JP3426832B2 - Network access control method - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a network access control method for a computer system that protects an internal network with a firewall.

[0002]

2. Description of the Related Art The use of computer systems has rapidly and widely spread to various fields as computer systems have become smaller and less expensive, and network environments have been enhanced. Also, the shift from centralized systems to distributed systems Is progressing. Especially in recent years, in addition to sharing resources such as files and printers in the office, communication with outside offices and outside of one organization (such as electronic (E-mail, electronic news, file transfer, etc.)
Has become possible and these have begun to be widely used. In recent years, in particular, the use of the world's largest computer network “Internet” has become widespread, and it has become popular with external users who connect to the Internet and use publicly available information and services, and vice versa. On the other hand, by providing information and services, new computer business is being cultivated. In addition, new technologies are being developed and deployed regarding the use of the Internet.

However, in the case of widespread use of networks, realization of free connections between networks, and exchange of vast amounts of data and services, it becomes necessary to consider security issues. For example, how to prevent leakage of confidential information inside the organization to the external network, and how to protect resources and information connected to the internal network from unauthorized intrusion from outside the organization. . Since the Internet was originally constructed for academic research, it emphasizes the exchange of free data services by connecting networks, and although such security problems were not taken into consideration, many companies and organizations have recently taken into consideration. Has come to connect to the Internet, and it is necessary to have a mechanism for defending its own network from security problems.

Therefore, when connecting a plurality of networks, the data exchanged through these networks are monitored and checked, and unauthorized access from the outside or leakage of the internal data to the outside. It is common practice to arrange a mechanism to prevent this. Such a mechanism is called a firewall. By installing a firewall, it is possible to prevent leakage of confidential information to the outside and unauthorized access from the outside, and to receive external services safely from inside.

Conventional firewalls are typically located at the contacts of external networks. This state is shown in FIG.
That is, the network 101 to be protected by the firewall 103 and the other network 102
External network 1 located at only one connection point with
All packets exchanged between 02 and the network 101 to be protected are made to pass through this firewall 103. A firewall does not refer to one network connection device, but generally refers to a plurality of components including hardware and software such as a router and a gateway collectively. The firewall confirms the legitimacy and security of all communication that passes through the firewall and permits communication.

However, in the conventional method, all traffic from inside the organization to outside the organization is concentrated on the firewall. Therefore, if many computers exist in the organization, the firewall will be heavily loaded. Therefore, even if the capacity of the communication path to both sides of the firewall, that is, outside and inside the organization, is sufficiently large, it is not possible to utilize this communication capacity unless the processing capacity of the firewall is commensurate with it. There is a problem that it cannot be done and it hinders high-speed communication. In addition, the more restrictive the firewall, the more restricted the services that can be used, and the less convenient the user is. On the contrary, the more the user demands convenience, the lower the safety becomes. Also, if the firewall is distributed and assigned to each computer, the trust relationship within the organization is lost, and it becomes difficult to use useful services that can be used due to the trust relationship between hosts, and again the users' The convenience will be impaired.

[0007]

The conventional method has a problem that the load is concentrated on the firewall. In addition, it is difficult to decentralize firewalls while ensuring network safety and user convenience, due to the characteristics of conventional firewalls.

The present invention has been made in consideration of the above circumstances, and it is possible to decentralize firewalls in a computer system in which a plurality of computers are communicably connected by a plurality of interconnected communication networks. An object of the present invention is to provide a network access control method that enables the network access control.

Further, the present invention, in a computer system in which a plurality of computers are communicably connected to each other through a plurality of interconnected communication networks, ensures the safety of each computer in the protection unit network. At the same time, it is an object of the present invention to provide a network access control method capable of providing free access control rules.

[0010]

The present invention (Claim 1) includes:
In a network access control method for protecting a plurality of computers in a management network that can be connected to an external network from the outside, all packets destined to a source or a destination of the plurality of computers are provided at a position where they can be monitored. Based on the contents of the packet, the connection state detection means detects at least connection start and connection end with other computers of the plurality of computers, and at least the protection means provided corresponding to the plurality of computers detects at least It is characterized in that whether or not the corresponding computer is made to receive a packet is determined based on the information of the connection start or the connection end thus established.

