is performed. In the isolation postponement determination of step S20-6, it is determined whether or not to perform the isolation postponement for the state confirmation target terminal device.
FIG. 25 is a flowchart showing the isolation postponement determination process in step S20-6 in FIG. In step S20-6, since the terminal device whose grace state is “before grace” is excluded, the terminal device is limited to the terminal devices whose grace state is “ending”, “starting up”, and “when discovered”.
Note that steps S20-6-1, S20-6-2, S20-6-4, S20-6-5, and S20-6-6 in the flowchart of FIG. 25 are the same as steps S3-11-6 in FIG. ~ S3-11-10, and step S20-6-3 in FIG. 25 is the same as step S3-11-3 in FIG.

  If the isolation postponement determination is performed in step S20-6, the process proceeds to step S20-7. If the isolation postponement determination results in isolation, the process proceeds to step S20-10 described later. If the result of the determination is that there is a grace period, the process returns to step S20-2.

In step S20-8, it is determined whether the received agent ping response is normal. If normal, the process proceeds to step S20-9, and if invalid, the process proceeds to step S20-10.
Here, when there is an agent ping response from the state confirmation target terminal device, it can be determined that the state confirmation target terminal device is in an operating state. That is, it can be determined that this state confirmation target terminal device is erroneously registered in the quarantine postponement terminal information table 236.

  Therefore, in step S20-9, the second determination unit 220b confirms the “policy check result” included in the agent ping response. If the “policy check result” means “quarantine”, the process proceeds to step S20-10, and if it means “pass”, the process proceeds to step S20-13.

In step S20-10, information related to the state confirmation target terminal device is deleted from the quarantine postponement terminal information table 236. This is because there is no need for a grace period for the quarantine terminal.
In step S20-11 performed after step S20-10, the first table update unit 241 registers the IP address and MAC address of the state confirmation target terminal device that has transmitted the agent ping response in the quarantine terminal information table 232. The process proceeds to step S20-12.
In step S20-12, a pseudo ARP response is broadcast in order to disturb the communication of the state confirmation target terminal device determined to be isolated, and the process returns to step S20-2. Note that the processing in step S20-12 is the same as that in step S5-12 in FIG.

On the other hand, in step S20-13 which proceeds when it is determined as “passed” in step S20-9, the grace state of the state confirmation target terminal device in the quarantine grace terminal information table 236 is changed to “before grace”.
Furthermore, in step S20-14, the IP address and MAC address of the state confirmation target terminal device are registered in the passed terminal information table 232, and the process proceeds to step S20-2.

  As described above, by performing the periodic agent ping process for the grace terminal, the grace state is erroneously determined as “ending”, “starting up”, and “when discovered”, and the grace terminal information table The terminal device registered in H.236 and in the operating state can be found. Furthermore, it is possible to optimize the processing for each terminal device by determining whether or not the state confirmation target terminal device determined to be in the operating state is an isolated terminal.

[6.6 Inspection of internal status of quarantined terminal device]
FIG. 26 shows an inspection processing procedure according to the inspection policy by the inspection control unit 310 of the quarantine target terminal device 3.

  When a predetermined inspection trigger occurs (step S7-1), the inspection execution unit 331 executes an inspection (policy check) of the internal state of the quarantine target terminal device 3 according to the inspection policy (step S7-1).

  The inspection trigger includes, for example, when the agent computer program P2 is started, manual execution by the user of the quarantine target terminal device 3, and periodic execution by the control unit 310 of the agent computer program P2.

When the inspection (policy check) result is different from the previous inspection (step S7-3), the agent ping start request transmission unit 335 transmits the agent ping start request to the quarantine controller 2 (step S7-5). ). However, since the IP address and the MAC address of the quarantine control device 2 are acquired by the agent ping from the quarantine control device 2, the agent ping start request cannot be transmitted unless the agent ping has been received so far (step S7- 4).
Thereafter, when an agent ping request is received from the quarantine control device, the inspection result is transmitted to the quarantine control device 2 as an agent ping response.

[6.7 Second Table Registration Process]
As shown in FIG. 27, in the table generation unit 410 (see FIG. 7) of the quarantine management server 4, the administrator can input the table information of the second table 230b from the input device (step S8-1).
The input table information of the second table 230b is transmitted to the quarantine controller 2 by the table transmission unit 420 (see FIG. 7) (step S8-2).

