JP2014132496A - Quarantine network system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique to construct a flexible security environment in which a security level and connection restrictions are taken into account.SOLUTION: A quarantine apparatus 10 determines security policies applied to client terminals 8, 52, and 72 respectively on the basis of inventory information acquired from the client terminals. The security policy is defined being separated into a basic policy, a group policy, and a network policy on the basis of respective identification information preliminarily registered in the quarantine apparatus 10 for the client terminals 8, 52, and 72 and group information grouping the identification information. The basic policy, the group policy, and the network policy are made to correspond to an execution item for quarantine and a simulation mode. On the basis of the simulation mode, it is determined whether quarantine and authentication are executed or not.

Description

  The present invention relates to a quarantine network system.

  This type of quarantine network system attempts to improve network security by performing quarantine on various terminals installed in the network.

  For example, conventionally, when a new user terminal is to be connected to a network, a first prior art is known in which the connection restriction is canceled after checking the virus countermeasure status of the user terminal (see Patent Document 1). In this prior art, when a connection request is made from a user terminal to the network, the anti-virus status is checked on the anti-virus terminal, and if anti-virus measures are taken, the connection restriction is canceled and connection to the network is established. To give permission. On the other hand, if the virus countermeasure has not been taken, the network range to which the user terminal can be connected is limited.

  A second prior art is known in which information systems are set in accordance with a predetermined security policy for various terminals in a corporate network (see Patent Document 2). In the second prior art, a security policy corresponding to user attribute information or management information acquired in advance from a client terminal or an administrator terminal is defined, and the client terminal is quarantined based on this security policy. Do access control.

JP 2005-216253 A JP 2006-184936 A

  However, the first prior art described above only performs quarantine on the user terminal that has sent the connection request, and based on the information sent from the user terminal, the individual security policy (which Such as quarantine items to be applied) or individual security policies based on information managed by the user management device cannot be operated. In addition, in order for the quarantine apparatus to function, a network component device having an authentication function is necessary as a premise thereof, and the configuration of the network itself is limited accordingly.

  On the other hand, in the second prior art, the security policy is defined based on the information sent from the client terminal or the information managed by the user management apparatus. It is thought that it is possible to take flexible anti-virus measures.

  However, the second prior art has a problem that the setting based on the security policy cannot be executed due to the configuration in the network. Generally, in order to operate the network stably, it is required that the restrictions on the network that can be connected to the client terminal and the application of an appropriate security policy cooperate with each other. The presence or absence of restrictions differs depending on the presence or absence of the authentication function of the switch to which the client terminal is connected. However, in the second prior art method, since the quarantine apparatus cannot grasp what kind of switch the client terminal to be quarantined is connected to, the switch between the switch with the authentication function and the switch without the authentication function. A security policy cannot be individually applied to each client terminal connected thereto. Therefore, in the second prior art method, it is difficult to operate in a state where a switch with an authentication function and a switch without an authentication function coexist in the network.

  Therefore, an object of the present invention is to provide a technique for constructing a flexible security environment in consideration of security levels and network connection restrictions.

  In order to solve the above-described problem, according to one aspect of the present invention, a quarantine network system including a quarantine apparatus that quarantines a client terminal connected to a network, the quarantine apparatus includes a plurality of predefined quarantine apparatuses. Group policy information registered for each security policy group in association with a unique security policy and a specific simulation mode that defines the execution items of quarantine and whether or not authentication is performed, and group policy information Apart from the security policy for each security policy group, one of the security policy groups is included in the basic policy information that defines the basic security policy and simulation mode in the network, and the identification information of each client terminal. If the identification information of the client terminal to be quarantined is registered in the asset ledger information when executing the quarantine, the security policy associated with the identification information Quarantine by applying a security policy specific to the group, and determine whether to authenticate the client terminal subject to quarantine according to the simulation mode specific to the security policy group, while the client terminal subject to quarantine If the identification information is not registered in the asset ledger information, quarantine is performed by applying the basic security policy, and whether to authenticate the client terminal subject to quarantine according to the basic simulation mode is determined. A quarantine network system is provided.

