JP4384236B2 - Network monitoring device, network monitoring method, network monitoring program, and recording medium storing network monitoring program - Google Patents

Description

  The present invention relates to a network monitoring device, a network monitoring method, a network monitoring program, and a recording medium storing a network monitoring program.

  To prevent unauthorized terminals from being connected to the network, a network system that detects the presence of unauthorized terminals and prevents the unauthorized terminals from communicating with other devices on the network is realized. It is demanded. In order to monitor the presence of an unauthorized terminal in a network using the IP (Internet Protocol) protocol, DHCP (Dynamic Host Configuration Protocol) shown in RFC (Request For Comments) 2131 issued from IETF (Internet Engineering Task Force) ) Is applied. As a technique of this type, in the technique described in Japanese Patent Laid-Open No. 8-186469 (Patent Document 1), address information assigned by an address management device using DHCP and address information extracted from a packet transmitted over a network are used. In use, the address management device monitors the presence of unauthorized terminals in the network. On the other hand, in the technology described in Japanese Patent Laid-Open No. 2002-158701 (Patent Document 2), in a cable modem device, an IP address assigned by DHCP is managed, and packets using other than the assigned IP address enter the network. If it is possible, it is determined that the packet is illegally used, and the packet is discarded by the cable modem device.

  Also, without using physical layer address information (such as IP address) and data link layer address information in the OSI (Open Systems Intetconnection) reference model, dedicated software is installed in advance on each monitoring device and each terminal connected to the network. In addition, a system is known in which the monitoring device grasps the state of the corresponding terminal by extracting the information in the terminal in cooperation with the dedicated software on the monitoring device side and the dedicated software on the terminal side.

Japanese Patent Application Laid-Open No. 8-18669 JP 2002-158701 A

  In the above conventional technique, the presence of an unauthorized device on the network is detected based on the address information assigned by DHCP. However, in a general network environment, not only the environment in which an address is assigned by DHCP, There is also a general network environment that uses an address that is fixedly assigned to a device.

  In addition, there is a method that makes it impossible to communicate with other devices by putting a relay device into the network and always discarding a specific frame with this relay device, but by using such a relay device, It is also necessary to consider the failure of the relay device itself, the fact that the network performance depends on the relay performance, or the network traffic due to the frames transmitted from this unauthorized device.

  Further, as the number of devices connected to the network increases, work related to management and maintenance of the network, costs associated therewith, or a burden on the network administrator increase, but no consideration is given to reducing these.

  An object of the present invention is to provide an apparatus capable of monitoring a network without being greatly affected by the system configuration. The present invention is not limited to an environment in which addresses are assigned by DHCP, but is also detected in a network environment in which an address that is fixedly assigned to a device is used. In that case, the presence is detected at the timing when the unauthorized device is connected to the network. Furthermore, not only the presence of unauthorized devices is detected, but also unauthorized devices themselves cannot communicate with other devices using a network (hereinafter referred to as disconnection). It is another object of the present invention to enhance network security by eliminating the need to previously store dedicated software related to the present invention in devices connected to the network including devices that are determined not to be permitted.

  In addition, the present invention relates to network management and maintenance by generating address management information used when determining the presence of unauthorized terminals from information in the network frame or from the source address information of the frame. The purpose is to reduce the work and associated costs, or the burden on the network administrator.

  In addition, the present invention allows a device that has been once disconnected as an unauthorized device to be disconnected once without influencing users of other devices on the network by instructing the outside from the judgment of the administrator or the like. Is to be able to use the device. Similarly, the connected device can be used without affecting other users on the network by giving instructions from the outside to the connected device at the discretion of the administrator. It is to separate so that it disappears. This aims to reduce the work and costs associated with network management and maintenance, or the burden on the network administrator.

