JP2015154433A - Communication monitoring device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problem that when an appliance device is installed with a constitution where two lines at an LAN side and WAN side are drawn out of one router/switch, packets from the same IP may arrive from both two lines due to the setting mistake of the router or switch, resulting in the occurrence of a failure in the appliance device or the stop of communication caused by the occurrence of a failure in a network.SOLUTION: A monitoring device for monitoring communication flowing in four lines, that is, an LAN side line and a WAN side line of an appliance device and an LAN connection line and a WAN connection line for the appliance drawn out of a router/switch is configured to determine the matching of a communication session and a reception packet or the matching of mutual communication sessions, and to change the policy of the passage/disposal or routing of each communication session in accordance with the matching such that it is possible to continue or stop a communication service or an appliance service for each communication session.

Description

  The present invention relates to a communication monitoring device, and more particularly to a monitoring device that monitors communication flowing through an appliance device.

  A WAN acceleration device for accelerating communication using a WAN (Wide Area Network), an IDS (Intrusion Detection System) for enhancing the security of a data center or a base, or a Web for accelerating the response of a Web server Various appliances such as high-speed devices are becoming widely used.

  It is common to install and operate an appliance device at the boundary between an outside network such as a WAN or the Internet and an inside network such as a data center or LAN of a base. If an abnormal packet flows into the appliance device due to a setting error or attack, the appliance device may behave unexpectedly. A failure may occur in the network due to an unexpected behavior of the appliance device.

  In order to prevent such a network failure, a monitoring device that monitors a packet flowing into the appliance device and discards the packet when an abnormality is detected may be installed together with the appliance device.

  For example, an apparatus for determining whether to permit access to a second terminal based on information stored in a fixed-length packet including an access request from the first terminal to the second terminal is disclosed. (Patent Document 1).

JP-A-10-215248

  When installing the appliance device as a configuration that pulls out two lines on the LAN side and two lines on the WAN side from a single router / switch (router or switch), it can be Packets may arrive from both of the two lines. In such a case, there has been a problem that a failure occurs in the appliance device or communication is stopped due to a network failure.

  In order to solve the above-described problems, a communication device and a packet monitoring method in the communication device according to the present invention are the LAN connection drawn from the transfer device installed on the network connecting the LAN and the WAN. First line for WAN connection, second line for WAN connection drawn from the transfer device, third line on the LAN side drawn from the appliance device, and fourth line on the WAN side drawn from the appliance device And a storage unit comprising connection management information for designating a routing destination of a packet received from the transfer device or appliance device for each of the first line, the second line, the third line, and the fourth line. The consistency of the received packet is determined based on the source information of the packet and the destination information of the packet. And a calculation unit that passes the packet to a routing destination when it is determined to be consistent, and changes the routing destination when it is determined as inconsistent. .

  According to the present invention, the monitoring device includes a LAN side line of the appliance device, a WAN side line of the appliance device, a LAN connection line for the appliance drawn from the router / switch, and a WAN connection line for the appliance drawn from the router / switch. It is possible to monitor the communication flowing through the four lines. Furthermore, it is possible to monitor the consistency between communication sessions that flow through four lines and received packets, and it is possible to monitor the consistency between communication sessions that flow through four lines, and communication sessions that flow through four lines. It is possible to specify continuation / stop of the communication service or appliance service according to the consistency between the received packet and the received packet.

The system block diagram which has the apparatus in this Embodiment. FIG. 2 is a functional block diagram of a monitoring apparatus 200 in Embodiment 1. Explanatory drawing of the subject which the monitoring apparatus in Example 1 tends to solve. Explanatory drawing of the structure which the monitoring apparatus in Example 1 implement | achieves newly. Explanatory drawing of the function which the monitoring apparatus in Example 1 implement | achieves newly. Packet format diagram. FIG. 6 is a functional block diagram of a monitoring apparatus 700 in Embodiment 2. The flowchart figure which creates a new entry in a connection management table. The flowchart figure which judges the consistency of an entry and a received packet. The flowchart figure which judges the consistency of entries. The flowchart figure which reads the entry which corresponds to a received packet.

  A typical form for carrying out the present invention is as follows. Example 1 describes a basic form. In the second embodiment, a mode in which the monitoring unit and the appliance unit are combined into one device will be described.

  First, the problem to be solved by the present invention will be described with reference to FIGS.

