JP2017175462A - Communication control device, communication control method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To execute the security measure of IoT equipment with a simple method.SOLUTION: Based on information obtained from a switch unit having a plurality of physical ports, a communication control device generates control information which controls the switch unit. The communication control device includes: in communication through the switch unit, a specific information acquisition unit which acquires specific information specifying at least one of a target device, which performs communication by limiting a communication opposite party, and communication by the target device; an identification information acquisition unit which acquires the identification information which identifies the communication specified based on the specific information; and an output control unit which generates route information which determines the destination of a packet, received by the switch unit, to be output from the switch unit, in a manner to permit and transfer communication, in which the set of the transmission source information and the destination information, given to the packet received by the switch unit, is included in the set of the transmission source information and the destination information determined based on the identification information, so as to include the route information in the control information.SELECTED DRAWING: Figure 1

Description

  Embodiments described herein relate generally to a communication control device, a communication control method, and a program.

2. Description of the Related Art Conventionally, there is known a centralized control type communication control apparatus that controls communication in a network including a plurality of nodes according to a communication rule defined by the network administrator. There is a related technology called OpenFlow (registered trademark). In OpenFlow, the controller centrally manages the switches of each node (see Patent Document 1 and Non-Patent Document 1).
By the way, the number of IoT devices connected to the network tends to increase. There is a need for measures to reduce security concerns in IoT devices.

Special table 2014-526810 gazette

“OpenFlow Switch Specification Version 1.3.1,” The Open Networking Foundation, (2013), [online], [searched January 7, 2016], Internet <https://www.opennetworking.org/images /stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.3.1.pdf>

  However, although various security measures have been taken in devices connected to a network such as a terminal device such as a personal computer or a server device, there are IoT devices that cannot take the same security measures.

  The problem to be solved by the present invention is to provide a communication control device, a communication control method, and a program for implementing security measures for IoT devices by a simple method.

  In order to achieve the above object, a communication control apparatus according to one aspect of the present invention is a communication control apparatus that generates control information for controlling the switch unit based on information obtained from a switch unit having a plurality of physical ports. In the communication via the switch unit, based on the specific information acquisition unit that acquires specific information that specifies at least one of the target device that communicates with limited communication partners or the target device, and the specific information Based on the identification information, a set of an identification information acquisition unit that acquires identification information for identifying the specified communication and transmission source information and destination information given to the packet received by the switch unit is determined. The switch unit for the packet received by the switch unit so that the communication included in the pair of the source information and the destination information is transferred as permitted. And generates path information for determining the output destination, a communication control apparatus and an output control unit to include the route information in the control information.

  Further, the communication control device according to one aspect of the present invention transmits communication permission information indicating that communication is permitted between the target device and a communication partner of the target device from the target device to the communication partner. A WL management unit that generates the communication based on the identification information is divided into communication and communication addressed to the target device from the communication partner.

  In the communication control device according to an aspect of the present invention, the output control unit determines a set of transmission source information and destination information attached to a packet received by the switch unit based on the identification information. Route information for restricting the transfer of communications not included in the set of transmission source information and destination information is generated by the switch unit.

  Further, in the communication control device according to an aspect of the present invention, the output control unit is configured to perform communication addressed to the communication partner from the target device and the target from the communication partner based on the generated communication permission information. The route information for determining the output destination from the switch unit is generated separately from the communication addressed to the device.

  In the communication control device according to one aspect of the present invention, the WL management unit generates a communication permission white list indicating that communication is permitted between the target device and a communication partner of the target device. The communication permission white list is included in the control information, the generated communication permission information is used as an element of the communication permission white list, and the output control unit is associated with the generated communication permission information. Generating the route information for the communication to be made.

  In the communication control apparatus according to an aspect of the present invention, the WL management unit generates a communication partner permission white list indicating that the communication partner permission is permitted, and includes the communication partner permission white list in the control information. Further, communication partner permission information indicating permission as the communication partner is divided into communication addressed to the communication partner of the target device from the target device and communication addressed to the target device from the communication partner of the target device. The communication partner permission information is generated based on the identification information, and the generated communication partner permission information is used as an element of a communication partner permission white list. The output control unit communicates with the target device based on the communication partner permission information. Route information for determining an output destination corresponding to the communication addressed to the target device from the partner is generated.

  In the communication control device according to an aspect of the present invention, the output control unit sends the path information to the switch unit to control the switch unit.

  Further, in the communication control apparatus according to one aspect of the present invention, the output control unit is configured such that a set of layer 3 transmission source information and destination information extracted from identification information given to the received packet is the communication partner. The identification information of the port that received the packet, or the packet was transmitted, that matches at least one of the layer 3 source information and destination information of the communication partner permission information stored in the permission white list When the lower layer identification information including the logical identification information of the port matches the lower layer identification information of the communication permission information stored in the communication permission white list, the received packet is transferred to a desired destination. Thus, the output destination of the received packet is determined.

  In the communication control device according to an aspect of the present invention, the specific information acquisition unit is based on part or all of the target device, a communication entity in the target device, and a communication service of the target device. The specific information determined in this way is acquired.

  Further, in the communication control apparatus according to an aspect of the present invention, the identification information acquisition unit includes, as identification information given to the received packet, a layer 1 identifier, a layer 2 address, a layer 3 address of a communication layer, Then, identification information including part or all of the port number of the layer 4 protocol is acquired.

  Further, in the communication control device according to one aspect of the present invention, the identification information acquisition unit includes a part or all of authentication processing, quarantine processing, and layer 3 address assignment processing resulting from a communication request from the target device. The identification information is acquired from the result.

  Further, in the communication control device according to one aspect of the present invention, the identification information acquisition unit is configured to transmit a packet transmitted from the target device or the entity, or a communication protocol used in communication by the target device or the entity. The identification information is acquired by monitoring.

  In the communication control apparatus according to an aspect of the present invention, the WL management unit causes the switch unit to make a determination based on the identification information given to the received packet and the information on the communication partner permission white list, When the switch unit determines that the received packet is sent to the target device, the output control unit is configured to output the received packet toward the target device. Control the switch section.

  In the communication control device according to one aspect of the present invention, the output control unit acquires the identification information by controlling the switch unit so that a communication partner of the target device exists within a range in which security can be ensured. The unit acquires the identification information in a state where a communication partner of the target device exists within a range in which security can be ensured.

  Further, in the communication control apparatus according to one aspect of the present invention, the output control unit includes a combination of transmission source information and destination information extracted from the identification information given to the received packet, wherein the communication partner permission whitelist When the mismatch state that does not match any of the pair of the transmission source information and the destination information of the communication partner permission information stored in the communication partner permission information occurs, the received packet is not transferred.

  In the communication control device according to an aspect of the present invention, the output control unit notifies the occurrence of the mismatch state when the occurrence of the mismatch state satisfies a predetermined condition.

  Further, in the communication control device according to one aspect of the present invention, the specific information acquisition unit is configured to use the candidate target device based on manufacturer information extracted from a layer 2 address of a candidate target device that is a candidate for the target device. The specific information determined by verifying the legitimacy is acquired.

  In the communication control device according to an aspect of the present invention, the specific information acquisition unit acquires the specific information determined based on a result of performing a port scan on a candidate target device that is a candidate for the target device. To do.

  In the communication control device according to an aspect of the present invention, the specific information acquisition unit is based on a result of monitoring a packet transmitted by a candidate target device that is a candidate for the target device or a communication protocol to be used. The determined specific information is acquired.

  In the communication control device according to an aspect of the present invention, the specific information acquisition unit is used in a packet transmitted from a candidate target device that is a candidate for the target device or in communication by the candidate target device. The specific information is determined based on a monitoring result of the communication protocol, and the determined specific information is acquired.

  In the communication control device according to an aspect of the present invention, the specific information acquisition unit is determined based on a directory service and a rule-based result based on a communication request of a candidate target device that is a candidate for the target device. The specific information is acquired.

  Further, in the communication control device according to one aspect of the present invention, the identification information acquisition unit is configured to transmit a packet transmitted from the target device or the entity, or a communication protocol used in communication by the target device or the entity. The identification information is acquired by monitoring.

  In the communication control device according to an aspect of the present invention, the identification information acquisition unit is determined based on a result of a directory service and a rule base based on a communication request of a candidate target device that is a candidate for the target device. The obtained identification information is acquired.

  In the communication control device according to an aspect of the present invention, the WL management unit may receive the communication permission information from the communication permission white list when communication corresponding to the communication permission information has not occurred for a predetermined period. When the communication corresponding to the communication partner permission information does not occur for a predetermined period, the communication partner permission information is deleted from the communication partner permission white list.

  The communication control method according to an aspect of the present invention is a communication control method for generating control information for controlling the switch unit based on information obtained from a switch unit having a plurality of physical ports, the switch unit In the communication via the communication apparatus, a specific information acquisition unit for acquiring specific information for specifying at least one of a target device that communicates by limiting a communication partner or communication by the target device, and a communication specified based on the specific information A pair of source information and destination determined based on the identification information is a set of identification information acquisition unit for acquiring identification information and source information and destination information given to the packet received by the switch unit Determine the output destination from the switch unit for the packet received by the switch unit so that the communication included in the information set is transferred as permitted. And it generates route information, and an output control unit to include the route information in the control information, a communication control method causing a computer to function with.

  In addition, a program according to an aspect of the present invention provides a computer of a communication control device that generates control information for controlling the switch unit based on information obtained from a switch unit having a plurality of physical ports via the switch unit. In communication, a specific information acquisition unit that acquires specific information that specifies at least one of a target device that communicates by limiting a communication partner or the target device, and a communication that is specified based on the specific information are identified. An identification information acquisition unit that acquires identification information, and a combination of transmission source information and destination information given to a packet received by the switch unit is determined based on the identification information, and transmission source information and destination information The output destination from the switch unit for the packet received by the switch unit is transferred so that the communication included in the set is permitted. And generates path information constant to an output control unit to include the route information in the control information, a program for causing to function.

  According to one aspect of the present invention, it is possible to provide a communication control device, a communication control method, and a program that implement security measures for IoT devices by a simple method.