In order to achieve at least one of the above objects, according to the present invention, when information flowing through a network is received and a request for an address resolution protocol is received as the reception, a source address included in the request for the address resolution protocol is Based on the physical address together with the network address, it is determined whether it corresponds to a predetermined permitted terminal constituting a local network, and if it is determined not to correspond to the permitted terminal, it is included in the request for the address resolution protocol It is determined whether a network address as a source address is used by a terminal to be protected in the local network, and if it is used by a terminal to be protected in the local network, it is used as a set in the terminal Network address and physical address If the address is not used by the terminal to be protected in the local network, the network address of the terminal that has requested the address resolution protocol and a predetermined physical address are address resolved. It was configured to send as a response to a protocol request. More specifically or alternatively, receiving means for receiving information flowing through the network, determining means for determining whether the information corresponds to a predetermined authorized terminal based on information transmitted for network connection, and permission A network monitoring apparatus characterized by having a transmission means for sending information indicating that an address for identifying a terminal that has transmitted the information is used in the network when it is determined not to correspond to a terminal. A means for receiving a disconnection instruction for a connected terminal or a connection instruction from an external terminal, and if the received instruction is a disconnection instruction, information for generating a network address duplication state in order to disconnect the corresponding terminal. A network monitoring device, and a network Based on the receiving means for receiving the information flowing in the network and the information transmitted to obtain the address on the physical layer side from the network address paired with the network address, it is determined whether the information corresponds to a predetermined authorized terminal And a network monitoring device characterized by having a transmission means for sending information indicating a physical layer side address different from that corresponding to the network address to the network when it is determined not to correspond to the permitted terminal. The receiving means for receiving the flowing information and the information requesting to return the information including the address are transmitted so that the information is sequentially received by a plurality of terminals, and predetermined information is determined based on the returned information. A determination means for determining whether the information corresponds to an authorized terminal; and if it is determined that the information does not correspond to an authorized terminal, A network monitoring device characterized by having a transmission means for sending information indicating an address on the physical layer side of the network address different from the network equivalent to the network, or a receiving means for receiving information flowing on the network, for network connection Based on the transmitted information, a determination means for determining whether the information corresponds to a predetermined permitted terminal, and when it is determined that the information does not correspond to the permitted terminal, an overlapping state is generated for an address that identifies the terminal that transmitted the information A network monitoring device characterized by having a transmission means for sending information to be sent to the network, and detecting the presence of an unauthorized device at a timing when a device that does not permit connection is connected to the network. In addition, disconnect this unauthorized device from the network It is. At this time, there is no need to previously incorporate processing dedicated to the present system on the side of the apparatus that performs the connection.

  Specifically, in a monitoring system for monitoring a plurality of devices connected to the network and the state of the network, all means for receiving a frame addressed to the monitoring system and a broadcast frame addressed to all devices on the network or all flowing through the network Means for receiving the frame, means for registering information on whether or not the apparatus can be connected to the network, means for comparing the registered connection possibility information with the contents of the frame data, and determining whether or not to connect, and does not permit connection In order to detach the corresponding device, a means for generating a frame for generating an IP address duplication state in the network, and a frame sent from the monitoring system to the network, and an IP address duplication state in the network By generating the Providing means for disconnecting from the workpiece while it is for the device to be disconnected is unnecessary to keep incorporating previously the system dedicated processing for disconnecting, characterized in that the the.

  As a result, for example, even if a personal computer (Personal Computer) that is not permitted to connect is contaminated with a virus, the monitoring system detects that the PC is connected to the network, and the physical layer level is detected. To disconnect the PC. As a result, the contaminated frame is not sent to the network, which is effective in preventing the spread of virus contamination to other devices on the network. On the other hand, in the method in which communication is not performed in cooperation with pre-installed dedicated software, an effect cannot be expected when an unauthorized PC that does not include the dedicated software is connected. However, since it is not necessary to pre-install dedicated software related to the present invention in a device connected to the network including a device that is determined not to be permitted in the present invention, Network security can be strengthened compared to a method that prevents communication by cooperating.