  FIG. 1 shows a configuration diagram of a system having a monitoring apparatus to which the present invention is applied.

  The monitoring apparatuses 200A to 200C have two lines for routers / switches (routers or switches) 202A to 202C installed on communication lines that connect the LANs 110, 120, and 130 and the WAN 140 in a plurality of bases. It is connected. Furthermore, the monitoring devices 200A to 200C are connected to the appliances 201A to 201C by two lines.

  Routers / switches 202A-C and WAN 140 are connected by access lines 191, 192, 193. A plurality of terminals 111 to 113, 121 to 123, and 131 to 133 are connected to the LANs 110, 120, and 130 at each site. In addition, the number of terminals, devices, and networks may include an appropriate number other than illustrated.

  FIG. 3 shows an explanatory diagram of the problem to be solved by the present invention.

  The appliance 201 is installed in a configuration in which a LAN-side line 302 and a WAN-side line 303 are drawn from one router / switch 202. The router / switch 202 is connected to the LANs 110, 120 and 130 via the router 300, and is connected to the WAN 140 via the router 301.

  First, the case where the setting of policy routing / switching (policy routing or switching) in the router / switch 202 is correct (310) will be described.

  Note that the correct setting means that the router / switch 202 is configured so that a packet exchanged between the WAN 140 and the appliance 201 passes through the line 303, and the LAN 110, 120, 130 and the appliance 201 This means that the router / switch 202 is set to be routed so that a packet exchanged between the two passes through the line 302.

  Packets from the LANs 110, 120, and 130 enter the router / switch 202 via the router 300, and arrive at the appliance 201 through the LAN side line 302. Then, a packet from the appliance 201 to the WAN 140 enters the router / switch 202 through the WAN-side line 303, and exits to the WAN 140 through the router 301.

  On the other hand, a packet from the WAN 140 enters the router / switch 202 via the router 310 and arrives at the appliance 201 via the WAN-side line 303. Packets from the appliance 201 to the LANs 110, 120, and 130 enter the router / switch 202 through the LAN-side line 302 and pass through the router 300 to the LANs 110, 120, and 130.

  Next, a case where the policy routing / switching setting of the router / switch 202 is incorrect (320) will be described.

  Here, if the setting is incorrect, the routing that the packet exchanged between the WAN 140 and the appliance 201 passes through the line 303 is not set in the router / switch 202, and the LAN 110, 120 , 130 and the appliance 201 are not set in the router / switch 202 so that a packet passing through the line 302 is exchanged. If the setting is incorrect, packets from the LANs 110, 120, and 130 arrive at the appliance 201 via both the lines 302 and 303, and packets from the WAN 140 pass through both the lines 302 and 303. Or arrive at the appliance 201.

  If the settings are incorrect, packets from the LANs 110, 120, and 130 enter the router / switch 202 via the router 300, but then arrive at the appliance 201 via the LAN-side line 302, or the WAN side May arrive at the appliance 201 via the line 303. The appliance 201 receives a packet from the LAN from both the LAN side line 302 and the WAN side line 303. Then, the appliance 201 generates a problem by receiving an unexpected packet. In some cases, the problem of the appliance 201 may stop the network.

  Similarly, if the setting is wrong, a packet from the WAN 140 enters the router / switch 202 via the router 300, but then arrives at the appliance 201 via the LAN side line 302 or Sometimes, it arrives at the appliance 201 through the line 303. The appliance 201 receives a packet from the WAN from both the LAN side line 302 and the WAN side line 303. Then, the appliance 201 generates a problem by receiving an unexpected packet. In some cases, the problem of the appliance 201 may stop the network.

  Next, the configuration to which the present invention is applied and the function thereof will be described with reference to FIGS.

  FIG. 4 shows a configuration including a monitoring apparatus 200 to which the present embodiment is applied.

  First, a conventionally known monitoring device 401 introduced in an in-path configuration is shown between the appliance 400 and the router 403. Also, a conventionally known monitoring device 402 that is introduced in an out-path configuration by connecting to a single line drawn from the router 404 is shown.

  The first conventionally known monitoring device 401 monitors the packet 405 received from the LANs 110, 120, and 130 via the appliance 400 and also monitors the packet 406 received from the WAN 140 via the router 403. On the other hand, the second conventionally known monitoring device 402 monitors packets 407 received from the LANs 110, 120, and 130 via the appliance 400 and also monitors packets 408 received from the WAN 140 via the router 404. These monitoring devices 401 and 402 can only monitor two types of packets, packets coming from the WAN side of the appliance 400 and packets coming from the WAN via the router 404.

