JP2018032975A - Relay device, communication system, relay method, and relay program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a relay device capable of controlling communication according to the day of the week and time of operation.SOLUTION: A relay device includes storage means for storing the list of frames to be the object of first processing after received by the relay device, analytic means for collating the received frame with the list, and control means performing first processing to the received frame if it conforms to the listed frame when collated by the analytic means, otherwise performing second processing to the received frame. Multiple lists exist according to the day of the week and time, and the analytic means collates the received frame and a list corresponding to the day of the week and time of operation.SELECTED DRAWING: Figure 7

Description

  The present invention relates to a relay device, a communication system, a relay method, and a relay program for relaying data in data communication.

  In recent years, everything is connected to the Internet as generically called IoT (Internet of Things). For example, a factory or plant control network that has been communicating with a unique protocol is newly connected to the Internet.

  By connecting to the Internet in this way, various benefits such as new added value and device management can be obtained. On the other hand, from malicious persons using means such as unauthorized access and DoS attack (Denial of Service attack) You are also under threat.

  However, for example, it is not easy to take measures against threats from a malicious person on each of equipment such as machine tools, sensors, and cameras installed in factories and plants. This is because machine tools, sensors, cameras, and other devices may not have a function for taking such measures in the first place.

  Therefore, it is important that the relay device that relays communication of these devices, not the devices themselves, has a security function for dealing with threats from malicious persons.

  Under such circumstances, for example, Patent Document 1 discloses a network switch that stores in advance a list of packets that match permitted communication restrictions and allows communication of packets that match the list.

Japanese Patent Laying-Open No. 2015-050767 Japanese Patent Laid-Open No. 2014-1201381

  However, the apparatus according to Patent Document 1 has a problem that a specific terminal does not want to communicate during normal times but cannot cope with communication only at a certain time on a certain day of the week. In addition, when the communication volume for a specific port in the regular communication flow increases or decreases compared to normal times, the regular communication flow is blocked, or communication control including detour and bandwidth control cannot be performed. There was a problem.

  In this regard, for example, in Patent Document 2, a list in which the correspondence between the user's operation and the abnormality that occurred when the operation was performed is generated together with the date and time when the abnormality occurred, and the abnormality is based on the list. An invention that warns a user operation with high probability of occurrence is disclosed. However, in the invention according to Patent Document 2, the date and time described in the list is a past time, and the data in the list is merely an accumulation of past results, so the operation is controlled according to the schedule after the current time. Not what you want. Furthermore, the list to be referred to is not switched according to the current date and time.

  Therefore, an object of the present invention is to provide a relay device that can control communication according to the day of the week and the time of operation. Further, the present invention provides a relay device capable of performing control such as blocking, detouring, bandwidth control, monitoring and the like for the regular communication flow when the communication volume in the regular communication flow increases or decreases compared with the normal time. For the purpose.

  According to a first aspect of the present invention, a relay device that stores a list of frames to be subjected to first processing after reception by the relay device, and compares the received frame with the list When the received frame matches the frame described in the list at the time of verification by the analyzing unit and the analyzing unit, the first processing is performed on the received frame, and when the received frame does not match, Control means for performing a second process on the received frame, and a plurality of lists exist according to the day of the week and time, and the analysis means includes a list corresponding to the received frame and the day of the week and time of operation, A relay device is provided that is characterized by collating.

  According to a second aspect of the present invention, a relay device that stores a list of frames to be subjected to the first processing after reception by the relay device, and compares the received frame with the list When the received frame matches the frame described in the list at the time of verification by the analyzing unit and the analyzing unit, the first processing is performed on the received frame, and when the received frame does not match, Control means for performing a second process on the received frame, and a plurality of lists exist according to the traffic during operation, and the analysis means corresponds to the received frame and traffic during operation. There is provided a relay device characterized by collating with a list.

  According to a third aspect of the present invention, there is provided a communication system including the relay device and a setting terminal connected to the relay device, wherein the setting terminal accepts an operation from a user. Accordingly, there is provided a communication system characterized in that a part or all of the contents of the respective processes and the contents of the list are changed.

  According to a fourth aspect of the present invention, there is provided a relay method used in a relay device, the step of storing a list of frames to be subjected to first processing after reception by the relay device, and the received frame When the received frame matches the frame described in the list at the time of checking with the list and the analysis means, the first processing is performed on the received frame, and the received frame does not match Includes a step of performing a second process on the received frame, and the list includes a plurality of lists according to a day of the week and a time, and the analysis means corresponds to the received frame and a day of the week and a time of operation. A relay method is provided which is characterized by collating with the list.

  According to a fifth aspect of the present invention, there is provided a relay program for causing a computer to function as a relay device, wherein the computer stores a list of frames to be subjected to first processing after being received by the relay device. A storage unit; an analysis unit that collates the received frame with the list; and when the received frame matches the frame described in the list at the time of the collation by the analysis unit, the received frame includes the first frame If the received frame does not match, the received frame includes a control unit that performs a second process. The list includes a plurality of lists according to a day of the week and a time, and the analyzing unit includes the received frame. And a relay program that functions as a relay device that collates the list corresponding to the day and time of operation.

  According to the present invention, it is possible to perform appropriate processing during relaying.

It is a figure showing the basic composition of each whole embodiment of the present invention. It is a figure which shows the example of communication for every day of the week and time in the 1st Embodiment of this invention. It is a figure which shows the list of the permission lists for every day of the week and time in the 1st Embodiment of this invention. It is a figure which shows the example of the permission list | wrist in the 1st Embodiment of this invention. It is a figure which shows the example of the permission list | wrist in the 1st Embodiment of this invention. It is a figure which shows the example of operation | movement setting in the 1st Embodiment of this invention. It is a figure which shows the structural example of the relay apparatus in the 1st Embodiment of this invention. It is a flowchart which shows the operation | movement flow of the relay apparatus in the 1st Embodiment of this invention. It is a flowchart which shows the operation | movement flow of the relay apparatus in the 1st Embodiment of this invention. It is a figure which shows the example of communication for every communication amount in the 2nd Embodiment of this invention. It is a figure which shows the list | wrist of the permission list | wrist for every traffic in the 2nd Embodiment of this invention. It is a figure which shows the example of the permission list | wrist in the 2nd Embodiment of this invention. It is a figure which shows the example of the permission list | wrist in the 2nd Embodiment of this invention. It is a figure which shows the structural example of the relay apparatus in the 2nd Embodiment of this invention. It is a flowchart which shows the operation | movement flow of the relay apparatus in the 2nd Embodiment of this invention. It is a flowchart which shows the operation | movement flow of the relay apparatus in the 2nd Embodiment of this invention. It is a figure which shows the example of communication for every day of the week, time, and communication amount in the 3rd Embodiment of this invention. It is a figure which shows the list of the permission lists for every day of the week, time, and communication volume in the 3rd Embodiment of this invention. It is a figure which shows the example of the permission list | wrist in the 3rd Embodiment of this invention. It is a figure which shows the example of the permission list | wrist in the 3rd Embodiment of this invention. It is a figure which shows the example of the permission list | wrist in the 3rd Embodiment of this invention. It is a figure which shows the structural example of the relay apparatus in the 3rd Embodiment of this invention. It is a flowchart which shows the operation | movement flow of the relay apparatus in the 3rd Embodiment of this invention. It is a flowchart which shows the operation | movement flow of the relay apparatus in the 3rd Embodiment of this invention.