1 is a configuration diagram showing a communication system according to a first embodiment. It is a figure which shows the structural example of the communication system which concerns on this embodiment. It is a flowchart which shows the procedure of the process for implementing the security measure of an IoT apparatus. It is a figure which shows eMLBR11. It is a figure which shows an example of the discard table. It is a figure which shows an example of the packet type table 1122. It is a figure which shows an example of the SCOPE table 1123. It is a figure which shows an example of the MLB table 1124. It is a figure which shows an example of the routing table 1125. FIG. 5 is a diagram illustrating an example of a QoS table 1126. FIG. It is a flowchart which shows the procedure of the process which concerns on the security measure of the IoT apparatus in eMLBR11. It is a flowchart which shows the procedure of the process which concerns on the security measure of the IoT apparatus in eMLBR11. It is a figure which shows the change at the time of the accumulation packet number observed in each node. FIG. 3 is a diagram showing a security measure procedure for a data terminal 18 in the communication system 1. It is a figure shown about a part of manufacturer information example contained in a MAC address. It is a figure for demonstrating the setting of QoS. It is a figure for demonstrating the setting of QoS. It is a figure which shows the state transition of the display screen control of the WEB server 52. FIG. It is a figure which shows the example of the display screen of the WEB server. It is a figure which shows the example of the display screen of the WEB server. It is a figure which shows the example of the display screen of the WEB server. It is a figure which shows the example of the display screen of the WEB server. It is a figure which shows the example of the display screen of the WEB server. It is a figure which shows the example of the display screen of the WEB server. It is a figure which shows eMLBR11 in 4th Embodiment. It is a figure for demonstrating the setting of QoS in this embodiment. It is a flowchart which shows the procedure of the process which concerns on the security measure of the IoT apparatus in eMLBR11 in this embodiment. It is a figure which shows eMLBR11 in 5th Embodiment. It is a figure for demonstrating the setting of QoS in this embodiment.

  Hereinafter, embodiments of a communication control device, a communication control method, and a program according to the present invention will be described with reference to the drawings.

FIG. 1 is a diagram illustrating a configuration of a communication system 1 including a communication control device according to the present embodiment.
The communication system 1 forms a network NW1. The network NW1 is connected to one or more other networks that can communicate with each other. Network NW2, network NW3, and network NW4 are examples of other networks. In the following description, the network NW1, the network NW2, the network NW3, the network NW4, and the like may be collectively referred to as a network NW. For example, each network NW is managed independently by different ISPs (Internet Service Providers) or the like, and communication rules (policies or the like) defined by the administrator are different. For example, the networks NW are connected to each other, and each constitutes a part of the Internet, for example.

In each communication system of the present embodiment, each communication rule is divided into the following four rules.
The first rule defines what is not permitted to communicate in the own communication system as restricted communication. For example, the communication system 1 manages, as “discard target information”, a condition (“discard target condition”) for selecting a communication packet determined as a target to be limited as a discard target packet. The communication system 1 regulates communication to be restricted by using a black list (“discard target black list”) that lists discard target information or a “discard table” that is tabulated. The communication system 1 may store the discard target black list or the discard table in the discard target storage unit of each device. Restrictions may include those common to each device or unique to each device. Note that “discard” in the above and the following description restricts communication based on destination information given to the packet, does not allow communication based on destination information, or blocks communication based on destination information. Alternatively, a case where communication based on destination information is interrupted and output to a specific port is included, and these are collectively referred to as “discard”.

  The second rule defines conditions for permitting communication in the local communication system. For example, the communication system 1 collectively manages the conditions for selecting packets by permitted communication (“communication permission conditions”) in “communication permission information”. The communication system 1 extracts permitted communication by using a white list (“communication permission white list”) in which communication permission information is listed or a tabulated “MLB table”. Details of the MLB table will be described later. The “communication permission white list” is an example of a white list.

  The third rule defines a “routing condition” for determining a transfer destination of a communication packet in the own communication system. For example, the communication system 1 manages the routing condition as “routing information”. The communication system 1 controls communication using a “routing table” in which “routing information” is tabulated.

  The fourth rule defines conditions that limit what is permitted as a communication partner in the communication system. For example, the communication system 1 manages the conditions for selecting packets from limited communication partners (“communication partner permission condition”) in “communication partner permission information”. The communication system 1 extracts a limited communication partner by using a white list (“communication partner permission white list”) that lists communication partner permission information or a tabulated “QoS table”. Details of the QoS table will be described later. The “communication partner permission white list” is an example of a white list.

  The communication system 1 controls the communication using some or all of the above rules.

  In the following description of the present embodiment, when both the communication permission white list of the second rule and the communication partner permission white list of the fourth rule are described without being distinguished, they are simply referred to as “white list”. Further, all or part of the communication permission information of the second rule, the routing information of the third rule, and the communication partner permission information of the fourth rule are collectively referred to as route information. In addition, a specific device that communicates with communication partners limited in the communication system 1 is referred to as a target device, and information that specifies either the target device or communication by the target device is referred to as specific information. For example, the specific information includes information for generating communication permission information or communication partner permission information.

  Information for identifying a specific device or communication may be referred to as identification information. For example, when the identification information given to the received packet is acquired, the layer 1 identifier, the layer 2 (L2) address, the layer 3 (L3) address (IP address), and the layer 4 ( L4) Information including part or all of the port number of the protocol is included in the identification information. Further, the identification information for specifying a specific communication partner includes the IP address or URL (Uniform Resource Locator) of each device. The routing information of the third rule may be defined by the destination IP address as the identification information.

  The communication system 1 includes an eMLBR (egress Multi Layer Binding Router) 11, an iMLBR (ingress MLBR) 12, a bMLBR (border MLBR) 13, a relay device 14, and a management host 15. In the following description, eMLBR11, iMLBR12, and bMLBR13 may be collectively referred to as MLBR10. Each MLBR 10 functions as a communication node of the communication system 1. The communication system 1 configures a network NW1 with a plurality of MLBRs 10. The MLBRs 10 in the network NW1 may be directly connected to each other or may be connected via the relay device 14 or the like.

  Terminals such as a terminal device 17 operated by a user and various data terminals 18 collectively called IoT (Internet of Things) and the like are connected to the communication system 1 so that they can communicate with each other. For example, the terminal device 17 and the data terminal 18 perform desired communication due to requests from each terminal or the like via the eMLBR 11 or the like. Various data terminals 18 collectively referred to as IoT and the like are examples of target devices.

  The management host 15 may perform basic settings in the communication system 1 and monitor the state of each MLBR 10. Furthermore, the management host 15 may function as a cooperation server and function as an HRS (Home RADIUS Server) that performs authentication and quarantine of the terminal device 17 and the like. Further, the management host 15 may be configured to store a communication history detected by an IDS (Intrusion Detection System) / IPS (Intrusion Prevention System) or the like. The management host 15 may function as a protocol monitor that monitors the communication protocol. Further, the management host 15 may be configured to perform a port scan for a specific device.

  Similar to the communication system 1, the communication system 2 forms a network NW2. The communication system 2 includes an eMLBR 21, an iMLBR 22, a bMLBR 23, and a management device 25. The communication system 3 forms a network NW3. The communication system 3 includes an eMLBR 31, an iMLBR 32, a bMLBR 33, and a management device 35. EMLBR21, iMLBR22, bMLBR23, management device 25 in communication system 2, and eMLBR31, iMLBR32, bMLBR33, and management device 35 in communication system 3, eMLBR11, iMLBR12, and bMLBR13 in communication system 1, Each corresponds to the management host 15.

  The communication system 4 forms a network NW4. Unlike the communication system 1, the communication system 4 does not include the MLBR 10 and includes a router or the like different from the MLBR 10.

  Hereinafter, the communication system 1 includes a data terminal 18 such as an IoT device, and when relaying communication by the data terminal 18, security measures for communication by the data terminal 18 that is an IoT device are taken by taking security measures for the communication. An example of a method for reducing anxiety is illustrated. The data terminal 18 may be various types of communication terminals.

  Examples of security concerns in IoT device communication include the following. As a first concern, there is an increasing risk of cyber attacks targeting IoT devices, which may infect IoT devices with malware. The second concern is the risk that an IoT device infected with malware will attempt to connect to a C & C server or the like. The third concern is the risk that an IoT device infected with malware will operate abnormally without performing its full function. As a fourth concern, there is a risk that an IoT device infected with malware attacks other devices or transmits illegal packets.

  In addition, it is assumed that the malware infection mentioned as the first anxiety described above is transmitted via the network as in the case where the malware is embedded by a search packet or the like for the IoT device. In addition, for example, various patterns are assumed such as when a back door (back door, intrusion port) for malware or remote operation is embedded in the manufacturing stage of the IoT device. Until now, various measures for preventing infection such as malware have been taken for general terminal devices, but these methods may not always be applied to IoT devices.

  For example, it is known that many general-purpose terminal devices such as personal computers can use IEEE802.1X authentication by a function such as an OS. By using IEEE802.1X authentication, it is possible to limit the range of allowed communication. On the other hand, some IoT devices cannot use IEEE802.1X authentication. For IoT devices that can use IEEE802.1X authentication, IEEE802.1X authentication can be applied in the same way as general-purpose terminal devices, but for IoT devices that cannot use IEEE802.1X authentication, the same method as general-purpose terminal devices is used. Can not do it. The IoT device exemplified in the following description is an example of a communication terminal device that cannot use IEEE802.1X authentication, for example.

Accordingly, the communication system 1 pays attention to the following points and implements countermeasures against malware infection of the IoT devices.
First, many IoT devices often communicate with a specific communication partner, and communication destinations are often limited.
Second, it can be determined from the attribute information indicated by the device that the device is an IoT device.
Third, it is possible to easily change the network settings so that the IoT device communicates with limited communication partners.
Fourth, the above first to third results are appropriately reflected in the eMLBR 11.

  In the communication system 1, in addition to the above points of interest, the following points are noted to ensure communication integrity.

  The communication system 1 checks the authenticity and soundness of terminals such as the terminal device 17 and the data terminal 18, and determines the quality of service (QoS) that imposes band limitation, communication partner limitation, and the like according to the result. .

  The communication system 1 manages the correspondence between the MAC address and the IP address using a physical port or (secure) channel held and managed by the MLBR 10 as a key. For example, the communication system 1 determines that a packet that does not satisfy the above-described correspondence is not permitted to be discarded, and discards the packet. Note that “packet” in the following description includes a frame such as a so-called MAC frame in which a MAC header and a trailer are added to the packet in layer 2, and these are collectively referred to simply as “packet”.

(MLBR10)
There are a plurality of types of MLBRs 10 constituting the communication system 1, and the configurations and uses thereof are different from each other. The eMLBR 11 installed at the egress on the user network side, the iMLBR 12 installed at the end (edge) on the user side of the network NW 1, and the bMLBR 13 arranged at the border between other networks , MLBR10 is an example. By arranging each type of MLBR 10 as described above, for example, even if a packet spoofing a large number of source IP addresses is sent from an external network, the attack packet in which bMLBR13 or the like deviates from the reverse path of the routing table. Shut off. Further, the bMLBR 13 or the like performs processing more accurately by combining and using information other than the source IP address when executing the processing. For example, information other than the source IP address includes the IP address of the terminal device 17 that requested the discard of the attack packet or the communication terminal actually attacked, the port number of the layer 4 (L4) such as TCP, the control flag, etc. May be included.