  On the other hand, the monitoring apparatus 200 to which the present invention is applied came from the LAN 110, 120, 130 via the router 202, the packet 410 received from the WAN 140 via the router 202, and the LAN side of the appliance 201. A total of four types of packets are monitored: the packet 411 and the packet 412 coming from the WAN side of the appliance 201. In this way, by using the monitoring device 200 that can monitor four types of packets, a system different from the conventionally known monitoring devices 401 and 402 that monitor two types of packets can be assembled.

  FIG. 5 is an explanatory diagram of functions realized by the monitoring apparatus 200 to which the present invention is applied.

  First, a conventionally known monitoring device 501 introduced in an in-path configuration is shown between the appliance 500 and the router 502.

  When the conventionally known monitoring apparatus 501 determines that the packet received from the WAN side of the appliance 500 has an inconsistency such as the IP address of the WAN side terminal being used as the source IP address, Is discarded (503).

  Similarly, the conventionally known monitoring device 501 determines that a packet received from the WAN 140 via the router 502 has an inconsistency, for example, the IP address of the terminal on the LAN side is used as the transmission source IP address, and is abnormal. Then, the packet is discarded (504).

  The conventionally known monitoring apparatus 501 uses the IP address of the terminal on the LAN side as the source IP address for the packet received from the WAN side of the appliance 500 and sends the source to the packet received from the WAN 140 via the router 502. If the IP address is consistent, for example, the IP address of the WAN terminal is used, and if it is determined to be normal, the packet is passed (505).

  As described above, the conventionally known monitoring apparatus 501 determines consistency between the packet from the WAN side and the packet from the WAN side of the appliance, and discards the packet according to the matching / mismatch of the determination result. Alternatively, packet passing processing is performed.

  On the other hand, the monitoring apparatus 200 to which the present invention is applied has the consistency of the packets 507 received from the LANs 110, 120, and 130 and the WAN 140 via the router 202, and if it is determined to be normal, the appliance extracted from the router 202 The packet is passed between the LAN connection line for the appliance and the LAN side line of the appliance 201, and the packet is passed between the WAN connection line for the appliance drawn from the router 202 and the WAN side line of the appliance 201. (509).

  The monitoring apparatus 200 to which the present invention is applied, for example, applies two kinds of passage methods when it is determined that there is an inconsistency in the packets received from the LANs 110, 120, and 130 or the WAN 140 via the router 202 and that the packets are abnormal.

  First, the packet 508 is passed between the appliance LAN connection line drawn from the router 202 and the WAN side line of the appliance 201, and the appliance WAN connection line drawn from the router 202 and the LAN of the appliance 201 are passed. The path between the appliance 201 and the router 202 may be reversed by passing the packet 508 between the side lines (511).

  Second, the packet 506 may be passed between the appliance LAN connection line drawn out from the router 202 and the appliance WAN connection line drawn out from the router 202 (510). That is, the packet 506 is passed only through the monitoring device 200 and not passed through the appliance device 201.

  As described above, the monitoring device 200 to which the present invention is applied includes a packet from the LAN side of the router, a packet from the WAN side of the router, a packet from the LAN side of the appliance, and a packet from the WAN side of the appliance. On the other hand, consistency can be determined, and different routings can be performed according to consistency / inconsistency of the determination result. That is, the monitoring apparatus 200 to which the present invention is applied can realize a function different from that of the conventionally known monitoring apparatus 501.

  Note that the conventionally known monitoring device 501 only passes or discards the packet in accordance with matching / mismatching. That is, since the monitoring apparatus 501 discards the packet when an abnormality is detected, the appliance service and the communication service are stopped. On the other hand, the monitoring apparatus 200 to which the present invention is applied performs different routing according to matching / mismatching. Therefore, the monitoring device 200 can continue the appliance service and the communication service even when an abnormality is detected.

  FIG. 2 shows a functional block diagram of the monitoring devices 200A to 200C to which the present invention is applied.

  The apparatus 200 includes an operation unit 290 that performs various operations such as packet input / output and reading / writing of the storage unit 280. The calculation unit 290 includes connection registration units 210 and 211, an abnormal entry detection unit 240, inconsistent packet detection units 212 and 213, communication blocking units 214 and 215, a routing unit 216, an alarm generation unit 220, A change unit 271.