<Outline of each embodiment of the present invention>
First, the outline of each embodiment of the present invention will be described.

  In the embodiment of the present invention, information specifying communication destinations considered to have no problem is used as a list (such a list is hereinafter referred to as a “permission list”), and a frame matching this permission list is transferred. A method of permitting and discarding frames that do not match the permission list is adopted.

  Here, in the present invention, a plurality of permission lists are prepared. For example, a permission list for 8:30 to 17:29 of each day of the week and a permission list for 17:30 to 8:29 of each day of the week are prepared according to the day of the week and time. This makes it possible to provide a security switch that switches the communication control method according to the day of the week and the time.

  Alternatively, a permission list when the communication amount is normal and a permission list when the communication amount is abnormal are prepared according to the communication amount. As a result, it is possible to provide a security switch capable of performing control such as blocking a normal communication flow when an abnormality is found in the communication amount.

  Furthermore, the embodiment of the present invention also provides a function of automatically generating at least a part of such a permission list.

  Specifically, a registration period and an operation period are provided in the relay device. Then, the permission list is automatically generated by adding the frame input to the relay apparatus during the registration period to the permission list. At this time, the automatically generated permission list may be manually added or deleted by a user operation.

  Thereafter, the registration period is switched to the operation period, and the frame input to the relay apparatus is compared with the permission list automatically generated during the registration period. If they match, the frame is passed, and if they do not match, the frame is discarded.

  Accordingly, automatic generation of a permission list and security management by the permission list can be performed.

  The above is the outline of the embodiment of the present invention.

Next, embodiments of the present invention will be described in detail with reference to the drawings. Here, three embodiments of the present invention will be described below.
First, the first embodiment is a mode in which a permission list is generated for each day of the week and time, and the permission list to be referred to is switched according to the day of the week and time during operation.
Next, in the second embodiment, a permission list is generated for each communication amount, and the permission list to be referred to is switched according to the communication amount during operation.
Furthermore, in the third embodiment, a permission list is generated for each day of the week / time / communication amount, and the permission list to be referred to is switched according to the day of the week / time / communication amount during operation.
Hereinafter, these three embodiments will be described in order.

<First Embodiment>
Hereinafter, a first embodiment of the present invention will be described in detail with reference to FIGS. 1 to 8-2.

  Referring to FIG. 1, the present embodiment includes a security switch 100, a plurality of communication terminals 10-1 to 10-n (these are also collectively referred to herein as “communication terminal 10”), a setting terminal 50, a firewall 500, and the Internet. 700 is included. (The security switch is also referred to as a “relay device” in this specification.)

  Here, the security switch 100 is a security switch for relaying communication between the communication terminals 10 and communication via the firewall 500 and the Internet 700 by the communication terminal 10.

  In this regard, in the present embodiment, a firewall 500 is provided between the security switch 100 and the Internet 700 as illustrated. By setting the firewall 500 according to the user's policy, it is possible to prevent malicious data such as viruses from flowing into the Internet 700 and unintentional data from flowing out to the Internet 300. it can.

  However, the firewall 500 functions in communication with devices existing on the Internet 700, but does not function in communication between the communication terminals 10. Therefore, in this embodiment, in order to prevent inappropriate communication between the communication terminals 10, a security switch 100 equipped with a security function is connected instead of a simple relay device.

  Then, the security switch 100 performs processing using the above-described permission list so as not to transfer a malicious frame. The security switch 100 is provided with a plurality of connection ports, and the communication terminals 10 and the firewall 500 are connected to the ports.

  The plurality of communication terminals 10 are terminals each having a communication function. The communication terminal 10 communicates with other communication terminals 10 via the security switch 100. Such communication is executed in accordance with a general protocol such as IP (Internet Protocol), TCP (Transmission Control Protocol), or FTP (File Transfer Protocol). There is no particular limitation on the content of data actually exchanged, that is, what the content included in the payload portion is.

  Further, for example, some communication terminals 10 may have a function of communicating with terminals existing on the Internet 700. Further, the communication terminal 10 may be realized by a terminal that is directly operated by a user, but may be realized by devices such as machine tools, sensors, and cameras installed in a factory or a plant. Further, it may be a device such as a PLC (Programmable Logic Controller) that controls the machine tool.

  The setting terminal 50 is a terminal for setting the security switch 100. The setting terminal 50 is used by an administrator who manages the present embodiment. The setting terminal 50 may be realized by a dedicated terminal for setting the security switch 100, but may be realized by a general-purpose terminal such as a personal computer to which software for setting the security switch 100 is added. Also good.

  The Internet 700 is connected to the security switch 100 via the firewall 500 so that the communication terminal 10 and the like communicate with the outside.

  The firewall 500 has a function of monitoring data transmitted to and received from the Internet 700 and discarding data considered to be malicious.

  Here, as shown in FIG. 2A, for example, in the time zone from 8:30 to 17:29 on weekdays (Monday to Friday), between the PC 10-1 and the server PC 10-3, and the PC 10-2. Only communication between the server PC 10-3 and the server PC 10-3 is permitted. On the other hand, in the time zone from 17:30 to 8:29 on weekdays (Monday to Friday), as shown in FIG. 2B, only communication is performed between the server PC 10-3 and the backup server PC 10-4. Shall be permitted.

  Therefore, a plurality of permission lists are prepared as shown in FIG. That is, it is assumed that a permission list is generated for each time zone from 8:30 to 17:29 and 17:30 to 8:29 on each day of the week, and is referred to during operation. For example, for the operation of the security switch 100 in the time zone from 8:30 to 17:29 on Sunday, a permission list “day-day” is generated, and in the time zone, a permission list “day-day” is generated. To control communication. Similarly, for the operation of the security switch 100 in the time zone from 17:30 to 8:29 on Sunday, a permission list of “day-night” is generated, and permission of “day-night” is generated in the time zone. Control communication by referring to the list. Similarly, a permission list is generated for each time period from 8:30 to 17:29 and 17:30 to 8:29 on Monday to Saturday, and the permission list is generated in a time period corresponding to each permission list. The security switch 100 is operated by referring to it.

  FIG. 4 shows an example of a permission list corresponding to a time zone of 8:30 to 17:29 on weekdays (Monday to Friday). That is, in the table of FIG. 3, an example of a permission list having names “Monday-daytime”, “Tue-daytime”, “Wednesday-daytime”, “Thursday-daytime”, and “Friday-daytime”.