  As shown in FIG. 28, in the quarantine control apparatus 2, the second table update unit 232 (see FIG. 3) receives the table information of the second table 230b (step S9-1), and the contents of the second table area 230b Is updated (step S9-2).

[6.8 Communication jamming processing]
[6.8.1 Interfering method]
FIG. 29 shows the data structure of the above-described pseudo ARP response packet. In this pseudo ARP response packet, the IP address of the terminal device to be disturbed is stored in the first area D1 where the source IP address is stored, and the MAC address of the quarantine controller 2 is stored in the second area D2 where the source MAC address is stored. A broadcast address is stored in each of the third area D3 that stores the destination IP address and the fourth area D4 that stores the destination MAC address.
The quarantine control device 2 broadcasts this pseudo ARP response, so that the communication with the terminal device to be disturbed is performed. Note that the second area D2 in which the source MAC address is stored may be the MAC address of another device for packet collection / discarding instead of the MAC address of the quarantine control device 2. That is, the second area only needs to store a fake MAC address other than the correct MAC address of the interference target terminal.

By broadcast transmission of the pseudo ARP response, the terminal devices around the quarantine control device 2 receive the pseudo ARP response and use the MAC address of the quarantine control device (or the MAC of another device as the MAC address of the target terminal device to be disturbed). (Address) is mistakenly recognized and learned.
As a result, all data packets transmitted from the surrounding terminal devices to the interference target terminal device reach the quarantine control device 2 (or another device). The quarantine control apparatus discards the data packet, so that the data packet does not reach the disturbance target terminal apparatus. As a result, two-way communication (TCP) or one-way communication (UDP) from the communication partner to the disturbance target terminal device is not established between the disturbance target terminal device and the communication partner, resulting in interference.

FIG. 30 shows the flow of ARP from the time when an ARP request packet is transmitted from the terminal A to be blocked until the blocking is established.
First, an ARP request packet for acquiring the MAC address of terminal B is transmitted from terminal A (step S10-1). Thereby, the terminal B once correctly learns the MAC address of the terminal A.
The ARP request packet is captured by the quarantine control device 2 (step S10-2).

  Terminal B transmits a normal ARP response to terminal A (step S10-3). Thereby, the terminal A learns the MAC address of the terminal B.

The quarantine control apparatus 2 performs agent ping if necessary based on the captured ARP request packet, and determines that the terminal A is an interference target terminal that needs to be disturbed (step S10-4).
Then, as shown in FIG. 30, the quarantine control apparatus 2 broadcasts a pseudo ARP response with the source MAC address as its own MAC address and the source IP address as the IP address of the terminal A (step S10). -5). As a result, all terminals on the network including the terminal B (except the terminal A) learn the MAC address of the terminal A by mistake, and the interference is established.

  Although the pseudo ARP response is broadcast, since the IP address of the target terminal device to be disturbed is set as the destination IP address, the target terminal device cannot be received.

  In FIG. 31, contrary to FIG. 30, since the communication partner (non-disturbance target terminal) B communicates with the interference target terminal device A, the communication partner B sends out an ARP request, and the interference is established. The flow of ARP until is shown.

  First, an ARP request packet for acquiring the MAC address of terminal A is transmitted from terminal B, which is a communication partner (step S11-1). This ARP request packet is captured by the quarantine control apparatus 2.

  Terminal A transmits a normal ARP response to terminal B (step S11-2). Thereby, the terminal B once correctly learns the MAC address of the terminal A.

Since the MAC address of the terminal A is unknown, the quarantine control apparatus 2 transmits an ARP request to the terminal A by the ARP request transmission unit 291 (see FIG. 3) of the unregistered terminal apparatus processing unit 290 (Step S11-3). ).
Then, since the terminal A transmits an ARP response to the quarantine control apparatus 2 (step S11-4), the terminal A receives this by the ARP response receiving unit 292. Thereby, the quarantine control apparatus 2 can acquire the MAC address of the terminal A.