  These functional blocks may be provided in an LSI such as an ASIC (Application Specific Integrated Circuit) as a fixed circuit, or in a CPU (Central Processing Unit) or NP (Network Processor) as a program module. It may be provided.

  The monitoring device 200 is connected to the LAN side NIC 204 of the appliance device 201 via the line (3), connected to the WAN side NIC 203 of the appliance device 201 via the line (4), and connected to the appliance extracted from the router / switch 202. The router / switch 202 is connected via the LAN connection line (1) and the appliance WAN connection line (2).

  Packets from the LANs 110, 120, and 130 pass through the line (1) via the router / switch 202 and arrive at the monitoring device 200. The packet from the WAN 140 passes through the line (2) via the router / switch 202 and arrives at the monitoring device 200. A packet from the appliance 201 to the LANs 110, 120, and 130 arrives at the monitoring device 200 through the line (3). A packet from the appliance 201 to the WAN 140 passes through the line (4) and arrives at the monitoring device 200.

  The storage unit 280 includes a storage medium / memory for recording information. The storage unit 280 includes a connection management table 250 and a policy 270.

  The connection management table 250 records a LAN / WAN side IP / port number as a session detection condition for each entry, and designates discard / pass of matching packets and a routing destination for every four lines. In the connection management table 250, for each entry 251-N (N = 1, 2, 3,... M), a LAN IP 252 representing a LAN side IP number, a WAN IP 253 representing a WAN side IP number, and a LAN side port A session detection condition including a LAN port 254 representing a number and a WAN port 255 representing a WAN port number is recorded.

  Based on the policy 270 specified by the external terminal 230 via the changing unit 271, the changing unit 271 routes routing destinations Route1 to 4 (256 to 259) and discard / passing Drop1 to 4 (260 to 263) that match the session detection condition. ) Is designated for each of the lines (1) to (4) that received the packet.

  When connection registration units 210 and 211 receive a packet that does not have a matching entry in connection management table 250, connection registration units 210 and 211 create a new entry in connection management table 250.

  The abnormal entry detection unit 240 detects two entries having the same LAN side IP and WAN side IP from the connection management table 250, and changes the setting of discard / pass and routing destination.

  The inconsistent packet detectors 212 and 213 check the consistency between the source IP / port number and destination IP / port number of the received packet and the LAN / WAN side IP / port number of the matching entry in the connection management table 250. When it is determined that there is a mismatch, the discard / pass and routing destination are changed.

  The communication blocking units 214 and 215 discard the packet in accordance with the discard / passage described in the entry in the connection management table 250 that matches the received packet.

  In accordance with the routing destination described in the entry in the connection management table 250 that matches the received packet, the routing unit 216 sends the received packet to the LAN side line (3) of the appliance 204, the WAN side line (4) of the appliance, The data is transferred to either the appliance LAN connection line (1) drawn from the router / switch or the appliance WAN connection line (2) drawn from the router / switch.

  The alarm generation unit 220 generates an alarm based on the detection results of the inconsistent packet detection units 212 and 213 and the abnormal entry detection unit 240 and notifies the external terminal 230 of the alarm.

  FIG. 6 shows a format diagram of a packet transmitted and received by the apparatus.

  The packet includes a MAC header 600, an IP header 610, a TCP header 620, a TCP option header 630, and a payload 650.

  The MAC header 600 includes a DMAC 601 that represents a destination MAC address, an SMAC 602 that represents a source MAC address, and a Type 603 that represents a MAC frame type.

  The IP header 610 includes an IP length 611 representing the packet length excluding the MAC header, a protocol 612 representing the protocol number, a SIP 613 representing the transmission source IP address, and a DIP 614 representing the destination IP address.

  The TCP header 620 includes a src. port 621 and dst. a port 622; a SEQ 623 representing a transmission sequence number; an ACK 624 representing a reception sequence number; a flag 625 representing a TCP flag number; and a tcp hlen 626 representing a TCP header length.

  The TCP option header 630 includes an option kind 631 representing an option type, an option length 632 representing an option length, and left_edge_1 to 4 (633, 633) used to notify the transmission terminal of the location of the data portion where the data has been partially received from where. 635, 637, 639), right_edge_1-4 (634, 636, 638, 640). In some cases, left_edge_1 to 4 (633, 635, 637, 639) and right_edge_1 to 4 (634, 636, 638, 640) are used to notify the positions of data portions that could not be received partially. Further, the TCP option header 630 may be used for information exchange between devices when starting TCP communication.