  Furthermore, the feature of the present invention for achieving the above object is that the network monitoring system monitors the network, collects address information held by devices connected to the network, and sequentially creates address information. It is characterized in that it can be used as network connection availability information.

  Specifically, in a monitoring system that monitors a plurality of devices connected to the network and the state of the network, means for receiving a frame addressed to the monitoring system and a broadcast frame addressed to all devices on the network or all frames flowing through the network Receiving means, means for registering information on whether or not the device can be connected to the network, means for comparing the registered connection enable / disable information with the contents of the frame data, and determining whether or not to connect, and determining that connection is not permitted In this case, in order to disconnect the corresponding device, a means for generating a frame for generating an IP address duplication state in the network and a frame sent from the monitoring system to the network to generate an IP address duplication state in the network Make the corresponding device network On the other hand, it is not necessary to pre-install this system dedicated process for performing the separation on the corresponding device to be separated, and the monitoring system can be used for all devices on the network or designated devices. Providing at least one of a means for issuing a frame for inducing the issuance of an ARP frame to one or more devices and a means for extracting an IP address and MAC address information from an ARP frame issued from each device; Further, the extracted IP address and MAC address are combined to uniquely generate the address information of the device connected to the network, and the ascending order from the outside using the element classification of the generated unique address information as a key. Or a means of sorting in descending order and individual requirements for the generated unique address information. Means for enabling or disabling setting from the outside, generating device address information by using these means, and using the device address information as information on whether or not the device can be connected to the network. .

  As a result, in creating address information of many devices connected to the network, for example, the network administrator can connect the device to the network based on the address information described in the connection permission application by another means. When creating information, it is effective in reducing the burden associated with the application processing of the network manager and device owner.

  In addition, the feature of the present invention for achieving the above object is that the use of other devices on the network can be performed by instructing the device once disconnected as a device that is not permitted by the administrator's judgment. It is to make it possible to use the device without affecting the user, and on the contrary, to disconnect the connected device so that it cannot be used.

  Specifically, a means for receiving a frame addressed to the monitoring system and a broadcast frame addressed to all devices on the network or a means for receiving all frames flowing through the network and information on whether or not the device can be connected to the network are registered. A means for comparing the registered connection permission information with the frame data contents to determine whether the connection is permitted; and, if it is determined that the connection is not permitted, an IP address in the network is disconnected in order to disconnect the corresponding device. A means for generating a frame that generates a duplicate state of the network, a means for sending the frame from the monitoring system to the network, and generating a duplicate state of the IP address in the network, and a means for disconnecting the corresponding device from the network. To change the device to an authorized device from outside Means for generating a connection frame for enabling the once disconnected device to communicate with other devices, and sending the connection frame from the monitoring system to all devices connected to the network. Means to allow the device once disconnected to communicate with other devices, and means to change from the outside to disconnect the connected device, while The apparatus is characterized in that it is not necessary to previously incorporate a system-dedicated process for disconnecting or connecting.

  As a result, for example, when a network administrator authorizes the corresponding device after a predetermined procedure has been performed on a PC that has been disconnected because the connection is not permitted, it also burdens other users of the device. Therefore, it is possible to provide an environment in which the corresponding PC can be incorporated into the network without using the network, and this is effective in reducing the burden on the network administrator.

  The above-described features of the present invention and features of the invention other than those described above will be further clarified by the following description.

  In the present invention, the network monitoring system monitors the ARP frame issued by the device connected to the network from the frame data flowing in the network, and extracts the IP address and MAC address of the device that sent the ARP frame from this ARP frame. Use means. Further, at least one piece of address information of the IP address or MAC address of the device permitted to connect to the network from the outside is registered in the monitoring system as information on whether or not the device can be connected to the network. The address information registered by the registration means is compared with the address information extracted from the ARP frame, and if they do not match, it is regarded as an unpermitted device, and means for disconnecting the corresponding device is executed. In order to separate the corresponding device, a frame is generated by combining the IP address of the corresponding device extracted from the ARP frame and the MAC address of the network monitoring system using a means for generating a frame that generates an IP address duplication state. . Thereafter, the frame is sent from the monitoring system to the network, and an IP address duplication state is generated in the network. The corresponding device that has received this frame detects that an IP address duplication state has occurred, and autonomously leaves the network. As a result, the unauthorized device is disconnected from the network.