Then, the quarantine control apparatus 2 performs agent ping if necessary, and determines that the terminal A is an obstruction target terminal that needs to be obstructed (step S11-5).
Then, as shown in FIG. 29, the quarantine control apparatus 2 broadcasts a pseudo ARP response with the source MAC address as its own MAC address and the source IP address as the IP address of the terminal A (step S11). -6). As a result, all terminals on the network including the terminal B (except the terminal A) learn the MAC address of the terminal A by mistake, and the interference is established.

  Although the pseudo ARP response is broadcast, since the IP address of the target terminal device to be disturbed is set as the destination IP address, the target terminal device cannot be received.

  By performing the interference processing as described above, even if the ARP table of the interference target terminal device is statically set and the interference target terminal device is configured not to transmit the ARP request packet, the communication is performed. Communication can be interrupted by having the other party mislearn.

[6.8.2 Periodic transmission of pseudo ARP response packet]
As shown in Step 10-6 and Step S11-7 of FIGS. 30 and 31, the quarantine control apparatus 2 periodically broadcasts pseudo ARP response packets. The contents of the ARP table learned by each terminal device are automatically deleted if there is no communication with the communication partner for a certain period. Therefore, the pseudo ARP response transmission management unit 262 of the quarantine control device 2 periodically broadcasts a pseudo ARP response for interfering with the communication of the terminal device registered in the prohibited terminal information table 234 or the quarantine terminal information table 232. To do.

[6.8.3 Relay function]
Among the data packets sent to the quarantine control device 2 (or other collection / discard device) addressed to the interference target terminal device, the IP address of the transmission source (= terminal devices around the quarantine control device) is the exception information. When registered in the table 235, the communication relay unit 281 of the quarantine control device 2 (or other collection / discard device) transfers the data packet to the disturbance target terminal device without discarding the data packet. That is, even if it is a disturbance target terminal device, communication is established only with the terminal device designated as an exception (not disturbed).

By allowing exception communication, resources (such as OS monthly patch (hotfix)) and anti-virus software pattern files for improving the internal state of the quarantine target terminal device 3 determined to be a quarantine terminal are specified. When the terminal is in an in-house server or a server on the Internet, the isolation terminal can acquire the resource or file.
In other words, by registering a server with the resource or file in the exception information table, the resource or file can be acquired from the server via the network, and the internal state of the isolated terminal can be easily improved. .

  If exception communication is not permitted, resources for improving the internal state must be obtained offline, such as a CD-ROM, and the effort for improving the internal state will increase significantly, but allow exception communication. Thus, such trouble is reduced.

[6.9 Postponement of communication interference processing]
FIG. 32 is a sequence diagram for explaining a postponement of execution of communication interference processing when the terminal A, which is a passing terminal, changes from the operating state to the stopped state and then enters the operating state again.
In FIG. 32, the terminal A, which is a passing terminal in which the OS and the agent program are both activated and in an operating state, is registered as a passing terminal in the passing terminal information table 231 of the quarantine control apparatus 2 and is stored in the grace terminal information table 236. The grace state is registered as “Before Grace”.

Therefore, as shown in FIG. 32, even if the ARP request packet (step S12-1) of the terminal A is captured by the quarantine control device 2 and is subject to the ARP request packet monitoring process, it is registered in the passing terminal. The processing is finished as it is.
In addition, when a periodic agent ping request (step S12-2) is received from the quarantine control apparatus 2, since the terminal A is a passing terminal, an agent ping response is transmitted (step S12-3). Finish.

Here, when the process for the terminal A to change from the operating state to the stopped state is started, first, the agent program ends first with the OS activated (step S12-4).
At this time, if a periodic agent ping request (step S12-5) is received from the quarantine control apparatus 2, the terminal A cannot transmit an agent ping response because the agent program has ended.
Then, in the periodic agent ping execution process, after waiting for an agent ping response for a predetermined period and resending the agent ping request a predetermined number of times, if there is no response, the information of the terminal A is deleted from the passed terminal information table 231 and the grace period The grace state of the terminal information table 236 is changed to “ending” (steps S5-3 to S5-7 in FIG. 20).
Therefore, the information of the terminal A in the accepted terminal information table 231 of the quarantine control device 2 is deleted from the accepted terminal information table 231 and the grace state in the quarantine grace terminal information table 236 is registered as “ending” (step S12). -6).

