JP2017212705A - Communication controller, communication system, communication control method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve a security level of network security on the wide-area network side, using a simpler method.SOLUTION: A communication controller 11 controls communication via an own network NW1 and other networks NW2, 3 differing from the own network, each of all networks functioning as an autonomous system. A control unit, on the basis of a plurality of types of conditions including a regulation condition for limiting at least communication between the own network and the other networks and a permission condition for permitting at least communication inside the own network, sets a regulation condition on the basis of a request using communication satisfying the permission condition; and limits one or both of communication corresponding to the regulation condition and communication against the permission condition.SELECTED DRAWING: Figure 1

Description

  Embodiments described herein relate generally to a communication control device, a communication system, a communication control method, and a program.

2. Description of the Related Art Conventionally, a communication device (communication control device) that communicates communication in a network including a plurality of nodes according to a communication rule defined by the network administrator is known. There is a related technology called OpenFlow (registered trademark). In OpenFlow, the controller centrally manages the switches of each node (see Patent Document 1 and Non-Patent Document 1).
By the way, cyber attacks on devices and systems connected to the network are increasing, which is a big threat on a global scale. On the other hand, the network user implements measures for protecting the devices and systems used or managed by the network user or the network on the network user side.

Special table 2014-526810 gazette

“OpenFlow Switch Specification Version 1.3.1,” The Open Networking Foundation, (2013), [online], [searched January 7, 2016], Internet <https://www.opennetworking.org/images /stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.3.1.pdf>

  However, conventional network security measures are mainly implemented on the network user side, and it has been difficult to increase the security level on the wide area network side.

  The problem to be solved by the present invention is to provide a communication control device, a communication system, a communication control method, and a program capable of increasing the security level of the network security on the wide area network side by a simpler method.

  In order to achieve the above object, a communication control apparatus according to one aspect of the present invention is a communication control apparatus that controls communication through a local network that functions as an autonomous system and another network different from the local network, The permission condition based on a plurality of conditions including at least a restriction condition for restricting communication between the local network and the other network and at least a permission condition for permitting communication within the local network. The control unit is configured to set the restriction condition based on a request by communication satisfying the condition and restrict one or both of communication corresponding to the restriction condition and communication contrary to the permission condition.

  In the communication control device according to an aspect of the present invention, the restriction condition includes a condition for selecting a specific packet as a discard target, and the permission condition is for permitting communication by the specific packet. Condition is included.

  In the communication control device according to one aspect of the present invention, the restriction condition includes a condition for specifying a packet having anonymity, and the control unit specifies the packet having anonymity. In addition, a communication packet that meets the conditions for satisfying the permission condition is identified, and identification information is given to the packet.

  In the communication control device according to one aspect of the present invention, the control unit performs control so as to permit communication of the packet to which the identification information is added.

  In addition, a communication control device according to an aspect of the present invention is arranged at a boundary portion with the other network in the own network configured to include a router that transfers the communication packet.

  Further, in the communication control device according to one aspect of the present invention, the control unit acquires routing information of the router from at least some or all of the routers included in the own network, and based on the acquired routing information The communication from the other network side toward the local network side is permitted or restricted according to the source address of the communication.

  In the communication control apparatus according to an aspect of the present invention, the control unit responds to the request notified from the transmission source of the request using a unidirectional communication procedure under authenticated communication. The restriction condition is set.

  Further, in the communication control apparatus according to one aspect of the present invention, the control unit restricts transfer of the packet based on identification information that identifies a packet sent to an address space that should be unused in the address space. A blocking request for requesting to be acquired is acquired, and communication using the packet corresponding to the blocking request is controlled based on a predetermined processing rule.

  Further, in the communication control apparatus according to an aspect of the present invention, the control unit is a search packet for searching for a terminal without specifying a destination based on the specification information, the packet for limiting the transfer, Alternatively, it is identified whether the packet is a DDoS attack rebound packet, and communication using the packet corresponding to the blocking request is controlled based on the identification result and the processing rule.

  A communication system according to an aspect of the present invention includes: the communication control device; a communication amount of a communication packet that satisfies the restriction condition among the conditions; and a communication packet that violates the permission condition among the conditions. A counting unit that counts the amount of communication according to the type of condition for each communication path; and a charging control unit that outputs a value determined from the amount of communication counted by the counting unit.

  In the communication system according to an aspect of the present invention, the restriction condition includes one or both of a condition for discarding the packet and a condition for maintaining anonymity of the packet.

  In the communication system according to an aspect of the present invention, the permission condition includes a condition for permitting communication by the packet, a condition for permitting transfer of the packet, a condition for permitting a communication partner for communication by the packet, A condition for indicating an authentication level of a transmission source node which is a packet transmission source or a transmission source entity of the packet, and a part or all of a condition for indicating the soundness of the transmission source are included.

  The communication system according to one aspect of the present invention includes a switch unit having a plurality of connection ports connected to a device other than the device itself, and the communication path is specified by the connection port of the switch unit.

  In the communication system according to an aspect of the present invention, the communication path is specified by a condition for permitting communication by the packet and a reverse path determined by a condition for permitting transfer of the packet.

  In the communication system according to an aspect of the present invention, the counting unit includes at least one count value of a coefficient determined for each condition and the number of packets and the amount of information received for each communication path. Based on the above, the communication amount is calculated.

  Further, a communication control method according to an aspect of the present invention is a communication control method for controlling communication through a local network that functions as an autonomous system and another network different from the local network, and at least the local network A request by communication satisfying the permission condition based on a plurality of types of conditions including a restriction condition for restricting communication with the other network and at least a permission condition for permitting communication within the own network. The restriction condition is set based on the restriction condition, and one or both of communication corresponding to the restriction condition and communication contrary to the permission condition are restricted.

  In addition, a program according to an aspect of the present invention provides a computer of a communication control device that controls communication through a local network that functions as an autonomous system and another network different from the local network, at least the local network and the other network. Based on a request by a communication satisfying the permission condition based on a plurality of types of conditions including a restriction condition for restricting communication with the network and at least a permission condition for permitting communication within the own network. The restriction condition is set, and a step for restricting one or both of communication corresponding to the restriction condition and communication contrary to the permission condition is executed.

  According to one aspect of the present invention, the security level of network security on the wide area network side can be increased by a simpler method.

1 is a configuration diagram showing a communication system according to a first embodiment. It is a figure which shows the structural example of the communication system which concerns on this embodiment. It is a flowchart which shows the procedure of the process for implementing the security measure of an IoT apparatus. It is a figure which shows eMLBR11. It is a figure which shows an example of the discard table. It is a figure which shows an example of the anonymity flag setting table 1127. It is a figure which shows an example of the packet type table 1122. It is a figure which shows an example of the SCOPE table 1123. It is a figure which shows an example of the MLB table 1124. It is a figure which shows an example of the routing table 1125. FIG. 5 is a diagram illustrating an example of a QoS table 1126. FIG. It is a figure which shows the packet header of IPv4. It is a figure which shows the packet header of IPv6. It is a figure which shows the conditions regarding the setting of the authentication flag F1. It is a state transition diagram regarding the setting of the authentication flag F1 in eMLBR11. It is a state transition diagram regarding the setting of the authentication flag F1 in iMLBR12 and bMLBR13. It is a figure which shows the conditions regarding the setting of the anonymous flag F2. It is a state transition diagram regarding the setting of the anonymous flag F2. It is a figure which shows the relationship between the function element arrange | positioned in each MLBR10, and the effect by it. It is a figure for demonstrating the process by the combination of a 1st rule, a 2nd rule, and a 6th rule. It is a figure which shows the structural example which deployed only bMLBR13. It is a figure which shows the outline | summary of the communication system of a 1st modification. It is a figure which shows the structure of the communication system 1 of 2nd Embodiment. It is a figure which shows the outline | summary of a communication system. It is a figure which shows bMLBA13A. An example of the MLB table 1324 is shown. It is a figure which shows the conditions regarding the setting of the authentication flag F1. It is a figure for demonstrating the method to restrict | limit the communication by the packet to which the address of the dark net of 3rd Embodiment was designated. It is a figure which shows a sequence when a search packet is detected by the fixed point observation system 85. FIG. It is a flowchart which shows the procedure of the accounting process with respect to the unauthorized packet of 4th Embodiment. It is a flowchart which shows the procedure of the update process of a 2nd rule. It is a flowchart which shows the procedure of the update process of a 2nd rule.

  Hereinafter, embodiments of a communication control device, a communication system, a communication control method, and a program according to the present invention will be described with reference to the drawings.

(First embodiment)
FIG. 1 is a diagram illustrating a configuration of a communication system 1 according to the present embodiment. The communication system 1 forms a network NW1. The network NW1 is connected to one or more other networks that can communicate with each other. The network NW2, the network NW3, the network NW4, and the network NW6 are examples of other networks. Each of network NW1, network NW2, network NW3, network NW4, and network NW6 functions as an autonomous system. In the following description, the network NW1, the network NW2, the network NW3, the network NW4, the network NW6, and the like may be collectively referred to as a network NW. For example, each network NW is independently managed by a different provider (ISP (Internet Service Provider)) or the like, and communication rules (policy or the like) defined by the administrator are different. For example, the networks NW are connected to each other, and each constitutes a part of the Internet (wide area network), for example. Each network NW may be connected to various server devices and various terminal devices (such as receiving terminals) not shown.

Each network is connected to each other. In the network NW of the comparative example, an aggressive packet may flow into the network NW1 from the other network side and be affected by it. The communication system 1 of this embodiment reduces the influence of the above aggressive packets by any or all of the following methods.
Add a communication rule for restricting communication by an unauthorized packet in the communication system 1 to increase the security level of network security.
Restricting the transfer of illegal packets through the network NW1, making it difficult to search the usage status in the network NW1 from outside the network NW1.
-The advantage of introducing measures to increase the security level of the network NW can be objectively evaluated, and the introduction is promoted for each network NW.
Hereinafter, each method will be described in order.

  In each communication system according to the present embodiment, the following communication restriction is added to the communication rule (policy or the like) determined by the administrator to restrict communication using illegal packets for each communication system. The communication rules to be added are defined by dividing into the following six rules.

  The first rule defines what is not permitted to communicate in the own communication system as restricted communication. For example, the communication system 1 manages, as “discard target information”, a condition (“discard target condition”) for selecting a communication packet determined as a target to be limited as a discard target packet. The communication system 1 regulates communication to be restricted by using a black list (“discard target black list”) that lists discard target information or a “discard table” that is tabulated. The communication system 1 may store the discard target black list or the discard table in the discard target storage unit of each device. Restrictions may include those common to each device or unique to each device. Note that “discard” in the above and the following explanations restricts communication based on at least one of the destination information and the source information given to the packet, or at least one of the destination information and the source information. Such as a case where communication based on at least one of destination information is not permitted or communication based on at least one of destination information is blocked and output to a specific port is included. Collectively, it is simply called “disposal”.

  The second rule defines conditions for permitting communication in the local communication system. For example, the communication system 1 collectively manages the conditions for selecting packets by permitted communication (“communication permission conditions”) in “communication permission information”. The communication system 1 extracts permitted communication by using a white list (“communication permission white list”) in which communication permission information is listed or a tabulated “MLB table”. Details of the MLB table will be described later. The “communication permission white list” is an example of a white list.

  The third rule defines a “routing condition” for extracting a destination IP address from an IP header of a communication packet in the communication system and transferring it to the next pop node or discarding if the corresponding network address is not in the table. For example, the communication system 1 manages the routing condition as “routing information”. The communication system 1 uses a white list (“transfer permission white list”) that lists “routing information” or a “routing table” that is tabulated to transfer or discard the packet to the next pop node. To do. Since the routing table is well known, detailed description is omitted. The “transfer permission white list” is an example of a white list.

  The fourth rule defines conditions that limit what is permitted as a communication partner in the communication system. For example, the communication system 1 manages the conditions for selecting packets from limited communication partners (“communication partner permission condition”) in “communication partner permission information”. The communication system 1 extracts a limited communication partner by using a white list (“communication partner permission white list”) that lists communication partner permission information or a tabulated “QoS table”. Details of the QoS table will be described later. The “communication partner permission white list” is an example of a white list.

  The fifth rule defines a condition for clearly indicating that a packet has a relatively low network security risk due to communication in the packet.

  For example, the communication system 1 manages the conditions for selecting a transmission source that satisfies a predetermined reliability criterion (“authenticated transmission source condition”) in “authenticated transmission source information”, thereby managing the communication. It may be detected that the network security risk is relatively low. The transmission terminal (transmission node) or transmission entity (transmission source entity) that transmitted the packet is an example of the transmission source. The authenticated transmission source information includes information for specifying the transmission terminal or transmission entity that transmitted the packet.

  In the above case, the communication system 1 identifies the packet transmitted from the transmission source determined to satisfy the predetermined reliability criterion by determining the transmission source of the packet based on the authenticated transmission source information. The packet is determined to have a relatively low network security risk. The communication system 1 makes it possible to manage that the packet has a relatively low risk by indicating the result of the determination using the authentication flag F1. The communication system 1 may determine whether or not the transmission source satisfies a predetermined reliability standard by an authentication process or a quarantine process when a communication connection request is made. In that case, based on the result of the above processing, the communication system 1 determines the state of the authentication flag F1 and sets the authentication flag F1 of the packet.

  Note that when the above determination is performed and a flag corresponding to the determination result is set in the packet, the device or the receiving device that relays the packet determines whether or not the above case is true. It can replace with determination of the state of "authentication flag F1". A specific method for assigning the “authentication flag F1” to the packet will be described later.

  The sixth rule defines a condition for clearly communicating that a packet has a relatively high network security risk due to communication.

For example, the communication system 1 uses address information, e-mail address information, account information, telephone number, URL (Uniform Resource Locator), URI (Uniform Resource Identifier), URI (URN), URN for detecting a packet whose source or destination is concealed or spoofed. By collectively managing (Uniform Resource Name), domain name, or FQDN (Fully Qualified Domain Name), it may be detected that there is a network security risk due to communication or that the risk is relatively high. The communication system 1 lists a part or all of address information, e-mail address information, account information, telephone number, URL, URI, URN, domain name, and FQDN for detecting a packet whose source or destination is concealed or spoofed. Hereinafter, the converted list is collectively referred to as an address list (“anonymous address list”), and packets that satisfy the condition are extracted using the “anonymous address list”. Details of the “anonymous address list” will be described later.
In the above case, the communication system 1 determines that there is a network security risk or a relatively high risk for a packet whose source or destination is concealed or misrepresented. The risk flag RF is used to manage that the degree criterion is not necessarily satisfied. The communication system 1 may determine whether the packet is a packet in which the transmission source or destination is concealed or spoofed based on information provided from the outside. Based on the result of the determination, the communication system 1 determines the state of the risk flag RF and sets the risk flag RF of the packet. Details of the above determination will be described later.