  Specifically, for example, item No. 1 is that the MAC-DA (destination mac address (Destination address)) of the frame received from the receiving port 1 is “M-PC3”, and the MAC-SA (source mac address (Source address) )) Is “M-PC1”, Type is “0x0800” (IPv4), VID is “0”, IP-SA (source IP address) is “IP-PC1”, and IP-DA (destination IP address) is “ A frame with IP-PC3, protocol “6” (TCP), L4SP (source port number in the TCP header) “3000”, and L4DP (destination port number in the TCP header) “23” is shown.

  FIG. 5 shows an example of a permission list corresponding to a time zone from 17:30 to 8:29 on weekdays (Monday to Friday). That is, it is an example of a permission list of “moon-night”, “fire-night”, “water-night”, “tree-night”, and “gold-night” in the table of FIG.

  Specifically, for example, in item No. 5, the MAC-DA (destination MAC address) of the frame received from the receiving port 3 is “M-PC4”, and the MAC-SA (source MAC address) is “M-PC3”. , Type is “0x0800” (IPv4), VID is “0”, IP-SA (source IP address) is “IP-PC3”, IP-DA (destination IP address) is “IP-PC4”, and protocol is “ 6 ”(TCP), L4SP (source port number in the TCP header) is“ any ”, and L4DP (destination port number in the TCP header) is“ any ”.

  In the permission list, for example, frame information of a frame that passes through the security switch 100 is set. Specifically, frame information for specifying a frame of a protocol used in each communication terminal 10 and a frame for specifying a frame including an address indicating a destination and a transmission source used in each communication terminal 10 Information is included in the allow list.

  In addition, although the elements constituting the permission list are the device, layer 2, layer 3, and layer 4 this time, it is not always necessary to include all of them as elements as described above. You may add additional elements.

  FIG. 6 is a table showing an example of operation settings when the frames match the permission lists exemplified in FIGS. 4 and 5 and when the frames do not match. Specifically, in the table of FIG. 6, a frame whose frame matches the permission list is allowed to pass through the security switch 100 and is not notified to the setting terminal 50. On the other hand, a frame that does not match the permission list is discarded and the fact that it has been discarded is notified to the setting terminal 50.

  Next, functional blocks included in the security switch 100 according to the first embodiment will be described with reference to FIG. Referring to FIG. 7, the security switch 100 includes a frame analysis unit 110, a permission list generation unit 120, a permission list storage unit 130, a day / time management unit 140, and a communication control unit 150. Here, the frame analysis unit 110 is also referred to as “analysis unit”, the permission list storage unit 130 as “storage unit”, and the communication control unit 150 as “control unit”.

  Each time the security switch 100 receives an input frame from the outside, the frame analysis unit 110 analyzes the received input frame. Here, the analysis is to extract predetermined information (hereinafter referred to as “frame information”) from the received input frame.

  The frame information is, for example, predetermined information that is determined to be described by each protocol used for communication. As a specific example, it is necessary information of an upper layer higher than layer 3 (IP header) information depending on the number of the receiving port, layer 2 (MAC header) information, and frame type. In the present embodiment, it is possible to eliminate processing such as embedding special information or the like in the payload portion by using frame information compliant with such a general-purpose protocol.

  In this embodiment, all of the information may be used in the frame information and each list, but a combination of some information may be used. For example, only layer 2 (MAC header) information may be used, or a combination of layer 2 (MAC header) information and layer 3 (IP header) information may be used.

  Also, for example, if layer 2 (MAC header) information is used, all layer 2 (MAC header) information may be used, but a destination address (MAC-DA), which is a part thereof, A source address (MAC-SA) may be used, or a combination of these may be used.

  Two settings of “registration period setting” and “operation setting” are made in the frame analysis unit 110 by the setting terminal 50.

  Here, in the present embodiment, there are two registration periods and operation periods as described above, but setting for switching between the registration period and the operation period is performed by setting the registration period. Specifically, for example, when a list of “Monday-Noon” is generated, the registration period is 8:30 to 17:29 on Monday.

  Further, in the operation setting, what operation is to be performed is set depending on whether the frame information of the received input frame matches each list or does not match each list. For example, it can be set to pass the corresponding frame when it matches the permission list. In addition, if it does not match the permission list, it can be set to discard the corresponding frame. Here, “pass” means that the received input frame is passed through the frame analysis unit 110 and output, thereby transferring the frame to a destination corresponding to the destination address in the frame.

  In addition to this, it is also possible to set whether or not to notify when there is a match with each list or not. The notification content may only indicate that each list matches or does not match, but the frame corresponding to the frame information may be duplicated and the duplicated frame may be included in the notification. Then, for example, a virtual communication system may be created by the setting terminal 50 and a copy of the frame may be communicated in the virtual communication system so that the influence of the malicious frame can be known.

  The notification destination may be, for example, the setting terminal 50, but may be another server device or the like. Further, a frame corresponding to the frame information may be recorded inside the security switch 100 instead of or together with the notification. An administrator or the like who manages the present embodiment can grasp the communication status in the present embodiment by referring to the content of the notification or the content recorded in the security switch 100 as a log.

  In addition, the frame analysis unit 110 extracts the frame information from the received input frame and receives the current day of the week / time received from the day / time management unit 140, which will be described later, when the input frame is in the registration period. After giving data, it is passed to the permission list generation unit 120 described later.

  Further, the frame analysis unit 110 extracts the frame information from the received input frame if it is the operation period when the input frame is received. Then, the extracted frame information is compared with the permission list corresponding to the current day of the week / time among the permission lists stored in the permission list storage unit 130.

  As a result of the comparison, if the frame information matches the permission list, the operation is performed according to the corresponding operation setting. For example, if the setting is “pass, do not notify”, the frame is output by passing the frame analysis unit 110 through the frame. However, no notification is given.

  On the other hand, if the frame information does not match the permission list as a result of the comparison, the operation is performed according to the setting of the corresponding operation setting. For example, if the setting is “discard, notify”, the frame is discarded and the setting terminal 50 is notified of the discard.

  The permission list generation unit 120 starts operation when receiving frame information from the frame analysis unit 110 during the registration period. Permit list information is generated from the received frame information, and the permit list information is stored in the permit list storage unit 130.

  The permission list storage unit 130 is a storage unit that stores a permission list. The permission list stored in the permission list storage unit 130 is generated by the permission list generation unit 120 during the registration period. The permission list stored in the permission list storage unit 130 is referred to and used by the frame analysis unit 110 during the operation period.

  In the permission list, for example, frame information of a frame to be passed through the frame analysis unit 110 is set. Specifically, frame information for specifying a frame of a protocol used in each communication terminal 10 and a frame for specifying a frame including an address indicating a destination and a transmission source used in each communication terminal 10 Information is included in the allow list.