  According to the quarantine network system of the present invention, it is possible to construct a flexible security environment considering security levels and network connection restrictions.

It is a figure showing roughly the composition of the quarantine network system in this embodiment. It is a block diagram which shows roughly the functional structure of a quarantine apparatus. It is a table | surface which shows the content of a security policy roughly. It is a table | surface which shows the asset register memorize | stored in the asset register setting part. It is a table | surface which shows roughly the group policy set in the security policy group setting part. It is a table | surface which shows roughly the network policy set in the security policy group setting part. It is a sequence diagram which shows each process of the quarantine and authentication implemented by a quarantine apparatus and a switching hub. It is a flowchart which shows the process which determines the security policy applied with respect to a client terminal by a quarantine apparatus.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 is a diagram schematically showing a configuration of a quarantine network system in the present embodiment. For example, the quarantine network system shown in FIG. 1 is applied in a corporate network.

  The quarantine network system has, for example, a basic network 1, in which a quarantine device 10, an authentication device 20, a monitoring device 21, a log management device 22, and the like are arranged. In the network 1, for example, a server 28 (file server, application server, data server, etc.) to be accessed by the user is arranged.

  In the network 1, there are segments 1X and 1Y as peripheral portions thereof. Among them, one segment 1X is connected to the backbone network 1 via, for example, a switching hub 30 that does not have an authentication function, and the other segment 1Y passes through a switching hub 40 that has an authentication function. Connected. In addition, a plurality of client terminals 8, 52, 54, etc. are arranged in the segment 1X, and a plurality of client terminals 62, 64, 72, 74, etc. (reference numerals are illustrated) are also arranged in the segment 1Y. Yes.

  The quarantine apparatus 10 executes quarantine on the client terminals 8, 52 to 74, and the like. Further, when authentication of the client terminals 8, 52 to 74, etc. is required, the quarantine apparatus 10 causes the switching hub 40 (with an authentication function) to execute these authentications.

  The quarantine apparatus 10 defines a basic policy 10a as a basic security policy that is commonly used in the network 1 (including the segments 1X and 1Y). In the quarantine apparatus 10, the client terminals 52 to 74 connected to the network 1 are divided into a plurality of groups and a security policy is set for each group, or the client terminals 52 to 74 are classified according to the network range. It is possible to set a security policy for each network. These security policies for each small unit are defined as, for example, a group policy 10b and a network policy 10c, respectively. In addition, the quarantine apparatus 10 stores identification information for individually identifying the client terminals 52 to 74 as asset ledger 10d (asset ledger information).

  Note that the quarantine apparatus 10 may be a single apparatus or may be configured by a plurality of apparatuses. At this time, for example, quarantine may be executed on the client terminals 8, 52 to 74, etc. while performing load sharing among a plurality of apparatuses.

  The switching hubs 30 and 40 are relay apparatuses having data transfer functions such as layer 2 and layer 3 of an OSI (Open Systems Interconnection) reference model. The switching hubs 30 and 40 relay the data transmitted from the quarantine device 10 and the client terminals 8, 52 to 74, the authentication device 20, the monitoring device 21, the log management device 22, the server 28, etc. to the destination device or terminal. Or relay to another network.

  Further, in the present embodiment, the switching hub 40 is connected to the connection destination client terminals 62 to 74 and the like, for example, an authentication method compliant with a communication standard of, for example, a Web authentication method or IEEE (Institut of Electrical and Electronics Engineers) 802.1x, It has a function of performing authentication using various authentication methods such as an authentication method based on the RADIUS (Remote Authentication Dial In User Service) protocol.

  Further, the switching hub 40 has a function of limiting a network range to which the client terminals 62 to 74 can be connected according to the authentication result. For example, the switching hub 40 limits the network range by dynamically setting a VLAN (Virtual LAN) for the ports to which the client terminals 62 to 74 and the like are connected. The switching hub 40 sets a VLAN accessible only to a limited range until the authentication is successful, and sets the VLAN accessible to the entire network 1 when the authentication is successful. Note that the VLAN may be the same before and after authentication. On the other hand, the switching hub 30 does not have the function of performing the above authentication, and does not authenticate the connection destination client terminals 8, 52, 54, and the like.