  When the connection registration units 210 and 211 described above receive a packet directed from the LAN to the WAN on the LAN connection line for appliance (1) drawn from the router / switch or the WAN side line (4) of the appliance, An entry having a LAN side IP / port number and a WAN side IP / port number that match the packet source IP / port number and destination IP / port number is searched from the connection management table 250, and if there is no such entry, a new entry is registered. To do. Further, when the connection registration units 210 and 211 receive a packet from the WAN to the LAN on the WAN connection line (2) for the appliance drawn from the router / switch or the LAN side line (3) of the appliance, Search the connection management table 250 for an entry having the WAN side IP / port number and the LAN side IP / port number that match the packet source IP / port number and the destination IP / port number, and newly register if there is no such entry. To do.

  FIG. 8 is a flowchart for creating a new entry in the connection registration units 210 and 211.

  First, the connection registration units 210 and 211 determine whether the direction of the received packet is from LAN to WAN (step 801). That is, it is determined whether or not the packet is received through the lines (1) and (4).

  When the direction of the received packet is from LAN to WAN, the connection registration units 210 and 211 determine the LAN IP / port 252/254 that matches the source IP / port number of the received packet and the destination IP / port number of the received packet. It is determined whether or not the entry 251 having the matching WAN IP / port 253/255 exists in the connection management table 250 (step 802).

  If the entry 251 exists in the connection management table 250, the process ends without doing anything (step 807).

  When the entry 251 does not exist in the connection management table 250, the connection registration units 210 and 211 determine the LAN IP / port 252/254 that matches the source IP / port number of the received packet and the destination IP / port number of the received packet. Is newly created in the connection management table 250 (step 803).

  In step 801, when the direction of the received packet is from WAN to LAN, that is, in the case of a packet received via the lines (2) and (3), the connection registration units 210 and 211 send the source IP / port number of the received packet. It is determined whether or not an entry 251 having a LAN IP / port 252/254 that matches the destination IP / port number of the received packet exists in the connection management table 250 (step 804). .

  If the entry 251 exists in the connection management table 250, the process ends without doing anything (step 807).

  When the entry 251 does not exist in the connection management table 250, the connection registration units 210 and 211 determine the WAN IP / port 253/255 that matches the source IP / port number of the received packet and the destination IP / port number of the received packet. An entry 251 having a LAN IP / port 252/254 that matches is newly created in the connection management table 250 (step 805).

  The line (1) connected between the LAN 110, 120, and 130 via the router 202 and the WAN 140 by the entry recorded in the connection management table 250 and the new entry creation process of the connection registration units 210 and 211. Between the line (2) connected via the router 202, the line (3) connected to the LAN NIC of the appliance 201, and the line (4) connected to the WAN NIC of the appliance 201, a total of 4 One line can be monitored.

  When the inconsistent packet detectors 212 and 213 receive a packet from the LAN to the WAN on the LAN connection line for appliance (1) drawn from the router / switch or the WAN side line (4) of the appliance, The connection management table 250 is searched for an entry having the WAN side IP / port number and the LAN side IP / port number that match the source IP / port number and the destination IP / port number of the packet. If an entry having a WAN side IP / port number and a LAN side IP / port number that match the source IP / port number and destination IP / port number of the received packet is found in the connection management table 250, the inconsistent packet detection unit 212, 213 determines that there is a mismatch, and changes the discard / pass and routing destination.

  Further, when a packet directed from the WAN to the LAN is received on the appliance WAN connection line (2) drawn from the router / switch or the LAN side line (3) of the appliance device, the source IP / port number of the received packet is received. Then, the connection management table 250 is searched for an entry having the LAN side IP / port number and the WAN side IP / port number that match the destination IP / port number. If an entry having a LAN side IP / port number and a WAN side IP / port number that match the source IP / port number and destination IP / port number of the received packet is found, the inconsistent packet detectors 212 and 213 Judged as inconsistent, discard / pass and change routing destination.

  FIG. 9 shows a flowchart for changing the discard / passage and routing destination described in the entry when the inconsistent packet detectors 212 and 213 determine that the received packet is inconsistent.

  First, the mismatch packet detection units 212 and 213 determine whether the direction of the received packet is from LAN to WAN (step 901). That is, it is determined whether or not the packet is received through the lines (1) and (4).