  When the above determination is performed and a flag corresponding to the determination result is set in the packet, the device or the receiving device that relays the packet determines whether the above case is true or not. Instead of determining the state of the flag RF. A specific method for assigning the “risk flag RF” to the packet will be described later.

  Note that the fifth rule does not indicate that communication of the packet is encouraged unlike the white list. Further, the sixth rule does not indicate that communication of the packet should be restricted unlike the black list. Both the fifth rule and the sixth rule define that the result of determination according to a predetermined determination criterion is indicated in the packet. Since a flag indicating the determination result is provided in the packet as described above, the terminal device on the receiver side determines whether or not the packet should be received by referring to the flag. It becomes possible. In the communication system 1, the terminal device on the receiver side is caused to perform the packet processing based on the result of the determination based on the designation of the receiver. Thus, the communication system 1 supports the realization of a safe and secure Internet environment while maintaining the Internet culture having features such as autonomous decentralization and self-responsibility.

  The communication system 1 controls the communication using some or all of the above rules.

  In the following description of the present embodiment, when the communication permission white list of the second rule, the transfer permission white list of the third rule, and the communication partner permission white list of the fourth rule are described without being distinguished, simply “ White list. Further, all or part of the communication permission information of the second rule, the routing information of the third rule, and the communication partner permission information of the fourth rule are collectively referred to as route information. In addition, a specific device that communicates with communication partners limited in the communication system 1 is referred to as a target device, and information that specifies either the target device or communication by the target device is referred to as specific information. For example, the specific information includes information for generating communication permission information or communication partner permission information.

  Information for identifying a specific device or communication may be referred to as identification information. For example, when the identification information given to the received packet is acquired, the layer 1 identifier, the layer 2 (L2) address, the layer 3 (L3) address (IP address), and the layer 4 ( L4) Information including part or all of the port number of the protocol is included in the identification information. Further, the identification information for specifying a specific communication partner includes the IP address or URL (Uniform Resource Locator) of each device. The routing information of the third rule may be defined by the destination IP address as the identification information.

  In the following description of the present embodiment, the case of IPv4 (Internet Protocol version 4) will be described as an example, but the same method as the processing shown in the present embodiment is applied to the case of IPv6 (Internet Protocol version 6). can do.

  The communication system 1 includes an eMLBR (egress Multi Layer Binding Router) 11, an iMLBR (ingress MLBR) 12, a bMLBR (border MLBR) 13, a relay device 14, and a management host 15. In the following description, eMLBR11, iMLBR12, and bMLBR13 may be collectively referred to as MLBR10. Each MLBR 10 functions as a communication node of the communication system 1. The communication system 1 configures a network NW1 with a plurality of MLBRs 10. The MLBRs 10 in the network NW1 may be directly connected to each other or may be connected via the relay device 14 or the like.

  Terminals such as a terminal device 17 operated by a user and various data terminals 18 collectively called IoT (Internet of Things) and the like are connected to the communication system 1 so that they can communicate with each other. For example, the terminal device 17 and the data terminal 18 perform desired communication due to requests from each terminal or the like via the eMLBR 11 or the like. Various data terminals 18 collectively referred to as IoT and the like are examples of target devices.

  The management host 15 may perform basic settings in the communication system 1 and monitor the state of each MLBR 10. Furthermore, the management host 15 may function as a cooperation server and function as an HRS (Home RADIUS Server) that performs authentication and quarantine of the terminal device 17 and the like. Further, the management host 15 may be configured to store a communication history detected by an IDS (Intrusion Detection System) / IPS (Intrusion Prevention System) or the like. The management host 15 may function as a protocol monitor that monitors the communication protocol. Further, the management host 15 may be configured to perform a port scan for a specific device. Further, the management host 15 may receive the analysis result of the result of capturing the communication state of the network, and may control the MLBR 10 based on the analysis result.

  Similar to the communication system 1, the communication system 2 forms a network NW2. The communication system 2 includes an eMLBR 21, an iMLBR 22, a bMLBR 23, and a management host 25. The communication system 3 forms a network NW3. The communication system 3 includes an eMLBR 31, an iMLBR 32, a bMLBR 33, and a management host 35. EMLBR21, iMLBR22, bMLBR23, management host 25 in the communication system 2, eMLBR31, iMLBR32, bMLBR33, and management host 35 in the communication system 3 are the eMLBR11, iMLBR12, and bMLBR13 in the communication system 1, respectively. Each corresponds to the management host 15.

  The communication system 4 of the comparative example forms a network NW4. Unlike the communication system 1, the communication system 4 does not include the MLBR 10, and includes a router having technical characteristics different from the technical characteristics of the MLBR 10. The communication system 4 is connected to the network NW1 via one border router (not shown) in the network NW4.

  Hereinafter, an example of a network security measure for communication performed using packets in the communication system 1 will be described. The communication system 1 shown below may be applied, for example, when the transmission terminal is authenticated as a connection request source that should allow communication, or when the communication connection request source is quarantined.

(Authentication of sending terminal)
As an authentication method for authenticating a transmission terminal as a connection request source that should permit communication, a different method can be taken depending on the type of the terminal device. For example, if the transmission terminal is a general-purpose personal computer or the like, it is known that many of them can use IEEE802.1X authentication by a function such as an OS (Operating System). If the transmission terminal is general-purpose, IEEE802.1X authentication can be used to limit the range of allowed communication or indicate that the transmission source has been authenticated.
On the other hand, some IoT devices cannot use IEEE802.1X authentication. For IoT devices that can use IEEE802.1X authentication, IEEE802.1X authentication can be applied in the same way as general-purpose terminal devices, but for IoT devices that cannot use IEEE802.1X authentication, the same method as general-purpose terminal devices is used. Can not do it. The IoT device exemplified in the following description is an example of a communication terminal device that cannot use IEEE802.1X authentication, for example.

Therefore, in the communication system 1, for the IoT device, the terminal device is authenticated by one of the following methods.
As a first method, since most IoT devices communicate with a specific communication partner, a terminal device that requests communication connection to the specific communication partner is authenticated as a valid IoT device.
As a second method, it is determined from the attribute information transmitted by the device that the device is an IoT device. For example, the MAC address of the device may be the above attribute information, and the terminal device may be authenticated as a valid IoT device based on the attribute information.

  The communication system 1 manages the correspondence between physical ports or (secure) channels, MAC addresses, and IP addresses held and managed by the MLBR 10. For example, the communication system 1 determines that a packet that does not satisfy the above-described correspondence is not permitted to be discarded, and discards the packet. Note that “packet” in the following description includes a frame such as a so-called MAC frame in which a MAC header and a trailer are added to the packet in layer 2, and these are collectively referred to simply as “packet”.

(MLBR10)
There are a plurality of types of MLBRs 10 constituting the communication system 1, and the configurations and uses thereof are different from each other. The eMLBR 11 installed at the egress on the user network side, the iMLBR 12 installed at the end (edge) on the user side of the network NW 1, and the bMLBR 13 arranged at the border between other networks , MLBR10 is an example. By arranging each type of MLBR 10 as described above, for example, even if a packet spoofing a large number of source IP addresses is sent from an external network, the attack packet in which bMLBR13 or the like deviates from the reverse path of the routing table. Shut off. Further, the bMLBR 13 or the like performs processing more accurately by combining and using information other than the source IP address when executing the processing. For example, information other than the source IP address includes the IP address of the terminal device 17 that requested the discard of the attack packet or the communication terminal actually attacked, the port number of the layer 4 (L4) such as TCP, the control flag, etc. May be included.

  Each MLBR 10 in the communication system 1 will be described with reference to FIG. FIG. 2 is a diagram illustrating a configuration example of the communication system 1. Details of the MLBR 10 in the communication system 1 will be described in order.

(EMLBR11)
The eMLBR 11 (communication control device) includes a controller 111 (control unit), an IF unit 113, an IF unit 114, a switch unit 112 (transfer unit), and a storage unit 115. The combination of the controller 111 and the storage unit 115 is an example of a communication control device.

  The IF unit 113 is an interface with the terminal device 17 or the data terminal 18. For example, when communicating with the terminal device 17 or the data terminal 18 by wire, the IF unit 113 is provided corresponding to the physical port to which the communication line is connected, and switches the packet acquired from the communication line via the physical port. The packet that is output to 112 and transferred by the switch unit 112 is output to a communication line connected to the physical port. Further, for example, when wirelessly communicating with the terminal device 17 or the data terminal 18, the IF unit 113 is provided corresponding to a (secure) channel of wireless communication, and switches a packet acquired from a specific (secure) channel. The packet that is output to 112 and transferred by the switch unit 112 is output to a specific (secure) channel or a wired physical port. Hereinafter, physical ports and (secure) channels are collectively referred to as connection ports.

  The IF unit 114 is an interface when communicating with other MLBR 10 or the like. For example, the IF unit 114 is provided corresponding to the physical port to which the communication line is connected, and outputs a packet acquired from the communication line to the switch unit 112 via the physical port. Further, the packet transferred from the switch unit 112 is output to a communication line connected to the physical port. The connection with the other MLBR 10 or the like may be a wireless line.

  The switch unit 112 transfers a packet between the IF unit 113, the IF unit 114, the controller 111, and the like based on the conditions set by the controller 111. For example, the switch unit 112 controls the transfer of the packet based on each header information from the layer 2 (L2) to the layer 4 (L4) of the protocol stack, physical port identification information, and the like. Details of the packet transfer process will be described later.

  The storage unit 115 includes a nonvolatile storage device such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable and Programmable Read Only Memory), and an HDD (Hard Disk Drive), and a volatile memory such as a RAM (Random Access Memory) register. Realized by a storage device. The storage unit 115 stores a program for causing the eMLBR 11 to function, a plurality of tables for controlling the switch unit 112, communication history information, and the like.

  For example, the first storage unit 1151, the second storage unit 1152, the third storage unit 1153, the fourth storage unit 1154, the fifth storage unit 1155, and the sixth storage unit 1156 are examples of the plurality of tables. The first storage unit 1151 stores a first rule (discard target blacklist) that defines conditions for restricting transfer of received packets (received data) received by the eMLBR 11. The received packet includes header information and data (received data). The second storage unit 1152 stores a second rule (communication permission white list) that defines conditions for permitting transfer of received packets. The third storage unit 1153 stores a third rule (routing table, route information, transfer permission white list) that defines a routing condition for determining a packet transfer destination. The fourth storage unit 1154 stores a fourth rule (communication partner permission white list, route information) that defines conditions for permitting only communication with a limited communication partner. The fifth storage unit 1155 stores a fifth rule that defines a condition (authenticated transmission source information) for selecting a transmission source that satisfies a predetermined reliability criterion. The sixth storage unit 1156 stores a sixth rule that defines a condition (anonymous address list) for detecting a packet whose source or destination is concealed or spoofed.

  The controller 111 includes a processor such as a CPU (Central Processing Unit). The controller 111 stores at least one of information obtained from the switch unit 112 having a plurality of physical ports and information of a plurality of tables stored in the storage unit 115 by a program stored in the storage unit 115. Based on this, the switch unit 112 is controlled. For example, the controller 111, based on various information acquired from the management host 15, requests from the terminal device 17 or the data terminal 18, and the like, the first storage unit 1151, the second storage unit 1152, the third storage unit 1153, the fourth storage. The storage unit 1154, the fifth storage unit 1155, and the sixth storage unit 1156 are updated as necessary, and the transfer process of the switch unit 112 is changed. More specifically, as will be described later, the first rule stored in the first storage unit 1151 is stored in the discard table 1121 in the switch unit 112, and the second rule stored in the second storage unit 1152 is stored in the switch unit 112. In the MLB table 1124, the third rule stored in the third storage unit 1153 is stored in the routing table 1125 in the switch unit 112, and the fourth rule stored in the fourth storage unit 1154 is stored in the QoS table in the switch unit 112. The fifth rule stored in the first storage unit 1155 is stored in the MLB table 1124 in the switch unit 112, and the sixth rule stored in the sixth storage unit 1156 is stored in the anonymous flag setting table 1127 ( Registered in the second flag setting means) and referred to when controlling the transfer of each table packet. At that time, the information of the packet header is appropriately changed according to the function of each table.

  Communication messages in the communication system 1 are communicated as frames or packets. Identification information for identifying the frame or packet including the communication message is added to the header information of the frame or packet.

  The specific information acquisition unit 1111 specifies specific information for specifying a target device such as the data terminal 18 that communicates by limiting communication partners in communication via the switch unit 112 or specific information for specifying communication by the target device such as the data terminal 18 At least one of the above is acquired. Details of the specific information will be described later.

  The identification information acquisition unit 1112 acquires identification information for identifying communication specified based on the specific information. The identification information acquisition unit 1112 may acquire identification information from the result of a part or all of the authentication process, the quarantine process, and the layer 3 address assignment process caused by the communication request from the data terminal 18. Details of the method for acquiring the identification information will be described later.

  The WL management unit 1113 extracts conditions for permitting communication, generates a white list, and manages the conditions. This white list includes one or both of the communication permission white list of the second rule and the communication partner permission white list of the fourth rule.

  The output control unit 1114 generates routing information for selecting an output port of the switch unit 112 having a plurality of output ports. Details of the WL management unit 1113 and the output control unit 1114 will be described later.

  The management unit 1115 manages the result of the authentication process of the transmission source acquired by the identification information acquisition unit 1112 or the result of the quarantine process. Further, the management unit 1115 extracts, from these results, transmission source authentication information related to the authenticated transmission source or the transmission source of the packet in which no abnormality is found in the quarantine processing result, and stores it in the fifth storage unit 1155. Write.

  In addition, the management unit 1115 acquires information related to “authenticated transmission source conditions” and the like provided from an external device, and writes the information in the fifth storage unit 1155. In addition, the management unit 1115 acquires information related to an “anonymous address list” provided from an external device, and writes the information in the sixth storage unit 1156.