  As described above, the permission list is generated by the permission list generation unit 120 during the registration period. In addition, the permission list may be modified by “list setting” from the setting terminal 50. For example, the administrator who uses the setting terminal 50 may be able to delete a part of the permission list or add new frame information to the permission list. In this way, for example, when a new communication terminal 10 is added, it is possible to pass a frame related to the newly added communication terminal 10 without obtaining the registration period again. In addition, for example, when a part of an existing communication terminal 10 is removed, the frame information related to the removed communication terminal 10 can be deleted from the permission list without obtaining the registration period again.

  In addition, although the elements constituting the permission list are the device, layer 2, layer 3, and layer 4 this time, it is not always necessary to include all of them as elements as described above. You may add additional elements.

  The day / time management unit 140 serves as a so-called calendar, and outputs the data of the current day of the week / time.

  The communication control unit 150 actually processes the frame according to the operation setting set in the frame analysis unit 110 while referring to the permission list stored in the permission list storage unit 130 as necessary.

  Next, the operation of the present embodiment during the registration period will be described with reference to the flowchart of FIG.

  First, in step S101, the day / time of the permission list to be generated is registered. For example, when “Monday: 8:30 to 17:29” is set, 8:30 to 17:29 on Monday is a learning period and is referred to during operation from 8:30 to 17:29 on Monday. An allow list is generated.

  Next, in step S102, the security switch 100 determines whether or not the frame analysis unit 110 is set for the registration period. If the registration period is set (S102: Yes), the process proceeds to step S103. On the other hand, if it is not set in the registration period (S102: No), that is, if it is set in the operation period, the process proceeds to step S108 in FIG.

  Next, in step S <b> 103, the frame analysis unit 110 performs frame analysis and transmits frame information to the permission list generation unit 120. At this time, the actual frame is output as an output frame via the communication control unit 150.

  Next, in step S104, the day / time management unit 140 adds the current day and time data to the frame information transmitted by the frame analysis unit 110.

  Next, in step S105, the permission list generation unit 120 receives the frame information to which the current day of the week and time data is added, and generates permission list information.

  Next, in step S <b> 106, the permission list generation unit 120 transfers the generated permission list information to the permission list storage unit 130.

  Next, in step S107, the permission list storage unit 130 stores the transferred permission list information.

  Next, in step S108, the security switch 100 determines whether or not the registration period has ended. When the registration period has ended (S108: Yes), the process proceeds to step S109 in FIG. If the registration period has not ended (S108: No), the process returns to step S103.

  Next, the operation when the permission list generated and updated in this way is used in the operation period will be described with reference to FIG.

  First, in step S109, when the security switch 100 receives an input frame during the operation period, the frame analysis unit 110 extracts frame information by analyzing the received input frame.

  Next, in step S110, the day / time management unit 140 instructs the frame analysis unit 110 to select a day / time range corresponding to the current day / time. For example, if the current time is 12:30 on Monday, selection of “Monday-Noon” is instructed.

  Next, in step S111, the frame analysis unit 110 refers to the permission list corresponding to the day / time range instructed to be selected by the day / time management unit 140. For example, in the above example, the “Month-Noon” permission list is referred to.

  Next, in step S112, the frame analysis unit 110 compares the extracted frame information with the referenced permission list, and determines whether or not they match.

  When the two match (S112: Yes), the frame analysis unit 110 processes the frame corresponding to the frame information that matches the permission list according to the operation setting instruction when the frame matches the permission list (Step S112). S113). For example, if the setting is “pass, do not notify”, the frame is output by passing the frame analysis unit 110 through the frame. However, no notification is given.

  When the process of step S113 ends, the process returns to step S109, and the above-described operations are repeated for the newly received frame.

  If the two do not match (S112: No), the frame analysis unit 110 processes the frame corresponding to the frame information that does not match the permission list according to the operation setting instruction when the frame information does not match the permission list. (Step S114). For example, if the setting is “discard, notify”, the frame is discarded and the setting terminal 50 is notified of the discard.

  When the process of step S114 ends, the process returns to step S109, and the above-described operations are repeated for the newly received frame.

  According to the first embodiment, the specific terminal can be made to communicate only for a certain time on a certain day of the week, and the security can be further improved. The reason is that the permission list referred to from the permission list storage unit is switched for each day of the week and time, and the frame analysis unit compares and determines the received frame data.

  In the first embodiment, when generating a permission list for a specific day of the week / time, it is set to learn during the specific day / time at the stage of setting the first learning period. Instead, for example, the learning period is set to one week, and a permission list is generated once a week, and the permission list is divided into weekly and time units by directly operating the permission list storage unit. May be.

<Second Embodiment>
Hereinafter, a second embodiment of the present invention will be described in detail with reference to FIGS. 9 to 14-2.

  The second embodiment has the same basic configuration as that of FIG. 1 according to the first embodiment. Although illustration is omitted, a security switch 200 is provided instead of the security switch 100 of FIG.

  In the first embodiment, a permission list is generated for each day of the week and time, and the permission list to be referenced is switched according to the day of the week and time at the time of operation. On the other hand, in the second embodiment, a permission list corresponding to the traffic is generated, and the permission list to be referred to is switched according to the traffic at the time of operation.

  As shown in FIG. 9, when the communication amount is normal, only communication between the PC 10-1 and the server PC 10-3 and between the PC 10-2 and the server PC 10-3 is permitted as shown in FIG. Then. On the other hand, as shown in (B), no communication is permitted when the communication amount is abnormal.

  Therefore, as shown in FIG. 10, the permission list to be referred to is switched according to the traffic. For example, when the communication amount is 0 Mbps to 5 Mbps, the communication is controlled with reference to the permission list named “normal” used when the communication amount is normal. On the other hand, when the communication volume exceeds 5 Mbps, communication is controlled with reference to the permission list named “abnormal” used when the communication volume is abnormal. Note that the communication amount described here may be a communication amount in units of security switches or a communication amount in units of ports.

  FIG. 11 shows an example of a permission list that is referred to when the traffic is normal. That is, it is an example of the permission list with the name “normal” in the table of FIG.

  As in the table of FIG. 4 according to the first embodiment, specifically, for example, item No. 1 has a MAC-DA (destination MAC address) of a frame received from the reception port 1 of “M-PC3”, MAC-SA (source MAC address) is “M-PC1”, Type is “0x0800” (IPv4), VID is “0”, IP-SA (source IP address) is “IP-PC1”, IP-DA (Destination IP address) is “IP-PC3”, protocol is “6” (TCP), L4SP (source port number in TCP header) is “3000”, and L4DP (destination port number in TCP header) is “23”. "Indicates a frame.

  FIG. 12 shows an example of a permission list that is referred to when the traffic is abnormal. That is, it is an example of a permission list with the name “abnormal” in the table of FIG.

  In the table of FIG. 12, no data is registered. That is, when referring to the permission list in the table of FIG. 12, there is no frame that matches the permission list.