  After that, since the terminal A is not registered as a passing terminal or an isolated terminal, the terminal A is not a target of the periodic agent ping execution process. Further, when it becomes a target of the ARP request packet monitoring process, the isolation grace period is determined in the agent ping process (FIG. 14). At this time, since the grace state in the quarantine grace terminal information table 236 is registered as “being completed”, quarantine grace is subsequently performed within the range of the first grace time (step S3-11-1 in FIG. 15). S3-11-7). That is, the terminal A is graced to be isolated as an isolated terminal even if the agent ping response cannot be transmitted due to the termination of the agent program (the execution of the disturbing process is delayed).

  Thereafter, when the OS ends (step S12-7), the terminal A enters a stopped state. During the period of the stop state, the registered content of the grace period terminal information table 236 for the terminal A is maintained.

Further, when the process for the terminal A to change from the stopped state to the operating state is started after a while, the OS is first started prior to the agent program (step S12-8).
In this state, when the ARP request packet (step S12-9) of the terminal A is captured by the quarantine control device 2 and is subject to the ARP request packet monitoring process, the terminal A is registered as a passing terminal and an isolated terminal. In the agent ping process, the grace period is determined (step S3-11 in FIG. 14).
At this time, the grace state in the quarantine grace terminal information table 236 is registered as “being finished”, and the first grace time is longer than the period from the start time to the current time when it is “finished”. If it is longer, the grace state is changed to “active” (step S12-10).

  As described above, since the first grace period is a period of time lag from the end of the agent program to the end of the OS, once the terminal A is stopped, the elapsed time is normally The first grace time will be exceeded.

  The terminal A is quarantined during the second grace period after the grace state in the quarantine grace terminal information table 236 is registered as “active” (steps S3-11-3 and S3-in FIG. 15). 11-6, S3-11-9). That is, the terminal A is graced to be isolated as an isolated terminal even if the agent ping response cannot be transmitted because the agent program has not yet been activated (the execution of the disturbing process is delayed).

Thereafter, when the agent program is activated (step S12-11) and the ARP request packet (step S12-12) is captured by the quarantine control device 2 and subjected to ARP request packet monitoring processing, the terminal A 2 sends an agent ping request (step S12-14) to the agent ping request (step S12-13).
As a result, the quarantine control apparatus 2 registers the terminal A as a successful terminal and registers the grace state as “before grace” in the quarantine grace terminal information table 236 (step S12-15).

Thus, according to the quarantine control device 2 of the present embodiment, the terminal device 3 to be quarantined is provided with the grace processing unit 220c for suspending execution of the interference processing by the communication interference unit 260 for a predetermined time. For example, even if the agent program is still running and the agent ping response cannot be sent, the agent program is in a state in which the agent program is in operation when a subsequent agent ping request is made by delaying a predetermined time. Can respond. As a result, it is possible to prevent the terminal device from being determined as an execution target of the interference process even though the terminal is a successful terminal, and to more appropriately determine the terminal device that should interfere with the communication.
In addition, even if the terminal device that is not a passable terminal is delayed, even if the execution of the interference process is delayed, the terminal device is isolated from being subjected to the interference process after the grace period elapses.

  In this embodiment, if there is no response even after waiting for an agent ping response for a certain period in step S3-2, the process proceeds to step S3-11, and the grace processing unit 220c performs a grace period determination. In the quarantine grace determination of step S3-11 performed by the grace processing unit 220c, it is determined whether or not the quarantine target terminal device 3 is graced for the quarantine, that is, the execution of the disturbing process. For this reason, it is possible to reliably identify the terminal device 3 that is being activated and in which the agent program is not yet operating, and to postpone the execution of the disturbance process.

  In addition, the quarantine control device 2 according to the present embodiment requires the quarantine postponement terminal information table 236 included in the terminal information table 230 in which information for specifying the terminal device 3 that should postpone the jamming process is registered, and the jamming process is necessary. And a table updating unit 240 that deletes information related to the terminal device 3 to be determined from the quarantine grace terminal information table 236 only when it is determined that the grace processing unit 220c is the grace terminal information table 236. It is configured to determine whether or not to delay execution of the disturbance process for the terminal device 3 registered in the above.