  Each MLBR 10 in the communication system 1 will be described with reference to FIG. FIG. 2 is a diagram illustrating a configuration example of the communication system 1. Details of the MLBR 10 in the communication system 1 will be described in order.

(EMLBR11)
The eMLBR 11 (communication device) includes a controller 111 (control unit), an IF unit 113, an IF unit 114, a switch unit 112 (transfer unit), and a storage unit 115. The combination of the controller 111 and the storage unit 115 is an example of a communication control device.

  The IF unit 113 is an interface with the terminal device 17 or the data terminal 18. For example, when communicating with the terminal device 17 or the data terminal 18 by wire, the IF unit 113 is provided corresponding to the physical port to which the communication line is connected, and switches the packet acquired from the communication line via the physical port. The packet that is output to 112 and transferred by the switch unit 112 is output to a communication line connected to the physical port. Further, for example, when wirelessly communicating with the terminal device 17 or the data terminal 18, the IF unit 113 is provided corresponding to a (secure) channel of wireless communication, and switches a packet acquired from a specific (secure) channel. The packet that is output to 112 and transferred by the switch unit 112 is output to a specific (secure) channel or a wired physical port. Hereinafter, physical ports and (secure) channels are collectively referred to as connection ports.

  The IF unit 114 is an interface when communicating with other MLBR 10 or the like. For example, the IF unit 114 is provided corresponding to the physical port to which the communication line is connected, and outputs a packet acquired from the communication line to the switch unit 112 via the physical port. Further, the packet transferred from the switch unit 112 is output to a communication line connected to the physical port.

  The switch unit 112 transfers a packet between the IF unit 113, the IF unit 114, the controller 111, and the like based on the conditions set by the controller 111. For example, the switch unit 112 controls the transfer of the packet based on each header information from the layer 2 (L2) to the layer 4 (L4) of the protocol stack, physical port identification information, and the like. Details of the packet transfer process will be described later.

  The storage unit 115 includes a nonvolatile storage device such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable and Programmable Read Only Memory), and an HDD (Hard Disk Drive), and a volatile memory such as a RAM (Random Access Memory) register. Realized by a storage device. The storage unit 115 stores a program for causing the eMLBR 11 to function, a plurality of tables for controlling the switch unit 112, communication history information, and the like.

  For example, the first storage unit 1151, the second storage unit 1152, the third storage unit 1153, and the fourth storage unit 1154 are examples of the plurality of tables. The first storage unit 1151 stores a first rule (discard target blacklist) that defines conditions for restricting transfer of received packets (received data) received by the eMLBR 11. The received packet includes header information and data (received data). The second storage unit 1152 stores a second rule (communication permission white list) that defines conditions for permitting transfer of received packets. The third storage unit 1153 stores a third rule (routing table, route information) that defines a routing condition for determining a packet transfer destination. The fourth storage unit 1154 stores a fourth rule (communication partner permission white list, route information) that defines conditions for permitting only communication with a limited communication partner.

  The controller 111 includes a processor such as a CPU (Central Processing Unit). The controller 111 stores at least one of information obtained from the switch unit 112 having a plurality of physical ports and information of a plurality of tables stored in the storage unit 115 by a program stored in the storage unit 115. Based on this, the switch unit 112 is controlled. For example, the controller 111, based on various information acquired from the management host 15, requests from the terminal device 17 or the data terminal 18, and the like, the first storage unit 1151, the second storage unit 1152, the third storage unit 1153, the fourth storage. The storage unit 1154 is updated as necessary, and the transfer process of the switch unit 112 is changed. More specifically, as will be described later, the first rule stored in the first storage unit 1151 is stored in the discard table 1121 in the switch unit 112, and the second rule stored in the second storage unit 1152 is stored in the switch unit 112. The third rule stored in the MLB table 1124 is registered in the routing table 1125 in the switch unit 112, and the fourth rule is registered in the QoS table 1126 in the switch unit 112. To control.

  Communication messages in the communication system 1 are communicated as frames or packets. Identification information for identifying the frame or packet including the communication message is added to the header information of the frame or packet.

  The specific information acquisition unit 1111 specifies specific information for specifying a target device such as the data terminal 18 that communicates by limiting communication partners in communication via the switch unit 112 or specific information for specifying communication by the target device such as the data terminal 18 At least one of the above is acquired. Details of the specific information will be described later.

  The identification information acquisition unit 1112 acquires identification information for identifying communication specified based on the specific information. The identification information acquisition unit 1112 may acquire identification information from the result of a part or all of the authentication process, the quarantine process, and the layer 3 address assignment process caused by the communication request from the data terminal 18. Details of the method for acquiring the identification information will be described later.

  The WL management unit 1113 extracts conditions for permitting communication, generates a white list, and manages the conditions. This white list includes one or both of the communication permission white list of the second rule and the communication partner permission white list of the fourth rule.

  The output control unit 1114 generates routing information for selecting an output port of the switch unit 112 having a plurality of output ports. Details of the WL management unit 1113 and the output control unit 1114 will be described later.

(IMLBR12)
The iMLBR 12 includes a controller 121, an IF unit 123, an IF unit 124, a switch unit 122, and a storage unit 125.

(BMLBR13)
The bMLBR 13 includes a controller 131, an IF unit 133, an IF unit 134, a switch unit 132, and a storage unit 135.

  As described above, each MLBR 10 includes a controller and a switch unit. The controller of the MLBR 10 controls the controller and the switch unit of its own device based on the information acquired from the controllers of the other MLBR 10.

(Terminal device 17)
The terminal device 17 is a computer including a CPU and a storage device such as a ROM, EEPROM, HDD, RAM, or register, and functions as a terminal or a server depending on a program to be executed. For example, the terminal device 17 is a general-purpose terminal such as a personal computer or a tablet. The CPU of the terminal device 17 may cause the terminal device 17 to function as IDS / IPS by executing a program. In this case, the terminal device 17 may receive packets that exceed a predetermined communication amount or frequency by IDS / IPS that is mounted on the terminal device 17 or connected to a local area network to which the terminal device 17 is connected, Abnormal behavior or known attack pattern (signature), unknown attack pattern predicted from known attack pattern, or malware expected from known malware or known malware, known exploit code (for program security) As an attack packet based on an unknown exploit code predicted from a known exploit code). In the above detection, a honey pot may be installed. A honeypot is a decoy that attracts attack packets for unauthorized access and diverts the attack. Obtaining virus and worm samples, investigating unauthorized access methods and trends from recorded operation logs and communication logs, etc. It is used for. For example, when the terminal device 17 detects an attack packet, the terminal device 17 blocks the connection to the network NW1.
The eMLBR 11 may send a message to the iMLBR 12 requesting that the transfer of the attack packet in the network NW1 be interrupted. For example, the iMLBR 12 may accept a message requesting that the transfer of the attack packet be interrupted as a discard request message requesting that the attack packet be discarded, and discard the attack packet. In the following description, a message requesting to interrupt the transfer of attack packets is referred to as DRM (Dropping Request Message). For example, the terminal device 17 adds verification data or an authentication code indicating the legitimacy and completeness of its own device to the DRM and transmits it to the eMLBR 11. Further, the DRM is bucket-relayed between the MLBRs 10 so as to approach the transmission source address of the attack packet, and each MLBR 10 that has received the DRM registers it in the first storage unit as the first rule described above.

(Data terminal 18)
The data terminal 18 is a computer including a CPU and storage devices such as a ROM, an EEPROM, an HDD, a RAM, and a register, and is a so-called IoT device that functions as a terminal or a server according to a program to be executed. Assume that the data terminal 18 illustrated in the following description communicates using an IPv4 packet as a packet type and cannot use IEEE802.1X authentication. For example, the data terminal 18 includes various sensors connected to the network, smart meters, connected cars (cars), printers, televisions, refrigerators, smart home appliances, M2M (Machine to Machine) devices, network cameras, vending machines, and the like. Generic terminology for all terminals. The communication partners of these terminals are often limited to specific addresses or URLs.

(Process for controlling the switch unit to implement security measures for IoT devices)
With reference to FIG. 3, processing for implementing security measures for the IoT device will be described. FIG. 3 is a flowchart showing a processing procedure for implementing security measures for the IoT device.

The communication system 1 registers the IoT device as a terminal that performs bidirectional communication in the communication system 1 (S10).
In the communication system 1, for example, the above process (S10) is realized as a combination of a plurality of processes described below.
First, the communication system 1 specifies a target IoT device that limits a communication partner (S11).
Next, the communication system 1 acquires identification information (first identification information) that can identify the target specified above (S12).
Next, the communication system 1 acquires identification information (second identification information) that can identify the target communication partner specified above (S13).
Next, the communication system 1 is for limiting the communication partner of the packet transmitted from the target specified as the target to be limited based on the identification information (first identification information and second identification information) acquired above. A communication partner permission whitelist element (first element) is generated (S14).
Next, the communication system 1 limits the communication partner of the packet transmitted to the target specified as the target to be limited based on the identification information (first identification information and second identification information) acquired above. The communication partner permission white list element (second element) is generated (S15).
Next, the communication system 1 adds the first element and the second element to the communication partner permission white list (S16).
The communication system 1 performs the process (S20) for protecting actual communication based on the first element and the second element after registration in the communication partner permission white list.
As a result, the communication system 1 implements security measures for the IoT device.

[One more specific example]
The following description exemplifies a case where the MLBR 10 is configured by applying the OpenFlow (registered trademark) technology.

(Distributed controller)
Each node of OpenFlow includes an OpenFlow switch unit controlled by an OpenFlow controller. In the general OpenFlow technology, one OpenFlow controller centrally manages a plurality of OpenFlow switches.
Instead, the MLBR 10 of this embodiment includes a controller 111 and a switch unit 112, and the controller 111 provided for each MLBR 10 manages the switch unit 112. The controller 111 may function independently of other MLBR 10 controllers, or may function in conjunction with each other. This is different from the general OpenFlow configuration. Hereinafter, the difference will be mainly described.

For example, the controller 111 includes a specific information acquisition unit 1111, an identification information acquisition unit 1112, a WL management unit 1113, an output control unit 1114, a management unit 1115, a packet-in 1116, a packet-out 1117, and The flow change output unit (Flow-Mod) 1118 is provided.
The packet-in 1116 receives information from the switch unit 112. The packet out 117 outputs the packet and its destination information to the switch unit 112. The flow change output unit (Flow-Mod) 1118 outputs information for changing the setting of the switch unit 112 to the switch unit. Details of other configurations of the switch unit 112 will be described later.