Here, the management network means a set of networks to be protected. The external network is a network other than the management network.
According to the present invention, the connection state detection means is provided at one place to centrally monitor the connection state with other computers in the management network to be protected, and the protection means is the management network to be protected. Computers are distributed within the network, and each protection means allows or denies communication based on at least the connection status of each computer detected by the connection status detection means.Therefore, the mechanism for protecting the computer by performing network access control is distributed. Since they can be arranged, concentration of load can be avoided and higher speed communication becomes possible. In addition, each computer has an independent rule for access control, and it is possible to maintain the safety of the entire network while ensuring the convenience of the user.

The present invention (claim 2) is a network access control method for protecting a plurality of computers in a management network connectable to an external network from the outside, wherein any one of the plurality of computers is a source or a destination. The connection state detection means provided at a position capable of monitoring all packets detects at least the start and end of connection with other computers of the plurality of computers based on the contents of the packets, and derives the risk level. Based on the information of the connection start or the connection end detected by means, the risk degree of each of the plurality of computers is obtained, and at least the risk degree obtained by the protection means provided for the plurality of computers. It is characterized in that whether or not the corresponding computer is made to receive the packet is determined based on the information of (1).

The present invention (claim 3) is a network access control method for protecting a plurality of computers in a management network connectable to an external network from the outside, wherein any one of the plurality of computers is a source or a destination. The connection state detecting means provided at a position capable of monitoring all packets at least detects connection start and connection end with other computers of the plurality of computers based on the contents of the packets, and at least the connection. Each time the start or the connection end is detected, the risk derivation means obtains the risk degree of each of the plurality of computers based on the detected information of the connection start or the connection end, and the obtained new The risk degree is transmitted to a protection means that is provided for the plurality of computers and protects the corresponding computers. .

Here, the degree of risk is an index indicating how dangerous a computer is, and is set for each computer. For example, it is set to 1 when it is dangerous and 0 when it is safe.

It is assumed that this risk can be propagated by the connection. That is, the risk level may change on both the connected side and the connected side depending on the current connection destination of each established connection of the computer.

Whether or not the risk is propagated by the connection is defined as, for example, a rule of changing the risk by the connection, and only when the connection start or the end where the risk is propagated is detected, each of the plurality of computers is detected. The risk level of may be obtained.

According to the present invention, the connection status detecting means is provided at one place to centrally monitor the status of the connection between the computer in the management network to be protected and the other computer, and the detection result of the connection status detecting means is used. Therefore, the risk degree deriving means derives the risk degree of each computer at each time point.

On the other hand, the protection means are distributed in the management network to be protected corresponding to the computers, and each protection means permits or rejects the communication based on at least the connection status or the degree of danger of each computer.

That is, the protection means determines whether or not the packet can be transferred to the computer in the management network based on the risk and the connection information and according to the determined rule.
The connection information is general information associated with the connection, such as the time when the computer started the connection, the address of the partner computer, the type of service provided or received, and the like.

Further, when the risk level of the computer at the connection destination changes, the protection means that has received the notification can block or permit the communication according to the new risk level.
According to the present invention, a mechanism for performing network access control and protecting a computer can be arranged in a distributed manner for each computer, so that concentration of load can be avoided and higher speed communication can be performed.

Further, in each computer connected to the management network, when determining whether to connect from another computer, it can be judged by whether the other computer is a dangerous computer or is connected to a dangerous computer. Even if the protection mechanisms are distributed, a reliable computer can be dynamically determined based on the degree of risk, and a useful service based on the trust can be used.

Further, by using the index of the degree of danger for each computer, safe and flexible operation is possible even when the protection devices are distributed and operated. That is,
Each computer has its own rules for access control,
It is possible to maintain the safety of the entire network while ensuring the convenience of the user.

The present invention can also be realized in the form of a network access control device, which is, for example, a connection state detecting means for detecting connection start and end of a computer in a management network, and this connection state. It is provided with connection information management means for managing the connection information obtained by the detection device and deriving the degree of risk, and a protection device provided for the computer for controlling the transfer of packets to each computer according to a predetermined rule. .