  The client terminals 8, 52 to 74, etc. are terminals such as notebook type PCs (Personal Computers), desktop type PCs, portable terminals, etc., and may be any ones with a predetermined OS installed. The client terminals 8, 52 to 74, etc. access the server 28 via the switching hubs 30, 40 or accept user's work by user operations using these.

  In this embodiment, the client terminals 52 to 74 other than the client terminal 8 are defined by being divided into a plurality of groups. For example, the client terminals 52, 54, etc. are defined as “group M (reference numeral 50 in the figure)”, and the client terminals 62, 64, etc. are defined as “group N (reference numeral 60 in the figure)”. Further, the client terminals 72, 74, etc. are defined as “Group L (reference numeral 70 in the figure)”. On the other hand, the client terminal 8 does not belong to any group. Such grouping can be arbitrarily set, for example, by the administrator of the network 1 in advance by department, floor, user type, etc. in the office.

  In any case, the quarantine apparatus 10 can set a group policy that defines a policy corresponding to each group, or can set a basic policy that is commonly applied in the network 1. The quarantine apparatus 10 can set a network policy to which the above group policy is applied for each network range. Quarantine by the quarantine apparatus 10 is performed on the client terminals 52 to 74 and the like based on the above policy.

  The authentication device 20 is a server for authenticating an account input to the client terminal by the above authentication method. In the authentication device 20, for example, authentication information necessary for authentication such as a user ID, a password, information on the client terminal, and a MAC (Media Access Control) address defined in the client terminal is registered in advance.

  When the authentication device 20 receives the authentication information from the client terminal 62 via the switching hub 40, the authentication device 20 collates this with the previously registered authentication information and transmits the authentication result to the client terminal 62. At this time, the switching hub 40 sets the client terminal 62 as a VLAN accessible to the entire network 1 or blocks the connection according to the authentication result. Similar to the quarantine apparatus 10, the authentication apparatus 20 may be a single apparatus or a plurality of apparatuses. Or when the function as a server for authentication is mounted in the switching hub 40, you may authenticate the client terminals 62-74 etc. by the switching hub 40, without using the authentication apparatus 20. FIG.

  The monitoring device 21 includes the quarantine device 10, the switching hubs 30 and 40, the client terminals 8, 52 to 74, etc., the authentication device 20, the log management device 22, and the server 28 arranged in the network 1. When a failure occurs in any of the devices, this is notified to a management terminal (not shown) or a communication state is notified in response to a request from the management terminal. The management terminal is a device that manages the network 1.

  The log management device 22 is a server device for storing data processed by the authentication device 20, the monitoring device 21, and the server 28, such as the quarantine device 10, the switching hubs 30 and 40, and the client terminals 8 and 52 to 74. . For example, data related to the quarantine executed by the quarantine apparatus 10 and system information mounted thereon are stored.

  The server 28 is a general server device shared as a work target by a plurality of users in the network 1 as a work target by the user. For example, a user who uses the client terminal 74 cannot access the server 28 unless authentication by the switching hub 40 is successful in advance.

  FIG. 2 is a block diagram schematically showing a functional configuration of the quarantine apparatus 10. The quarantine apparatus 10 is arranged in the network 1 in addition to executing the quarantine of software installed in the client terminals 8 and 52 to 74 described above, and causing the switching hub 40 to perform authentication of the client terminals. Data logs are sent to various devices and failure information is notified. Hereinafter, these functional configurations will be described.

  The quarantine apparatus 10 includes a system setting unit 100, a customization setting unit 105, an authentication switch information setting unit 110, a security policy group setting unit 120, an asset ledger setting unit 130, a security policy group setting unit 140 for each OS, and a security policy quarantine unit 150. A hardware failure detection unit 160, a log storage unit 170, a client program storage unit 180, and a security policy information management database 300.