  The controller of the MLBR 10 controls at least the switch unit of its own device to ensure the security of the communication. Note that the controllers of the MLBR 10 may function as a distributed controller by communicating with each other, in which case, for example, DRMs are sequentially transferred. As described above, the DRM is information for limiting transfer in each MLBR 10. The MLBR 10 adds a restriction condition for restricting the transfer without changing the transfer information configured until the DRM is notified, and deletes it individually in units of the restriction condition. As a result, the communication system 1 changes only the restriction condition for restricting the transfer while maintaining the transfer rule in the network NW.

(Example of switch part)
A more specific example of the switch unit will be described with reference to FIGS. FIG. 4 is a diagram showing the eMLBR 11. The switch unit 112 includes a discard table 1121, a packet type table 1122, a SCOPE table 1123, an MLB table 1124, a routing table 1125, and a QoS table 1126 as a flow table at each stage. 5 to 10 are diagrams illustrating examples of the discard table 1121, the packet type table 1122, the SCOPE table 1123, the MLB table 1124, the routing table 1125, and the QoS table 1126, respectively.

(Examples of various tables in the switch section)
In the switch unit 112, the discard table 1121 stores a necessary number of flow entries of packets to be discarded. The flow entry of the packet to be discarded corresponds to the first rule (black list) which is a condition for restricting the transfer of the packet. For example, as shown in FIG. 5, the discard table 1121 drops packets that match the stored flow entries. Packets that do not match the stored flow entry are subject to selection processing by the packet type table 1122. The restriction information defined in the flow entry may be one IP address or a network address including a plurality of IP addresses. In addition, by specifying destination IP address, destination port number, source port number, packet length, packet type, TCP control flag, etc. in combination as appropriate, other general users trying to send to the same destination IP address as the attack packet Hindering the communication can be suppressed. For example, as a flow entry of the discard table 1121, a network address corresponding to an area where transfer is restricted is defined as a match condition. The discard table 1121 restricts transfer of a packet to which a transmission source IP address included in the address space indicated by the network address is assigned. “129.168.3.0/24” shown in FIG. 5 is an example of a network address when described in IPv4.

  The packet type table 1122 stores packets that are not discarded by the discard table 1121 and packets acquired from the controller as packets to be processed, and stores a flow entry for each packet type. For example, as shown in FIG. 6, the flow entry stored in the packet type table 1122 includes a packet that specifies an IPv4 packet, a packet that specifies an IPv6 packet, and a packet that is transmitted to the controller. The thing which specifies that is included. For example, the action corresponding to the type of each packet is defined as follows in the packet type table 1122. The packet type table 1122 includes ICMPv6 (Internet Control Message Protocol for IPv6) addressed to the own MLBR 10, or ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol), DHCP (Dynamic Host Configuration Protocol), DRP (Dropping Request Message Protocol). ), RIP (Routing Information Protocol), OSPF (Open Shortest Path First), BGP (Border Gateway Protocol), UPnP (Universal Plug and Play), DNS (Domain Name System), SIP (Session Initiation Protocol), etc. Are packets addressed to the controller 111 (Packet-In), IPv4 packets other than the above are subject to processing by the MLB table 1124, and IPv6 packets other than the above are subject to processing by the SCOPE table 1123. The DRP is a standard in which verification data or an authentication code is added to the DRM. Details of DRP will be described later. The packet type table 1122 updates each table in Flow-Mod if necessary based on the determination result by the controller 111 among the packets addressed to the controller 111, and packets that need to be transferred to other MLBRs are: Return to the switch unit 112 (Packet-Out).

  The SCOPE table 1123 determines whether or not routing of the packet is permitted by determining whether or not the scope (SCOPE) has deviated from the packet specified as the IPv6 packet by the packet type table 1122. For example, as shown in FIG. 7, when it is determined that the source IP address and the destination IP address of the packet belong to the same scope (global address, unique local address, link local address, etc.) and routing is permitted, the SCOPE table 1123 sets the packet as a target of processing by the MLB table 1124. On the other hand, when it is determined that there is a deviation in the scope of the packet and routing is not permitted, the SCOPE table 1123 discards the target packet.

  The MLB table 1124 permits a packet to be transferred to a packet identified as an IPv4 packet by the packet type table 1122 or a packet identified as an IPv6 packet to permit routing according to the SCOPE table 1123. This corresponds to the second rule (communication permission white list) which is a condition for specifying whether or not the packet should be. The MLB table 1124 functions as a communication permission white list for checking whether the packet is a spoofed packet by combining the MAC address of the IoT device or the host, the IP address, and the identification information of the connection port of the eMLBR 11, but from the IoT device It can also be determined whether or not the packet is transmitted. For example, as shown in FIG. 8, an input port number (IN_Port) of the switch unit 112, a MAC address and an IP address assigned to the IoT device, and the like are set in the match condition. For example, when it is determined that the packet is a packet transmitted from the IoT device (upper part of FIG. 8), the packet transits to the QoS table 1126 (FIG. 10), and whether the destination address is permitted as a communication partner is the QoS table 1126. When the corresponding communication partner permission white list exists in the QoS table 1126, the QoS table 1126 sets the packet as a target of transfer processing by the routing table 1125 (upper row in FIG. 10).

  As shown in FIG. 9, when the MLB table 1124 (FIG. 8) determines that the packet is not a spoofed packet, the routing table 1125 outputs the packet to the physical port defined by the routing table 1125. However, if the routing table 1125 determines that the packet is addressed to the IoT device (upper part of FIG. 9), the packet transits to the QoS table 1126 (FIG. 10), and the transmission source is the communication partner of the IoT device. If there is a corresponding communication partner permission white list, it is determined as a transfer processing target (middle in FIG. 10). When the routing table 1125 specifies that the packet is not a packet to be transferred (lower part in FIG. 9), the packet may be a target of discard processing according to the third rule of the routing table 1125.

  The QoS table 1126 sets a desired QoS for the packet determined by the MLB table 1124 as a packet transmitted from the IoT device or a packet transmitted to the IoT device. The condition set as QoS corresponds to the fourth rule (communication partner permission white list). For example, as shown in FIG. 10, the desired QoS in the QoS table 1126 includes destinations that exceed the permitted range by permitting packet transfer when the source address and destination address match the match condition. (Restricted in FIG. 10) is included. Details thereof will be described later.

(Processing related to security measures for IoT devices)
FIG. 11A and FIG. 11B are flowcharts showing a processing procedure related to security measures for the IoT device in the eMLBR 11.

  First, in the eMLBR 11, the controller 111 acquires a packet from the switch unit 112 via the packet in 1116 (S105).

  Next, the specific information acquisition unit 1111 determines whether or not the packet acquired from the switch unit 112 includes specific information such as a target device that limits a communication partner (S111). When it is determined by the determination in S111 that the specific information such as the target device that limits the communication partner is included, the specific information acquisition unit 1111 acquires the specific information such as the target device that limits the communication partner (S112). .

  Next, the WL management unit 1113 determines whether or not a condition for generating communication permission information (element) to be added to the communication permission white list is satisfied (S113).

  If the determination in S113 determines that the condition for generating the communication permission information to be added to the communication permission white list is satisfied, the WL management unit 1113 generates the communication permission information (S114). Details of the process for generating the communication permission information will be described later.

  Next, the WL management unit 1113 determines whether the generated communication permission information is registered as the second rule in the second storage unit 1152 (S115). When it is determined that the generated communication permission information is not registered in the second storage unit 1152, the WL management unit 1113 writes the generated communication permission information in the second storage unit 1152, and adds and updates it as a second rule. (S116). As described above, every time the second rule is changed due to the addition of the communication permission information, the WL management unit 1113 transmits the new second rule information to the switch unit 112 via the flow change output unit 1118. To do.

  On the other hand, when it is determined that the condition for generating the communication permission information to be added to the communication permission white list is not satisfied by the determination of S113, the communication permission information generated by the determination of S115 is registered in the second storage unit 1152. When the determination is made, or when the process of S116 is completed, the WL management unit 1113 determines whether there is communication permission information after a predetermined period has elapsed (S117). For example, when the communication corresponding to the communication permission information has not occurred for a predetermined period of the communication permission information registered in the second storage unit 1152, that is, the state where the communication packet does not arrive, the WL management unit 1113 Or after a predetermined period of time has passed since it has not arrived, the communication permission information in the above case is deleted from the second rules stored in the second storage unit 1152 (S118). As described above, every time the second rule is changed due to the deletion of the communication permission information, the WL management unit 1113 transmits the new second rule information to the switch unit 112 via the flow change output unit 1118. To do.

  The switch unit 112 of the eMLBR 11 performs a transfer process using the updated second storage unit 1152.

  On the other hand, when it is determined by the determination in S111 that the identification information acquisition unit 1112 does not include the specific information such as the target device that limits the communication partner, the identification information acquisition unit 1112 determines that the packet acquired from the switch unit 112 is the communication of the specified target. It is determined whether or not the other party's identification information is included (S121). When it is determined that the identification information of the target communication partner specified by the determination in S121 is included, identification information such as the specified target device is acquired (S122).

  After finishing the process of S122 or when it is determined that the identification information of the target communication partner specified by the determination of S121 is not included, the identification information acquisition unit 1112 receives the packet acquired from the switch unit 112. Then, it is determined whether or not the identification information of the specified communication partner is included (S131). When it is determined that the identification information of the target communication partner specified by the determination in S131 is included, the identification information acquisition unit 1112 acquires the identification information of the specified target device or the like (S132).

  After finishing the processing of S132 or when it is determined that the identification information of the target communication partner specified by the determination of S131 is not included, the WL management unit 1113 adds the communication to be added to the communication partner permission white list. It is determined whether or not a condition for generating partner permission information (element) is satisfied (S141).

  When it is determined in S141 that the condition for generating communication partner permission information to be added to the communication partner permission white list is satisfied, the WL management unit 1113 generates communication partner permission information. For example, the WL management unit 1113 determines that the condition for generating the communication partner permission information is satisfied at the stage where the identification information is generated in S122 and S132, respectively. Details of the processing for generating communication partner permission information will be described later.

  Next, the WL management unit 1113 determines whether or not the generated communication permission information is registered as the fourth rule in the fourth storage unit 1154 (S161). When it is determined that the generated communication partner permission information is not registered in the fourth storage unit 1154, the WL management unit 1113 writes the generated communication partner permission information in the fourth storage unit 1154 and adds it as a fourth rule. Update (S162). As described above, each time the fourth rule is changed due to the addition of the communication partner permission information, the WL management unit 1113 sends the new fourth rule information to the switch unit 112 via the flow change output unit 1118. Send.