First, the network access control device detects the start, interruption, and end of all the connections of all computers in the management network, regardless of whether the connection destination computer is in the management network or an external network. . The detected connection is stored until the connection is terminated. Also, the network access control device stores the degree of risk for each computer. If the connection changes, that is, a new connection is detected or a certain connection is terminated, the risk level changes and the network access device derives a new risk level. The method of deriving the degree of risk can be freely determined by the administrator of the network access control device. When deriving the degree of risk, connection information or information given in advance can be used. When a new connection request is made to the computer in the management network, the network access control device determines whether to pass the connection request to the computer, that is, to transfer the packet to the computer. The determination rule can be determined by the administrator of the network access control device using the connection information and the risk level information. The judgment rule is independently limited for each computer. In addition, if the content of the risk information changes due to the occurrence of a new connection or the termination of a certain connection, and if it is determined that communication that has already been connected also needs to be blocked, the packet related to that connection To cancel the transfer. Therefore, in addition to the dynamic change of the connection state between the computers connected to each other, the connection state of each computer also dynamically changes with the change of the risk level.

[0025]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 shows an example of the configuration of a computer network to which the present invention is applied. External network N
1 is an open network where multiple organizations connect. Computers O1 to O5 shown in FIG. 1 represent external computers, and are connected to the external network N1 directly or via another network.

The computers H1, H2, H3, H4, ... In the management network N2 to be protected in this embodiment are first connected to the protection devices P1, P2, P3, P4 ,. Or to a network connectable to the external network N1.

The connection status detecting device I1 is connected to a position where communication of all computers connected to the network managed by the connection detecting device I1 can be monitored. In FIG. 1, a star network is assumed.

The connection state detection device I1 detects the start and end of connection and the communication partner by monitoring all packets transmitted / received by each computer in the management network, and the new connection can propagate the degree of danger. A device that transmits the connection information including the information associated with this connection to the connection state management device I2, if it has the property. The connection information is, for example, information such as the time when the computer started connection, the address of the partner computer, the type of service provided or received, and the like.

The connection state management device I2 is a device that receives connection information from the connection state detection device I1, manages the information, and obtains a risk level that is an index indicating how dangerous each computer is.

In the present embodiment, the computer that has issued the connection request, that is, has called the call is called a caller. A computer that receives a connection request is called a called party. The connection can be identified by protocol-specific information used by the computers on the network, such as an identifier of each other's computer, an address defined by the network, a type of service and a number for identifying the service called a port. Therefore, it is assumed that multiple different connections can exist on the same computer.

It is assumed that there are three connection states. One is in the state of no connection, which means that there is no communication at all, or communication has been done in the past but the connection has ended, at which point both the calling and called parties send out packets that match the connection. Not say the state. One is a state in which a connection is established, that is, a state in which both the calling party and the called party are sending packets that match the connection. One is a state in which the connection is dormant. This is a state in which the connection is established, but the connection is not currently used regardless of the calling side or the called side.

For detecting the connection, for example, in the case of a protocol in which the establishment, suspension, and termination of the connection can be determined from the packet, the state of the connection can be detected with this. In protocols that cannot do this, if a packet that matches a connection is not sent within a certain period of time, the connection is dormant, and if a packet that matches the connection is not sent for a longer time, the connection is It can be judged that it has ended.

The connection state detection device, connection state management device and protection device will be described below. FIG. 2 shows a configuration example of the connection state detection device I1. Further, FIG. 3 shows a flowchart of an operation example of the connection state detecting device I1.

As shown in FIG. 2, the connection state detecting apparatus I1 of this embodiment has a packet receiving section 301 and a connection detecting section 30.
2. A judgment information storage unit 303, a risk degree judgment unit 304, a connection notification unit 305, and a packet transfer unit 306.

The packet receiving section 301 is a section for receiving all packets transmitted from or toward the computer managed by the connection state detecting device I1.

The connection detecting section 302 is a part for judging the start / end / pause of the connection from these packets and obtaining the connection information from the packets. Judgment information storage unit 303
Is a part that stores judgment information, which is a set of information necessary for determining whether a certain connection can be a dangerous connection.

The risk degree judging section 304 is a section for judging whether a new connection can be a dangerous connection from the judgment information and the connection information. The connection notification unit 305 is a unit that notifies the connection state management device I2 of the connection information when the risk determination unit 304 determines that the connection may be dangerous.

The packet transfer unit 306 is a unit for transferring the received packet to the computer. The packet transfer unit 306 may not be provided and the packet reception unit 301 may transfer the packet to the computer.

The operation of the connection state detecting device I1 of this embodiment is roughly as follows. Connection status detection device I1
Monitors the packet (step S11), detects a new connection (step S12), and determines that the connection propagates the risk level (step S12), the connection state management device I2 starts the connection. Notify (Step S)
14). On the other hand, when the suspension or termination of the connection is detected (step S15), if it is determined that the connection propagates the risk level (step S16), the connection state management device I2 is notified of the suspension / termination of the connection (step S14). .