  Further, according to the present invention, the network monitoring system monitors the ARP frame that is spontaneously issued by a device connected to the network among the frame data flowing in the network, and the IP address of the device that has transmitted the ARP frame from this ARP frame. And means for extracting the MAC address. As a result, the address information of the devices connected to the network is sequentially created. On the other hand, by issuing a frame that triggers the issuance of an ARP frame to all devices on the network or to one or more designated devices, the same processing is performed on the ARP frames issued from each device. The address information of the devices connected to the network is created sequentially. Further, unique address information is generated by using a means for generating uniquely based on the sequentially created address information. Furthermore, a means for rearranging the generated unique address information from the outside in ascending or descending order using the element classification of the generated unique address information as a key, and valid or invalid from the outside for each element of the generated unique address information. A means for enabling setting is provided. At least one address information of the IP address or the MAC address of the device address information generated by using the provided means is used as information indicating whether or not the device can be connected to the network.

  Further, in the present invention, in order to make a device that has been disconnected as an unauthorized device an authorized device, a connection for enabling the disconnected device to communicate with other devices based on an external change instruction. Use a means to generate frames. At this time, the IP address and the MAC address extracted from the ARP frame issued by the unauthorized device are newly registered as information indicating whether the device can be connected to the network, and at the same time, a frame in which these addresses are combined is generated. Thereafter, this frame is sent from the monitoring system to all the devices connected to the network, and the correspondence table of IP addresses and MAC addresses that each device has for communication is updated. Thus, an environment in which the once disconnected device can communicate with other devices on the network is prepared. Also, in order to disconnect the connected device, a means for generating an IP address duplication status occurrence frame for preventing the connected device from communicating with other devices based on an external change instruction is used. To do. Thereafter, the frame is sent from the monitoring system to all devices connected to the network. As a result, it is possible to make it impossible for the devices connected so far to communicate with other devices on the network.

  Further, it is determined that the receiving means for receiving information flowing through the network, the judging means for judging whether the information is equivalent to a predetermined authorized terminal based on the information transmitted for network connection, and not being equivalent to the authorized terminal. In this case, the network monitoring apparatus is configured to have transmission means for sending information indicating that the address identifying the terminal that has transmitted the information is used in the network (Configuration 1).

  In configuration 1, whether to permit or not is determined by comparing means for registering information relating to whether or not connection to the network corresponding to the terminal and the received information and information relating to whether or not connection is possible. A network monitoring device is configured (configuration 2).

  In the configuration 2, a network monitoring apparatus is configured to receive information addressed to the receiving means and broadcast information or multicast information addressed to a plurality of terminals in the network, or receive substantially all information flowing through the network ( Configuration 3).

  In the configuration 3, the network monitoring device is configured such that the terminal is disconnected from the network regardless of whether or not a dedicated disconnecting unit is installed in the terminal that is determined not to be permitted. (Configuration 4).

  In Configuration 1, means for notifying an external terminal that a terminal that does not permit connection is detected in the network or that a terminal that does not permit connection is disconnected from the network, and a terminal connected to the network And a means for receiving at least one of the disconnection instruction and the connection instruction from an external terminal, and a means for generating information for generating an overlapping state of network addresses when the received instruction is a disconnection instruction. Is configured (Configuration 5).

  In the configuration 5, when the received instruction is a connection instruction, the network monitoring apparatus is configured to include means for generating information for eliminating the overlapping state of the network address in the network (configuration 6). .