  In this case, since the information on the terminal device 3 is deleted from the grace isolation terminal information table 236 only when it is determined that the obstruction processing is necessary, the registered information may be changed depending on the activation or termination of the terminal device 3. Not deleted. Therefore, even if the terminal device 3 registered in the isolation grace terminal information table 236 changes from the operating state to the stopped state and then enters the operating state again, it is registered in the terminal information table. For this reason, if execution of the obstruction processing is delayed at the end, it can also be delayed at startup.

FIG. 33 (a) is a sequence diagram for explaining a mode of postponement of the communication jamming process when the terminal B in which the agent program is not installed is connected to the network for the first time and changes from the stopped state to the operating state. .
First, the OS is started by starting processing for the terminal B to change from the stopped state to the operating state (step S13-1).
Next, when the ARP request packet (step S13-2) of the terminal B is captured by the quarantine control device 2 and subjected to the ARP request packet monitoring process, the terminal B is not registered as a passing terminal or an isolated terminal. Therefore, isolation postponement determination is performed in the agent ping process (step S3-11 in FIG. 14). At this time, since the terminal B is not registered in the quarantine postponement terminal information table 236, the grace state is registered as “at the time of discovery” and the current time is registered as the start time (step S13-3). Execution of communication interruption processing is delayed.

Note that since the agent program is not installed in the terminal B, the terminal B is not registered as a passing terminal even if it is a target of the ARP request packet monitoring process. Therefore, for example, after being registered in the quarantine postponement terminal information table 236 in step S202, if the ARP request packet monitoring process is to be performed after the elapse of the second grace period (step S13-4), the terminal B Is not registered as a passing terminal or a quarantine terminal, and therefore, a grace period is determined in the agent ping process (step S3-11 in FIG. 14).
As a result of the quarantine determination, since the grace state is “at the time of discovery” and the elapsed time from the start time to the current time is equal to or longer than the second grace time, the terminal B is determined not to suspend the quarantine. (Step S3-11-10 in FIG. 15).

As a result, the terminal B is determined to be a quarantine terminal, and is deleted from the quarantine postponement terminal information table 236 and registered in the quarantine terminal information table 232 in step S13-5 (step S3-8 in FIG. 14, Step S3-9).
In this way, when the terminal B in which the agent program is not installed is captured for the first time by the ARP request packet monitoring process, the terminal B is suspended from executing the isolation, that is, the communication blocking process. However, when the second grace period or more elapses, this terminal B is determined as a terminal that is not normal, and is subject to communication interference processing.

  FIG. 33B is a sequence diagram for explaining a mode of postponement of communication interference processing when the terminal A to be a passing terminal is connected to the network for the first time and changes from the stopped state to the operating state. This terminal A is assumed to be in a state where an agent program is installed and it is determined as a passing terminal.

First, the OS is started by starting processing for the terminal A to change from the stopped state to the operating state (step S14-1).
Next, when the ARP request packet (step S14-2) of the terminal A is captured by the quarantine control device 2 and is subjected to the ARP request packet monitoring process, the terminal A is not registered as a passing terminal or an isolated terminal. Therefore, isolation postponement determination is performed in the agent ping process (step S3-11 in FIG. 14). At this time, since terminal A is not registered in the quarantine postponement terminal information table 236, the grace state is registered as “at the time of discovery” and the current time is registered as the start time (step S14-3). Execution of communication interruption processing is delayed.

After that, the agent program of the terminal A is activated (step S14-4), and when the ARP request packet (step S14-5) is captured by the quarantine controller 2 and subjected to the ARP request packet monitoring process, the terminal A In response to the agent ping request (step S14-6) from the quarantine control apparatus 2, an agent ping response (step S14-7) is transmitted.
As a result, the quarantine control apparatus 2 registers the terminal A as a passing terminal and registers the grace state from “when discovered” to “before grace” in the quarantine grace terminal information table 236 (step SS14-8).

  As described above, when the terminal device 3 determined not to respond to the agent ping request is not registered in the quarantine postponement terminal information table 236, the terminal device 3 is registered in the quarantine postponement terminal information table 236. Therefore, even when a terminal device 3 that is not registered in the grace isolation terminal information table 236 is activated and receives an agent ping request, execution of the interference processing is delayed for a certain period of time, so that the stationary terminal device 3 is subjected to the interference processing. Execution can be prevented.