  The system setting unit 100 sets network information for the quarantine apparatus 10. Specifically, an operator or an administrator who manages the quarantine apparatus 10 accesses the system setting unit 100 to set an IP address, DNS (Domain Name System), proxy, etc., host name registration, NTP (Network Time). Setting of time information using Protocol) is performed. Moreover, UPS (Uninterruptable Power Supply) can be set.

  The system setting unit 100 may perform various processes according to the settings of the system provided in the quarantine apparatus 10. For example, it is preferable to perform backup processing for data recorded in the security policy information management database 300 and recovery processing (restoration) at the time of failure. Further, regarding the data backup process, a periodic backup process may be performed using an external storage medium (not shown), NAS (Network Attached Storage), or the like. On the other hand, regarding the recovery process, the optimum data necessary for restoration may be automatically acquired from the backed up data.

  The customization setting unit 105 sets or changes the display format displayed on the display of the client terminals 8, 52 to 74, and the like. Specifically, the display format of a warning message to be notified to the client terminals 8, 52 to 74, etc. when the content indicated in the quarantine item is not satisfied is set or changed. In addition, the display format displayed on the display of the client terminals 8, 52 to 74, such as message information, operation buttons, a logo indicating an application, copyright information, and language display, is set or changed.

  The authentication switch information setting unit 110 sets information used when the switching hub 40 authenticates the client terminals 62 to 74 and the like. Specifically, the name (host name) of the switching hub 40, a URL (Uniform Resource Locator) indicating the location of the authentication page, and notification from the switching hub 40 to the client terminals 62 to 74 when authentication is successful or unsuccessful. Set information such as response messages.

  The asset ledger setting unit 130 stores identification information for individually identifying the client terminals 8, 52 to 74, and the like. In addition, group information that defines a plurality of pieces of identification information divided into a common group from the stored identification information is stored. Specifically, the asset ledger setting unit 130 stores IP addresses and MAC addresses set in the client terminals 52, 54, 62, 64, 72, and 74 as identification information, and the group M shown in FIG. 1 as group information. , N, L are stored. The identification information and the group information are stored in association with each other. For example, the identification information indicating the client terminals 52 and 54 and the like is stored in association with the group M.

  The security policy group setting unit 120 sets the basic policy 10a, the group policy 10b, and the network policy 10c described above. Each security policy defines a quarantine execution item for the client terminals 8, 52 to 74, and a simulation mode indicating whether or not the client terminals 8, 52 to 74 are authenticated. The basic policy 10a, the group policy 10b, and the network policy 10c are set in consideration of the security level for the client terminals 8, 52 to 74, etc. by an administrator or worker who manages the network 1.

  The basic policy 10a is a security policy commonly used in the network 1, and the group policy 10b and the network policy 10c are set based on this security policy. The group policy 10b is a security policy in which a quarantine execution item and a simulation mode are defined for each of the groups M, N, and L stored in the asset ledger setting unit 130.

  The network policy 10c is a security policy in which the network range to which the client terminals 8, 52 to 74, etc. belong and the group policy are defined in association with each other. Specifically, the range of IP addresses that can be set (assigned) to the client terminals 8, 52 to 74, etc. in the network 1 is divided into a plurality, and information indicating each range is associated with each group policy. It has been.

  The security policy group setting unit 140 for each OS sets a security policy for each type of OS installed in the client terminals 8, 52 to 74, and the like. Specifically, the quarantine execution items defined in the basic policy 10a and the group policy 10b are defined for each OS. Thus, for example, even when different types of OSs are installed in the client terminals 52 and 54 that perform quarantine based on the common group policy 10b, they can be flexibly adapted according to the characteristics and version information of each OS. Can be quarantined.

  The security policy quarantine unit 150 determines a security policy to be applied based on the identification information stored in the asset ledger setting unit 130, and executes quarantine on the client terminals 8, 52 to 74, and the like.

  The hardware failure detection unit 160 detects when a failure has occurred in the hardware installed in the quarantine apparatus 10. More specifically, the hard disk drive, voltage, firmware, and the like in the quarantine apparatus 10 are monitored, and these abnormalities and failures are detected.