  An example of operation setting when the frames match or do not match the permission lists illustrated in FIGS. 11 and 12 is the same as FIG. Specifically, a frame that matches the permission list shown in FIG. 11 passes through the security switch 200 and is not notified to the setting terminal 50. On the other hand, a frame that does not match the permission list is discarded and notifies the setting terminal 50 that it has been discarded. When the permission list shown in FIG. 12 is referred to, since there is no frame that matches the permission list, all the frames are discarded and the setting terminal 50 is notified that the frames are discarded.

  Next, functional blocks included in the security switch 200 according to the second embodiment will be described with reference to FIG. In FIG. 13, the same components as those of the security switch 100 according to the first embodiment are denoted by the same reference numerals.

  The security switch 200 does not include the day / time management unit 140 and the communication control unit 150, but includes a communication amount monitoring unit 210, a communication amount management unit 220, and a communication control unit 230 in the first embodiment. This is different from the security switch 100 according to the above.

  The traffic monitoring unit 210 monitors the traffic of data passing through and periodically notifies the traffic management unit 220 of the traffic. The granularity to be monitored may be a physical port unit or a device unit. The range of the traffic to be monitored follows the instruction of the traffic management unit 220.

  The traffic management unit 220 sets the expected traffic during the learning period by the traffic setting unit. The setting is made with a certain width. For example, “0 Mbps or more and 5 Mbps or less” may be set, or “5 Mbps ± 20%” may be set. If the actual traffic volume is within this range, it is determined that the traffic volume is normal. If the actual traffic volume exceeds this range, it is determined that the traffic volume is abnormal. The expected traffic amount is given to the frame information when the frame information is transferred from the frame analysis unit 110 to the permission list generation unit 120. Thereafter, the expected traffic value is simultaneously stored as an attribute of the permission list when the permission list is stored in the permission list storage unit 130.

  In addition, the traffic management unit 220 periodically acquires the traffic from the traffic monitoring unit 210 and also acquires the expected data of the traffic corresponding to the permission list from the permission list storage unit 130. Further, when the communication amount obtained from the communication amount monitoring unit 210 periodically is compared with the communication amount expected value data obtained from the permission list storage unit 130, the actual communication amount is outside the range of the expected amount of communication. Instructs the selection of the permission list referred to by the frame analysis unit 110. In addition, instructions such as bandwidth control may be given to the communication control unit 230. When the actual communication amount returns within the range of the expected amount of communication, the selection of the permission list referred to by the frame analysis unit 110 and the instruction to the communication control unit 230 are performed again.

  The communication control unit 230 actually processes the frame in accordance with the operation setting set in the frame analysis unit 110. Further, communication control such as bandwidth control may be performed in accordance with an instruction from the traffic management unit 220.

  Next, the operation of the present embodiment during the registration period will be described with reference to the flowchart of FIG.

  First, in step S201, the security switch 200 determines whether or not the frame analysis unit 110 is set for the registration period. If the registration period is set (S201: Yes), the process proceeds to step S202. On the other hand, if it is not set to the registration period (S201: No), that is, if it is set to the operation period, the process proceeds to step S209 in FIG.

  Next, in step S <b> 202, the frame analysis unit 110 performs frame analysis and transmits frame information to the permission list generation unit 120. At this time, the actual frame is output as an output frame via the traffic monitoring unit 210 and the communication control unit 230.

  Next, in step S203, the traffic management unit 220 adds data of expected traffic to the frame information transmitted by the frame analysis unit 110. For example, in order to set the communication amount from 0 Mbps to 5 Mbps within the normal communication amount range, data “0 Mbps to 5 Mbps” is assigned.

  Next, in step S204, the permission list generation unit 120 receives the frame information to which the traffic amount expected value is given, and generates permission list information when the actual traffic amount is within the range of the traffic amount expected value. .

  Next, in step S <b> 205, the permission list generation unit 120 transfers the generated permission list information to the permission list storage unit 130.

  Next, in step S206, the permission list storage unit 130 stores the transferred permission list information.

  Next, in step S207, the security switch 100 determines whether or not the registration period has ended. If the registration period has expired (S207: Yes), the process proceeds to step S208. If the registration period has not ended (S207: No), the process returns to step S202.

  Next, in step S208, the user directly operates the permission list storage unit 130 to generate a permission list when the communication amount is outside the range of expected communication amount, for example, the permission list of FIG. . In addition, for example, when it is determined in advance that the permission list when the traffic is outside the range of the expected traffic is an empty list as shown in FIG. Alternatively, the permission list generation unit 120 may automatically generate a permission list when the traffic is outside the range of the expected traffic.

  The operation when the permission list generated and updated in this way is used in the operation period will be described with reference to FIG.

  First, in step S209, when the security switch 100 receives an input frame during the operation period, the frame analysis unit 110 extracts frame information by analyzing the received input frame.

  Next, in step S <b> 210, the traffic monitoring unit 210 transmits the current traffic to the traffic management unit 220.

  Next, in step S211, the communication amount management unit 220 compares the current communication amount with the range of the expected amount of communication that is an attribute of the permission list stored in the permission list storage unit 130, and performs frame analysis. The unit 110 is instructed to select a communication traffic expected value range corresponding to the current traffic. For example, when the current communication volume is 2 Mbps, the selection of “normal communication volume” which is item number 1 in the table of FIG. 10 is instructed, and when the current communication volume is 10 Mbps, the item number of the table of FIG. 2 is instructed to select “abnormal communication amount”.

  Next, in step S212, the frame analysis unit 110 refers to the permission list corresponding to the communication amount range instructed to be selected by the communication amount management unit 220 in step S211.

  Next, in step S213, the frame analysis unit 110 compares the extracted frame information with the referenced permission list, and determines whether or not they match.

  When the two match (S213: Yes), the frame analysis unit 110 processes the frame corresponding to the frame information that matches the permission list according to the operation setting instruction when the frame information matches the permission list (Step S213). S214). For example, if the setting is “pass, do not notify”, the frame is output by passing the frame analysis unit 110 through the frame. However, no notification is given.

  When the process of step S214 ends, the process returns to step S209, and the above-described operations are repeated for the newly received frame.

  When the two do not match (S213: No), the frame analysis unit 110 processes the frame corresponding to the frame information that does not match the permission list according to the operation setting instruction when the frame information does not match the permission list. (Step S215). For example, if the setting is “discard, notify”, the frame is discarded and the setting terminal 50 is notified of the discard.

  When the process of step S215 ends, the process returns to step S209, and the above-described operations are repeated for the newly received frame.

  According to the second embodiment, communication control (blocking, detouring, bandwidth control, etc.) can be performed when the communication volume of the regular communication flow exceeds a certain range as compared with the normal time. Become. The reason is that the communication amount monitored by the communication amount monitoring unit 210 is compared with the normal expected communication amount by the communication amount management unit 220, and if out of the range, the communication control unit 230 performs communication control. is there.

  In the above description, only two permission lists for cases where the communication amount is normal and abnormal are illustrated, but this embodiment is not limited to this, and there are three or more types according to the communication amount. A permission list may be generated and referenced.