  When the direction of the received packet is from LAN to WAN, the inconsistent packet detectors 212 and 213 have the WAN IP / port 253/255 that matches the source IP / port number of the received packet and the destination IP / port of the received packet. It is determined whether or not an entry 251 having a LAN IP / port 252/254 that matches the number exists in the connection management table 250 (step 902).

  If the entry 251 exists in the connection management table 250, the process ends without doing anything (step 907).

  If the entry 251 exists in the connection management table 250, the inconsistent packet detectors 212 and 213 determine that the packet is inconsistent and the routing destinations Route1 to 4 (256 to 259) of the detected entry are determined. And the policy of discard / pass Drop1-4 (260-263) is changed (step 903).

  In step 901, if the direction of the received packet is from the WAN to the LAN, that is, if it is a packet received on the lines (2) and (3), the inconsistent packet detectors 212 and 213 specify the source IP / It is determined whether or not an entry 251 having a LAN IP / port 252/254 that matches the port number and a WAN IP / port 253/255 that matches the destination IP / port number of the received packet exists in the connection management table 250 (step) 904).

  If the entry 251 exists in the connection management table 250, the process ends without doing anything (step 907).

  If the entry 251 exists in the connection management table 250, the inconsistent packet detectors 212 and 213 determine that the packet is inconsistent and the routing destinations Route1 to 4 (256 to 259) of the detected entry are determined. And the policy of discard / pass Drop1-4 (260-263) is changed (step 905).

  In the above-described inconsistent packet detectors 212 and 213, the communication session on the four lines (1) to (4) is changed by the process of discarding / passing and changing the routing destination when an abnormal packet that cannot be matched is detected. It becomes possible to monitor the consistency of received packets.

  In the connection management table 250, the abnormal entry detection unit 240 discards / passes each entry when the LAN IP 252 and the LAN port 254 of one entry 251 match the WAN IP 253 and the WAN port 255 of another entry 251. Change the routing destination settings. Furthermore, when the WAN IP 253 and the WAN port 255 of a certain entry 251 match the LAN IP 252 and the LAN port 254 of another entry 251, the abnormal entry detection unit 240 discards / passes each entry and sets a routing destination. To change.

  FIG. 10 shows a flowchart for changing the discard / passage and routing destination described in the entry when the inconsistency between entries is detected in the abnormal entry detection unit 240.

  First, the abnormal entry detection unit 240 determines whether the LAN IP 252 and the LAN port 254 of one entry 251 match the WAN IP 253 and the WAN port 255 of another entry 251 in the connection management table 250. (Step 1001).

  If not, the process proceeds to step 1003 described later.

  If they match, the abnormal entry detection unit 240 determines that the abnormal entries are inconsistent, and the routing destinations Route1 to 4 (256 to 259) and the discard / passage Drop1 to 4 (260 to 260) of the two entries 251 are determined. 263) policy is changed (step 1002).

  Further, the abnormal entry detection unit 240 determines whether or not the WAN IP 253 and the WAN port 255 of a certain entry 251 match the LAN IP 252 and the LAN port 254 of another entry 251 in the connection management table 250 (Step 251). 1003).

  If not, the process ends (step 1005).

  If they match, the abnormal entry detection unit 240 determines that the abnormal entries are inconsistent, and the routing destinations Route1 to 4 (256 to 259) and the discard / passage Drop1 to 4 (260 to 260) of the two entries 251 are determined. 263) policy is changed (step 1004).

  In the abnormal entry detection unit 240 described above, when the abnormal entries that cannot be matched are detected, the discard / pass and the process of changing the routing destination are performed, so that the communication sessions in the four lines (1) to (4) It becomes possible to monitor consistency.

  The communication blocking units 214 and 215 and the routing unit 216 have routing destinations Route 1 to 4 (256 to 259) and discard / passing Drops 1 to 4 (260 to 263) described in the entry 251 in the connection management table matching the received packet. The packet is processed according to the policy.

  FIG. 11 is a flowchart for reading out the entry 251 matching the received packet from the connection management table 250 in the communication blocking units 214 and 215 and the routing unit 216.

  The communication blocking units 214 and 215 and the routing unit 216 determine whether the direction of the received packet is from the LAN to the WAN (step 1101). That is, it is determined whether or not the packet is received through the lines (1) and (4).