FIG. 4 shows an example of the configuration of the connection status management device I2. Further, FIGS. 5A and 5B are flowcharts showing an operation example of the connection status management device I2. As shown in FIG. 4, the connection status management device I2 of the present embodiment has a connection information reception unit 401, a connection status information management unit 402, a connection status information storage unit 403, a risk level determination unit 404, a risk level information storage unit 405, The connection state change notification unit 406 and the inquiry processing unit 407 are included.

The connection information receiving section 401 is a section for receiving connection information from the connection state detecting device I1. The connection state information storage unit 403 is a unit that stores information about which computer is connected to which computer in the management network, and what state the connection is currently in. This connection status information is as shown in FIG. 6, for example. FIG. 6 shows that the computer O1 and the computer H1 are connected by the service telnet (remote login), and the computer H2 and the computer H3 are connected by the service ftp (file transfer), but the connection is now suspended. It shows that it is doing.

The connection status information management unit 402 manages the connection status information storage unit 403 by updating, deleting, adding elements in the connection status information storage unit 403 based on the connection information received from the connection status detecting device I1. It is the part to do.

The risk information storage unit 405 stores, for all computers managed by the connection status management device I2, an index indicating how dangerous the computer is currently connected. Further, a certain degree of risk can be assumed for each computer outside the management network. FIG. 7 shows an example of the risk information.

The risk degree determining unit 404 determines new risk degree information from the connection state information updated by the new connection information and the current risk degree information. The method of calculating the risk level is programmable, and the administrator of the device can flexibly set the method of calculating the risk level.

When the risk information changes due to a new connection, the connection state change notifying unit 406 is affected by the change, that is, the computer with the changed risk and the protection device for the computer in the connected state are connected. Notify how the previous risk has changed.

The inquiry processing unit 407 responds to the inquiry about the degree of risk to a computer from the protection device with an appropriate response from the risk degree information. The operation of the connection status management device I2 of this embodiment is roughly as follows.
When the connection state management device I2 receives the inquiry about the risk information from the protection device (step S21), the connection state management device I2 retrieves the risk information (step S22) and sends a risk alert response (step S23).

When the connection state management device I2 receives the connection information from the connection state detection device I1 (step S
31), and the connection status information is updated (step S32).
Then, the risk is recalculated (step S33), and if there is a risk change calculator (step S34), it is notified to each calculator (step S35).

FIG. 8 shows a structural example of the protection device. Further, FIG. 9 shows a flowchart of an operation example of this protection device. As illustrated in FIG. 8, the protection device according to the present exemplary embodiment includes a packet reception unit 701, a call detection unit 702, and a connection end detection unit 7.
03, transfer permission judgment unit 704, permission rule information management unit 70
5, packet transfer unit 706, risk degree inquiry unit 70
7 and a protection computer connection information storage unit 708.

The packet receiving section 701 is a section for receiving a packet from the network. The protected computer connection information storage unit 708 is a unit that stores information such as the caller and the called party, the service, and the degree of danger of the connection destination viewed from the computer to be protected by the protection device.

The call detection unit 702 detects a call to a computer that is a protection target of the protection device and a call to a computer that is a protection target of the protection device. If a call is detected, the risk inquiry unit 70 determines the risk of the computer at the connection destination.
7, and stores this in the protected computer connection information storage unit 708 in addition to the connection information.

The connection end detection unit 703 detects the end of each connection of the computer that is the protection target of the protection device. When the end of the connection is detected, the connection information is deleted from the protected computer connection information storage unit 708. The connection end detecting unit 703 detects that the call is only made but the connection is not actually made, that is, the connection is failed, and the same operation is performed.

The authorization rule information management unit 705 stores information for determining whether to transfer a packet from the connection information and the connection information such as the risk of the computer requesting the connection or the computer of the connection partner. Is. Since the authorization rule information is also provided for each protection device, each protection device can have an independent rule different from other protection devices.

The transfer permission judgment unit 704 determines from the packet
The matching connection information is acquired from the information stored in the protection computer connection information storage unit 708, and it is determined whether or not to receive the connection request according to the permission rule in the permission rule information management unit 705.