<Third Embodiment>
Hereinafter, a third embodiment of the present invention will be described in detail with reference to FIGS. 15 to 21-2.

  The third embodiment has the same basic configuration as FIG. 1 according to the first embodiment. Although illustration is omitted, a security switch 300 is provided instead of the security switch 100 of FIG.

  In the first embodiment, a permission list is generated for each day of the week and time, and the permission list to be referenced is switched according to the day of the week and time at the time of operation. In the second embodiment, a permission list corresponding to the traffic volume is generated, and the permission list to be referred to is switched according to the traffic volume at the time of operation. The third embodiment generates a permission list according to these composites, that is, day of the week / time / communication volume, and refers to the permission list to be referred to according to the day of the week / time / communication volume at the time of operation. Switch.

  As shown in FIG. 15A, for example, when the communication volume is normal in the time zone from 8:30 to 17:29 on weekdays (Monday to Friday), between the PC 10-1 and the server PC 10-3 , And only communication between the PC 10-2 and the server PC 10-3 is permitted. Further, when the communication amount is normal during the weekday (Monday to Friday) from 17:30 to 8:29, as shown in FIG. 15B, the server PC 10-3 and the backup server PC 10-4 Only communication is allowed between Furthermore, if the communication amount is abnormal on weekdays (Monday to Friday), no communication is permitted as shown in FIG.

  Therefore, a plurality of permission lists are prepared as shown in FIG. That is, for each day of the week from 8:30 to 17:29 and from 17:30 to 8:29, an allowance list is generated when the traffic is normal and abnormal, and is referred to during operation. Then. For example, in order to operate the security switch 300 when the traffic is normal in the time zone from 8:30 to 17:29 on Sunday, a permission list “day-daytime-normal” is generated, and In operation, communication is controlled with reference to a permission list of “day-daytime-normal”. In addition, a permission list “day-day-abnormal” is generated for the operation of the security switch 300 when the traffic is abnormal in the time zone from 8:30 to 17:29 on Sunday. Controls communication with reference to a permission list of “day-day-abnormal”. Similarly, in order to operate the security switch 100 when the communication amount is normal in the time zone from 17:30 to 8:29 on Sunday, a permission list “day-night-normal” is generated, and the time zone During operation, communication is controlled with reference to a permission list “day-night-normal”. In addition, a permission list “day-night-abnormal” is generated for the operation of the security switch 100 when the traffic is abnormal in the time zone from 17:30 to 8:29 on Sunday. In operation, communication is controlled with reference to a permission list “day-night-abnormal”. In the same manner, a permission list for cases where the traffic is normal and abnormal is generated for each time period from 8:30 to 17:29 and from 17:30 to 8:29, from Monday to Saturday. The security switch 100 is operated by referring to the permission list in the time zone corresponding to each permission list.

  FIG. 17 shows an example of a permission list corresponding to a case where the communication amount is normal in a time zone from 8:30 to 17:29 on weekdays (Monday to Friday). That is, in the table of FIG. 16, the names “Month-Day-Normal”, “Tue-Day-Normal”, “Wed-Day-Normal”, “Thurs-Day-Normal”, “Friday-Day-Normal” It is an example of a permission list.

  Specifically, for example, in item No. 1, the MAC-DA (destination MAC address) of the frame received from the reception port 1 is “M-PC3”, and the MAC-SA (source MAC address) is “M-PC1”. , Type is “0x0800” (IPv4), VID is “0”, IP-SA (source IP address) is “IP-PC1”, IP-DA (destination IP address) is “IP-PC3”, and protocol is “ 6 ”(TCP), L4SP (source port number in the TCP header) is“ 3000 ”, and L4DP (destination port number in the TCP header) is“ 23 ”.

  FIG. 18 shows an example of a permission list corresponding to a case where the communication amount is normal in the time zone from 17:30 to 8:29 on weekdays (Monday to Friday). That is, in the table of FIG. 3, the permission list of “Month-Night-Normal”, “Tue-Night-Normal”, “Water-Night-Normal”, “Thurs-Night-Normal”, “Friday-Night-Normal” It is an example.

  Specifically, for example, in item No. 5, the MAC-DA (destination MAC address) of the frame received from the receiving port 3 is “M-PC4”, and the MAC-SA (source MAC address) is “M-PC3”. , Type is “0x0800” (IPv4), VID is “0”, IP-SA (source IP address) is “IP-PC3”, IP-DA (destination IP address) is “IP-PC4”, and protocol is “ 6 ”(TCP), L4SP (source port number in the TCP header) is“ any ”, and L4DP (destination port number in the TCP header) is“ any ”.

  FIG. 19 shows an example of a permission list that is referred to when the traffic is abnormal. That is, in the table of FIG. 16, “month-day-abnormal”, “moon-night-abnormal”, “fire-day-abnormal”, “fire-night-abnormal”, “water-day-abnormal”, “water- It is an example of a permission list with names “night-abnormal”, “tree-day-abnormal”, “tree-night-abnormal”, “gold-day-abnormal”, and “gold-night-abnormal”.

  In the table of FIG. 19, no data is registered. That is, when referring to the permission list shown in the table of FIG. 19, there is no frame that matches the permission list.

  An example of operation setting when the frames match or do not match the permission list illustrated in FIGS. 17 to 19 is the same as that of FIG. Specifically, a frame that matches the permission list shown in FIGS. 17 and 18 passes through the security switch 300 and is not notified to the setting terminal 50. On the other hand, a frame that does not match the permission list is discarded and notifies the setting terminal 50 that it has been discarded. Further, when referring to the permission list shown in FIG. 19, since there is no frame that matches the permission list, all the frames are discarded and the setting terminal 50 is notified of the discarding.

  Next, functional blocks included in the security switch 300 according to the third embodiment will be described with reference to FIG. In FIG. 20, the same components as those of the security switch 100 according to the first embodiment and the security switch 200 according to the second embodiment are denoted by the same reference numerals.

  The security switch 300 includes a frame analysis unit 110, a permission list generation unit 120, and a permission list storage unit 130 that both the security switch 100 according to the first embodiment and the security switch 200 according to the second embodiment have. . The security switch 300 includes a day / time management unit 140 included in the security switch 100 according to the first embodiment. Furthermore, the security switch 300 includes a communication amount monitoring unit 210, a communication amount management unit 220, and a communication control unit 230 that the security switch 200 according to the second embodiment has.

  Among the operations of each block of the security switch 300, the points different from the operations of the corresponding blocks included in the security switch 100 and the security switch 200 are as follows.

  The frame analysis unit 110 extracts the frame information from the received input frame when the input frame is received and the registration period, and receives the traffic amount expected value received from the traffic amount management unit 220 and the day / time management unit 140. The current day of the week / time data received from is provided to the permission list generation unit 120 described later.

  In addition, the frame analysis unit 110 extracts frame information from the received input frame if it is an operation period when the input frame is received. Then, the extracted frame information is compared with the permission list corresponding to the current day of the week / time / communication amount among the permission lists stored in the permission list storage unit 130.