  In addition, when a disconnection instruction or connection instruction for a terminal connected to the network is received from an external terminal, and when the received instruction is a disconnection instruction, a network address duplication state is generated in order to disconnect the corresponding terminal. A network monitoring device characterized in that it has means for generating information for configuration (Configuration 7).

  In the configuration 7, when the received instruction is a connection instruction, a network monitoring apparatus is provided that includes means for generating information for eliminating the duplicated state of the network address in the network (configuration 8). .

  In configurations 1 to 8, a means for monitoring address request information issued from a network terminal and extracting a network address and physical layer side address information from the address request information, all terminals on the network or designated 1 At least one of means for issuing information for inducing issuance of address request information to two or more terminals, and means for extracting network address and physical layer side address information from address request information issued from each terminal Means for generating the address information of the terminal connected to the network by combining the extracted network address and the physical layer side address, and element classification of the generated unique address information. Depending on the order from the outside to the ascending or descending order, the generated unique Provide means to enable valid / invalid setting for each element of the dress information from outside, generate terminal address information by these means, and use this terminal address information as information on whether or not the terminal can be connected to the network A network monitoring device is configured (configuration 9).

  In Configurations 1 to 8, as detaching means, means for generating address request response information in which a specific physical layer side address is set for address request information issued by an unauthorized terminal to detect a duplicated network address A network monitoring device characterized by having (configuration 10) is configured.

  In Configurations 1 to 8, the disconnecting means includes means for generating address request response information in which a specific physical layer side address is set for address request information issued for address resolution by an unauthorized terminal. Is configured (Configuration 11).

  In configurations 1 to 8, as means for connecting the corresponding terminal to the network, the address request response information is generated using the physical layer side address of the specific terminal obtained from the address request information and the network address of the corresponding terminal. Means are provided, and a network monitoring device is configured to direct the address request response information to each terminal in the network (Configuration 12).

  In Configuration 10 or 11, as means for generating address request response information in which a specific physical layer side address is set, means for determining whether or not a network address of an unauthorized terminal is currently used by another terminal in the network If this network address is already used by another terminal, the source physical layer side address in the address request response information is set as the physical layer side address of the other terminal using the same network address as the terminal. If this network address is not used by other terminals, set the source physical layer side address in the address request response information to the physical layer side address of the monitoring device or the physical layer side address that cannot exist on the network Means for generating the address request response information is provided. By sending the message to the network, it is recognized that a network address duplication state has occurred in an unauthorized terminal, and the unauthorized network terminal cannot communicate with a terminal other than the unauthorized terminal on the network. The network monitoring device is configured to be able to continue communication between a terminal that has already used the terminal and a terminal other than the unauthorized terminal on the network (Configuration 13).

  In configurations 1 to 8, the range of the host number of the terminal that checks whether or not connection is possible and the timing of the check among all the host numbers from the minimum value to the maximum value that the host number part of the network address system of the network can take A means for setting information, a means for generating a network address for checking using a host number in this range, a means for generating request information that can expect a response from the other terminal using the network address for checking, The request information is sent from the monitoring device at a timing based on the set timing information, and the presence or the content of the response information is compared with the information on whether or not the terminal can be connected to the network to determine whether or not the connection is possible. A network monitoring device is configured (configuration 14).

  In configuration 14, a network monitoring apparatus is configured to generate ICMP request information or address request information as means for generating request information that can be expected to receive a response from the counterpart terminal (configuration 15).

  In configurations 1 to 8, at least one of the network address and the physical layer side address of the terminal, or at least one of the connection permission time zone and the connection non-permission time zone is used as the network connection availability information for the terminal. Or, if the elapsed time more than a certain threshold has passed since the last connection time, the time information used to reject the connection, or if the elapsed time more than a certain threshold has passed since the last connection time The time information used to disconnect the currently connected terminal, the number of times that the connection has not been permitted so far, the threshold value of the allowable network traffic, or the number of terminals allowed to connect to the network, Or terminal owner information, or a combination of at least one of these And what constitutes a network monitoring apparatus characterized by the use (arrangement 16).