  When the hardware failure detection unit 160 detects a failure, the hardware failure detection unit 160 notifies the monitoring device 21 and the log management device 22 illustrated in FIG. 1 of the occurrence of the failure. As a technique for notifying the occurrence of a failure, it is preferable to notify using, for example, Syslog, SNMP (Simple Network Management Protocol), mail or the like. Note that the hardware failure detection unit 160 may collect the operation information of the quarantine apparatus 10. By collecting the operation information, for example, an administrator or an operator can check the failure status of the quarantine apparatus 10.

  The log storage unit 170 stores quarantine information such as the execution contents and execution time of the quarantine executed by the security policy quarantine unit 150, and stores operation information collected by the hardware failure detection unit 160. The stored information may be notified from the log storage unit 170 to the log management apparatus 22 shown in FIG. At this time, for example, notification is preferably performed using Syslog, SNMP (Simple Network Management Protocol), e-mail, or the like.

  The client program storage unit 180 stores a program for checking the security state. This program is installed in advance in the client terminals 8, 52 to 74, etc. before quarantine or authentication is performed. In each client terminal 8, 52 to 74, etc., when the security state is inspected according to the above program, the inspection result is notified to the quarantine apparatus 10.

  The program may be in a Web application format or a program file format that can be executed by each of the client terminals 8, 52 to 74, and the like. Further, as a technique for installing the program in the client terminals 8, 52 to 74, etc., an agent type that is installed from the quarantine apparatus 10 or an agentless type that does not require installation may be used. Further, in the case of the Web application format, the connection destination client terminals 62 to 74 and the like may be automatically guided (redirected) to the client program storage unit 180 by the switching hub 40 having an authentication function.

  The security policy information management database 300 includes the system setting unit 100, customization setting unit 105, authentication switch information setting unit 110, asset ledger setting unit 130, security policy group setting unit 120, security policy group setting unit 140 for each OS, Information set (stored) by the security policy quarantine unit 150, the hardware failure detection unit 160, the log storage unit 170, and the client program storage unit 180 is stored and read when these are executed. Or updated.

  FIG. 3 is a table schematically showing the contents of the security policy. This table is displayed, for example, on the display of the administrator terminal connected to the quarantine apparatus 10, and a security policy is created by the operation of the administrator.

  The table shown in FIG. 3 is divided into three upper stages and one lower stage. Of these, the three large levels shown at the top indicate quarantine execution items that are applied to each type of OS, for example. Further, the lower one level shown at the bottom shows a simulation mode that defines the mode of whether or not to perform authentication. This will be described in more detail below.

  In the table of FIG. 3, the leftmost column shown in the top three rows indicates the type of OS, and here, for example, “OS1” to “OS3” are shown in ascending order. In the second column from the left, “quarantine items (execution items)” are shown for each OS, and quarantine execution items corresponding to the OS1 to OS3 are shown. In the third column from the left, a column of “execution content” is shown for each OS, and the execution content for “quarantine item” is shown here. The “edit” column shown in the rightmost column indicates that the execution items and execution contents shown in the “quarantine item” and “execution content” columns can be edited for each OS. For example, when an administrator selects “Edit” shown on the display, the execution item and execution content of the quarantine can be edited.

Here, items that can be quarantined by the quarantine apparatus 10 (“quarantine items”) include, for example, the following.
(1) Confirmation of OS permission status (2) Confirmation of OS patch application status (3) Presence or absence of installation of antivirus software and data version to be applied (4) Confirmation of security status managed by OS (5) Application status of the firewall (6) Confirmation of the presence of software that is not permitted to install (method for searching physical files, OS management areas such as registries)
(7) Confirmation of existence of software to be installed (method for retrieving physical file, method for retrieving OS management area such as registry)
(8) Confirmation of energy saving mode setting status (9) Confirmation of screen saver password setting status (10) Confirmation of OS password setting status (11) Confirmation of client terminal registered in asset ledger (10d) Table showing simulation mode In the right column, whether or not quarantine and authentication are executed is shown. Here, as an example, items of “none (normal operation)”, “simulation (quarantine OK regardless of the quarantine result)”, and “simulation (no switch authentication)” are shown. “None (normal operation)” indicates, for example, a case where both quarantine and authentication are performed on a client terminal connected to the network 1. In addition, “simulation (quarantine is ok regardless of the quarantine result)” indicates a case where authentication is executed even if the authentication result is NG. “Simulation (no switch authentication)” indicates a case where only quarantine is executed. In the simulation mode, for example, the administrator can select one of the above items displayed on the display. Moreover, you may enable it to set simulation mode for every quarantine item here.