  On the other hand, if it is determined in S141 that the condition for generating the communication partner permission information to be added to the communication partner permission white list is not satisfied, the communication partner permission information generated in S161 is registered in the fourth storage unit 1154. When it is determined that the communication is permitted, or when the process of S162 is completed, the WL management unit 1113 determines whether there is communication partner permission information for which a predetermined period has elapsed (S171). For example, when the communication corresponding to the communication partner permission information has not occurred for a predetermined period among the communication partner permission information registered in the fourth storage unit 1154, the WL management unit 1113 receives the communication packet. The communication partner permission information in the above-described case is deleted from the fourth rule stored in the fourth storage unit 1154 after the predetermined time period has passed since it has not been reached or after it has not arrived (S172). . As described above, each time the fourth rule is changed due to the deletion of the communication partner permission information, the WL management unit 1113 sends the new fourth rule information to the switch unit 112 via the flow change output unit 1118. Send.

  The switch unit 112 of the eMLBR 11 performs a transfer process using the updated fourth storage unit 1154.

  The controller 111 performs processing related to security measures for the IoT device according to the above-described procedure.

(Details of processing related to security measures for IoT devices)
As described above, processing related to security measures for IoT devices is roughly divided into processing for acquiring specific information, processing for acquiring identification information, processing for generating communication permission information, and output control processing.

(Configuration example used for functional verification)
An example of the configuration used for function verification will be described, and processing for generating communication permission information will be described. FIG. 12 is a diagram illustrating an example of a function verification model of the communication system according to the present embodiment.

As shown in the figure, the data terminal 18, the management host 15, and the pseudo HRS 51 are connected to the port 3 of the eMLBR 11 via the L2 switch device 41, and the mail is sent to the port 4 via the L2 switch device 42. The server 53 is connected, the web server 52 is connected to the port 5, and the management host 61 is connected to the port 6.
In addition to the controller 111 being connected to the switch unit 112, a mail server 53 is connected via the L2 switch device 42.

Each device in the communication system 1 configured as described above functions as follows.
First, the pseudo HRS 51 is an authentication server of the data terminal 18 and can execute Nmap (Network Mapper) or the like.

(Process to acquire specific information)
FIG. 13 is a diagram showing a procedure of security measures for the data terminal 18 in the communication system 1.
The pseudo HRS 51 performs a port scan for the data terminal 18 using Nmap or the like (S202), and notifies the eMLBR 11 of the result (S204). In the result of the port scan, as attribute information of the data terminal 18, for example, the MAC address of the port connected to the L2 switch device 41 of the data terminal 18, the open L4 port address, the OS of the data terminal 18 and the execution Application programs etc. are included. For example, the pseudo HRS 51 includes text data indicating attribute information in the payload portion of the ICMP packet, transmits a notification to the eMLBR 11 as an ICMP request, and causes the eMLBR 11 to make a determination.

  The controller 111 of the eMLBR 11 receives the attribute information of the data terminal 18 notified from the pseudo HRS 51 via the switch unit 112. The specific information acquisition unit 1111 of the controller 111 extracts the specific information from the result of performing the port scan on the candidate data terminal 18A (candidate target device) that is the candidate of the data terminal 18, that is, the attribute information of the data terminal 18. (S206). The specific information acquisition unit 1111 holds, for example, manufacturer information of an IoT device that is a candidate for the data terminal 18 in advance, and compares the manufacturer information with the extracted specific information to attribute the data terminal 18. Information is determined (S208).

  Note that the manufacturer information of the IoT device that is a candidate for the data terminal 18 may be configured to be held by the pseudo HRS 51 instead of the specific information acquisition unit 1111. In this case, the pseudo HRS 51 determines the attribute information of the data terminal 18 based on the manufacturer information, and transmits the determination result and the specific information of communication by the IoT device to the controller 111. The specific information acquisition unit 1111 of the controller 111 acquires the determination result and the specific information of communication by the IoT device.

  Note that the manufacturer information of the IoT device that is a candidate for the data terminal 18 may be held by an external server managed by the manufacturer or the communication carrier instead of the specific information acquisition unit 1111. . In this case, the pseudo HRS 51 determines the attribute information of the data terminal 18 based on the manufacturer information held by the external server, and transmits the determination result and the specific information of communication by the IoT device to the controller 111. The specific information acquisition unit 1111 of the controller 111 acquires the determination result and the specific information of communication by the IoT device.

(Details of processing for obtaining manufacturer information included in the MAC address)
FIG. 14 is a diagram illustrating a part of the manufacturer information example included in the MAC address. As shown in the figure, the upper 24 bits of the MAC address are assigned as unique information (vendor code) that can identify the manufacturer. The specific information acquisition unit 1111 compares a part of the MAC address extracted from the attribute information of the data terminal 18 with a part of the MAC address as manufacturer information of the stored IoT device. If they do not match as a result of the comparison, the specific information acquisition unit 1111 determines that the candidate data terminal 18A is not eligible as the data terminal 18. The specific information acquisition unit 1111 extracts and acquires specific information from the attribute information of the data terminal 18 only for the candidate data terminal 18A having the same manufacturer information.
If the manufacturer information extracted from the attribute information does not exist in the vendor code table, the specific information acquisition unit 1111 determines that the connected device is an unknown host.

  As described above, when the specific information acquisition unit 1111 determines based on the manufacturer information, a terminal indicating manufacturer information different from the manufacturer information of the original manufacturer can be determined as a camouflaged terminal. .

(Process to acquire identification information)
Next, the identification information acquisition unit 1112 transmits a mail transmission request to the mail server 53 after the specific information is acquired by the specific information acquisition unit 1111 (S210). The transmission request for the mail addressed to the mail server 53 is a request to send a mail for acquiring the identification information of the communication partner of the data terminal 18 to the management host 15. The mail server 53 sends a mail for acquiring the identification information of the communication partner of the data terminal 18 to the management host 15 (S212). Further, the mail server 53 may send a mail for notifying that the data terminal 18 has been detected to the mail address of the administrator (S214). Instead of sending mail addressed to the administrator's email address, the mail server 53 sends a notification that the data terminal 18 has been detected to the administrator's portable terminal using a short message service. May be. Alternatively, the identification information acquisition unit 1112 may send a notification to the administrator's portable terminal using a short message service.

  The management host 15 acquires a mail from the mail server 53 (S216), and tries to connect to the address or URL of the WEB server 52 described in the mail (S218). The WEB server 52 receives the communication start request, transmits information determined based on the URL or address to the management host 15, and obtains predetermined information from the management host 15 (S220).

  Next, the WEB server 52 transmits information including the IP address or network address received from the management host 15 to the controller 111 of the eMLBR 11 (S230). The controller 111 acquires information from the WEB server 52 as identification information of the communication partner of the data terminal 18 (S234).

  As described above, the controller 111 performs the process of acquiring the specific information (communication permission white list) and the process of acquiring the communication partner identification information (communication partner permission white list) for each data terminal 18. Communication permission information for the data terminal 18 is generated (S236).

(Whitelist management)
Next, white list management will be described. The WL management unit 1113 collectively manages communication permission information for communication from the data terminal 18 specified based on the specific information in a communication permission white list. For example, in the WL management unit 1113, the communication permission information includes items of a match condition and an action. The communication permission information includes the following set. As a first match condition, a part of the specified target “IP address or network address”, “MAC address”, “physical port number or (secure) channel number of the switch unit 112”, “L4 port number” or Includes everything. As the second matching condition, the “IP address or network address”, “MAC address”, “physical port number or (secure) channel number of the switch unit 112”, “L4 port number” of the specified target communication partner Includes some or all. The set of match conditions includes the transmission source information of communication via eMLBR11.

  The WL management unit 1113 adds communication permission information based on the acquired identification information as an element of the communication permission white list. For example, the WL management unit 1113 determines that the received packet is sent from the communication data terminal 18 specified based on the specific information (from IoT) to the determination unit included in the switch unit 112, and the identification information A communication permission white list is generated so as to be determined based on the information of the communication permission white list (S242). For example, the combination of the MLB table 1124, the routing table 1125, and the QoS table 1126 described above is an example of the determination unit.

  Furthermore, the WL management unit 1113 is communication permission information for limiting the communication partner of communication specified based on the specific information to the data terminal 18, and communicates communication partner permission information based on the acquired identification information. Add as an element of the opponent permission whitelist.

  Further, the WL management unit 1113 indicates that the received packet is sent to the communication data terminal 18 specified based on the specific information (toIoT) to the determination unit included in the switch unit 112. The communication partner permission white list is generated so that the determination is made based on the above and further whether the packet is permitted as the communication partner (S244).

(Output control processing)
When the output control unit 1114 determines from the determination result by the determination unit that it is sent from the data terminal 18 of the communication specified based on the specific information and is destined for the communication partner permitted as the communication partner. In addition, the output unit of the switch unit 112 is controlled so that the received packet is output to the output destination determined to be transmitted to the communication partner.

  For example, when the output control unit 1114 determines that the communication is from the IoT device as follows, the output control unit 1114 controls the switch unit 112 as follows. When the MLB table 1124 determines that the packet is a packet transmitted from the IoT device from the transmission source IP address, the transmission source MAC address, and the like, the packet is subject to QoS control based on the QoS table 1126. To.

  FIG. 15 is a diagram for explaining the QoS setting of a packet transmitted from IoT. For example, as shown in FIG. 15, the QoS table 1126 sets a desired QoS for a packet that is determined by the MLB table 1124 to be a packet transmitted from the IoT device, and places the packet in the routing table. 1125 is the target of the transfer process. In this case, the routing table 1125 outputs the packet to a desired output port if it is determined as an appropriate communication partner set by the QoS table 1126. On the other hand, when the QoS table 1126 specifies that the packet is not a packet to be transferred with respect to the packet determined by the MLB table 1124 as the packet transmitted from the IoT device, the QoS table 1126 You may discard according to the 4th rule.

  Furthermore, when the output control unit 1114 determines from the result of the determination by the determination unit that it is sent from the data terminal 18 of the communication specified based on the specific information and is destined for the permitted communication partner. Then, the packet output 113 is controlled so that a predetermined transmission source MAC address and destination MAC address are added to the received packet and output to the output destination determined to transmit toward the communication partner.

For example, when the output control unit 1114 determines that the communication is to the IoT device as follows, the output control unit 1114 controls the switch unit 112 as follows.
When the routing table 1125 determines that the packet is a packet transmitted to the IoT device from the destination IP address, the packet is set as a QoS control target based on the QoS table 1126.

  FIG. 16 is a diagram for explaining the QoS setting of a packet sent to the IoT. For example, as shown in FIG. 16, the routing table 1125 sets a desired QoS for a packet that is determined not to be a forged packet by the MLB table 1124, and sets the packet to the communication partner of the QoS table 1126. Applicable for judgment. In this case, when the QoS table 1126 is determined to be a packet from a communication partner permitted by the QoS table 1126, the QoS table 1126 also functions to output the packet to a desired output port corresponding to the destination IoT device. Note that when the QoS table 1126 determines that the packet is not a packet to be transferred, the packet may be discarded according to the QoS table 1126.