  Furthermore, the granularity of the traffic volume monitored by the traffic volume monitoring unit 210 may be a physical port unit, a device unit, or a day / time range unit corresponding to each permission list.

  Next, the operation of the present embodiment during the registration period will be described with reference to the flowchart of FIG.

  First, in step S301, the day / time of the permission list to be generated is registered. For example, when “Monday: 8:30 to 17:29” is set, 8:30 to 17:29 on Monday is a learning period and is referred to during operation from 8:30 to 17:29 on Monday. An allow list is generated.

  Next, in step S302, the security switch 300 determines whether or not the frame analysis unit 110 is set for the registration period. If the registration period is set (S302: Yes), the process proceeds to step S303. On the other hand, if it is not set in the registration period (S302: No), that is, if it is set in the operation period, the process proceeds to step S311 in FIG.

  Next, in step S <b> 303, the frame analysis unit 110 performs frame analysis and transmits frame information to the permission list generation unit 120. At this time, the actual frame is output as an output frame via the traffic monitoring unit 210 and the communication control unit 230.

  Next, in step S304, the traffic management unit 220 assigns data of expected traffic to the frame information transmitted by the frame analysis unit 110. For example, in order to set the communication amount from 0 Mbps to 5 Mbps within the normal communication amount range, data “0 Mbps to 5 Mbps” is assigned.

  Next, in step S305, the day / time management unit 140 further assigns the current day of the week and time data to the frame information to which the expected amount of traffic is assigned.

  Next, in step S306, the permission list generation unit 120 receives the frame information to which the current day of the week and time data and the traffic amount expected value data are added, and generates permission list information.

  Next, in step S <b> 307, the permission list generation unit 120 transfers the generated permission list to the permission list storage unit 130.

  Next, in step S308, the permission list storage unit 130 stores the transferred permission list.

  Next, in step S309, the security switch 100 determines whether or not the registration period has ended. If the registration period has expired (S309: Yes), the process proceeds to step S310. If the registration period has not expired (S309: No), the process returns to step S303.

  Next, in step S310, the user directly operates the permission list storage unit 130 to generate a permission list when the communication amount is outside the range of the expected amount of communication, for example, the permission list of FIG. . For example, when it is determined in advance that the permission list when the traffic is outside the range of the expected traffic is an empty list as shown in FIG. Alternatively, the permission list generation unit 120 may automatically generate a permission list when the traffic is outside the range of the expected traffic.

  The operation when the permission list generated and updated in this way is used in the operation period will be described with reference to FIG.

  First, in step S311, when the security switch 300 receives an input frame during an operation period, the frame analysis unit 110 extracts frame information by analyzing the received input frame.

  Next, in step S312, the traffic monitoring unit 210 transmits the current traffic to the traffic management unit 220.

  Next, in step S313, the traffic management unit 220 compares the current traffic with the range of expected traffic values that are attributes of the permission list stored in the permission list storage unit 130, and performs frame analysis. The unit 110 is instructed to select a communication traffic expected value range corresponding to the current traffic. For example, when the current communication volume is 2 Mbps, selection of “normal communication volume” is instructed, and when the current communication volume is 10 Mbps, selection of “abnormal communication volume” is instructed.

  Next, in step S314, the day / time management unit 140 instructs the frame analysis unit 110 to select a day / time range corresponding to the current day / time. For example, if the current time is 12:30 on Monday, selection of “Monday-Noon” is instructed.

  Next, in step S315, the frame analysis unit 110 selects the communication amount range instructed by the communication amount management unit 220 in step S313, and the day / time instructed by the day / time management unit 140 in step S314. Browse the allow list corresponding to the range. For example, if “communication amount normal” is selected in step S313 and “month-day” is selected in step S314, the permission list “month-day-normal” is referred to.

  In step S316, the frame analysis unit 110 compares the extracted frame information with the referenced permission list, and determines whether or not they match.

  When the two match (S316: Yes), the frame analysis unit 110 processes the frame corresponding to the frame information that matches the permission list according to the operation setting instruction when the frame matches the permission list (Step S316). S317). For example, if the setting is “pass, do not notify”, the frame is output by passing the frame analysis unit 110 through the frame. However, no notification is given.

  When the process of step S317 ends, the process returns to step S311, and the above-described operations are repeated for the newly received frame.

  If the two do not match (S316: No), the frame analysis unit 110 processes the frame corresponding to the frame information that does not match the permission list according to the operation setting instruction when the frame information does not match the permission list. (Step S318). For example, if the setting is “discard, notify”, the frame is discarded and the setting terminal 50 is notified of the discard.

  When the process of step S318 ends, the process returns to step S311 and the above-described operations are repeated for the newly received frame.

  According to the third embodiment, a specific terminal can be made to communicate only for a certain time on a certain day of the week, and security can be further improved. The reason is that the permission list referred to from the permission list storage unit is switched for each day of the week and time, and the frame analysis unit compares and determines the received frame data. Furthermore, communication control (blocking, detouring, bandwidth control, etc.) can be performed when the communication volume of the regular communication flow exceeds a certain range as compared with the normal time. The reason is that the communication amount monitored by the communication amount monitoring unit 210 is compared with the normal communication amount by the communication amount management unit 220, and if out of the range, the communication control unit 230 performs communication control.

  In the third embodiment, when generating a permission list for a specific day of the week / time, it is set to learn during the specific day / time at the stage of setting the first learning period. Instead, for example, the learning period is set to one week, and a permission list is generated once a week, and the permission list is divided into weekly and time units by directly operating the permission list storage unit. May be.

  Each of the security switch, the communication terminal, and the setting terminal can be realized by hardware, software, or a combination thereof. The relay method performed by the security switch, the communication terminal, and the setting terminal can also be realized by hardware, software, or a combination thereof. Here, “realized by software” means realized by a computer reading and executing a program.

  The program may be stored using various types of non-transitory computer readable media and supplied to the computer. Non-transitory computer readable media include various types of tangible storage media. Examples of non-transitory computer readable media include magnetic recording media (for example, flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (for example, magneto-optical disks), CD-ROMs (Read Only Memory), CD- R, CD-R / W, and semiconductor memory (for example, mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (random access memory)).

  Moreover, although the above-described embodiment is a preferred embodiment of the present invention, the scope of the present invention is not limited only to the above-described embodiment, and various modifications are made without departing from the gist of the present invention. Implementation in the form is possible.

  For example, each embodiment can be modified as follows.

  In each of the above-described embodiments, the security switch is connected to the Internet, but it is not always necessary to connect to the Internet. Even if it is not connected to the Internet, it is possible to detect a malicious frame that occurs when, for example, a malicious user connects an unauthorized terminal to the corporate network.

  In each of the above-described embodiments, the operation period is continued after a predetermined time has elapsed since the registration period, and the operation is continued. In this case, the transition may be made from the operation period to the registration period again, and when a predetermined time has elapsed after the transition, the operation period may be changed again. In other words, the permission list may be updated by re-registration.