(IMLBR12)
The iMLBR 12 includes a controller 121, an IF unit 123, an IF unit 124, a switch unit 122, and a storage unit 125. The first storage unit 1251, the second storage unit 1252, the third storage unit 1253, the fourth storage unit 1254, the fifth storage unit 1255, and the sixth storage unit 1256 included in the storage unit 125 are examples of the plurality of tables. It is. The first storage unit 1251 stores a first rule (discard target blacklist) that defines conditions for restricting transfer of received packets (received data) received by the iMLBR 12. The received packet includes header information and data (received data). The second storage unit 1252 stores a second rule (communication permission white list) that defines conditions for permitting transfer of received packets. The third storage unit 1253 stores a third rule (routing table, route information) that defines a routing condition for determining a packet transfer destination. The fourth storage unit 1254 stores a fourth rule (communication partner permission white list, route information) that defines conditions for permitting only communication with a limited communication partner. The fifth storage unit 1255 stores “a fifth rule that defines a condition (authenticated transmission source information) for selecting a transmission source that satisfies a predetermined reliability criterion. The sixth storage unit 1256 stores the transmission source or the destination. 6th rule which defined the conditions (anonymous address list) for detecting the packet which concealed or spoofed.

  The authenticated transmission source information corresponding to the fifth rule is one that satisfies a predetermined reliability criterion among the terminals registered in the MLB table 1224, and corresponds to a white list. The predetermined reliability standard indicates, for example, a predetermined standard used for IEEE802.1X authentication or quarantine, and simple authentication standards such as ARP reflection for IoT devices are not applied.

  If the packet satisfies the predetermined reliability criterion, the authentication flag F1 is set by the eMLBR11. Even if the terminal device arbitrarily transmits a packet in which the authentication flag F1 is set to the eMLBR11 or iMLBR12, the eMLBR11 or iMLBR12 that has received the packet resets the set authentication flag F1. An authentication level or a quarantine level may be added to the MLB table 1124 or may be provided separately as an authentication / quarantine table. The management host 15 may periodically re-authenticate and re-quarantine each terminal device to update the authentication level, the quarantine level, and the authentication / quarantine table.

  On the other hand, the anonymous address list includes an IP address or a camouflaged email address, a camouflaged account, a camouflaged phone number, a camouflaged URI, a camouflaged URN, a camouflaged domain name, or a camouflaged FQDN This is to identify a packet having. For the packet corresponding to this, the risk flag FR is set by eMLBR11, iMLBR12, or bMLBR13.

  The controller 121 includes, for example, a processor such as a CPU, a volatile or nonvolatile storage device, and the like. The controller 121 stores at least one of information obtained from the switch unit 122 having a plurality of physical ports and information of a plurality of tables stored in the storage unit 125 by a program stored in the storage unit 125. Based on this, the switch unit 122 is controlled. For example, the controller 121, based on various information acquired from the management host 15, requests from the terminal device 17 or the data terminal 18, and the like, the first storage unit 1251, the second storage unit 1252, the third storage unit 1253, the fourth. The storage unit 1254, the fifth storage unit 1255, and the sixth storage unit 1256 are updated as necessary, and the transfer process of the switch unit 122 is changed. The switch unit 122 includes a discard table 1221, a packet type table 1222, a SCOPE table 1223, an MLB table 1224, a routing table 1225, a QoS table 1226, and an anonymous flag setting table 1227 as flow tables at each stage. For example, the first rule stored in the first storage unit 1251 is stored in the discard table 1221 in the switch unit 122, and the second rule stored in the second storage unit 1252 is stored in the MLB table 1224 in the switch unit 122. The third rule stored in the storage unit 1253 is stored in the routing table 1225 in the switch unit 122, the fourth rule stored in the fourth storage unit 1254 is stored in the QoS table 1226 in the switch unit 122, and the fifth storage unit 1255. The stored fifth rule is registered in the MLB table 1224 in the switch unit 122, and the sixth rule stored in the sixth storage unit 1256 is registered in the anonymous flag setting table 1227 in the switch unit 122 to control packet transfer. To do.

(BMLBR13)
The bMLBR 13 includes a controller 131, an IF unit 133, an IF unit 134, a switch unit 132, and a storage unit 135.
The first storage unit 1351, the second storage unit 1352, the third storage unit 1353, the fourth storage unit 1354, the fifth storage unit 1355, and the sixth storage unit 1356 included in the storage unit 135 are examples of the plurality of tables. It is. The first storage unit 1351 stores a first rule (discard target blacklist) that defines conditions for restricting transfer of received packets (received data) received by the bMLBR 13. The received packet includes header information and data (received data). The second storage unit 1352 stores a second rule (communication permission white list) that defines conditions for permitting transfer of received packets. The third storage unit 1353 stores a third rule (routing table, route information) that defines a routing condition for determining a packet transfer destination. The fourth storage unit 1354 stores a fourth rule (communication partner permission white list, route information) that defines conditions for permitting only communication with a limited communication partner. The fifth storage unit 1355 stores a fifth rule that defines a condition (authenticated transmission source information) for selecting a transmission source that satisfies a predetermined reliability criterion. Specifically, MLBR10 which carried out mutual authentication corresponds. The sixth storage unit 1356 stores a sixth rule that defines a condition (anonymous address list) for detecting a packet whose source or destination is concealed or spoofed.

  The controller 131 includes, for example, a processor such as a CPU, a volatile or nonvolatile storage device, and the like. The controller 131 stores at least one of information obtained from the switch unit 132 having a plurality of physical ports and information of a plurality of tables stored in the storage unit 135 by a program stored in the storage unit 135. Based on this, the switch unit 132 is controlled. For example, the controller 131, based on various information acquired from the management host 15, requests from the terminal device 17 or the data terminal 18, and the like, the first storage unit 1351, the second storage unit 1352, the third storage unit 1353, the fourth storage. The storage unit 1354, the fifth storage unit 1355, and the sixth storage unit 1356 are updated as necessary, and the transfer process of the switch unit 132 is changed. The switch unit 132 includes a discard table 1321, a packet type table 1322, a SCOPE table 1323, an MLB table 1324, a routing table 1325, a QoS table 1326, and an anonymous flag setting table 1327 as flow tables at each stage. For example, the first rule stored in the first storage unit 1351 is stored in the discard table 1321 in the switch unit 132. The second rule stored in the second storage unit 1352 is stored in the MLB table 1324 in the switch unit 132. The third rule stored in the storage unit 1353 is stored in the routing table 1325 in the switch unit 132, the fourth rule stored in the fourth storage unit 1354 is stored in the QoS table 1326 in the switch unit 132, and the fifth storage unit 1355. The stored fifth rule is registered in the MLB table 1324 in the switch unit 132, and the sixth rule stored in the sixth storage unit 1356 is registered in the anonymous flag setting table 1227 in the switch unit 132 to control packet transfer. To do.

  As described above, each MLBR 10 includes a controller and a switch unit. The controller of the MLBR 10 controls the controller and the switch unit of its own device based on the information acquired from the controllers of the other MLBR 10.

(Terminal device 17)
The terminal device 17 is a computer including a CPU and a storage device such as a ROM, EEPROM, HDD, RAM, or register, and functions as a terminal or a server depending on a program to be executed. For example, the terminal device 17 is a general-purpose terminal such as a personal computer or a tablet. The CPU of the terminal device 17 may cause the terminal device 17 to function as IDS / IPS by executing a program. In this case, the terminal device 17 may receive packets that exceed a predetermined communication amount or frequency by IDS / IPS that is mounted on the terminal device 17 or connected to a local area network to which the terminal device 17 is connected, Abnormal behavior or known attack pattern (signature), unknown attack pattern predicted from known attack pattern, or malware expected from known malware or known malware, known exploit code (for program security) As an attack packet based on an unknown exploit code predicted from a known exploit code). In the above detection, a honey pot may be installed. A honeypot is a decoy that attracts attack packets for unauthorized access and diverts the attack. Obtaining virus and worm samples, investigating unauthorized access methods and trends from recorded operation logs and communication logs, etc. It is used for. For example, when the terminal device 17 detects an attack packet, the terminal device 17 blocks the connection to the network NW1.
The eMLBR 11 may transmit a message requesting to interrupt the forwarding of the attack packet in the network NW1 to the iMLBR 12, the bMLBR 13, and the like. For example, the iMLBR 12 or the like may accept a message requesting that the attack packet transfer be interrupted as a discard request message requesting that the attack packet be discarded, and discard the attack packet. In the following description, a message requesting to interrupt the transfer of attack packets is referred to as DRM (Dropping Request Message). For example, the terminal device 17 adds verification data or an authentication code indicating the legitimacy and completeness of the terminal device to the DRM and transmits it to the eMLBR 11 or the like. Further, the DRM is bucket-relayed between the MLBRs 10 so as to approach the transmission source address of the attack packet, and each MLBR 10 that has received the DRM registers it in the first storage unit as the first rule described above.

(Data terminal 18)
The data terminal 18 is a computer including a CPU and storage devices such as a ROM, an EEPROM, an HDD, a RAM, and a register, and is a so-called IoT device that functions as a terminal or a server according to a program to be executed. Assume that the data terminal 18 illustrated in the following description communicates using an IPv4 packet as a packet type and cannot use IEEE802.1X authentication. For example, the data terminal 18 includes various sensors connected to the network, smart meters, connected cars (cars), printers, televisions, refrigerators, smart home appliances, M2M (Machine to Machine) devices, network cameras, vending machines, and the like. Generic terminology for all terminals. The communication partners of these terminals are often limited to specific addresses, URLs, URIs, or URNs.

(Process for controlling the switch unit to implement security measures for terminal devices)
With reference to FIG. 3, the process for implementing the security measure of a terminal device is demonstrated. FIG. 3 is a flowchart illustrating a processing procedure for implementing security measures for the terminal device.

The communication system 1 registers the terminal device as a terminal that performs bidirectional communication in the communication system 1 (S10).
In the communication system 1, for example, the above process (S10) is realized as a combination of a plurality of processes described below.
First, the communication system 1 specifies a target terminal device that limits communication partners (S11).
Next, the communication system 1 acquires identification information (first identification information) that can identify the target specified above (S12).
Next, the communication system 1 acquires identification information (second identification information) that can identify the target communication partner specified above (S13).
Next, the communication system 1 determines the communication partner of the packet transmitted from the target specified as the target to be limited based on the identification information (first identification information and second identification information) acquired above. An element (first element) of the communication partner permission white list for limiting is generated (S14).
Next, the communication system 1 limits the communication partner of the packet transmitted to the target specified as the target to be limited based on the identification information (first identification information and second identification information) acquired above. The communication partner permission white list element (second element) is generated (S15).
Next, the communication system 1 adds the first element and the second element to the communication partner permission white list (S16).
Next, the communication system 1 selects a transmission source (terminal device) that satisfies a predetermined reliability criterion from the target terminal devices identified in S11, and adds the identification information to the authentication list (S18).
Next, the communication system 1 acquires an address list of nodes that are allowed to communicate using an anonymous address from the monitoring apparatus of an authorized organization that can be trusted. For example, the management host 15 generates and registers an anonymous address list from the distributed node address list (S19).
Next, the communication system 1 performs a process for protecting actual communication based on the first element and the second element after registration in the communication partner permission white list (S20), and increases the reliability of the packet. The flag shown is set in the packet (S22).
Thereby, the communication system 1 implements security measures for the terminal device.

[One more specific example]
The following description exemplifies a case where the MLBR 10 is configured by applying the OpenFlow (registered trademark) technology.

(Distributed controller)
Each node of OpenFlow includes an OpenFlow switch unit controlled by an OpenFlow controller. In the general OpenFlow technology, one OpenFlow controller centrally manages a plurality of OpenFlow switches.
Instead, the MLBR 10 of this embodiment includes a controller 111 and a switch unit 112, and the controller 111 provided for each MLBR 10 manages the switch unit 112. The controller 111 may function independently of other MLBR 10 controllers, or may function in conjunction with each other. This is different from the general OpenFlow configuration. Hereinafter, the difference will be mainly described.

For example, the controller 111 includes a specific information acquisition unit 1111, an identification information acquisition unit 1112, a WL management unit 1113, an output control unit 1114, a management unit 1115, a packet-in 1116, a packet-out 1117, and The flow change output unit (Flow-Mod) 1118 is provided.
The packet-in 1116 receives information from the switch unit 112. The packet out 117 outputs the packet and its destination information to the switch unit 112. The flow change output unit (Flow-Mod) 1118 outputs information for changing the setting of the switch unit 112 to the switch unit. Details of other configurations of the switch unit 112 will be described later.

  The controller of the MLBR 10 controls at least the switch unit of its own device to ensure the security of the communication. Note that the controllers of the MLBR 10 may function as a distributed controller by communicating with each other, in which case, for example, DRMs are sequentially transferred. As described above, the DRM is information for limiting transfer in each MLBR 10. The MLBR 10 adds a restriction condition for restricting the transfer without changing the transfer information configured until the DRM is notified, and deletes it individually in units of the restriction condition. As a result, the communication system 1 changes only the restriction condition for restricting the transfer while maintaining the transfer rule in the network NW.

(Example of switch part)
A more specific example of the switch unit will be described with reference to FIGS. FIG. 4 is a diagram showing the eMLBR 11. The switch unit 112 includes a discard table 1121, a packet type table 1122, a SCOPE table 1123, an MLB table 1124, a routing table 1125, a QoS table 1126, and an anonymous flag setting table 1127 as flow tables at each stage. 5A to 10 are diagrams illustrating examples of the discard table 1121, the anonymous flag setting table 1127, the packet type table 1122, the SCOPE table 1123, the MLB table 1124, the routing table 1125, and the QoS table 1126.

(Examples of various tables in the switch section)
In the switch unit 112, the discard table 1121 stores a necessary number of flow entries of packets to be discarded. The flow entry of the packet to be discarded corresponds to the first rule (black list) which is a condition for restricting the transfer of the packet. For example, as shown in FIG. 5A, the discard table 1121 drops a packet that matches the stored flow entry. Packets that do not match the stored flow entry are subject to selection processing by the packet type table 1122. The restriction information defined in the flow entry may be one IP address or a network address including a plurality of IP addresses. Furthermore, by specifying destination IP address, destination port number, source port number, packet length, packet type, TCP control flag, etc., in combination as appropriate, other general users who are trying to send to the same destination IP address as the attack packet Hindering the communication can be suppressed. For example, as a flow entry of the discard table 1121, a network address corresponding to an area where transfer is restricted is defined as a match condition. The discard table 1121 restricts transfer of a packet to which a transmission source IP address included in the address space indicated by the network address is assigned. “129.168.3.0/24” illustrated in FIG. 5A is an example of a network address when described in IPv4.