As described above, the output control unit 1114 controls the switch unit 112 so that the communication partner of the data terminal 18 exists within a range in which security can be ensured (S250).
In this case, the identification information acquisition unit 1112 allows communication in a state where the communication partner of the data terminal 18 exists within a range in which security can be ensured, and generates communication partner permission information to be stored in the communication partner permission white list. It is assumed that the identification information for acquiring is acquired.

  The output control unit 1114 sets the source information and the destination information of the communication partner permission information stored in the communication partner permission white list as a set of the transmission source information and the destination information extracted from the identification information given to the received packet. When a mismatch state that does not match any one of the sets occurs, the output destination of the received packet is determined so as not to relay the received packet to a predetermined destination. As a result, the data terminal 18 can communicate with the management host 61 existing within the limited range, but cannot communicate with the host B existing outside the limited range. As a result, even if the data terminal 18 is infected with malware and tries to access the C & C server, the communication is blocked by the eMLBR 11.

  Note that the output control unit 1114 may notify the occurrence of the mismatch state when the occurrence of the mismatch state satisfies a predetermined condition.

  FIG. 17 is a diagram showing state transition of display screen control of the WEB server 52. 18 to 23 are diagrams showing examples of display screens of the WEB server 52. For example, the WEB server 52 provides two designation methods as predetermined information for limiting the communication partner of the data terminal 18. The WEB server 52 causes the display unit of the management host 15 to display a selection page (FIG. 18 or FIG. 21) for specifying address information for limiting the communication partner of the data terminal 18.

When the method for specifying the address information is selected, the WEB server 52 receives the result of selecting the specified method from the management host 15 and displays a page (FIG. 19) for inputting the IP address of the communication partner to be limited. 15 is displayed.
Next, the WEB server 52 receives an IP address from the management host 15 and then causes the management host 15 to display an input result (FIG. 20) of the IP address of the communication partner to be limited.

On the other hand, when the method for designating the network address is selected, a page (FIG. 22) for inputting the network address of the communication partner to be limited is displayed on the management host 15.
Next, the WEB server 52 accepts one of the network addresses from the management host 15 and then causes the management host 15 to display the input result of the network address of the communication partner to be limited (FIG. 23).

According to the present embodiment, the controller 111 generates control information for controlling the switch unit 112 based on information obtained from the switch unit 112 having a plurality of physical ports. The specific information acquisition unit 1111 acquires specific information (communication permission information) for specifying at least one of the data terminal 18 and the communication by the data terminal 18 that communicates by limiting communication partners in communication via the switch unit 112. The identification information acquisition unit 1112 acquires identification information (communication partner permission information) for identifying a communication partner specified based on the specific information. The output control unit 1114 generates route information for determining an output destination from the switch unit 112 for the packet received by the switch unit 112, and includes the route information in the control information. At that time, the output control unit 1114 includes transmission source information in which a pair of transmission source information and destination information given to the packet received by the switch unit 112 is determined based on identification information (communication partner permission information) Route information and communication partner permission information are generated so that communication included in the pair with the destination information is transferred as permitted.
Thereby, the controller 111 can implement the security countermeasure of the data terminal 18 which is an IoT apparatus by a simple method.

  In addition, the output control unit 1114 is configured so that a combination of transmission source information and destination information given to a packet received by the switch unit 112 is determined based on identification information (communication partner permission information) and destination information Route information and communication partner permission information may be generated so that the switch unit restricts transfer of communication packets that are not included in the information pair.

In addition, the WL management unit 1113 transmits communication permission information (communication partner permission information) indicating that communication is permitted between the data terminal 18 and the communication partner from the data terminal 18 to the communication partner and the communication partner. May be generated separately from the communication addressed to the data terminal 18 based on the identification information.
In addition, the WL management unit 1113 may generate a communication partner permission white list indicating permission as a communication partner, and include the communication partner permission white list in the control information.

Further, the WL management unit 1113 transmits communication partner permission information indicating permission as a communication partner of the data terminal 18 from the data terminal 18 to the communication partner of the data terminal 18 and from the communication partner of the data terminal 18 to the data terminal. It may be generated separately based on the identification information separately for communication addressed to 18.
The WL management unit 1113 may include the communication partner permission white list in the control information by using the communication partner permission information as an element of the communication partner permission white list.

  The output control unit 1114 may generate route information for determining an output destination corresponding to communication addressed to the data terminal 18 from the communication partner of the data terminal 18 based on the communication partner permission information.

  Further, the output control unit 1114 sets the layer 3 transmission source information and the destination information extracted from the identification information given to the received packet, in the communication partner permission information layer 3 stored in the communication partner permission white list. The identification information of the lower layer including the identification information of the port that received the packet or the logical identification information of the port to which the packet was transmitted matches the at least one of the pair of the transmission source information and the destination information. An output destination of the received packet is determined so as to relay the received packet to a desired destination when the identification information of the lower layer of the communication permission information stored in the list matches.

  Thereby, the security measure of an IoT apparatus can be implemented by a simple method.

(Modification of the first embodiment)
A modification of the first embodiment will be described. In the first embodiment, it has been described that the IP address or network address of one communication partner is set for each data terminal 18, but in this modification, instead of this, communication partners for a plurality of data terminals 18 are set. A method for making it possible to set an IP address or a network address of a network.

The following cases are assumed for the correspondence.
(1) A case where communication is limited from a plurality of data terminals 18 to a common host.
(2) A case where communication is limited from a plurality of data terminals 18 to different hosts.

  Also in these cases, the controller 111 can ensure the communication security of the IoT device by creating a white list similar to the above-described white list. In addition, when registering a plurality of IP addresses or a plurality of network addresses in the controller 111, it is possible to simplify the work incidental to network management, especially in a large-scale system, by taking in the above collectively. Can do.

  For example, the identification information acquisition unit 1112 notifies the management host 61 of the detection result of the identification information of the data terminal 18. In response to the notification, the management host 61 associates the detection result of the identification information of the data terminal 18 with IP address information or a network address that identifies the communication partner. The management host 61 transmits to the controller 111 IP address information or a network address that identifies a communication partner associated with the detection result of the identification information of the data terminal 18. The identification information acquisition unit 1112 of the controller 111 may determine the identification information of the specified communication based on the command acquired from the management host 61.

  Thereby, according to the communication system 1 of the modification of 1st Embodiment, while there exists an effect similar to 1st Embodiment, the provision operation | work of the identification information with respect to the several data terminal 18 is simplified. be able to.

(Second Embodiment)
A second embodiment will be described. The first embodiment described above exemplifies a case where manufacturer information extracted from the layer 2 address of the candidate data terminal 18A or specific information based on a result of performing a port scan on the candidate data terminal 18A is acquired. . In the present embodiment, instead of this, a case where specific information determined based on a result of monitoring either a packet transmitted by the candidate data terminal 18A or a communication protocol to be used is illustrated. This point is different from the first embodiment described above. Hereinafter, this point will be mainly described.

(Process to acquire specific information)
The specific information acquisition unit 1111 specifies a target whose communication partner should be limited based on a packet transmitted by the candidate data terminal 18A or a result of monitoring a communication protocol to be used, and acquires information on the specified target.
For example, the specific information acquisition unit 1111 monitors a communication protocol such as UPnP or SIP and specifies a target based on the result. For example, the specific information acquisition unit 1111 may apply a technique known as UPnP snooping as a technique for monitoring UPnP. The specific information acquisition unit 1111 may detect a SIP communication start request (INVITE) by applying a technique known as SIP snooping as a technique for monitoring SIP.
When UPnP or SIP is used, information indicating the communication partner is included in the connection start request for communication. The specific information acquisition unit 1111 may acquire the detection target, the type of communication protocol, the URL (address) of the communication partner, and the like from information included in the connection start request for communication.

  Further, the specific information acquisition unit 1111 specifies a target whose communication partners should be limited based on a packet transmitted to the candidate data terminal 18A or a monitoring result of a communication protocol used in communication by the candidate data terminal 18A. To obtain information on the identified target.

  Note that the pseudo HRS 51 may monitor the packet or the communication protocol. In this case, the pseudo HRS 51 monitors a packet passing through the point at a predetermined position in the network. In this case, the pseudo HRS 51 detects, from the detected packets, a packet that transmits a communication message transmitted by the candidate data terminal 18A or a packet that transmits a communication message transmitted to the candidate data terminal 18A.

(Process to acquire identification information)
The identification information acquisition unit 1112 acquires identification information by monitoring a packet transmitted from the data terminal 18 or the entity or a communication protocol used in communication by the data terminal 18 or the entity.

  For example, the identification information acquisition unit 1112 monitors a communication protocol such as DHCP, ARP, UPnP, or SIP, and specifies a target based on the result. For example, the identification information acquisition unit 1112 may apply a technique known as DHCP snooping as a technique for monitoring DHCP. As a technique for monitoring ARP, a technique known as ARP snooping may be applied. As a technique for monitoring UPnP, a technique known as UPnP snooping may be applied. The identification information acquisition unit 1112 may detect a SIP communication start request (INVITE) by applying a technique known as SIP snooping as a technique for monitoring SIP.

  Further, the identification information acquisition unit 1112 monitors communication protocols such as DNS, UPnP, and SIP, and identifies a target communication partner based on the result. For example, the identification information acquisition unit 1112 may apply a technique known as DNS snooping as a technique for monitoring DNS. As a technique for monitoring UPnP, a technique known as UPnP snooping may be applied. The identification information acquisition unit 1112 may apply a technique known as SIP snooping as a technique for monitoring SIP.

  For example, the identification information acquisition unit 1112 acquires identification information determined based on a packet transmitted by the candidate data terminal 18A or a result of monitoring a communication protocol used in the communication.

  The identification information is determined based on part or all of the data terminal 18 (node), the communication entity in the data terminal 18, and the communication service of the data terminal 18. The identification information acquisition unit 1112 acquires at least one of the above information as specific information.

As described above, according to the second embodiment, the specific information acquisition unit 1111 is used in a packet transmitted from the candidate data terminal 18A that is a candidate of the data terminal 18 or communication by the candidate data terminal 18A. Specific information is determined based on the monitoring result of the communication protocol, and the determined specific information is acquired. In addition, the packet transmitted from the data terminal 18 or the entity or the communication protocol used in the communication by the candidate data terminal 18A or the entity is monitored to obtain the identification information.
As a result, the specific information and the identification information are determined based on the monitoring result of the packet or the communication protocol used in communication by the candidate data terminal 18A, and the security measures for the IoT device are implemented in a simple manner.

(Third embodiment)
A third embodiment will be described. The first embodiment described above exemplifies a case where manufacturer information extracted from the layer 2 address of the candidate data terminal 18A or specific information based on a result of performing a port scan on the candidate data terminal 18A is acquired. . In the present embodiment, instead of this, a case where specific information is acquired using a directory service and a rule-based system is illustrated. This point is different from the first embodiment described above. Hereinafter, this point will be mainly described.