  For example, when a new communication terminal is added after the operation period transition, a frame related to the added communication terminal may be added to the permission list by performing re-registration. In this case, the permission list may be in a clean state, and the permission list may be recreated from scratch, or new frame information may be added to the existing permission list.

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

(Appendix 1)
A relay device,
Storage means for storing a list of frames to be subjected to the first processing after reception by the relay device;
Analyzing means for matching the received frame with the list;
At the time of verification by the analyzing means, if the received frame matches the frame described in the list, the first process is performed on the received frame, and if the frame does not match, the received frame Control means for performing the processing of 2;
There are a plurality of lists according to the day of the week and time, and the analysis unit collates the received frame with a list corresponding to the day of the week and time of operation.

(Appendix 2)
The relay device according to attachment 1, wherein
In addition to the day of the week and the time, there are a plurality of lists according to the traffic during operation, and the analysis means includes the received frame and a list corresponding to the day of the week, time during operation, and the traffic. A relay device characterized by matching.

(Appendix 3)
A relay device,
Storage means for storing a list of frames to be subjected to the first processing after reception by the relay device;
Analyzing means for matching the received frame with the list;
At the time of verification by the analyzing means, if the received frame matches the frame described in the list, the first process is performed on the received frame, and if the frame does not match, the received frame Control means for performing the processing of 2;
There are a plurality of lists according to the traffic during operation, and the analysis means collates the received frame with a list corresponding to the traffic during operation.

(Appendix 4)
The relay device according to any one of appendices 1 to 3,
The relay apparatus according to claim 1, wherein the first process includes transferring the frame to a destination of the frame, and the second process does not include transferring the frame to a destination of the frame.

(Appendix 5)
The relay device according to any one of appendices 2 to 4,
A relay device, wherein the communication amount in the relay device unit is monitored as the communication amount during the operation.

(Appendix 6)
The relay device according to any one of appendices 2 to 4,
A relay device characterized in that the communication amount in physical port units of the relay device is monitored as the communication amount during the operation.

(Appendix 7)
The relay device according to any one of appendices 2 to 4,
The relay apparatus according to claim 1, wherein the communication volume in the day of the week and the time unit is monitored as the communication volume during the operation.

(Appendix 8)
A communication system comprising the relay device according to any one of appendices 1 to 7, and a setting terminal connected to the relay device,
A communication system, wherein a part or all of the contents of each process and the contents of the list are changed in accordance with an operation from a user received by the setting terminal.

(Appendix 9)
A relay method used in a relay device,
Storing a list of frames to be subjected to first processing after reception by the relay device;
Checking the received frame against the list;
At the time of verification by the analyzing means, if the received frame matches the frame described in the list, the first process is performed on the received frame, and if the received frame does not match, the first frame is added to the received frame. Two processing steps,
There are a plurality of lists according to the day of the week and time, and the analysis means collates the received frame with a list corresponding to the day and time of operation.

(Appendix 10)
A relay program that causes a computer to function as a relay device,
The computer,
Storage means for storing a list of frames to be subjected to the first processing after reception by the relay device;
Analyzing means for matching the received frame with the list;
At the time of verification by the analyzing means, if the received frame matches the frame described in the list, the first process is performed on the received frame, and if the received frame does not match, the first frame is added to the received frame. Control means for performing the processing of 2;
A plurality of lists exist according to the day of the week and the time, and the analysis unit causes the analysis unit to function as a relay device that collates the received frame with a list corresponding to the day of the week and the time of operation.

  The present invention is suitable for security measures in a relay device.

10 10-1 10-2 10-3 10-4 10-n Communication terminal 50 Setting terminal 100 200 300 Security switch 110 Frame analysis unit 120 Permission list generation unit 130 Permission list storage unit 140 Day / time management unit 150 Communication control Unit 210 communication amount monitoring unit 220 communication amount management unit 230 communication control unit 500 firewall 700 internet

Claims (10)

A relay device,
Storage means for storing a list of frames to be subjected to the first processing after reception by the relay device;
Analyzing means for matching the received frame with the list;
At the time of verification by the analyzing means, if the received frame matches the frame described in the list, the first process is performed on the received frame, and if the received frame does not match, the first frame is added to the received frame. Control means for performing the processing of 2;
There are a plurality of lists according to the day of the week and time, and the analysis unit collates the received frame with a list corresponding to the day of the week and time of operation. The relay device according to claim 1,
In addition to the day of the week and the time, there are a plurality of lists according to the traffic during operation, and the analysis means includes the received frame and a list corresponding to the day of the week, time during operation, and the traffic. A relay device characterized by matching. A relay device,
Storage means for storing a list of frames to be subjected to the first processing after reception by the relay device;
Analyzing means for matching the received frame with the list;
At the time of verification by the analyzing means, if the received frame matches the frame described in the list, the first process is performed on the received frame, and if the received frame does not match, the first frame is added to the received frame. Control means for performing the processing of 2;
There are a plurality of lists according to the traffic during operation, and the analysis means collates the received frame with a list corresponding to the traffic during operation. The relay device according to any one of claims 1 to 3,
The relay apparatus according to claim 1, wherein the first process includes transferring the frame to a destination of the frame, and the second process does not include transferring the frame to a destination of the frame. The relay device according to any one of claims 2 to 4,
A relay device, wherein the communication amount in the relay device unit is monitored as the communication amount during the operation. The relay device according to any one of claims 2 to 4,
A relay device characterized in that the communication amount in physical port units of the relay device is monitored as the communication amount during the operation. The relay device according to any one of claims 2 to 4,
The relay apparatus according to claim 1, wherein the communication volume in the day of the week and the time unit is monitored as the communication volume during the operation. A communication system comprising the relay device according to any one of claims 1 to 7, and a setting terminal connected to the relay device,
A communication system, wherein a part or all of the contents of each process and the contents of the list are changed in accordance with an operation from a user received by the setting terminal. A relay method used in a relay device,
Storing a list of frames to be subjected to first processing after reception by the relay device;
Checking the received frame against the list;
At the time of verification by the analyzing means, if the received frame matches the frame described in the list, the first process is performed on the received frame, and if the frame does not match, the received frame Two processing steps,
There are a plurality of lists according to the day of the week and time, and the analysis means collates the received frame with a list corresponding to the day and time of operation. A relay program that causes a computer to function as a relay device,
The computer,
Storage means for storing a list of frames to be subjected to the first processing after reception by the relay device;
Analyzing means for matching the received frame with the list;
At the time of verification by the analyzing means, if the received frame matches the frame described in the list, the first process is performed on the received frame, and if the frame does not match, the received frame Control means for performing the processing of 2;
A plurality of lists exist according to the day of the week and the time, and the analysis unit causes the analysis unit to function as a relay device that collates the received frame with a list corresponding to the day of the week and the time of operation.

Images