  For example, as shown in FIG. 5B, the anonymous flag setting table 1127 holds an anonymous address list, and an anonymous flag F2 is set for a packet whose source address or destination address matches any address in the anonymous address list. Set and reset anonymous flag F2 for packets that do not match. Anonymous address list includes, for example, address spoofing (spoofing) among addresses requested from monitoring devices of specific accreditation bodies, e-mail addresses used in a disposable type, and information left as forwarding history information It may be formed including the source address of the received e-mail. An example of detection that the transfer history information includes suspicion is an inconsistency in the correspondence between an email server such as an SMTP (Simple Mail Transfer Protocol) server and the IP address and domain name of the email server. . The anonymous address list may include an IP address, an e-mail address, a telephone number, account information, a URL, a URI, a URN, a domain name, an FQDN, and the like that can specify the source or destination of the packet. When the processing based on the anonymous address list is not performed, the anonymous flag setting table 1127 sets the processing result of the discard table 1121 as a processing target of the packet type table 1122 in the next stage.

  The packet type table 1122 is a packet that remains without being discarded by the discard table 1121, and includes a packet in which the anonymous flag is set as necessary by the anonymous flag setting table 1127, and a packet to be processed from the controller. The flow entry for each packet type is stored. For example, as shown in FIG. 6, the flow entry stored in the packet type table 1122 includes a packet that specifies an IPv4 packet, a packet that specifies an IPv6 packet, and a packet that is transmitted to the controller. The thing which specifies that is included. For example, the action corresponding to the type of each packet is defined as follows in the packet type table 1122. The packet type table 1122 includes ICMPv6 (Internet Control Message Protocol for IPv6) addressed to the own MLBR 10, or ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol), DHCP (Dynamic Host Configuration Protocol), DRP (Dropping Request Message Protocol). ), RIP (Routing Information Protocol), OSPF (Open Shortest Path First), BGP (Border Gateway Protocol), UPnP (Universal Plug and Play), DNS (Domain Name System), SIP (Session Initiation Protocol), NTP (Network Time) Packets used for communication control by each protocol such as Protocol) are packets addressed to the controller 111 (Packet-In), IPv4 packets other than the above are subject to processing by the MLB table 1124, and IPv6 packets other than the above are processed. SCOPE table To be processed by the system 1123. The DRP is a standard in which verification data or an authentication code is added to the DRM. Details of DRP will be described later. The packet type table 1122 updates each table in Flow-Mod if necessary based on the determination result by the controller 111 among the packets addressed to the controller 111, and packets that need to be transferred to other MLBRs are: Return to the switch unit 112 (Packet-Out).

  The SCOPE table 1123 determines whether or not routing of the packet is permitted by determining whether or not the scope (SCOPE) has deviated from the packet specified as the IPv6 packet by the packet type table 1122. For example, as shown in FIG. 7, when it is determined that the source IP address and the destination IP address of the packet belong to the same scope (global address, unique local address, link local address, etc.) and routing is permitted, the SCOPE table 1123 sets the packet as a target of processing by the MLB table 1124. On the other hand, when it is determined that there is a deviation in the scope of the packet and routing is not permitted, the SCOPE table 1123 discards the target packet.

  The MLB table 1124 permits a packet to be transferred to a packet identified as an IPv4 packet by the packet type table 1122 or a packet identified as an IPv6 packet to permit routing according to the SCOPE table 1123. Specify whether or not the packet should be. The specific condition corresponds to the second rule (communication permission white list). The MLB table 1124 functions as a communication permission white list for checking whether the packet is a spoofed packet by combining the MAC address of the IoT device or the host, the IP address, and the identification information of the connection port of the eMLBR 11, but from the IoT device It can also be determined whether or not the packet is transmitted. For example, as shown in FIG. 8, an input port number (IN_Port) of the switch unit 112, a MAC address and an IP address assigned to the IoT device, and the like are set in the match condition. For example, when it is determined that the packet is a packet transmitted from the IoT device (upper part of FIG. 8), the packet transits to the QoS table 1126 (FIG. 10), and whether the destination address is permitted as a communication partner is the QoS table 1126. When the corresponding communication partner permission white list exists in the QoS table 1126, the QoS table 1126 sets the packet as a target of transfer processing by the routing table 1125 (upper row in FIG. 10). FIG. 8 shows an example of the MLB table 1124.

  Further, the MLB table 1124 may set the authentication flag F1 in accordance with the fifth rule for packets determined to be permitted to be transferred (each stage except the lower stage in FIG. 8). The authentication flag F1 may indicate an authentication level or a quarantine level.

  As shown in FIG. 9, when the MLB table 1124 (FIG. 8) determines that the packet is not a spoofed packet, the routing table 1125 outputs the packet to a physical port defined by the routing table 1125. However, if the routing table 1125 determines that the packet is addressed to the IoT device (the upper part of FIG. 9), the packet transits to the QoS table 1126 (FIG. 10), and the transmission source is the communication partner of the IoT device. If there is a corresponding communication partner permission white list, it is set as a transfer process target (middle in FIG. 10). When the routing table 1125 specifies that the packet is not a packet to be transferred (lower part in FIG. 9), the packet may be a target of discard processing according to the third rule of the routing table 1125.

  The QoS table 1126 sets a desired QoS for the packet determined by the MLB table 1124 as a packet transmitted from the IoT device or a packet transmitted to the IoT device. The condition set as QoS corresponds to the fourth rule (communication partner permission white list). For example, as shown in FIG. 10, the desired QoS in the QoS table 1126 includes destinations that exceed the permitted range by permitting packet transfer when the source address and destination address match the match condition. (Restricted in FIG. 10) is included.

(Authentication process using authentication flag F1 based on the fifth rule)
Each device (receiving terminal) such as the MLBR 10, the terminal device 17, and the data terminal 18 in the communication system 1 communicates by using the authentication flag F1 (first flag) based on the above-mentioned fifth rule, thereby connecting the communication. It is possible to detect that the request source is authenticated or that the packet transmitted from the connection request source is quarantined by receiving the packet. By reflecting the determination result for the communication connection request in the authentication flag F1, the receiving terminal or receiving entity that has received the packet can perform authentication processing and quarantine of the transmission source that has transmitted the packet based on the state of the authentication flag F1. Processing can be performed indirectly. In the following description, a receiving terminal or receiving entity that receives a packet may be referred to as a receiving terminal. The terminal device 17 and the data terminal 18 provided on the packet receiving side are an example of a receiving terminal. By using such an authentication flag F1, it is possible to reduce the load caused by packet authentication processing and quarantine processing at the receiving terminal. Hereinafter, an example will be described.

  In the network NW1 configured by the MLBR 10, communication is performed using a packet with the authentication flag F1. For example, the eMLBR 11 performs authentication processing and quarantine processing on the received packet, and reflects the results of the authentication processing and quarantine processing in the authentication flag F1. In the following description, the state in which the authentication flag F1 is set indicates a case where the transmission source that transmitted the packet satisfies a predetermined condition.

As described above, the MLB table 1124 sets the authentication flag F1 to the packet that permits transfer, and discards the packet that does not permit transfer.
Note that the MLBR 10 can communicate a packet without the authentication flag F1 mixed with a packet with the authentication flag F1. In that case, a packet to which the authentication flag F1 is not assigned is determined to have the same reliability as the authentication flag F1 in the reset state.

  FIG. 11A is a diagram illustrating an IPv4 packet header. As shown in FIG. 11A (a), an IPv4 packet header includes a version, a header length, a service type (Type of Service), a total length, an identifier, a flag, a fragment position, a lifetime, a protocol, a checksum, a source address, It consists of fields for destination address and extended information. This packet header is followed by a payload portion for assigning data designated by the upper protocol.

  FIG. 11A (b) shows the service type field among the above. The bit arrangement in the service type field is assigned a priority of 3 bits, a delay of 1 bit, a transfer amount, reliability, and 2 bits of spare bits. Here, the authentication flag F1 and the risk flag RF are assigned to 2 bits of the spare bit, respectively.

  By determining the state of the authentication flag F1 set in this way, the receiving terminal or the like can indirectly determine the transmitting terminal or transmitting entity that is the packet communication source and authenticate it. In the following description, a transmitting terminal or transmitting entity that is a packet communication source may be simply referred to as a transmitting terminal or the like. The terminal device 17 and the data terminal 18 provided on the packet transmitting side are examples of the transmitting terminal.

  The receiving terminal or the like may include receiving means for selectively receiving a packet in which the authentication flag F1 is set in the packet header of the received packet so as to indicate that the network security risk is relatively low. Good. Note that the receiving terminal as described above includes an eMLBR 11 and a firewall.

(Setting method of authentication flag F1)
The authentication flag F1 will be described with reference to FIGS. FIG. 12 is a diagram showing conditions regarding the setting of the authentication flag F1. FIG. 13 is a state transition diagram regarding the setting of the authentication flag F1 in the eMLBR11.

  The eMLBR 11 sets the authentication flag F1 without depending on the state of the authentication flag F1 of the received packet. The eMLBR 11 sets an authentication flag F1 by detecting a packet from a transmission terminal that satisfies a predetermined authentication level and / or quarantine level (<eF1SET>). On the other hand, the eMLBR 11 resets the authentication flag F1 by detecting a packet from an unauthenticated transmitting terminal (<eF1RST>).

  In some cases, such as when the eMLBR 11 is not provided, the iMLBR 12 and the bMLBR 13 receive a packet that does not pass through the eMLBR 11, and set or change the state of the authentication flag F1.

  FIG. 14 is a state transition diagram regarding the setting of the authentication flag F1 in the iMLBR 12 and the bMLBR 13. The MLBR 10 performs an authentication process between the MLBRs 10 prior to communication.

  As shown in FIG. 12 described above, the iMLBR 12 sets the authentication flag F1 by detecting a packet from a transmitting terminal that satisfies a predetermined authentication level and / or quarantine level (<iF1SET>). On the other hand, the iMLBR 12 resets the authentication flag F1 by detecting a packet from an unauthenticated transmitting terminal (<iF1RST>). Further, the iMLBR 12 determines that the state in which the verification of the message authentication (AH) added to the packet transferred between the eMLBR 11 and the iMLBR 12 has failed can be performed as an unauthorized rewrite of the authentication flag F1. When the iMLBR 12 detects the above state (<eF1RST>), the iMLBR 12 regards the packet as an invalid packet and resets the authentication flag F1 of the packet. Note that if the above condition is not met, the iMLBR 12 holds the state of the authentication flag F1 and transfers the packet.

  Further, the bMLBR 13 may set the authentication flag F1 by detecting a packet from a transmitting terminal that satisfies a predetermined authentication level and / or quarantine level (<bF1SET>). On the other hand, the bMLBR 13 resets the authentication flag F1 by detecting a packet from an unauthenticated transmitting terminal (<bF1RST>). The bMLBR 13 determines that the state where the verification of the message authentication between the iMLBR12 and the bMLBR13 and between the bMLBR13 and the bMLBR13 has failed can be performed as an unauthorized rewrite of the authentication flag F1. When the bMLBR 13 detects the above state (<bF1RST>), the bMLBR 13 regards the packet as an invalid packet and resets the authentication flag F1 of the packet. If the above condition is not met, the bMLBR 13 holds the state of the authentication flag F1 and transfers the packet.

  By receiving the packet with the authentication flag F1 reset as described above, the receiving terminal or the like detects that the packet does not satisfy at least the reliability equivalent to the packet with the authentication flag F1 set. Can do.

  Note that if the state of the authentication flag F1 set by the eMLBR 11 is rewritten while being transferred to the receiving terminal or the like, there is a risk that the state indicated by the authentication flag F1 cannot be trusted. In order to avoid such a risk, for example, when a state in which unauthorized rewriting can be performed is detected in the relay route of the packet, the MLBR 10 determines that the authentication flag F1 is set in the packet. The state may be reset.

(Apparatus using authentication flag F1)
Devices other than the eMLBR11 and the MLBR10 are examples of devices that use the authentication flag F1. Applications for detecting the set state of the authentication flag F1 include applications used by eMLBR11, receiving terminals, and other devices such as firewalls as criteria for selecting and receiving packets. For detecting the reset state of the authentication flag F1, devices such as IDS (Intrusion Detection System), IPS (Intrusion Prevention System), and DPI (Deep Packet Inspection) are contaminated or illegal with malware such as cyber attacks and cyber crimes. There is an application in which a low-reliability packet that is preferentially inspected when inspecting a packet is used as received history data.

  As described above, in the communication system 1, the authentication flag F1 indicating that the network security risk due to communication is a relatively low packet is provided at a predetermined position of the packet header of the packet. The switch unit 112 or the like of the MLBR 10 indicates that the above risk is relatively low for a packet having an authentication flag F1 and transmitted from a transmission source that satisfies a predetermined reliability standard. Thus, the authentication flag F1 can be set.

  In addition, the switch unit 112 is provided with a flag (first flag) indicating that the communication connection request source is authenticated or the connection request source is quarantined as the authentication flag F1, and the communication request for communication An MLB table 1124 for setting the state of the flag is included according to the determination result. The MLB table 1124 is an example of a first flag setting unit.

By using the authentication flag F1 shown above, the following can be implemented.
[1] IDS or IPS reduces the processing of IDS or IPS by performing DPI or the like preferentially from the authentication flag F1 not set.
[2] Rather than immediately receiving a packet for which the authentication flag F1 is not set, after confirming that there is no abnormality by performing DPI, the packet is taken into an internal network or a computer.
[3] In an organization with a high required security level or a system used in the organization, reception of a packet for which the authentication flag F1 is not set is rejected and discarded.
As shown in the above example, depending on whether or not the authentication flag F1 is set, how to process the packet is left to the determination on the receiver side, that is, the setting of the receiving device or the like.

(Regarding the generation of the communication permission white list of the second rule)
The communication permission white list of the second rule is generated by the following method, for example.
First, uRPF ((unicast Reverse Path Forwarding (RFC3704))), which is known as one of algorithms for a router to forward a packet, will be described.When a router receives a packet, it detects the destination IP address of the packet. The routing control is performed to determine the next hop node of the packet and the output interface (connection port) by referring to the routing table.The uRPF is an application of this routing control function. The router determines whether or not the packet has followed the original route by querying the routing table for the source IP address of the router, and if the router does not have a corresponding network address in the routing table, Discard the packet as an address spoofing packet In this way, the uRPF routing algorithm can be used as a packet filtering technique, which has a strict mode and a loose mode. Filtering is performed by combining the interface that received the message and the source IP address, whereas the latter filters only by the source IP address.

  If the uRPF that refers to the routing table is set at the edge of the Internet user side, it is possible to block address spoofed packets that are out of the routing table. As described above, uRPF can be applied to a configuration that uses a path that ensures symmetry in the communication direction.