  When the direction of the received packet is from LAN to WAN, the communication blockers 214 and 215 and the routing unit 216 have the LAN IP / port 252/254 that matches the source IP / port number of the received packet and the destination IP of the received packet. The entry 251 having the WAN IP / port 253/255 that matches the / port number is read from the connection management table 250 (step 1102).

  On the other hand, in step 1101, when the direction of the received packet is from WAN to LAN, that is, in the case of a packet received on the lines (2) and (3), the communication blocking units 214 and 215 and the routing unit 216 An entry 251 having the WAN IP / port 253/255 that matches the source IP / port number and the LAN IP / port 252/254 that matches the destination IP / port number of the received packet is read from the connection management table 250 (step 1103).

  In the case of a normal received packet with consistency, for example, it is described as passing in Drops 1 to 4 (260 to 263) of the read entry 251 and (3) to Routes 1 to 4 (256 to 259), respectively. (4), (1), (2), line (1) to line (3), line (2) to line (4), line (3) to line (1), line ( 4) routed to be transferred to line (2).

  In the case of an abnormal received packet that cannot be matched, for example, it is described as passing in Drops 1 to 4 (260 to 263) of the read entry 251 and (4), (4 to (256 to 259) respectively. 3), (2), (1), line (1) to line (4), line (2) to line (3), line (3) to line (2), line (4 ) To the line (1). Thereby, the communication function and the appliance function are maintained in the session in which the abnormality is detected.

  In the case of an abnormal received packet that cannot be matched, for example, Drop 1 to 4 (260 to 263) of the read entry 251 are described as passing, passing, discarding, and discarding, respectively, and Routes 1 to 4 (256). ˜259) are respectively described as (2), (1), −, −, and are passed through between the line (1) and the line (2). As a result, in the session where an abnormality is detected, the appliance function is stopped, but the communication function can be maintained.

  In the case of an abnormal received packet that cannot be matched, for example, discard is described in Drops 1 to 4 (260 to 263) of the read entry 251 and is received by any of the lines (1) to (4). Regardless of it is discarded. As a result, both the appliance function and the communication function can be stopped in the session in which an abnormality is detected.

  By the packet processing in the communication blocking units 214 and 215 and the routing unit 216 described above, it is possible to continue or stop the communication service or the appliance service according to the consistency between the communication session flowing through the four lines and the received packet.

  The function of the monitoring apparatus 200 according to the first embodiment may be mounted on the monitoring function-equipped appliance 700 as one function block.

  FIG. 7 shows an example of a block diagram of the appliance 700 with a monitoring function. The monitoring device 200 is mounted on the appliance 700 with a monitoring function as the monitoring unit 701 and the appliance device 202 is mounted on the appliance 700 with a monitoring function.

200 Monitoring Device 110, 120, 130 Network 111, 121, 131 Terminal 191, 192, 193 Line 210, 212 Processing Unit 250 Table 251 Entry 801 Flowchart Branching Process 803 Flowchart Step

Claims (14)