  In this manner, the security policy shown in FIG. 3 can set “quarantine execution items” and “simulation mode” for the basic policy 10a and the group policy 10b, respectively. Thereby, even if the switching hub 30 that does not have the authentication function is arranged in the network, the quarantine apparatus 10 can cause the switching hub 40 that has the authentication function to perform authentication based on the simulation mode. . Further, depending on the security level, even the switching hub 40 having an authentication function can connect the client terminal to the network 1 without authenticating the client terminal.

  FIG. 4 is a table showing the asset ledger 10d stored in the asset ledger setting unit 130. In the asset ledger 10d, identification information and group information for individually identifying the client terminals 8, 52 to 74, etc. are registered in association with each other. In this embodiment, “asset ID”, “asset name”, “IP address”, “MAC address”, and “computer name” are shown as identification information, and “security policy group name” is shown as group information. It is shown.

  In the column of “asset ID” in the leftmost column in FIG. 4, numbers assigned to client terminals registered in the asset register 10d as information assets are shown. Here, the serial number for each client terminal is indicated from “1”.

  In the column of “Asset Name” in the second column from the left, names defined for the client terminals 8, 52 to 74, etc. are shown. In FIG. 4, “client terminal 52”, “client terminal 62”, etc. are shown as asset names as an example.

  In the third column and the fourth column from the left, columns of “IP address” and “MAC address” are shown, respectively, and the IP address and MAC address set for the client terminals 8, 52 to 74, etc. are shown. Expressed in correspondence with the asset name. In the column of “Computer Name” in the fifth column from the left, host names defined for the client terminals 8, 52 to 74, etc. are shown.

  The “security policy group name” in the rightmost column indicates a group name that defines a plurality of client terminals as a common group. For example, the client terminal 52 belongs to the group M, and the client terminal 62 belongs to the group N. Each group information corresponds to a group policy set by the security policy group setting unit 120.

  FIG. 5 is a table schematically showing the group policy 10 b set by the security policy group setting unit 120. In the group policy 10b, a security policy is defined for each group information defined in the asset ledger 10d.

  In the table shown in FIG. 5, columns of “group ID”, “security policy group name”, “security policy”, and “simulation mode” are shown.

  In the column “Group ID” in the leftmost column, the identification numbers for the security policy group names shown in the adjacent columns are shown in ascending order.

  In the column “security policy” in the third column from the left, information indicating the security policy applied to each security policy group name is shown. Here, it is indicated that the “security policy for group M” is applied to the client terminals belonging to the group M, but for example, an identification number indicating each security policy may be indicated. .

  The “simulation mode” column in the rightmost column shows the simulation mode defined in the above security policy. For example, only the quarantine is performed on the client terminals belonging to the group M, and the authentication of the client terminals is not performed. In addition, quarantine and authentication are performed on client terminals belonging to the group N. At this time, authentication is performed regardless of the security state of the client terminal. Similarly, client terminals belonging to the last group L are quarantined and authenticated. However, authentication is performed only when the client terminal satisfies security (quarantine execution item).

  FIG. 6 is a table schematically showing the network policy 10 c set by the security policy group setting unit 120. In the group policy 10b, the client terminals 52 to 74 are divided into three groups M, N, and L, and a unique security policy is defined for each group. In the network policy 10c, a unique security policy is defined for each IP address range. A security policy is defined.

  In the table shown in FIG. 6, columns of “group ID”, “network name”, “IP address range”, and “security policy group name” are shown.

  In the “group ID” column in the leftmost column, the identification numbers corresponding to the “network name” shown in the adjacent column are shown in ascending order. In the “network name” column, a name for identifying each network range is shown.