  As another example, if the network NW4 (for example, a lower provider) is connected to the network NW1 via one border router, the same as above by setting uRPF on the border router. The effect can be expected.

  By the way, as in the case described below, it may not be appropriate to use a general uRPF.

(Case 1) When applied to a configuration using a route in which the symmetry of the communication direction is not guaranteed.
As a case where the present invention is applied to a configuration using a route in which the symmetry of the communication direction is not guaranteed, there is a case where a plurality of border routers are held and connected to a plurality of providers through a plurality of routes like a higher provider. For example, in the network of the higher provider configured as described above, the packet transfer path changes depending on the network state (failure occurrence, congestion, etc.), and thus the symmetry of the communication direction may not be guaranteed. In such a case, if uRPF is set, a non-illegal packet having a source IP address that does not exist in the routing table, that is, a packet from a good user transferred from a detour route that is not the best route is erroneously discarded. there is a possibility.

(Case 2) When an address spoofing packet can be transmitted from the same network address space as the network address space defined in the routing table.
The uRPF determines the validity of the source IP address by querying the routing table. The countermeasure using only uRPF has an incompleteness that it passes through an address spoof packet in the same network address space as the network address space defined in the routing table.

For the above (Case 1) and (Case 2), the communication system 1 adopts the following method.
For example, “e-uRPF” meaning a uRPF equivalent function is mounted on the bMLBR 13 so that the bMLBRs 13 in the same network NW1 function as if they share the routing table information. In e-uRPF, instead of a general routing table, a dedicated communication permission white list is used as described above. For example, the bMLBRs 13 can share the communication permission white list information with each other. As described above, the communication permission white list is information different from the route information used for routing. The bMLBR 13 refers to this communication permission white list by the e-uRPF instead of the general routing table, and determines route information (reverse route) that can be handled in the same manner as the route information indicating the reverse route in the uRPF.

  In the router of the comparative example, the routing table is held as different information independently so as to ensure the best route property for each router, and the routing table is not shared between routers. On the other hand, in e-uRPF, even if the reverse path is determined in such a way that uRPF refers to the routing table by using the information of the communication permission white list shared between bMLBR13, it is the same as that Functions can be realized.

  In the MLBR 10, the first rule to the sixth rule can be appropriately combined, and information different from information registered in a general routing table can also be used. That is, the MLBR 10 restricts address spoofing packets in the same network address space as the network address space defined in the routing table, even when it cannot be restricted by the uRPF that refers only to the general routing table. Can do. According to this, in the communication system 1, it is possible to contain the attack packet in the backward path of the e-uRPF even if the packet is addressed for all bits. As a result, a packet indicating a discard request is transmitted from the terminal device 17 that has become a damaged node to the network NW, so that the packet is transferred by each MLBR 10 and reaches the desired MLBR 10. As a result, in the communication system 1, it becomes possible to block a packet due to the cyber attack when approaching the attack node of the cyber attack.

  As described above, a specific example for using the e-uRPF under the configuration using the path in which the symmetry of the communication direction is not guaranteed will be described. Here, the aggregate mode (aggregate mode) of e-uRPF applied to the structure connected with another network with a some path | route is illustrated.

  In the e-uRPF aggregate mode, the bMLBR 13 in the network NW1 may share the path control information. The bMLBR 13 exchanges, for example, one or both of RIB (Routing Information Base) and FIB (Forwarding Information Base) as route control information by a predetermined routing protocol. For example, the predetermined routing protocol may be an extension of the function of iBGP (interior Border Gateway Protocol) to exchange RIB or FIB.

  As described above, the bMLBRs 13 sharing the path control information generate a communication permission white table of the second rule based on the information and register it in the MLB table. The bMLBR 13 makes it possible to discard a packet out of the communication permission white table as an address spoofing packet.

(About anonymous flag F2 (second flag))
The MLBR 10 may use the anonymous flag F2. For example, the switch unit 112 of the eMLBR 11 sets the anonymous flag F <b> 2 using the anonymous flag setting table 1127. The anonymous flag F2 may be assigned to the same position as the risk flag RF in FIG.

  FIG. 15 is a diagram illustrating conditions regarding the setting of the anonymous flag F2. FIG. 16 is a state transition diagram regarding the setting of the anonymous flag F2.

  In the anonymous flag setting table 1127, at least an anonymous address list in the address space managed by itself is set. The anonymity flag setting table 1127 detects that the source IP address or the destination IP address of the packet is set so as to conceal the connection path in the received packet to be processed, and the above result is determined based on the result of the detection. If it is a corresponding packet (<F2SET>), the anonymous flag F2 is set. On the other hand, the anonymous flag setting table 1127 does not set the anonymous flag F2 even if a packet other than the above is detected. If the above condition is not met, the state of the anonymous flag F2 is maintained and the packet is transferred. To do.

  The receiving terminal or the like in the communication system 1 refers to the above-mentioned anonymous flag F2 and determines that the packet in which the anonymous flag F2 is set is a packet in which the transmission source or the destination is concealed or spoofed. May be treated as having a relatively high risk.

  The receiving device or the like has the above risk because the packet header of the received packet has the authentication flag F1 reset and it cannot be determined that the network security risk is relatively low, and the anonymous flag is set. A packet inspection means for selectively inspecting one or both of the packets determined to be relatively high may be provided. The receiving device or the like sets the authentication flag F1 in the packet header of the received packet, sets the packet that is determined to have a relatively low network security risk, and sets the anonymous flag, and has the above risk or there is a risk. Packet inspection means for selectively inspecting one or both of the packets determined to be relatively high may be provided.

  As described above, the switch unit 112 uses the anonymous flag setting table to indicate the anonymous flag F2 indicating that the source IP address or the destination IP address of the packet is set so as to hide the connection route as the risk flag RF. In 1127, the packet is set. Thereby, the communication system 1 can easily inspect the packet even when the authentication flag F1 and the anonymous flag F2 are used.

  Further, by using this anonymous flag F2, it is possible for a receiving terminal or the like to easily detect that the communication has the following characteristics. For example, a receiving terminal or the like detects communication using an anonymization network composed of a large number (several thousand) nodes in order to anonymize a communication connection path. Each of the above nodes has a so-called Proxy function and a function for encrypting communication between nodes connecting a plurality of nodes. The proxy function is to convert the source IP address of the received packet to another IP address and transmit it, convert the destination IP address of the reply packet to the source IP address and return it to the source node. Is. As an example of a network that anonymizes a communication connection path as described above, the Tor (The Onion Router, Tor) standard is known. A terminal device functioning as a Tor standard client requests a Tor server that provides a Tor standard communication service to start communication connection, and when permitted by the Tor server, the terminal device via the Tor server passes the target communication partner. Send the packet to. The terminal device described above can conceal the connection path by performing communication through such a procedure.

  One of the major problems facing the Internet infrastructure is an increase in the number of entries in the routing table of the border router. When viewed from the provider unit or the network unit functioning as an autonomous system, the maximum is estimated to be about 6k entries. With the latest TCAM (Ternary Content-Addressing Memory) chip used in wire-speed routing processing, etc., 128k entries can be registered in units of basic headers (80B (bytes)) from L1 to L4. The maximum number of entries expected for each provider can be accommodated.

  Furthermore, if uRPF or e-uRPF is set in a network such as many lower providers, and there is an entry for an address spoofing packet that has not been detected for a certain period in a certain MLBR 10, the entry is stored in the MLBR 10 It can be deleted from the communication permission white list (reverse path information) in the MLB table. The MLBR 10 can expect the number of entries required for each provider to be smaller than the above-mentioned maximum number by performing the aggregation of the backward path information together. As described above, in the communication system 1, the cost burden associated with including the MLB table in the MLBR 10 may be reduced.

(Regarding the introduction of MLBR10 and its effects)
With reference to FIG. 17, the introduction study of each MLBR 10 having the above-described functional elements and the effect of each configuration example will be described. FIG. 17 is a diagram showing the relationship between the functional elements arranged in each MLBR 10 and the effects obtained thereby. As shown in the figure, there are seven combinations in which the functional elements are arranged in the three types of MLBR 10 as shown in the figure. An example of an introduction form of functional elements suitable for each combination is shown in FIG. This is an example in which the attack packet blocking effect by the functional elements, the introduction cost, and the return on investment ratio are estimated for each introduction form.

  For example, when the functional elements are arranged only in the first introduction form, that is, the eMLBR 11, the “authentication / quarantine / QoS setting” as the first functional element and the “MLB table (L1 to L3) as the second functional element”. ”” May be arranged in the eMLBR 11. The “MLB table (L1 to L3)” of the second functional element realizes a function of detecting the coincidence of information from the layer 1 (L1) to the layer 3 (L3).

  In the case of the first introduction mode, the communication system 1 can block a packet that spoofs an address (effect A-1). However, there are cases where a packet flowing from another network NW or a packet that has passed through another eMLBR 11 in the same network NW1 cannot be blocked. On the other hand, the integrity of terminal devices that are allowed to communicate is ensured, IoT devices infected with malware are prevented from being infected by search packets sent to unspecified majority, and contaminated IoT devices are The effect that the functional elements are arranged in the eMLBR 11 serving as the entrance of the network NW can be obtained in that it can be rendered harmless.

  Further, for example, when the functional elements are arranged only in the third introduction form, that is, bMLBR13, “MLB table (L3)” as the third functional element and “discard from the accreditation body” as the fourth functional element. “Request” may be arranged in the bMLBR 13. The “MLB table (L3)” of the third functional element realizes a function of detecting a match of layer 3 (L3) information by e-uRPF, for example. The “discard request from the accreditation body” as the fourth functional element may be a discard request when the bMLBR 13 receives the DRM generated based on the fixed point observation data on the Internet.

  In the case of this third introduction mode, the communication system 1 can block a packet that spoofs an address from another network with an e-uRPF (effect A-1). However, since measures in the eMLBR 11 cannot be taken, it is impossible to block attacks within the own network NW, and it is not possible to completely block spoofing within the e-uRPF. On the other hand, other network NWs in that packets addressed to an unspecified number of people are blocked, or communication using anonymous addresses is clearly indicated (anonymized addresses are visualized) using the anonymous flag F2. The effect which has arrange | positioned the functional element in bMLBR13 used as the entrance / exit can be acquired.

  In addition, for example, when functional elements are arranged in the fifth introduction form, that is, eMLBR11 and bMLBR13, the combination of both the first introduction form and the third introduction form described above, As a functional element, it may be arranged in the eMLBR 11 so as to accept a “discard request from a damaged node (terminal device)”.

  In the case of the fifth introduction mode, the communication system 1 can block a packet spoofing an address (effect A-1). In addition, it is possible to block packets that attack without spoofing addresses or packets addressed to an unspecified number of people, or to clearly indicate that communication is using anonymous addresses using the anonymous flag F2. It is possible to obtain the effect of arranging the functional elements in the bMLBR 13 serving as the gateway to the NW. However, a packet that has passed through another eMLBR 11 in the same network NW1 cannot be blocked.

  Further, for example, when the functional elements are arranged in the seventh introduction form, that is, in all the MLBRs 10, the functional elements in the case of the fifth introduction form are also arranged in the iMLBR 12. In the case of the seventh introduction mode, the communication system 1 can obtain the effect that all of the effects A-1 to A-4 shown in FIG. 17 and the contaminated IoT device can be rendered harmless.

  In addition to the introduction forms shown in the above description, there are a second introduction form, a fourth introduction form, and a sixth introduction form. However, as shown in the figure, the introduction cost increases as the number of target devices increases. The introduction cost is 10 for all three types of MLBR 10, and the cost is assumed to be 6 for eMLBR11, iMLBR12, and bMLBR13, taking into consideration the expected equipment cost, the number of installations, and installation / operation costs. : Allocated at a ratio of 3: 1.

  Further, the blocking effect varies depending on the functional elements of the introduction form. By increasing the blocking effect, the network security achievement level can be increased. The blocking effect indicates that when each functional element functions as expected, the attack packet can be blocked approximately by “○”, the score is 2, and the case where an event that cannot be blocked can occur is indicated by “△”. The score is set to 1, the case where it does not contribute to the blocking of the attack packet is indicated by “−”, and the score is set to 0, and the evaluation is made in three stages.

The reach level of network security is not necessarily proportional to the introduction cost. For this reason, it may be determined as appropriate according to the target level of network security and the ratio of return on investment (investment ratio).
However, the higher the ratio of countermeasures to the entire network NW, the more remarkable the effect of the countermeasures.

(An example of a combination of the first rule, the second rule, and the sixth rule)
A combination of the first rule, the second rule, and the sixth rule will be described with reference to FIG. FIG. 18 is a diagram for explaining processing based on a combination of the first rule, the second rule, and the sixth rule.
Communication of packets corresponding to the first rule is restricted.
On the other hand, a packet that does not correspond to the first rule and a packet that corresponds to the second rule is permitted to communicate. Further, anonymity flag F2 is set for a packet that is allowed to communicate as described above, and the packet corresponding to the sixth rule is set, and an anonymity flag F2 is set for a packet not corresponding to the sixth rule. It communicates without it.
In addition, communication of packets that do not meet the first rule or the second rule is restricted. For example, in the MLBR 13, the controller 131 controls the switch unit 132 to process the packet as described below by combining the rules with respect to the received packet as described above.

  For example, the controller 131 permits communication corresponding to the communication permission condition set as the second rule. In accordance with the communication permission condition, the controller 131 causes the MLB table 1321 of the switch unit 132 to transition a packet corresponding to the communication permission condition to a predetermined table, and discards a packet not corresponding to the communication permission condition, that is, a packet spoofing an address. A predetermined process such as performing is performed.

  Further, the controller 131 causes a packet corresponding to the restriction condition (anonymous address list) set as the sixth rule to be communicated with a condition. The controller 131 sets the anonymous address list in the anonymous flag setting table 1327 in accordance with the regulation condition set as the sixth rule. The anonymous flag setting table 1327 of the switch unit 132 sets and forwards the anonymous flag F2 to a packet satisfying the sixth rule, that is, a packet corresponding to the anonymous address list, and does not satisfy the sixth rule condition. That is, the anonymous flag F2 is reset and transferred to a packet not corresponding to the anonymous address list.

  The switch unit 132 may permit and transfer the packet with the anonymous flag F2 (identification information) as described above.