(Process to acquire specific information)
(Type using directory service and rule-based system)
Hereinafter, a mode in which a directory service and a rule base system are used will be described.
The controller 111 (specific information acquisition unit 1111) of the present embodiment should limit the communication partner based on the directory service based on the communication request of the candidate data terminal 18A that is the candidate of the data terminal 18 and the rule-based search result. Identify the target.

(Directory service)
A directory service is known as a method for uniformly managing resources such as communication devices and application programs connected to a network. By using the directory service, each resource can be transferred from a user or application program to each resource using management information (directory information) that associates the name of each resource with attributes such as network location (address) and access authority. Control the action.
As a result, it is not necessary to use each resource in consideration of physical information indicating in which device each resource is arranged.

  A server that provides a directory service has a database that manages user information and resource information. For example, the controller 111 may access the directory service server using LDAP (Lightweight Directory Access Protocol).

(Rule-based system)
A rule-based system is known as a method for causing a predetermined action to be performed when an event that satisfies a predetermined condition occurs. In the rule-based system, a predetermined condition is used as a rule, and the inference engine performs a predetermined action.

  For example, the controller 111 of the eMLBR 11 may be configured to use functions of a directory service server and a rule-based system inference engine.

For example, the data terminal 18 requests the eMLBR 11 to allocate communication resources. The controller 111 of the eMLBR 11 accesses a server that provides a directory service and detects the request.
The procedure in which the data terminal 18 sends the above request is an action executed when the IoT device is connected to the network, and the conditions for detecting the action are stored in the controller 111 as a rule of the rule base system. . When the controller 111 functions as a controller of the rule-based system and detects an event that satisfies a predetermined rule, the controller 111 acquires characteristic information of the data terminal 18 that issued the request.

  Based on the acquired feature information, the controller 111 controls the switch unit 112 to enable communication requested by the data terminal 18. This control method may be the same method as in the first embodiment in which information is added to each required table.

(Transfer processing of packets transmitted from the data terminal 18 etc. in the eMLBR 11)
The data terminal 18 that has been successfully authenticated and quarantined is registered and managed in the MLB table 1124.
When the eMLBR 11 receives the packet, the eMLBR 11 checks whether the flow entry of the received packet exists in the MLB table 1124. If there is, the eMLBR 11 converts the received packet address to a global IP address or the like if it is a private IP address. AH is added, and the MAC address is rewritten and transferred to the iMLBR 12 with the specified QoS. The designated QoS may include items such as no bandwidth limitation, transfer with AH added, and bandwidth limitation.

  On the other hand, if it does not exist, the eMLBR 11 regards it as a forged packet and discards the received packet. The eMLBR 11 appropriately checks the existence of the data terminal 18 or the like via the connection port, and extends the valid period of the route information registered in the MLB table 1124.

According to the embodiment described above, a communication control device that controls the switch unit based on information obtained from a switch unit having a plurality of physical ports, the communication partner in communication via the switch unit. A specific information acquisition unit that acquires specific information for specifying a target device that communicates in a limited manner or communication by the target device; an identification information acquisition unit that acquires identification information for identifying communication specified based on the specific information; The communication permission information indicating that the communication is permitted between the target device and the communication partner is divided into communication from the target device to the communication partner and communication from the communication partner to the target device. A WL management unit that adds each of the generated communication permission information as an element of a white list that generates and stores the communication permission information, and a parameter received by the switch unit. An output control unit for associating the output destination from the switch unit with the communication permission information stored in the white list based on the specific information, and the identification information given to the received packet, The communication permission information includes a pair of transmission source information and destination information of the communication, and the output control unit includes a combination of the transmission source information and the destination information extracted from the identification information given to the received packet. And outputting the received packet from a desired physical port of the switch unit when it matches at least one of a set of transmission source information and destination information of communication permission information stored in the white list Determine the destination.
According to the modification of the embodiment described above, the identification information determined based on the result of the directory service and the rule base based on the communication request of the candidate data terminal 18A that is the candidate of the data terminal 18 is acquired. can do.

(Fourth embodiment)
A fourth embodiment will be described. In the first embodiment described above, the second rule is stored in the second storage unit 1152, the third rule is stored in the third storage unit 1153, and the fourth rule is stored in the fourth storage unit 1154, and correspondingly. Then, the case where the processing by the MLB table 1124, the QoS table 1126, and the routing table 1125 is executed is illustrated. In the present embodiment, instead of this, the third rule and the fourth rule are integrated into a QoS table / routing table 1125 so that the fourth storage unit 1154 and the QoS table 1126 are not required. 24. FIG. 24 is a diagram illustrating the eMLBR 11 of the present embodiment. FIG. 25 is a diagram for describing QoS setting in the present embodiment, instead of the above-described FIGS. 15 and 16.

  In a general router routing table as a comparative example, only the destination network address or the destination IP address is described.

  On the other hand, the communication system 1 according to the present embodiment uses the SDN technology such as OpenFlow, so that information on the transmission source such as the transmission source IP address can be defined as a match condition in the routing table indicating the path information. That is, in the description of the above-described embodiment, the QoS table 1126 and the routing table 1125 are separated. However, in the communication system 1 of the present embodiment, both are combined to form a routing table 1125 that is also used as a QoS table. Will be described.

  As shown in FIG. 25, when the packet type table 1122 determines that the packet is an IPv4 packet (lower part of FIG. 25), the packet transits to the MLB table 1124, and it is determined whether the address is not a spoofed packet. If it is determined, the process transits to the routing table 1125 also serving as a QoS table. In the same table, matching conditions are collated in order from the top, the transmission packet from the IoT device (Ipv4_src 192.168.3.250) (upper part of FIG. 25), and the destination address is a predetermined communication partner (Ipv4_dst 192.168.6.10) Then, after subtracting TTL (Time To Live) by 1 in Action, a MAC frame is generated and output from port 6 of the switch unit 112. A packet in which the destination address of the packet transmitted from the IoT device indicates a destination address other than the above is discarded (second stage from the top in FIG. 25).

  On the other hand, if the packet addressed to the IoT device (Ipv4_dst 192.168.3.250) (third level from the top in FIG. 25) is the transmission source address (Ipv4_src 192.168.6.10), a MAC frame is generated in the same way. Output from port 3 of the switch unit 112. A packet having a source address other than the above in the packet sent to the IoT device is discarded (fourth stage from the top in FIG. 25). Other packets are output from each predetermined port based on each destination address (lower row in FIG. 25).

(Processing related to security measures for IoT devices)
FIG. 26 is a flowchart illustrating a processing procedure related to security measures for the IoT device in the eMLBR 11 according to the present embodiment. FIG. 26 replaces FIG. 11B described above, and the same reference numerals are given to the same processes as those of FIG. 11B described above.

  If the processing of S105 and S111 shown in FIG. 11A is performed and it is determined by S111 that it does not include specific information such as the target device that limits the communication partner, the processing of S121 to S132 is performed as shown in FIG. Is implemented.

  After the processing of S132 is completed, or when it is determined that the identification information of the target communication partner specified by the determination of S131 is not included, the WL management unit 1113 adds the path information (elements) to be added to the routing table. ) Is determined (S141A).

  If it is determined in S141A that the condition for generating the route information (element) to be added to the routing table is satisfied, the output control unit 1114 determines the communication partner permission condition determined by the WL management unit 1113. Generate route information that specifies the route. For example, the WL management unit 1113 determines that the condition for generating the route information is satisfied at the stage where the identification information is generated in S122 and S132, respectively.

  Next, the output control unit 1114 determines whether or not the generated route information is registered in the third storage unit 1153 as the third rule (S161A). When it is determined that the generated route information is not registered in the third storage unit 1153, the output control unit 1114 writes the generated route information in the third storage unit 1153, and adds and updates it as a third rule (S162A). ). As described above, every time the third rule is changed due to the addition of the route information, the output control unit 1114 transmits the new third rule information to the switch unit 112 via the flow change output unit 1118. .

  On the other hand, if it is determined in S141 that the condition for generating the route information (element) to be added to the routing table is not satisfied, the route information generated in S161A is registered in the third storage unit 1153. When it is determined, or when the process of S162A is completed, the output control unit 1114 determines whether there is route information for which a predetermined period has elapsed (S171A). For example, the output control unit 1114 is in a state where communication corresponding to the route information among the route information registered in the third storage unit 1153 has not occurred for a predetermined period, that is, the communication packet does not arrive. Or after the predetermined period has passed since the arrival of the route information, the route information in the above case is deleted from the third rules stored in the third storage unit 1153 (S172A). As described above, every time the third rule is changed due to the deletion of the route information, the output control unit 1114 transmits the new third rule information to the switch unit 112 via the flow change output unit 1118. .

  The switch unit 112 of the eMLBR 11 performs transfer processing using the updated third storage unit 1153.

  According to the embodiment described above, the output control unit 1114 adds the communication permission information (communication permission condition) generated by the WL management unit 1113 to the same effect as the first embodiment described above. Based on this, route information for determining the output destination from the switch unit is generated by dividing the communication from the data terminal 18 to the communication partner such as the host A and the communication from the communication partner such as the host A to the data terminal 18 By including them in the elements of the routing table 1125, the third rule and the fourth rule can be integrated to form a routing table 1125 that is also used as a QoS table.

(Fifth embodiment)
A fifth embodiment will be described. In the first embodiment described above, the second rule is stored in the second storage unit 1152, the third rule is stored in the third storage unit 1153, and the fourth rule is stored in the fourth storage unit 1154, and correspondingly. Then, the case where the processing by the MLB table 1124, the QoS table 1126, and the routing table 1125 is executed is illustrated. In the present embodiment, instead of this, the third rule and the fourth rule are integrated into a QoS table / routing table 1125 so that the fourth storage unit 1154 and the QoS table 1126 are not required. FIG. 26 illustrates an eMLBR 11 that does not require the table 1124.

  FIG. 27 is a diagram illustrating the eMLBR 11 of the present embodiment. FIG. 28 is a diagram for explaining QoS setting in this embodiment instead of the above-described FIG. 15 and FIG. 16.

  In the present embodiment, the processing from S111 to S118 is deleted from the processing shown in FIG. 11A described above, and the procedure of the processing shown in FIG. 26 is referred to instead of FIG. 11B.

According to the embodiment described above, since there is no MLB table, forged packets cannot be prevented, but the communication partner of the data terminal 18 which is an IoT device can be limited as in the above-described embodiment.
Note that the connection port identifier or MAC address of the terminal 18 may be added as a matching condition in the upper part (from IoT) of the routing table 1125 also serving as the QoS table of FIG. In this case, an MLB table in which an MLB table is also added to the QoS table / routing table and a QoS table / routing table 1125 are configured, and packets spoofing an IoT device can be blocked.