The packet transfer section 706 is a section for transferring the permitted packet to the computer. The risk inquiring unit 707 is a unit that inquires of the connection status monitoring device about the risk information for a certain computer, which is necessary in the transfer permission determining unit 704. Further, when the connection status management device I2 notifies that the risk level of the computer currently in communication has changed, the information is protected by the protected computer connection information storage unit 70.
Save to 8.

The operation of the protection device of this embodiment is roughly as follows. When the protection device receives the packet (step S41), it detects a call (step S4).
2) Inquire the connection status management device I2 about the degree of risk (step S43) and register it in the protection computer connection information (step S44). On the other hand, when the termination of the connection is detected (step S45), it is deleted from the protection computer connection information (step S46). Then, the received packet is transferred (step S47), is transferred (step S48), and is not transferred (step S47), and is discarded (step S48).

Next, a concrete example of the operation of this embodiment is TCP.
The / IP protocol will be described as an example. With TCP / IP,
The connection destination IP address and the service to be used as the connection information can be identified from the packet.

It is assumed that all the external computers including the computer O1 are dangerous and the computers H1 to H4 are not dangerous as the initial state of the risk degree information of the connection state management device I2. Here, the degree of risk is a binary value of 1 (danger) and 0 (safety). FIG. 7 shows an example of the risk level information in the risk level information storage unit 405 in this case.

As a method of updating the risk degree information, for example, the following method is available. It is assumed that there are connections that propagate risk and connections that do not propagate. That is, when a computer with a risk level of 0 is connected to a computer with a risk level of 1 and the connection is a connection that propagates the risk level, the connected computer has a risk level of 1.

A connection matrix C0 is generated from the connection state information. The connection matrix C0 is generated as follows. Correlate each line with the computer that appears in the connection status information. It is assumed that the computer O1 is the first row, the computer H1 is the second row, the computer H2 is the third row, the computer H3 is the fourth row, and the computer H4 is the fifth row. next,
Associate each computer with the computer to which the computer of interest is connected. At this time, the lines are associated in the same order. That is, the computer O1 is the first column, the computer H1 is the second column, the computer H2 is the third column, the computer H3 is the fourth column, and the computer H4 is the fifth column. When a connection for propagating the degree of danger is made for each row, the component of the corresponding column is set to 1, and the other components are set to 0. However, the diagonal component is 1. Therefore, the components of the connection matrix are of interest for the diagonal components. Temporarily O1 and H
2, assuming that H2 and H3 are connected, the connection matrix is as shown in FIG.

The connection matrix thus obtained is raised to the power of n-1, and the result is designated as C. However, the number of computers appearing in the connection status information is n. Result C expresses to what extent n computers are propagated with respect to their indirect connections.

From the risk information, the state T _{0 of the} risk vector
= [T ₀ , t ₁ , ..., T _n-1 ] ^t is generated. Now, the computers O1, H1, H2, H appearing in the connection status information
Assuming that the number of units is 3 and H4, the initial value is T ₀ from the above conditions.
= [1,0,0,0,0] ^t .

Then, the new risk vector T ₁ is set to T
₁ = C × T ₀ In this example, the newly obtained risk level vector is T ₁ = [1,0,1,1,0] ^t , and the risk level of the computer O1 propagates through the connection to H2, and further to H3. Indicates that it has propagated. In this example, the degree of risk is binary 0 or 1, so the connection matrix C
As a result of the product of 0 and the risk vector T, if each component of the risk vector T takes a value larger than 1, this is set to 1.

Next, it is assumed that the information shown in FIG. 11 is given as the judgment information which the connection state detecting device I1 has. The calling party means a computer that issues a connection request, and the called party means a computer that accepts the connection request. Service means the type of network service used by the connection. When the item of “propagation degree of risk” is “propagation”, it means that the connection is a connection capable of propagating the degree of danger, and informs the connection state management device that a new connection has occurred. If the item of the risk degree propagating property is "not propagate", it means that the connection is a safe connection that does not propagate the risk degree, and does not notify the connection state management device I2 that a new connection has occurred. Therefore,
The intent of this information is a connection that can propagate the risk level for services telnet and ftp when a computer in the external network makes a call to the management network, and a new connection is generated in the connection status management device. It means to convey what you have done. If a computer in the management network makes a call to a computer in the external network and the service is a connection by ftp, it is determined that this connection is not dangerous and ft
This means that even if a new connection by p occurs, it is not notified to the connection status management device.