  As described above, the controller 131 receives a communication packet that satisfies the permission condition based on a plurality of types of restriction conditions, and sets the restriction condition based on a request by the received packet. The plurality of conditions include at least a first rule (regulation condition) for restricting communication between the network NW1 and another network, and a second rule (permit condition) for permitting communication within the network NW1. Is included. The controller 131 receives a communication packet satisfying the second rule based on a plurality of types of restriction conditions, sets the first rule based on a request by the received packet, and sets a communication packet corresponding to the first rule. Limit packets. Alternatively, the controller 131 may limit communication packets that violate the second rule. Such a controller 131 may restrict one or both of communication corresponding to the first rule and communication contrary to the second rule.

  The restriction conditions include conditions for selecting a specific packet to be discarded (discard conditions according to the first rule), and the permission conditions are conditions for permitting communication by a specific packet (according to the second rule). Communication permission conditions).

  In addition, for example, the regulation condition may include a condition for specifying a packet having anonymity (an anonymous address list according to the sixth rule, etc.). For example, the controller 131 corresponds to an anonymous address list for specifying a packet having anonymity, further identifies a communication packet that satisfies the condition of the second rule, and assigns an anonymous flag F2 to the packet. May be.

  As described above, the bMLBR 13 is deployed at the boundary between the eMLBR 31 and the network NW1 including routers such as iMLBR 32 and other networks. For example, the bMLBR 13 is arranged at the boundary with the other network NW in the network NW1.

  The controller 131 acquires routing information of the router from at least some or all of the MLBRs 10 included in the network NW1. Based on the acquired routing information, the controller 131 may permit or restrict communication from the other network side toward the network NW1 side according to the transmission source address of the communication. For example, the controller 131 extracts route information indicating the communication route permitted by each router based on the acquired routing information, and generates a communication permission white list (e-uRPF) indicating a communication permission condition. The controller 131 controls the switch unit 132 based on the generated communication permission white list.

  The controller 131 responds to the request notified by using the unidirectional communication procedure from the transmission source that has transmitted the request for setting the restriction condition under the communication authenticated as described above. The above-mentioned regulation conditions may be set. For example, when transmitting the request, the terminal device 17 and the MLBR 10 transmit the above-described DRM using UDP. In the DRM transmission described above, the communication path (transmission path) includes the same path as the communication path in which a large number of attack packets to be discarded are transmitted, that is, the band attack is performed. The most effective route among the communication routes matches the route from which the attack packet arrives. That is, the DRM is transmitted in the opposite direction to the attack packet. In this way, the terminal device 17 and the MLBR 10 transmit the request (DRM) using UDP (unidirectional), thereby avoiding the influence of traffic in the direction opposite to the transmission direction and transmitting the DRM to a desired destination. can do. Note that the terminal device 17 and the MLBR 10 use a TPM (Trusted Platform Module) to indicate the authenticity and completeness (not tampered) of the transmitted DRM when transmitting the DRM in one direction using UDP. An authentication code indicating the authenticity and completeness of the platform, OS, and IDS / IPS of the terminal device 17 is added to the eMLBR 11 using a hardware security module (HSM). Further, the terminal device 17 and the MLBR 10 may add message authentication (AH) between the iMBLR 12 and the bMLBR 13 and between the bMLBR 13 by using a shared key exchanged at the time of mutual authentication or an update key thereof.

  According to the above-described embodiment, the controller of the MLBR 10 controls communication via its own network (for example, the network NW1) that functions as an autonomous system and another network different from the own network (network NW1). The MLBR 10 performs the permission based on a plurality of types of conditions including at least a restriction condition for restricting communication between the own network and another network and at least a permission condition for permitting communication within the own network. The restriction condition is set based on a request by communication satisfying a condition, and one or both of communication corresponding to the restriction condition and communication that violates the permission condition are restricted. Thereby, MLBR10 can raise the security level of the network security by the side of a wide area network by a simpler method.

(First modification of the first embodiment)
As a first modification of the first embodiment, a configuration example in which the return on investment has an advantage will be described. As shown in FIG. 17 above, the configuration in which only the bMLBR 13 is deployed has the best return on investment among the above seven introduction forms. In the present modification, a configuration example in which only bMLBR13 of MLBR10 is deployed is illustrated. FIG. 19 is a diagram illustrating a configuration example in which only the bMLBR 13 is deployed. The difference from FIG. 1 will be mainly described.

  The communication system 1 configuring the network NW1 enables communication within the own network NW1 functioning as an autonomous system, or via the own network NW1 and another network having a different policy from the network NW1.

  The communication system 1 includes an eR (egress router) 11B, an iR (ingress router) 12B, a bMLBR 13, a relay device 14, and a management host 15. That is, the communication system 1 includes an eR (egress router) 11B and an iR (ingress router) 12B instead of the eMLBR 11 and the iMLBR 12. eR11B, iR12B, and bMLBR13 function as communication nodes of the communication system 1. The communication system 1 may include at least the bMLBR 13, and the network NW1 may be configured by a part of eR11B and iR12B or a combination thereof. The eR11B and iR12B can be configured by a general router or switch. The eR11B is installed at an exit (egress) on the user network side, and the iR12B is installed at a user side entrance (ingress) end (edge) of the network NW1.

  For example, like the communication system 1, the communication system 2 forms a network NW2. The communication system 2 includes an eR 21B, iR 22B, bMLBR 23, and a management host 25. The communication system 3 forms a network NW3. The communication system 3 includes an eR 31B, iR 32B, bMLBR 33, and a management host 35. ER21B, iR22B, bMLBR23, management host 25 in communication system 2, and eR31B, iR32B, bMLBR33, and management host 35 in communication system 3, eR11B, iR12B, bMLBR13 in communication system 1, Each corresponds to the management host 15.

FIG. 20 is a diagram illustrating an overview of a communication system according to a first modification.
The terminal device 17 is accommodated in the eR11B. The packet transmitted from the terminal device 17 reaches the bMLBR 13 via the eR11B and iR12B. The bMLBR 13 performs the same determination as the determination shown in the first embodiment on the arrived packet, and transfers the packet to another network NW2 or the like as necessary.
The bMLBR 13 receives a packet from another network such as the network NW2, performs the above-described determination on the received packet, and transfers the packet to the iR 12B side as necessary. The transferred packet reaches the terminal device 17 via iR12B and eR11B.

  As described above, the bMLBR 13 functions as a border router of the network NW1. When the bMLBR 13 performs packet determination and transfer processing as described above, the controller 131 controls communication via the bMLBR 13 based on at least the first rule and the second rule.

  As a first rule, the controller 131 generates a discard target blacklist for restricting specific communication based on a discard request from a terminal device (for example, the management host 15) having a predetermined reliability, and discards it. This is reflected in the table 1321. For example, the terminal device 17 to be managed has its attribute information managed by the management host 15. The management host 15 transmits a request for restricting specific communication to the controller 131 based on a discard request from the terminal device 17 or the like that is a damaged node. The controller 131 generates a discard target black list based on the discard request and reflects it in the discard table 1321.

  As the second rule, the controller 131 generates a communication permission white list that permits communication in which the source address is included in the backward path according to the routing table of a part or all of the bMLBR 13 in the own network NW1, and stores it in the MLB table. Reflected in 1324. For example, the communication permission white list generated by the controller 131 corresponds to an e-uRPF aggregate mode or an e-uRPF loose mode. The MLB table stores information corresponding to either the aggregate mode or the loose mode of the e-uRPF.

  As a sixth rule, the controller 131 conceals the source route and reflects the address of the communication node that communicates in the anonymous address list.

  The controller 131 receives a request by communication satisfying the permission condition corresponding to the second rule in accordance with each of the above rules, sets the restriction condition as the first rule based on the request, and the restriction set as the first rule. Restrict communication that meets the conditions. For example, according to the restriction condition set as the first rule, the controller 131 causes the discard table 1321 of the switch unit 132 to discard the packet corresponding to the restriction condition and pass the packet not corresponding to the restriction condition. Note that the controller 131 and the switch unit 132 may perform processing based on a combination of the first rule, the second rule, and the sixth rule shown in FIG.

  As described above, the controller 131 receives a communication packet that satisfies the permission condition based on a plurality of types of restriction conditions, and sets the restriction condition based on a request by the received packet. The plurality of conditions include at least a first rule (regulation condition) for restricting communication between the network NW1 and another network, and a second rule (permit condition) for permitting communication within the network NW1. Is included. The controller 131 receives a communication packet satisfying the second rule based on a plurality of types of restriction conditions, sets the first rule based on a request by the received packet, and sets a communication packet corresponding to the first rule. Limit packets.

  As described above, the bMLBR 13 is deployed at the boundary between the network NW1 including routers such as eR31B and iR32B, and other networks. For example, the bMLBR 13 is arranged at the boundary with the other network NW in the network NW1.

  The controller 131 acquires the routing information of the router from at least a part of the routers such as eR31B, iR32B, and bMLBR13 included in the network NW1. The controller 131 may restrict communication from the other network side to the network NW1 side based on the acquired routing information.

  The controller 131 responds to the request notified by using the unidirectional communication procedure from the transmission source that has transmitted the request for setting the restriction condition under the communication authenticated as described above. The above-mentioned regulation conditions may be set. For example, the terminal device 17 and the routers such as eR31B, iR32B, and bMLBR13 transmit the above-mentioned DRM with AH or the like using UDP when transmitting the above request. In the transmission of the DRM described above, the communication path (transmission path) includes the same path as the communication path through which many attack packets to be discarded are transmitted. The most effective route among the communication routes matches the route from which the attack packet arrives. That is, the DRM is transmitted in the opposite direction to the attack packet. In this way, the routers such as the terminal device 17 and eR31B, iR32B, and bMLBR13 send a request (DRM) in UDP (unidirectional) to avoid the influence of traffic in the direction opposite to the transmission direction and to The DRM is transmitted to the destination, and the receiving side MLBR 10 can confirm that the received DRM has not been forged or altered.

  According to the above modification, in addition to the same effects as those of the first embodiment, the communication system 1 is realized by security measures centering on the border router bMLBR13, and the network on the wide area network side The security level of security can be increased by a simpler method.

(Second modification of the first embodiment)
A second modification of the first embodiment will be described. In the first embodiment, an example is shown in which the MLBR 10 authenticates a transmission terminal or the like by using the authentication flag F1 for communication using an IPv4 packet. In this modification, instead of this, an example in which the transmission terminal or the like is authenticated using the authentication flag F1 for communication using IPv6 packets will be described.

  FIG. 11B is a diagram illustrating an IPv6 packet header. For example, as shown in FIG. 11B, the authentication flag F1 may be assigned to a spare bit in a traffic class field of an IPv6 packet header of IPv6. In the traffic class field, information specifying QoS at the time of transmission is stored. However, the MLBR 10, the receiving terminal, and the like may process the authentication flag F1 in the same manner as QoS.

  According to the above modification, in addition to the same effects as those of the first embodiment, the same effect as that of IPv4 can be obtained in the case of IPv6.

(Second Embodiment)
A second embodiment will be described. In the first embodiment, a method for increasing the security level of network security by configuring each network using the MLBR 10 has been exemplified and the effects thereof have been described. On the other hand, in the second embodiment, a method for increasing the security level of network security while suppressing initial investment will be described. Hereinafter, a description will be given focusing on differences from the first embodiment.

  There are issues specific to security measures when introducing and deploying a network security infrastructure. The first problem is that investment in security measures does not directly generate profits. The second problem is that investment for building a security infrastructure for network security has to be cautious because there are no successful examples that have been established in the past “security measures to protect yourself”.

  In view of these problems, the present embodiment will describe a technique that can reduce the risk of network security while further suppressing initial investment and within the range of the initial investment. The introduction scenario shown below provides a high return on investment, and anyone can easily recognize the effect.

FIG. 21 is a diagram illustrating a configuration of the communication system 1 according to the present embodiment.
The communication system 1 includes eR11B, iR12B, and bR (border Router) 13B instead of eMLBR11, iMLBR12, and bMLBR13, and further includes a bMLBA (border MLB Adapter) 13A (communication control device), a relay device 14, and And the management host 15.

  Each device of eR11B, iR12B, and bR13B is a communication node having a technology different from that of MLBR10, and functions as a so-called router. For example, the communication system 1 forms a network NW1 with the plurality of routers. The routers in the network NW1 may be directly connected to each other or may be connected via the relay device 14 or the like.

  The bMLBA 13A is provided at the front stage of the bR 13B arranged on a connection line that connects the network NW1 and a network NW other than the network NW1 (hereinafter referred to as another network). The bMLBA 13A controls communication via the network NW1 and another network. Details of the bMLBA 13A will be described later.

  The management host 15 may perform basic settings in the communication system 1 and monitor the state of each device in the communication system 1. Furthermore, the management host 15 may function as a cooperation server, and may function as an HRS responsible for authentication and quarantine of the terminal device 17 and the like. The management host 15 may be configured to store a communication history detected by IDS / IPS or the like. The management host 15 may function as a protocol monitor that monitors the communication protocol. Further, the management host 15 may be configured to perform a port scan for a specific device.

  Similar to the communication system 1, the communication system 2 forms a network NW2. The communication system 2 includes an eR 21B, iR 22B, bR 23B, bMLBA 23A, and a management host 25. The communication system 3 forms a network NW3. The eR 21B, iR 22B, bR 23B, bMLBA 23A, and management host 25 in the communication system 2 correspond to the eR 11B, iR 12B, bR 13B, bMLBA 13A, and the management host 15 in the communication system 1, respectively. For example, the communication system 3 includes an eMLBR 31, an iMLBR 32, a bMLBR 33, and a management host 35.

  A configuration example of the communication system 1 will be described with reference to FIGS. 22 and 23. FIG. 22 is a diagram showing an outline of a communication system. FIG. 23 is a diagram showing the bMLBA 13A.

  The terminal device 17 is accommodated in the eR11B. The packet transmitted from the terminal device 17 reaches bR13 via eR11B and iR12B. The bR 13 performs the packet transfer process and transmits the packet to the bMLBA 13A so that the packet is transmitted to another network as necessary. The bMLBA 13A receives the packet transmitted from the bR 13, performs a desired process, and transmits it to another network as necessary.

  The bMLBA 13A receives a packet from another network, processes the packet, and transfers the packet to the bR 13B side as necessary. The transferred packet reaches the terminal device 17 via bR13B, iR12B, and eR11B.

  As described above, the bMLBA 13A is provided on the other network side than the bR 13B functioning as a border router of the network NW1.

  When the bMLBA 13A processes the packet as described above, the controller 131 controls communication via the bMLBA 13A based on at least the first rule and the second rule.