  In addition, this invention is not limited to the said embodiment, A various deformation | transformation is possible. For example, the communication monitoring unit 250 may monitor other types of IP packets instead of ARP requests flowing through the network. In this case, what is necessary is just to determine the necessity of disturbance with respect to the transmission source and / or transmission destination of another type of IP packet.

  The embodiment disclosed this time should be considered as illustrative in all points and not restrictive. The scope of the present invention is defined by the terms of the claims, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

2 Quarantine control device 3 Terminal device 211 Agent ping transmission unit (inspection result transmission request unit)
220 determination unit 220a first determination unit 220b second determination unit 220c grace processing unit 236 isolation grace terminal information table (terminal information table)
240 Table update unit 260 Communication jamming unit

Claims (7)

A quarantine control device that interferes with communication of a terminal device connected to a network,
An inspection result transmission requesting unit for requesting the terminal device to transmit an inspection result in which the terminal device inspects the internal state in accordance with a predetermined inspection policy;
Based on a response of the terminal device to the transmission request for the inspection result, a determination unit that determines whether the terminal device is a passing terminal that satisfies a predetermined condition for the inspection result;
When the determination unit determines that the terminal is not an acceptable terminal, a communication disturbance unit that executes a communication disturbance process of the terminal device;
A quarantine control device comprising: a grace processing unit for suspending execution of the interference processing by the communication interference unit for a predetermined time.   2. The quarantine control device according to claim 1, wherein when the determination unit determines that the terminal device is not the acceptable terminal, the grace processing unit determines whether or not to suspend execution of the obstruction processing. A terminal information table in which information for specifying the terminal device for which the jamming process should be suspended is registered;
A table updating unit that registers information about the terminal device in the terminal information table when the terminal device determined by the determination unit as not being the passing terminal is not registered in the terminal information table;
The table update unit deletes, from the terminal information table, information related to the terminal device that is determined not to be the successful terminal after registration by the determination unit and that is determined not to postpone execution of interference processing by the grace processing unit. ,
The quarantine control device according to claim 2, wherein the grace processing unit causes the communication jamming unit to perform a jamming process for the terminal device deleted from the terminal information table.   Whether the grace processing unit graces the execution of the interference process when it is determined that the terminal device is not the successful terminal by determining that the terminal device does not respond to the inspection result transmission request. The quarantine control apparatus according to claim 2 or 3, wherein the determination is performed.   The table update unit, when determining that the terminal device is not the passing terminal by determining that there is no response of the terminal device to the transmission request of the inspection result, information for specifying the terminal device The quarantine control apparatus according to claim 3 or 4, which is registered in the terminal information table. A quarantine control computer program for causing a computer to function as a quarantine control device connected to the network, which executes a quarantine method for interfering with communication of a terminal device connected to the network,
An inspection result transmission request step for requesting the terminal device to transmit an inspection result obtained by inspecting the internal state of the terminal device according to a predetermined inspection policy;
A determination step of determining whether or not the terminal device is a passing terminal that satisfies a predetermined condition for the inspection result, based on a response of the terminal device to the transmission request for the inspection result;
If it is determined that the terminal is not an acceptable terminal, a communication blocking step for performing a communication blocking process of the terminal device,
A quarantine control computer program comprising a grace processing step of suspending the execution of the communication blocking step for a predetermined time when it is determined in the determining step that the terminal is not an acceptable terminal. A quarantine control device connected to a network is a quarantine method for interfering with communication of a terminal device connected to the network,
An inspection result transmission request step for requesting the terminal device to transmit an inspection result obtained by inspecting the internal state of the terminal device according to a predetermined inspection policy;
A determination step of determining whether or not the terminal device is a passing terminal that satisfies a predetermined condition for the inspection result, based on a response of the terminal device to the transmission request for the inspection result;
If it is determined that the terminal is not an acceptable terminal, a communication blocking step for performing a communication blocking process of the terminal device,
A quarantine method comprising a grace processing step of gracefully executing the communication blocking step for a predetermined time when it is determined in the determination step that the terminal is not an acceptable terminal.

Images