  The column “IP address range” in the third column from the left shows an IP address indicating a network range. For example, one of 10 IP addresses from IP_50 to IP_59 is any IP address. The set client terminal belongs to “network 1” shown in the network name column.

  The “security policy group name” column in the rightmost column shows a group name corresponding to the above group policy. Accordingly, the security policy defined for “group M” is implemented for the client terminals belonging to the network 1.

  Note that the IP address range shown in FIG. 6 may be indicated by a network segment (network space) in which the network 1 is divided into a plurality of segments, such as the segments 1X and 1Y shown in FIG. This network segment may divide the network 1 into a plurality of sub-networks using, for example, a subnet mask, and may indicate a range of IP addresses that can be set for client terminals belonging to each sub-network.

FIG. 7 is a sequence diagram showing quarantine and authentication processes performed by the quarantine apparatus 10 and the switching hub 40. FIG. 8 is a flowchart showing processing for determining a security policy to be applied to the client terminals 8, 52 to 74 by the quarantine apparatus 10. In FIG. 7, quarantine and authentication processes when the basic policy 10a, the group policy 10b, and the network policy 10c are applied will be described using the client terminals 8, 52, and 72.
[Security status check]
Step S10: The client terminal 8 checks the security state from the client program storage unit 180 of the quarantine apparatus 10 using, for example, power-on, restart, or download from the Web screen as a trigger (not shown as a sequence step). Get the program. Similarly, the client terminals 52 and 72 also acquire the above-mentioned program using, for example, power-on, restart, or download from the Web screen as a trigger (steps S12 and S14).

Step S16: The client terminal 8 executes security status inspection according to the program, and uploads event information including the inspection result and identification information of the client terminal 8 to the quarantine apparatus 10. Similarly, the client terminals 52 and 72 are executed according to the program, and the event information is uploaded to the quarantine apparatus 10 (steps S18 and S20).
[Apply security policy]
Step S22: The quarantine apparatus 10 individually determines a security policy to be applied to each of the client terminals 8, 52, 72 based on the uploaded event information. Hereinafter, the process of individually determining security policies (contents of step S22) will be described with reference to the flowchart shown in FIG.
[See Figure 8: Flowchart of security policy decision processing]
Step S220: The quarantine apparatus 10 receives (acquires) the event information sent from the client terminals 8, 52, 72 as described above.

  Step S222: The quarantine apparatus 10 determines whether or not the identification information included in the received event information corresponds to the security group. In other words, the quarantine apparatus 10 identifies the identification information included in the event information from the identification information stored in the asset ledger setting unit 130, and the identified identification information is registered in association with any group information. If yes (Yes), the group policy is applied (step S224) and the client terminal is quarantined.

  For example, the identification information of the client terminal 52 is registered in the asset ledger 10d shown in FIG. 4 and corresponds to one of the security groups (here, group M). Therefore, the quarantine apparatus 10 applies a group policy unique to “group M” to the client terminal 52.

  On the other hand, when the identified identification information is not registered in association with any group information (step S222: No), the process proceeds to the next step S226.

  Step S226: The quarantine apparatus 10 determines whether or not the identification information is registered in the network policy shown in FIG. Specifically, based on the IP address set in the client terminal as the identification information, it is determined whether or not it is included in the IP address range or network segment (network space) of any one of the networks 1-3. To do.

  When the IP address of the client terminal is included in the IP address range or the network segment (Yes), the network policy is applied to the client terminal (step S228), and this process ends. On the other hand, when the IP address of the client terminal is not included in the IP address range (No), the quarantine apparatus 10 applies the basic policy to the client terminal (step S230) and ends this process.

  For example, when the IP address set in the client terminal 72 is “IP_70” shown in FIG. 6 and the IP address set in the client terminal 8 is “IP_8” not shown in FIG. Since the IP address belongs to the IP address range shown in “network 3” (step S226: Yes), the network policy is applied.