Next, it is assumed that the permission rule information held by the protection device P2 is given as shown in FIG.
In addition, as the permission rule information that the protection device P3 has, FIG.
Suppose that the one shown in is given.

The management computer in FIGS. 12 and 13 means a computer to be managed by the protection device. The condition indicates how dangerous the connection destination is to satisfy the rule. Therefore, the intention of FIG. 12 is to telnet and ftp from the external network to the management computer.
Refuses, that is, this packet is not forwarded to the management computer. Telnet and ftp from the management network to the management computer forward the packet to the management computer if the caller's risk is 0, but do not forward it if the risk is 1 and discard the packet. Shows. Similarly, the intention of FIG.
The telnet and ftp from the external network to the management computer are rejected, that is, this packet is not transferred to the management computer. On the other hand, telnet and ftp from the management network to the management computer are transferred regardless of the degree of danger of the caller.

Hereinafter, an example of the operation procedure of the network access control apparatus according to the present invention will be described step by step. It is assumed that the computer H1 is connected to the computer O1 in the external network N1 by the service ftp. All the packets sent by the computer H1 and the packets addressed to the computer H1 pass through the protection device P1. This connection is the connection state detection device I1.
However, it is determined from the judgment information 4 in FIG. 11 that this connection does not propagate the risk, and the connection state management device I2
I can't tell you.

It is assumed that the computer H1 is connected to the computer O1 in the external network N1 by the service telnet.
In the connection state detecting device I1, it is judged that this connection propagates the degree of danger from the judgment information 3 in FIG.
The connection between 1 and the computer O1 is transmitted to the connection status management device I2. The connection status management device I2 updates the connection status information storage unit 403 based on this connection information, and at the same time updates the risk level information. The risk degree is propagated from the computer O1 having the risk level 1, and the computer H1 also becomes the computer having the risk level 1.

Next, the computer H1 sends t to the computer H2.
It is assumed that a connection request by elnet is issued. Calculator H2
The protection device P2 inquires of the connection state management device I2 about the current degree of danger of the computer H1. The connection state management device I2 responds from the risk information that the computer H1 is dangerous. Since the protection device P2 does not transfer this packet to the computer H2 from 4 of the permission rule information of FIG. 12, the connection between the computer H1 and the computer H2 is not established.

Next, the computer H3 tells the computer H2 to teln.
It is assumed that a connection request by et is issued. When the connection state management device I2 notifies the protection device P2 that the same process is performed and the risk degree of the computer H3 is 0, the connection between the computer H3 and the computer H2 is established.

The computer H1 then telnes to the computer H3.
It is assumed that a connection request by t is issued. Since the protection device P3 transfers the packet from the permission rule information 3 of FIG. 13 regardless of the risk of the caller, the connection between the computer H1 and the computer H3 is established. This connection is detected by the connection state detecting device I1 and transmitted to the connection state management device I2. The connection status management device I2 re-evaluates the risk level based on this new connection. As a result, it is found that the risk level of the computer H3 has changed from 0 to 1 in the connection status management device I2. This change is notified to the protection device P2 which is the connection destination. In response to this, the protection device P2 stops the transfer of the packet relating to this connection from the computer H3 from 4 of the permission rule information of FIG. 12, and discards this packet. Calculator H
When the connection between the computer 1 and the computer H3 by telnet is completed, the risk of the computer H3 becomes 0 again, and the protection device P2 restarts the packet transfer.

In the above embodiment, the connection state detecting device is provided at the contact point with the external network, but the bus type network does not necessarily have the connection state detecting device at the contact point with the external network. Since it is sufficient to monitor all the packets sent by the computer to be managed and the packets destined for the computer, it is possible to connect to another position on the bus network B1 as shown in FIG. Further, as shown in FIG. 15, the connection state detection device, the connection state management device, and the protection device may be directly housed in the hub HUB1 that connects the computers. In this case, a protection device is built in each contact with the computer.

Further, in the above-described embodiment, the connection state has three states of start, end, and pause. Instead, however, even if a pause is detected, it is regarded as a connected state. It is also possible to adopt other methods such as assuming that the connection is not detected and only detecting the start and end of the connection is not detected. Further, the present invention is not limited to the above-described embodiments, and can be implemented with various modifications within the technical scope thereof.