(BMLBA13A)
The bMLBA 13A includes a controller 131, an IF unit 133, an IF unit 134, a switch unit 132A, and a storage unit 135A. Each of the controller 131, the IF unit 133, and the IF unit 134 corresponds to the code attached to the above-described bMLBR13.
The first storage unit 1351, the second storage unit 1352, the fifth storage unit 1355, and the sixth storage unit 1356 included in the storage unit 135A are examples of the plurality of tables. The fifth storage unit 1355 stores a fifth rule that defines a condition (authenticated transmission source information) for selecting a transmission source that satisfies a predetermined reliability criterion. Specifically, the terminal device 17 that has been mutually authenticated. Other bMLBA13A etc. correspond. The sixth storage unit 1356 stores a sixth rule that defines a condition (anonymous address list) for detecting a packet whose source or destination is concealed or spoofed.

  The controller 131 includes, for example, a processor such as a CPU, a volatile or nonvolatile storage device, and the like. The controller 131 stores at least one of information obtained from the switch unit 132A having a plurality of physical ports and information of a plurality of tables stored in the storage unit 135 by a program stored in the storage unit 135. Based on this, the switch unit 132A is controlled. For example, the controller 131, based on various information acquired from the management host 15, requests from the terminal device 17 or the data terminal 18, and the like, the first storage unit 1351, the second storage unit 1352, the fifth storage unit 1355, the sixth storage. The storage unit 1356 is updated as necessary, and the transfer process of the switch unit 132A is changed.

  The switch unit 132A includes a discard table 1321, a packet type table 1322, a SCOPE table 1323, an MLB table 1324, and an anonymous flag setting table 1327 as the flow table of each stage. For example, the first rule stored in the first storage unit 1351 is stored in the discard table 1321 in the switch unit 132, and the second rule stored in the second storage unit 1352 is stored in the MLB table 1324 in the switch unit 132A. The fifth rule stored in the storage unit 1355 is registered in the MLB table 1324 in the switch unit 132A, and the sixth rule stored in the sixth storage unit 1356 is registered in the anonymous flag setting table 1227 in the switch unit 132A. Control the transfer of The switch unit 132A permits or restricts communication through the network NW1 and other networks NW except for the network NW1 by the above control.

FIG. 24 shows an example of the MLB table 1324.
The MLB table 1324 permits transfer of a packet specified as an IPv4 packet by the packet type table 1322 or a packet specified as an IPv6 packet that permits routing by the SCOPE table 1323. Specify whether or not the packet should be. The specific condition corresponds to the second rule (communication permission white list). The MLB table 1324 functions as a communication permission white list (e-uRPF aggregate mode or loose mode) for checking whether the packet is a spoofed packet.

(Setting method of authentication flag F1)
The authentication flag F1 will be described with reference to FIG. 25 and FIG. FIG. 25 is a diagram showing conditions regarding the setting of the authentication flag F1. For the state transition of the authentication flag F1 in the eMLBR 31, see FIG. 13 described above.
The MLB table 1324 sets the authentication flag F1 in accordance with the fifth rule with respect to the packet determined to be permitted to be transferred (each stage except the lower stage in FIG. 8B).

  As described above, the controller 131 of the bMLBA 13A controls the controller 131 and the switch unit 132A of the own device based on the information acquired from the other bMLBA 13A or the controller of the MLBR 10, respectively.

(Terminal device 17)
The terminal device 17 is a computer including a CPU and a storage device such as a ROM, EEPROM, HDD, RAM, or register, and functions as a terminal or a server depending on a program to be executed.
For example, the terminal device 17 may transmit a message requesting to interrupt the transfer of the attack packet in the network NW1 to the eR 11B. For example, the eR11B, iR12B, and bR13B relay a message requesting to interrupt the attack packet transfer to the bMLBA 13A. The bMLBA 13A may accept the message as a discard request message requesting that the attack packet be discarded, and discard the attack packet. For example, the terminal device 17 adds verification data or an authentication code indicating the legitimacy and completeness of the terminal device to the DRM and transmits it to the eR 11B. Furthermore, the DRM is transferred to the bMLBA 13A provided at a position approaching the transmission source address of the attack packet, and each bMLBA 13A that has received the DRM registers it in the first storage unit as the first rule described above.

(Process for the bMLBA 13A to control the switch unit and implement security measures for the terminal device)
The bMLBA 13A performs the process shown in FIG. 3 described above as a process for implementing security measures for the terminal device as described below.

The communication system 1 registers the terminal device to be managed as a terminal that performs bidirectional communication in the communication system 1 (S10).
In the communication system 1, for example, the above process (S10) is realized as a combination of a plurality of processes described below.
First, the management host 15 of the communication system 1 identifies a target terminal device (for example, the terminal device 17) whose communication partner is limited (S11).
Next, the management host 15 of the communication system 1 acquires identification information (first identification information) that can identify the target specified above (S12).
Next, the management host 15 of the communication system 1 acquires identification information (second identification information) that can identify the communication partner of the target identified above (for example, the terminal device 17) (S13).
Next, the bMLBA 13A in the communication system 1 receives the identification information (first identification information and second identification information) acquired from the management host 15 as described above. bMLBA 13A is a communication for limiting a communication partner of a packet transmitted from a target specified as a target to be limited based on the identification information (first identification information and second identification information) acquired above. An element (first element) of the partner permission white list is generated (S14).
Next, the bMLBA 13A performs communication for limiting the communication partner of the packet transmitted to the target specified as the target to be limited based on the identification information (first identification information and second identification information) acquired above. An element (second element) of the partner permission white list is generated (S15).
Next, the bMLBA 13A adds the first element and the second element to the communication partner permission white list (S16).
Next, the bMLBA 13A selects a transmission source (terminal device) that satisfies a predetermined reliability criterion from the target terminal devices identified in S11, and adds the identification information to the authentication list (S18).
Next, the communication system 1 acquires an address list of nodes that are allowed to communicate using an anonymous address from the monitoring apparatus of an authorized organization that can be trusted. For example, the management host 15 generates an anonymous address list from the distributed node address list and registers it in the bMLBA 13A (S19).
Next, after registering the communication partner permission white list, the communication system 1 performs processing for protecting actual communication based on the first element and the second element by the bMLBA 13A (S20). A flag indicating the reliability is set in the packet (S22).
Thereby, the communication system 1 implements security measures for the terminal device. For more specific processing, the same processing as in the first embodiment can be applied.
Further, the first rule discard list has a predetermined condition such that a packet whose destination IP address is the IP address of a router such as bR13B or a packet that designates a specific port address used by bR13B is discarded. May be registered. Thereby, a packet that flows into the network NW1 from another network side and attacks bR13B or the like can be blocked by the bMLBA 13A.
The bMLBA 13A can be configured without providing a routing function as described above. As a result, when a failure occurs in bMLBA 13A, bMLBA 13A can be bypassed and the service as a provider can be continued without stopping.

  According to the embodiment, in addition to having the same effect as that of the first embodiment, the controller 131A of the bMLBA 13A uses the specific information for specifying the packet sent to the address space that should be unused in the address space. A network on the wide area network side is obtained by acquiring a blocking request for requesting to restrict the transfer of the packet based on the communication, and controlling communication by the packet corresponding to the blocking request based on a predetermined processing rule. The security level of security can be increased by a simpler method.

(Third embodiment)
A third embodiment will be described. The communication system 1 according to the third embodiment regulates that an illegal packet is transferred within the network NW1, and makes it difficult to search the usage status in the network NW1 from outside the network NW1. . With reference to FIG. 26, a specific method for restricting communication by a packet in which an invalid destination address is designated will be described. FIG. 26 is a diagram for explaining a method of restricting communication by a packet in which a darknet address is specified.

  The address space in the network is divided into an address space (live net LN) to which an address usable for communication is assigned and an address space (dark net DN) to which no address is assigned so as to be usable for communication. It is done. That is, there is a possibility that a terminal device or the like actually exists in the live net LN, and there is no possibility that a terminal device or the like actually exists in the dark net DN.

  Therefore, the packets sent to the dark net DN should not originally exist, but in reality, a large amount is observed. For example, according to the analysis of observation results at the fixed point observation facility 8 (fixed point observation system 85 (FIG. 1)) provided on the Internet, it is known that various types of attack packets that can be determined are flying on the Internet. It has been. For example, as an example of such a packet, a site that has a vulnerability (security hole) that can be a IoT device that can be infected by malware or a cyber attack destination from a bounce packet of a DDoS attack or an IoT device that is infected by malware Packets that search brute force etc. are known. Hereinafter, the packet searched for by the brute force is referred to as a search packet.

  As described above, the fixed-point observation system of the comparative example observes the packet transmitted to the Internet and analyzes the result, thereby obtaining the address of the dark net within the network address range related to the network user. The network user is notified that the communication (packet) to be used has been detected.

  On the other hand, the fixed point observation system 85 of this embodiment is connected to the network NW3 as shown in FIG. 1, for example, and is transmitted to an unused address space (dark net DN) on the network NW3. Observe the packet.

  FIG. 27 is a diagram showing a sequence when a search packet is detected by the fixed point observation system 85.

  The fixed point observation system 85 observes the packet transmitted to the network NW (S851). For example, the fixed point observation system 85 observes at least a packet addressed to the dark net DN of the network NW3 flowing into the network NW3 from the network NW6.

  Next, the fixed point observation system 85 analyzes the observation result (S852), determines whether or not a packet addressed to the dark net DN is detected (S853), and if not detected, repeats the processing from S851. If a packet addressed to the dark net DN is detected, the fixed point observation system 85 notifies the detection result to the management host of each network NW (S854). The management host of each network NW includes a management host 15 of the network NW1, a management host 25 of the network NW2, a management host 35 of the network NW3, and the like. In the following description, the network management host 15 will be described as an example. The packet addressed to the dark net DN is one in which at least one of the transmission source IP address and the destination IP address is included in the dark net DN.

  For example, the management host 15 receives a notification from the fixed point observation system 85 that a packet addressed to the dark net DN has been detected (S151). The notification includes information for specifying the packet or communication using the packet.

  The management host 15 acquires the above notification (S151), and blocks each of the devices specified by the notification with respect to the MLBR 10 or bMLBA 13A (hereinafter collectively referred to as MLBR 10 or the like). (S152). The blocking request includes information for specifying a packet to be blocked or communication using the packet.

  The MLBR 10 or the like obtains the blocking request (S101), adds a condition for blocking communication using the packet to be blocked to the condition of the first rule of the own apparatus (S102), and switches the own device The switch unit is controlled so as to cut off the communication (S103).

(Specifying search packets)
The search packet includes a packet transmitted for the purpose of searching for a new malware infection destination or cyber attack destination. A case where a search packet is transmitted from the terminal or the IoT device using a terminal operated by the mastermind or an IoT device infected with malware is known. The search packet as described above is confined in the network address space described in the routing table of the passing router, and is transmitted in a brute force manner to the destination in the address space.

  Malware is a generic term for software that performs harmful activities such as information leakage, data destruction, and infection to other computers, such as viruses, worms, Trojan horses, spyware, and bots.

  For example, the fixed point observation system 85 detects malware by analyzing a packet detected by a honeypot installed in a fixed point observation facility or the like. The fixed point observation system 85 extracts a packet having the above characteristics from packets detected by a honeypot or the like, and captures a malware specimen from the extracted packet. In capturing the malware specimen, it is analyzed whether it is a known malware or a new malware predicted from the known malware. The fixed point observation system 85 determines whether or not it is a search packet by the above processing, and specifies the search packet.

(Specifying rebound packet of DDoS attack)
The rebound packet of the DDoS attack is a packet that is returned from the attacked side with the source IP address as the destination IP address when the attack packet is transmitted while randomly changing the source IP address of the attack packet.

  TCP, ICMP, ICMPv6, DNS, NTP, and the like are known as protocols that return a response in response to a request. The mastermind uses a packet transmitted in response to the request to execute a DDoS (Distributed Denial of Service) attack in which a large amount of attack packets are sent to the target site while randomly changing the source IP address. At that time, a large number of response packets are transmitted from the attacked target site to the destination IP address (source IP address of the request packet) determined by the request packet, and some of these response points are fixed-point observation system 85. Captured by Note that the source IP address of the response packet is the IP address of the attacked site, and the destination IP address is often random. The destination IP address of the response packet is determined by the source IP address set in the received attack packet. However, if the response packet is spoofed to be a random address, it is random as described above.

  In particular, by performing the above-described processing in bMLBR13 (or bMLBA13A), a packet in which a darknet DN address is set as a source IP address or a destination IP address among packets flowing into network NW1 from another network NW Can be blocked from flowing into the network NW1.

  Further, by performing the above-described processing in bMLBR 13 (or bMLBA 13A), among the packets transmitted from network NW1 to another network NW, a packet in which the address of the dark net DN is set as the source IP address or the destination IP address Can be blocked from being transmitted from the network NW1.

With the technology of the comparative example, it was difficult to quickly block the DDoS attack and the bounce of the DDoS attack.
On the other hand, according to the communication system 1 of the embodiment, as soon as the rebound packet of the DDoS attack is observed, a DRM corresponding to the rebound packet is generated and transmitted to the MLBR 10 or the like, thereby performing the DDoS attack. Can be cut off. The DRM corresponding to the rebound packet was observed by a fixed point observation system in an MLB table such as MLBR10 operating in the e-uRPF aggregate mode or loose mode with the victim node IP address as the destination IP address. The network address including the destination IP address of the rebound packet (IP address addressed to the darknet DN) is used as the source address, and this includes information such as attribute information such as the L4 port number, packet type, and control flag. . Thereby, it is possible to invalidate the DDoS attack intended to generate a rebound packet of the DDoS attack, and to reduce the willingness of the mastermind to execute the DDoS attack as described above. As a result, an IoT device that can be a stepping platform is no longer a target of a DDoS attack as described above.

  So far, while taking "security measures to protect myself", many government offices and corporate sites have been DDoS attacked, resulting in a service outage. It is assumed that these attacks could not be dealt with by the conventional “security measures to protect yourself”. If it is the communication system 1 of this embodiment, as mentioned above, such a DDoS attack can also be invalidated.

  According to the embodiment, in addition to achieving the same effect as that of the first embodiment, the controller 131 is based on identification information that identifies a packet sent to an address space that should be unused in the address space. By acquiring a blocking request for requesting to restrict the transfer of the packet, and controlling communication by the packet corresponding to the blocking request based on a predetermined processing rule, network security on the wide area network side is controlled. The security level can be increased by a simpler method.

(Fourth embodiment)
A fourth embodiment will be described. The communication system 1 according to the fourth embodiment regulates that illegal packets are transferred within the network NW1, and searches the outside of the network NW1 for the usage status in the network NW1, and detects illegal packets such as cyber attacks and cyber crimes. It makes it difficult to send. Hereinafter, as a specific example, a communication system that charges for illegal packets sent between networks will be illustrated.