On the other hand, since the IP address of the client terminal 8 does not belong to any IP address range (step S226: No), the basic policy is applied.
[Quarantine processing]
When the security policy applied to each of the client terminals 8, 52, 72 is determined along the above flow, the quarantine apparatus 10 next executes the following quarantine process shown in FIG.
[See FIG. 7: Steps S22 and after in the sequence]
Step S24: The quarantine apparatus 10 applies the basic policy 10a to the client terminal 8 for quarantine. In addition, the quarantine apparatus 10 performs quarantine by applying the group policy 10b and the network policy 10c to the client terminals 52 and 72, respectively (step S26, step S28). At this time, the group policy 10b applied to the client terminals 52 belonging to the group M is indicated as “only quarantine is performed” in the simulation mode, and authentication by the switching hub 40 is not performed (see FIG. 5). On the other hand, since the network policy 10c applied to the client terminal 72 is a security policy corresponding to the group L, both quarantine and authentication are performed.
[Authentication process]
Step S30: The switching hub 40 requests an authentication ID from the connection destination client terminal 72. The authentication ID request may not be received from the switching hub 40 in step S30, and the authentication ID may be transmitted from the client software.

  Step S32: The client terminal 72 responds to the switching hub 40 with the requested authentication ID.

  Step S34: The switching hub 40 notifies the authentication device 20 of the acquired authentication ID.

  Step S36: The authentication device 20 performs authentication based on the notified authentication ID, and notifies the authentication result to the client terminal 72 via the switching hub 40. Note that when the authentication fails, the switching hub 40 blocks the connection of the client terminal 72. On the other hand, when the authentication is successful, the switching hub 40 releases the network restriction on the client terminal 72.

  As described above, according to the quarantine network system of the present invention, the client terminals 8, 52 to 74, etc. can be quarantined by applying various security policies, and in conjunction with this, the network Connection restrictions can be made. Therefore, it is possible to provide a flexible security environment in consideration of the security level and network connection restrictions.

10 Quarantine device 30, 40 Switching hub 8, 52, 54, 62, 64, 72, 74 Client terminal 110 Authentication switch information setting unit 120 Security policy group setting unit 130 Asset ledger setting unit 140 Security policy group setting unit 150 for each OS Security Policy Quarantine Department

Claims (4)

A quarantine network system including a quarantine device that quarantines client terminals connected to a network,
The quarantine apparatus is
For each of a plurality of pre-defined security policy groups, group policy information in which a unique security policy and a specific simulation mode that prescribes a quarantine execution item and an authentication mode are associated and registered,
Separately from the security policy for each security policy group registered in the group policy information, basic policy information that respectively defines a basic security policy and simulation mode in the network;
It has asset ledger information registered by associating one of the security policy groups with the identification information of each client terminal,
When executing the quarantine, when the identification information of the client terminal to be quarantined is registered in the asset ledger information, the security policy specific to the security policy group associated with the identification information is applied, and the quarantine is performed. While deciding whether to authenticate quarantined client terminals according to the simulation mode specific to that security policy group,
When the identification information of the client terminal to be quarantined is not registered in the asset ledger information, the client terminal to be quarantined by applying the basic security policy and to be quarantined according to the basic simulation mode A quarantine network system that determines whether or not to perform authentication. In the quarantine network system according to claim 1,
The quarantine apparatus is
Network policy information in which the network range to which the client terminal belongs and any security policy group associated and registered,
When executing the quarantine, if the network to which the client terminal to be quarantined belongs is registered in the network policy information, the security unique to the security policy group associated with the network to which the client terminal to be quarantined belongs A quarantine network system that performs quarantine by applying a policy and determines whether or not to authenticate a client terminal subject to quarantine according to a simulation mode specific to the security policy group. In the quarantine network system according to claim 1 or 2,
The quarantine apparatus is
And further includes security policy group information for each OS in which an OS (Operating System) type and a quarantine execution item are registered in association with each other.
When executing the quarantine, the quarantine is performed by applying the quarantine execution item associated with the security policy group information for each OS according to the type of OS installed in the client terminal to be quarantined. To quarantine network system. In the quarantine network system according to claim 2,
The network range to which the client terminal belongs is a range of IP (Internet Protocol) addresses that can be set in the client terminal.
Quarantine network system.