[0073]

As described above, according to the present invention, the management of the protection means for centrally detecting the connection of the computer in the management network with the other computer at one place and permitting or denying the communication. Since it is distributed in the network for computers, it is possible to avoid concentration of load on the protection mechanism and to enable higher speed communication.

Further, by using the index of the degree of risk for each computer, each computer has a rule for independent access control even when the protection devices are distributed and operated, and the convenience of the user is improved. Since the security of the entire network can be maintained while ensuring the security, safe and flexible operation becomes possible.

[Brief description of drawings]

FIG. 1 is a diagram showing a configuration example of a computer network according to an embodiment of the present invention.

FIG. 2 is a diagram showing a configuration example of a connection state detection device.

FIG. 3 is a flowchart showing an operation procedure of the connection state detection device.

FIG. 4 is a diagram showing a configuration example of a connection status management device.

FIG. 5 is a flowchart showing an operation procedure of the connection status management device.

FIG. 6 is a diagram showing an example of a connection status table.

FIG. 7 is a diagram showing an example of risk degree information.

FIG. 8 is a diagram showing a configuration example of a protection device.

FIG. 9 is a flowchart showing an operation procedure of the protection device.

FIG. 10 is a diagram showing a connection matrix

FIG. 11 is a diagram showing an example of determination information.

FIG. 12 is a diagram showing an example of rule information.

FIG. 13 is a diagram showing an example of management information.

FIG. 14 is a diagram showing a configuration example of a computer network having a bus network.

FIG. 15 is a diagram showing an example of the configuration when it is directly housed in a hub.

FIG. 16 is a diagram showing a conventional example.

[Explanation of symbols]

I1 ... Connection state detection device I2 ... Connection state management device P1, P2, P3, P4 ... Protection device H1, H2, H3, H4, O1, O2, O3, O4, O
5 ... Computer N1 ... External network N2 ... Management network B1 ... Bus type network R1 ... Router HUB1 ... Hub 301 ... Reception unit 302 ... Connection detection unit 303 ... Judgment information storage unit 304 ... Danger degree judgment unit 305 ... Connection notification unit 401 ... Connection information reception unit 402 ... Connection state information management unit 403 ... Connection state information storage unit 404 ... Danger degree determination unit 405 ... Danger degree information storage unit 406 ... Connection state change notification unit 407 ... Inquiry processing unit 701 ... Packet receiving unit 702 ... Call detection unit 703 ... Connection termination detection unit 704 ... Transfer permission determination unit 705 ... Permit rule information management unit 706 ... Packet transfer device 707 ... Danger degree inquiry unit 708 ... Protection computer connection information storage unit

Continuation of the front page (56) Reference JP-A-7-262135 (JP, A) JP-A-6-62013 (JP, A) JP-A-4-235652 (JP, A) (58) Fields investigated (Int .Cl. ⁷ , DB name) G06F 13/00 H04L 12/66

Claims (3)

(57) [Claims] 1. A network access control method for protecting a plurality of computers in a management network connectable to an external network from the outside, wherein all packets whose source or destination is one of the plurality of computers are monitored. A connection state detection means provided at a possible position detects at least connection start and connection end with other computers of the plurality of computers based on the contents of the packet, and protection provided for the plurality of computers. A means for deciding whether or not to cause the corresponding computer to receive a packet based on at least the detected information of the connection start or the connection end by means. 2. A network access control method for protecting a plurality of computers in a management network connectable to an external network from the outside, wherein all packets whose source or destination is any of the plurality of computers are monitored. A connection state detection means provided at a possible position detects at least a connection start and a connection end with another computer of the plurality of computers based on the contents of the packet, and the risk level derivation means detects the connection. Based on the information of the connection start or the connection end, to determine the risk of each of the plurality of computers, by the protection means provided corresponding to the plurality of computers, at least based on the information of the obtained risk Network access control method characterized by determining whether or not to allow the computer to receive a packet . 3. A network access control method for protecting a plurality of computers in a management network connectable to an external network from the outside, wherein all packets whose source or destination is any of the plurality of computers are monitored. At least a connection start and a connection end with the other computers of the plurality of computers are detected by a connection state detection means provided at a possible position based on the content of the packet, and at least the connection start or the connection end is detected. Each time, the risk deriving unit obtains the risk degree of each of the plurality of computers based on the detected connection start or connection end information, and the obtained new risk degree is calculated as A network access, characterized by being provided to a computer and communicating to a protection means for protecting the corresponding computer. Control method.