  Providers constituting the Internet are interconnected in a hierarchical structure, and there are only 17 top-level providers in the world. Such a top-level provider is said to be Tier-1. For example, it can be expected that the number of illegal packets mixed in packets transmitted to each other can be reduced by negotiating a contract so as to limit the transmission of illegal packets between the highest level providers. In the network managed by the highest-level provider, an illegal packet is prevented from being transmitted to a network different from the network managed by the provider. For example, the top-level provider can configure the network managed by itself to prevent unauthorized packets from being sent, or to instruct unauthorized providers to prevent unauthorized packets from flowing into the subordinate providers that use the network. Limit the forwarding of bad packets to other providers and reduce the transmission of illegal packets.

  An example of a configuration for preventing unauthorized packets from being transmitted using the MLBR 10 or the like will be described. For example, assume that the provider that manages the network NW3 shown in FIG. 1 is the highest provider, and the provider that manages the network NW1 is a lower provider.

  For each of the bMLBRs 13 provided in the network NW1, at least the conditions of the first rule to the sixth rule are determined so that an illegal packet is not transmitted to another network such as the network NW3. The controller 131 of each bMLBR 13 sets the switch unit 132 so as to correspond to the condition.

  If the restriction is performed according to the conditions of the first rule to the sixth rule, it is possible to restrict illegal packets that flow out from the network NW1 to the network NW3. For example, even if an illegal packet is mixed in a packet that reaches the bMLBR 13 from within the network NW1, the bMLBR 13 blocks the illegal packet.

  In order to appropriately block illegal packets as described above, each condition of the first rule to the sixth rule is reviewed each time so that the illegal packet can be blocked as soon as an illegal packet is detected. Good.

  The above is an example of restricting unauthorized packets that flow out from the network NW1 to the network NW3. On the other hand, restricting unauthorized packets that flow out from the network NW3 to the network NW1 is also similar to the network. It can be implemented by taking on the NW3 side.

  As described above, each provider responds so that it does not transmit illegal packets to each other, thereby reducing the number of illegal packets that flow into and out of each provider. On the other hand, when at least one provider does not support this In some cases, the above situation may not occur.

  For example, if the network NW4 side does not limit the outflow of illegal packets, there is a possibility that illegal packets will flow into the network NW1 from the network NW4. In the above case, the provider managing the network NW1 needs to take measures against illegal packets flowing from the network NW4 in addition to implementing countermeasures against illegal packets that may occur in the network NW1 managed by the provider. Is done. The cost for countermeasures varies depending on the number of fraudulent packets requiring countermeasures and the frequency of occurrence. That is, it is necessary to take measures on the network NW1 side up to the other network side such as the network NW4.

  For such a situation, instead of taking over measures on the other side of the network, it is desirable to be able to make a contract between each provider so that the provider who sent the illegal packet can be charged for the cost required for the measures. . The above is an outline of the contract method. For example, it is possible to charge the amount according to the number of fraudulent packets that flow in, the frequency of occurrence, etc., and charge the amount to the provider that sent the fraudulent packets. You may take the method of doing.

  The illegal packet to be charged may be determined according to the following example, for example. FIG. 28 is a flowchart showing the procedure of charging processing for an illegal packet.

  The first example illustrates a case where the bMLBR 13 of the network NW1 managed by the provider side that has received an illegal packet counts the illegal packet.

  The switch unit 132 of the bMLBR 13 corresponds to the packet corresponding to the first rule, the packet violating the second rule, the packet violating the third rule, the packet violating the fourth rule, the packet violating the fifth rule, and the sixth rule. For some or all of the packets to be received, the number of received packets and traffic (amount of information) are counted for each received physical port for each rule described above to obtain a count value. The fifth rule includes a condition for authenticating a transmission source node or a transmission source entity of a packet, or a condition for indicating the soundness of the transmission source. The switch unit 132 is an example of a counting unit. The number of packets described above may be replaced with the detection frequency of illegal packets. In the following description, the number of packets will be described as a representative.

  The controller 131 of the bMLBR 13 causes the switch unit 132 to count illegal packets (SA131). The controller 131 acquires the count result by the switch unit 132 from the switch unit 132 (SA132), generates billing data based on the product of the count result and the coefficient determined for each rule (SA133), and outputs it. (SA134). Note that the above coefficient may have a constant value per unit quantity regardless of the number of received packets and the amount of information, and the value per unit quantity is determined according to the number and information amount. Also good. For example, the coefficient values may be classified according to the number and information amount, and values according to the classification may be set. The controller 131 is an example of a charging control unit.

  The second example illustrates a case where the bMLBR 13 of the network NW1 managed by the provider side that has received an illegal packet counts the illegal packet.

  The switch unit 132 of the bMLBR 13 includes a packet corresponding to the first rule, a packet that violates the second rule, a packet that violates the third rule, a packet that violates the fourth rule, and a packet that violates the fifth rule (for example, MLBR 10 has not been introduced). (The packet in which the authentication flag F1 is illegally set from the network NW), the packet corresponding to the sixth rule, and a part or all of the packets, the above-mentioned rule for each reverse path determined by the second rule or the third rule Every time, the number of received packets and the traffic (amount of information) are counted. The switch unit 132 is an example of a counting unit.

  The controller 131 of the bMLBR 13 causes the switch unit 132 to count illegal packets (SA131). The controller 131 acquires the count result by the switch unit 132 from the switch unit 132 (SA132), generates billing data based on the product of the count result and the coefficient determined for each rule (SA133), and outputs it. (SA134). The above coefficients can be determined by the same method as in the first example. The controller 131 is an example of a charging control unit.

  In any of the above examples, all rules are appropriately updated according to the communication status.

  FIG. 29 and FIG. 30 show an example of a flowchart showing the procedure of the update process of the second rule.

  For example, as shown in FIG. 29, the controller (such as the controller 131) of each MLBR 10 in the network NW1 receives all or part of the other MLBR 10 in the network NW1 operating with the same policy and information on the second rule. The information is exchanged and the information is shared (SB131). For example, the controller 131 updates the second rule information of the own bMLBR 13, that is, the communication permission information (SB133).

  Alternatively, as shown in FIG. 30, the controllers (such as the controller 131) of each MLBR 10 in the network NW1 exchange path information (routing tables) of other routers in the network NW1 operating with the same policy. (SC132), and information on the second rule is generated based on this (SC132). For example, the controller 131 updates its second rule information. For example, the controller 131 updates the information of the second rule of the own bMLBR 13, that is, the communication permission information (SC133).

  As a result, the controller 131 of the MLBR 10 shares the second rule directly or indirectly, recognizes the reverse path of the communication permitted based on the shared second rule, and forwards the packet of the reverse path that deviates from this. Can be limited. That is, the MLBR 10 can identify an illegal packet that specifies a reverse path different from the permitted reverse path based on the information updated as the second rule, and restricts the transfer of the illegal packet. It becomes possible. Furthermore, even an illegal packet in the reverse path can be restricted from being transferred as a packet corresponding to the first rule by a discard request from the damaged node.

  Note that the switch unit 132 may exclude the packet corresponding to the sixth rule from the above-described counting target. For example, the switch unit 132 may exclude, as a packet corresponding to the sixth rule, a packet for which the risk flag RF is set from the above counting target.

  According to the embodiment, in addition to the same effects as those of the first embodiment, in the MLBR 10, the switch unit 132 includes a communication amount of a communication packet corresponding to a restriction condition among conditions and a permission condition among conditions. The communication amount of communication packets contrary to the above is counted separately for each type of condition for each communication path. The controller 131 outputs a value determined from the communication amount counted by the switch unit 132, so that the security level of the network security on the wide area network side can be increased by a simpler method.

  Furthermore, according to the embodiment, a provider who does not agree to the contract as described above is changed to a network NW, and thus the Internet is operated based on the processing rules as described above. Compared to the above, it may occur that a lot of expenses related to operation occur. As a result, it is estimated that it is disadvantageous in terms of economy, and it may be difficult to operate as a provider that substantially uses the Internet. That is, providers that can continue to operate are naturally aggregated into providers interconnected based on the above contract. If it becomes a stage as mentioned above, each provider will be only the provider which takes care not to leak an illegal packet, and it is expected that the security level of the entire Internet will be remarkably improved.

  According to at least one embodiment described above, the communication control device is a communication control device that controls communication via a local network that functions as an autonomous system and another network different from the local network. The communication control device is based on a plurality of types of conditions including at least a restriction condition for restricting communication between the own network and the other network and at least a permission condition for permitting communication within the own network. Network security on the wide area network side by setting the restriction condition based on a request by the communication satisfying the permission condition and restricting one or both of the communication corresponding to the restriction condition and the communication contrary to the permission condition. Security level can be increased by a simpler method.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the spirit of the invention. These embodiments and their modifications are included in the scope and gist of the invention, and are also included in the invention described in the claims and the equivalents thereof.

  For example, in the above description of the embodiment, the switch unit such as the MLBR 10 has been described as “discarding” the attack packet. However, the MLBR 10 or the like does not discard the packet within each switch unit, but from a specific port. The data may be output and stored in an external storage device, and packets that violate or fall under each rule may be counted in the same device.

  In the above description of the embodiment, the IPv4 private address is used. However, the present invention is not limited to this, and the communication permission information may be composed of the IPv4 private IP address and the global IP address. Alternatively, the communication permission information may be configured with a global IP address of IPv4, the communication permission information may be configured with an IPv6 address, and the communication permission information may be configured with a layer 2 address (MAC address). .

  In the above description of the embodiment, the terminal device 17 has been described as including IDS / IPS. However, the eMLBR 11 or iMLBR 12 may be configured to include IDS / IPS. In this case, the eMLBR 11 or iMLBR 12 is configured to acquire the detection result of the IDS / IPS included in the eMLBR 11 or iMLBR 12 instead of the IDS / IPS of the terminal device 17.

1, 2, 3, 4 ... communication system, 10 ... MLBR (communication control device), 11 ... eMLBR, 11B ... eR, 12 ... iMLBR, 12B ... iR, 13 ... bMLBR, 13A ... bMLBA (communication control device), 13B ... bR, 14 ... Relay device, 15 ... Management host, 17 ... Terminal device, 18 ... Data terminal, 111, 121, 131, 131A ... Controller (control unit, charging control unit), 112, 122, 132, 132A ... Switch Unit (counting unit), 113, 114... IF unit, 115... Storage unit, NW, NW1, NW3, NW4, NW6.

Claims (17)

A communication control device that controls communication through a local network that functions as an autonomous system and another network different from the local network,
The permission condition based on a plurality of conditions including at least a restriction condition for restricting communication between the local network and the other network and at least a permission condition for permitting communication within the local network. A communication control apparatus comprising: a control unit configured to set the restriction condition based on a request by communication satisfying and to restrict one or both of communication that meets the restriction condition and communication that violates the permission condition. The restriction condition includes a condition for selecting a specific packet as a discard target, and the permission condition includes a condition for permitting communication by the specific packet.
The communication control device according to claim 1. The regulation condition includes a condition for specifying a packet having anonymity,
The controller is
It corresponds to a condition for specifying the packet having anonymity, further identifies a communication packet that satisfies the permission condition, and gives identification information to the packet.
The communication control apparatus according to claim 1 or 2. The control unit performs control to allow communication of the packet to which the identification information is attached;
The communication control apparatus according to claim 3. In the own network configured to include a router that forwards the communication packet, it is arranged at a boundary with the other network.
The communication control device according to any one of claims 1 to 4. The controller is
Obtaining routing information of the router from at least some or all of the routers included in the network;
Based on the acquired routing information, the communication from the other network side toward the local network side is permitted or restricted according to the transmission source address of the communication.
The communication control apparatus according to claim 5. The controller is
Under the authenticated communication, the restriction condition is set according to the request notified from the transmission source of the request using a one-way communication procedure.
The communication control device according to any one of claims 1 to 4. The controller is
Obtaining a blocking request for requesting to restrict the transfer of the packet based on specific information specifying a packet sent to an address space that should be unused in the address space, and the packet corresponding to the blocking request To control communication based on predetermined processing rules,
The communication control device according to any one of claims 1 to 7. The controller is
Based on the specific information, the packet that restricts the transfer is identified as a search packet that searches for a terminal without specifying a destination or a rebound packet of a DDoS attack, and corresponds to the blocking request Controlling communication by the packet based on the identification result and the processing rule.
The communication control apparatus according to claim 8. The communication control device according to any one of claims 1 to 9,
Of the above conditions, the amount of communication packets that correspond to the restriction condition and the amount of communication packets that violate the permission condition out of the conditions are counted separately for each communication route according to the condition type. A counting unit;
A charging control unit that outputs a value determined from the communication amount counted by the counting unit. The restriction condition includes one or both of a condition for discarding the packet and a condition for indicating anonymity of the packet.
The communication system according to claim 10. The permission condition includes a condition for permitting communication by the packet, a condition for permitting transfer of the packet, a condition for permitting a communication partner for communication by the packet, a transmission source node that is a transmission source of the packet or the packet A condition for authenticating the transmission source entity, a part or all of the condition for indicating the soundness of the transmission source are included,
The communication system according to claim 10 or 11. A switch unit having a plurality of connection ports connected to devices other than its own device,
The communication path is specified by a connection port of the switch unit.
The communication system according to any one of claims 10 to 12. The communication path is specified by a condition for permitting communication by the packet and a reverse path determined by a condition for permitting transfer of the packet.
The communication system according to any one of claims 10 to 12. The counting unit is
Calculating the communication amount based on a coefficient determined for each condition and a count value of at least one of the number of packets and the information amount received for each communication path;
The communication system according to any one of claims 10 to 12. A communication control method for controlling communication via a local network that functions as an autonomous system and another network different from the local network,
The permission condition based on a plurality of conditions including at least a restriction condition for restricting communication between the local network and the other network and at least a permission condition for permitting communication within the local network. A communication control method including the step of setting the restriction condition based on a request by communication satisfying and restricting one or both of communication corresponding to the restriction condition and communication that violates the permission condition. In the computer of the communication control device that controls communication through the own network that functions as an autonomous system and another network different from the own network,
The permission condition based on a plurality of conditions including at least a restriction condition for restricting communication between the local network and the other network and at least a permission condition for permitting communication within the local network. A program for executing the step of setting the restriction condition based on a request by communication satisfying the condition and restricting one or both of communication that meets the restriction condition and communication that violates the permission condition.

Images