  For example, even if an IoT device infected with malware tries to increase the number of new infection destinations by sending a so-called search packet that seeks to find other IoT devices, IoT devices can be prevented from being infected with malware. Further, even if malware is embedded in the manufacturing process of the IoT device and the like and attempts to access the C & C server, the eMLBR 11 can block communication from the IoT device to the C & C server. Since the communication system 1 operates in this way, it is possible to prevent the IoT device connected to the communication system 1 from participating in a cyber attack, or to prevent an attack into the communication system 1. The same effect can be obtained as in the case of being divided into 1126 and the MLB table.

  According to at least one embodiment described above, the communication control device is a communication control device that generates control information for controlling the switch unit based on information obtained from the switch unit having a plurality of physical ports, In communication via a communication unit, a specific information acquisition unit that acquires specific information that specifies at least one of a target device that communicates with limited communication partners or a target device, and a communication that is specified based on the specific information are identified A pair of source information and destination information given to the packet received by the switch unit, and source information and destination information determined based on the identification information The output destination from the switch unit for the packet received by the switch unit is transferred so that the communication included in the set is permitted. And generates path information constant for, by and an output control unit to include the route information to the control information, it is possible to implement security measures for IoT devices in a simple manner.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the spirit of the invention. These embodiments and their modifications are included in the scope and gist of the invention, and are also included in the invention described in the claims and the equivalents thereof.

  For example, in the above description of the embodiment, the switch unit such as the MLBR 10 has been described as “discarding” the attack packet. However, the MLBR 10 or the like does not discard the packet within each switch unit, but from a specific port. The data may be output and stored in an external storage device.

In the above description of the embodiment, the IPv4 private address is used. However, the present invention is not limited to this, and the communication permission information may be composed of the IPv4 private IP address and the global IP address. Alternatively, the communication permission information may be configured with a global IP address of IPv4, the communication permission information may be configured with an IPv6 address, and the communication permission information may be configured with a layer 2 address (MAC address). .
Furthermore, the layer 4 port number used with the communication partner may be added to the MLB table, the QoS table, or the QoS routing table. Thereby, even if the back door is embedded in the IoT device at the manufacturing stage of the IoT device or the like, unauthorized entry from the back door can be prevented, and the security of the IoT device can be further improved.

  In the above description of the embodiment, the terminal device 17 has been described as including IDS / IPS. However, the eMLBR 11 or iMLBR 12 may be configured to include IDS / IPS. In this case, the eMLBR 11 or iMLBR 12 is configured to acquire the detection result of the IDS / IPS included in the eMLBR 11 or iMLBR 12 instead of the IDS / IPS of the terminal device 17.

1, 2, 3, 4 ... Communication system, 10 ... MLBR, 11 ... eMLBR, 12 ... iMLBR, 13 ... bMLBR, 14 ... Relay device, 15 ... Management host, 17 ... Terminal device, 18 ... Data terminal, 111 ... Controller (Control unit), 112 ... switch unit, 113, 114 ... IF unit, 115 ... storage unit, NW, NW1, NW3, NW4 ... network

Claims (26)

A communication control device that generates control information for controlling the switch unit based on information obtained from a switch unit having a plurality of physical ports,
In communication via the switch unit, a specific information acquisition unit that acquires specific information that specifies at least one of a target device that communicates by limiting a communication partner or the target device, and
An identification information acquisition unit for acquiring identification information for identifying communication specified based on the specific information;
It is assumed that the communication included in the combination of the transmission source information and the destination information determined based on the identification information is a combination of the transmission source information and the destination information given to the packet received by the switch unit. An output control unit that generates route information for determining an output destination from the switch unit for a packet received by the switch unit, and includes the route information in the control information,
A communication control device comprising: Communication permission information indicating that communication is permitted between a target device and a communication partner of the target device, communication from the target device to the communication partner, and communication from the communication partner to the target device The communication control device according to claim 1, further comprising: a WL management unit that is generated based on the identification information. The output control unit
A pair of source information and destination information given to a packet received by the switch unit is a packet of a communication packet not included in the pair of source information and destination information determined based on the identification information. Generating route information that restricts transfer by the switch unit;
The communication control apparatus according to claim 2. The output control unit
A path for determining an output destination from the switch unit based on the generated communication permission information, divided into communication addressed to the communication partner from the target device and communication addressed to the target device from the communication partner. Generating information,
The communication control apparatus according to claim 2 or 3. The WL management unit
A communication permission white list indicating that communication is permitted between the target device and a communication partner of the target device is generated, the communication permission white list is included in the control information, and the generated The communication permission information as an element of the communication permission white list,
The output control unit
Generating the route information for communication associated with the generated communication permission information;
The communication control apparatus according to claim 3 or 4. The WL management unit
A communication partner permission white list indicating that the communication partner is permitted is generated, the communication partner permission white list is included in the control information, and communication partner permission information indicating that the communication partner permission is permitted, Separately generated from a target device to a communication addressed to the communication partner of the target device and from a communication partner of the target device to a communication addressed to the target device, and generated based on the identification information, and the generated communication partner permission information As an element of the communication partner permission whitelist,
The output control unit
Based on the communication partner permission information, generating path information for determining an output destination corresponding to communication addressed to the target device from a communication partner of the target device
The communication control apparatus according to claim 5. The output control unit
Sending the path information to the switch unit to control the switch unit;
The communication control apparatus according to any one of claims 2 to 6. The output control unit
A set of layer 3 source information and destination information extracted from the identification information given to the received packet is the layer 3 source information and destination of the communication partner permission information stored in the communication partner permission white list. Matches at least one of the pair with information, and
The identification information of the lower layer including the identification information of the port that has received the packet or the logical identification information of the port to which the packet was transmitted matches the identification information of the lower layer of the communication permission information stored in the communication permission white list. Determining the output destination of the received packet so as to forward the received packet to a desired destination when
The communication control device according to claim 6. The specific information acquisition unit
Obtaining the specific information determined based on a part or all of the target device, a communication entity in the target device, and a communication service of the target device;
The communication control apparatus according to claim 7 or 8. The identification information acquisition unit
As the identification information given to the received packet, the identification information including part or all of the layer 1 identifier, the layer 2 address, the layer 3 address, and the layer number of the layer 4 protocol of the communication layer is acquired.
The communication control apparatus according to claim 7 or 8. The identification information acquisition unit
Obtaining the identification information from the result of a part or all of the authentication process, the quarantine process, and the layer 3 address assignment process resulting from the communication request from the target device;
The communication control device according to claim 10. The identification information acquisition unit
Monitoring a packet transmitted from the target device or the entity or a communication protocol used in communication by the target device or the entity to obtain the identification information;
The communication control apparatus according to claim 9. The WL management unit
Let the switch unit make a determination based on the identification information given to the received packet and the information of the communication partner permission white list,
The output control unit
When the switch unit determines that the received packet is sent to the target device, the switch unit is controlled to output the received packet toward the target device. Item 9. The communication control device according to Item 8. The output control unit
By controlling the switch unit in a state where the communication partner of the target device exists in a range where security can be ensured,
The identification information acquisition unit
The communication control device according to any one of claims 7 to 13, wherein the identification information is acquired in a state in which a communication partner of the target device exists within a range in which security can be ensured. The output control unit
The combination of the transmission source information and the destination information extracted from the identification information given to the received packet is any of the combination of the transmission source information and the destination information of the communication partner permission information stored in the communication partner permission white list. To prevent forwarding of the received packet when a non-matching state that does not match
The communication control device according to claim 13. The output control unit
Informing the occurrence of the mismatch state when the occurrence of the mismatch state satisfies a predetermined condition;
The communication control device according to claim 15. The specific information acquisition unit
Obtaining the specific information determined by verifying the validity of the candidate target device based on the manufacturer information extracted from the layer 2 address of the candidate target device to be the target device candidate;
The communication control apparatus according to any one of claims 1 to 16. The specific information acquisition unit
Obtaining the specific information determined based on a result of performing a port scan on a candidate target device that is a candidate for the target device;
The communication control apparatus according to any one of claims 1 to 16. The specific information acquisition unit
Obtaining the specific information determined based on a packet transmitted by the candidate target device to be a candidate for the target device or a result of monitoring a communication protocol to be used;
The communication control apparatus according to any one of claims 1 to 16. The specific information acquisition unit
The specific information is determined based on a packet transmitted from a candidate target device that is a candidate for the target device or a monitoring result of a communication protocol used in communication by the candidate target device, and the determined specific Get information,
The communication control apparatus according to any one of claims 1 to 16. The specific information acquisition unit
Obtaining the specific information determined based on a directory service and a rule-based search result relating to a candidate target device to be a candidate for the target device;
The communication control apparatus according to any one of claims 1 to 16. The identification information acquisition unit
Monitoring a packet transmitted from the target device or the entity or a communication protocol used in communication by the target device or the entity to obtain the identification information;
The communication control device according to claim 12. The identification information acquisition unit
Obtaining the identification information determined based on a search result of a directory service and a rule base related to a candidate target device to be a candidate for the target device;
The communication control apparatus according to any one of claims 1 to 16. The WL management unit
When communication corresponding to the communication permission information does not occur for a predetermined period, the communication permission information from the communication permission white list, and when communication corresponding to the communication partner permission information does not occur for a predetermined period, Delete the communication partner permission information from the communication partner permission white list,
The communication control device according to claim 6. A communication control method for generating control information for controlling the switch unit based on information obtained from a switch unit having a plurality of physical ports,
In communication via the switch unit, a specific information acquisition unit that acquires specific information that specifies at least one of a target device that communicates by limiting a communication partner or the target device, and
An identification information acquisition unit for acquiring identification information for identifying communication specified based on the specific information;
It is assumed that the communication included in the combination of the transmission source information and the destination information determined based on the identification information is a combination of the transmission source information and the destination information given to the packet received by the switch unit. An output control unit that generates route information for determining an output destination from the switch unit for a packet received by the switch unit, and includes the route information in the control information,
Communication control method for causing a computer to function. A computer of a communication control device that generates control information for controlling the switch unit based on information obtained from the switch unit having a plurality of physical ports,
In communication via the switch unit, a specific information acquisition unit that acquires specific information that specifies at least one of a target device that communicates by limiting a communication partner or the target device, and
An identification information acquisition unit for acquiring identification information for identifying communication specified based on the specific information;
It is assumed that the communication included in the combination of the transmission source information and the destination information determined based on the identification information is a combination of the transmission source information and the destination information given to the packet received by the switch unit. An output control unit that generates route information for determining an output destination from the switch unit for a packet received by the switch unit, and includes the route information in the control information,
Program to make it function.

Images