A LAN connection first line drawn from a transfer device installed on a network connecting the LAN and WAN, a WAN connection second line drawn from the transfer device, and an appliance device A third line on the LAN side and a fourth line on the WAN side drawn from the appliance device,
A storage unit comprising connection management information for designating a routing destination of a packet received from the transfer device or the appliance device for each of the first line, the second line, the third line, and the fourth line;
The consistency of the received packet is determined with reference to the connection management information based on the source information of the packet and the destination information of the packet, and if it is determined to match, the packet is passed to the routing destination. And an arithmetic unit that changes the routing destination when it is determined as inconsistent,
A monitoring device comprising: The calculation unit includes a connection registration unit that creates a new entry in the connection management information, and an inconsistent packet detection unit that determines the consistency of the packet.
The source information of the packet is the IP number and port number of the source,
The monitoring apparatus according to claim 1, wherein the destination information of the packet is a destination IP number and a port number. The connection registration unit
Determining whether an entry comprising source information of the packet and destination information of the packet exists in the connection management information;
The monitoring apparatus according to claim 2, wherein when it is determined that the packet does not exist, a new entry including transmission source information of the packet and destination information of the packet is created in the connection management information. The inconsistent packet detector is
Determine the direction of reception of the packet;
When a packet is received from the first line or the fourth line and the direction of reception is from LAN to WAN, the IP number and port number of the WAN that matches the IP number and port number of the transmission source of the packet And whether or not there is an entry in the connection management information that includes a LAN IP number and a port number that match the destination IP number and port number of the packet,
When there is a matching entry, the packet is determined to be inconsistent, the routing destination of the packet is changed,
When a packet is received from the second line or the third line and the direction of reception is from WAN to LAN, the IP number and port number of the LAN that match the source IP number and port number of the packet And an entry including the WAN IP number and the port number that match the IP address and port number of the destination of the packet is determined in the connection management information,
Determining that the packet is inconsistent when there is a matching entry, and changing the routing destination of the packet;
The monitoring device according to claim 2. The calculation unit further includes an abnormal entry detection unit,
The abnormal entry detection unit
Refer to the connection management information, determine whether the LAN-side IP number and port number described in one entry matches the WAN-side IP number and port number described in another entry,
When it is determined that they match, it is determined that the certain entry and the other entry are abnormal, and the routing destination of the certain entry and the other entry is changed,
With reference to the connection management information, it is determined whether the WAN-side IP number and port number described in one entry matches the LAN-side IP number and port number described in another entry,
When it is determined that they match, the routing entry of the certain entry and the other entry is changed, assuming that the certain entry and the another entry are abnormal,
The monitoring device according to claim 2.   The arithmetic unit allows a packet determined to be matched to pass between the fourth line and the second line, or between the third line and the first line. Item 5. The monitoring device according to Item 4.   The arithmetic unit allows a packet determined to be inconsistent to pass between the fourth line and the first line or between the third line and the second line. The monitoring device according to claim 4.   The monitoring apparatus according to claim 4, wherein the arithmetic unit passes a packet determined to be inconsistent between the first line and the second line.   The monitoring apparatus according to claim 4, wherein the arithmetic unit discards a packet determined to be inconsistent. The transfer device is a switch or a router,
The appliance device is an IDS or web acceleration device,
The first line is a line for LAN connection for appliances drawn from the transfer device,
The second round is a WAN connection line for the appliance drawn from the transfer device,
The arithmetic unit further includes a communication blocking unit and a routing unit,
The routing unit selects one of the third line, the fourth line, the first line, and the second line according to a routing destination described in the entry of the connection management information that matches the packet. To the other line,
The monitoring apparatus according to claim 4, wherein the routing unit includes a communication blocking unit that discards the packet in accordance with discard / pass of the entry of the connection management information that matches the packet. A LAN connection first line drawn from a transfer device installed on a network connecting the LAN and WAN, a WAN connection second line drawn from the transfer device, and an appliance device A third line on the LAN side and a fourth line on the WAN side drawn from the appliance device,
The storage unit includes connection management information for designating a routing destination of a packet received from the transfer device or the appliance device for each of the first line, the second line, the third line, and the fourth line,
The arithmetic unit determines the consistency of the received packet based on the transmission source information of the packet and the destination information of the packet and refers to the connection management information. A packet monitoring method in a monitoring device, wherein the packet is passed through a routing destination and the routing destination is changed when it is determined that there is a mismatch. The calculation unit includes a connection registration unit that creates a new entry in the connection management information, and an inconsistent packet detection unit that determines the consistency of the packet.
The source information of the packet is the IP number and port number of the source,
The monitoring method according to claim 11, wherein the destination information of the packet is a destination IP number and a port number. The connection registration unit
Determining whether an entry comprising source information of the packet and destination information of the packet exists in the connection management information;
13. The monitoring method according to claim 12, wherein when it is determined that the packet does not exist, a new entry including transmission source information of the packet and destination information of the packet is created in the connection management information. The inconsistent packet detector is
Determine the direction of reception of the packet;
When a packet is received from the first line or the fourth line and the direction of reception is from LAN to WAN, the IP number and port number of the WAN that matches the IP number and port number of the transmission source of the packet And whether or not there is an entry in the connection management information that includes a LAN IP number and a port number that match the destination IP number and port number of the packet,
When there is a matching entry, the packet is determined to be inconsistent, the routing destination of the packet is changed,
When a packet is received from the second line or the third line and the direction of reception is from WAN to LAN, the IP number and port number of the LAN that match the source IP number and port number of the packet And an entry including the WAN IP number and the port number that match the IP address and port number of the destination of the packet is determined in the connection management information,
Determining that the packet is inconsistent when there is a matching entry, and changing the routing destination of the packet;
The monitoring method according to claim 12.

Images