  In addition, information corresponding to a predetermined authorized terminal based on information transmitted to obtain an address on the physical layer side from the network address that is paired with the network address, and receiving means for receiving information flowing through the network A network monitoring apparatus comprising: a determination unit configured to determine whether or not a terminal corresponding to the network address is transmitted to a network that indicates information indicating a physical layer side address different from the network address corresponding to the determination unit. Configure (Configuration 17).

  Further, receiving means for receiving information flowing in the network, and transmitting information requesting to return information including an address so that information is sequentially received by a plurality of terminals, based on the returned information, A determination means for determining whether the information corresponds to a predetermined permitted terminal, and information indicating an address on the physical layer side from the network address different from the network address when it is determined that the information does not correspond to the permitted terminal; A network monitoring apparatus characterized by having a transmission means for sending to the network is configured (Configuration 18).

  Further, it is determined that the receiving means for receiving information flowing through the network, the judging means for judging whether the information is equivalent to a predetermined authorized terminal based on the information transmitted for network connection, and not being equivalent to the authorized terminal. In this case, the network monitoring apparatus is configured to have transmission means for sending information for generating a duplicate state to the network for the address that identifies the terminal that has transmitted the information (Configuration 19).

  Further, it receives information flowing through the network, determines whether the information corresponds to a predetermined permitted terminal based on the information transmitted for network connection, and determines that the information does not correspond to the permitted terminal. A network monitoring method is configured to flow information indicating that the address for identifying the transmitted terminal is used in the network (configuration 20).

  Further, it receives information flowing through the network, determines whether the information corresponds to a predetermined permitted terminal based on the information transmitted for network connection, and determines that the information does not correspond to the permitted terminal. A program is configured to cause the electronic computer to send information indicating that the address for identifying the transmitted terminal is used in the network to the network (Configuration 21).

  Further, it receives information flowing through the network, determines whether the information corresponds to a predetermined permitted terminal based on the information transmitted for network connection, and determines that the information does not correspond to the permitted terminal. A recording medium storing a program for causing the electronic computer to send information indicating that the address identifying the terminal that is transmitted is used in the network is configured (configuration 22).

  In the present invention, the network can be monitored without being greatly affected by the system configuration.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. In the following description, a communication protocol is an IP protocol (TCP / IP or the like), and a network is a system using a LAN that is often used in offices.

<Overall system configuration>
First, FIG. 2 shows the overall configuration of a network monitoring system targeted by the present invention. A plurality of devices 201 to 203 are connected to a standard LAN 210. Each device such as a PC is equipped with an industry standard OS (Operating System), and an industry standard communication protocol (IP protocol, etc.) is installed in the OS, and a network layer corresponding to this protocol is installed. An address (IP address) and a physical layer address (MAC address) are assigned. The business program installed in each device advances the overall business while communicating with the business program of each device. On the other hand, when an unauthorized device is connected to the LAN, the network monitoring system 200 detects this and further monitors to disconnect this device from the LAN. The “physical layer side” indicates the physical layer side with respect to the target layer (for example, the network layer).

  In order for a device to communicate with another device, data is sent over the LAN using an IP frame 300 as shown in FIG. 3, but in order to reach the destination, the destination MAC address 301 and the IP header Two addresses of the destination IP address 303 included in 302 are required.

  In general, when a device connected to the network starts up, the corresponding device knows the IP address of the destination device, but does not have the MAC address of the destination device. For this reason, in order to acquire the MAC address of the destination device, an ARP (Address Resolution Protocol) protocol defined by RFC826 is used. FIG. 4 shows the format of this ARP protocol frame 400.

  In the frame data 401 of the ARP frame, the address information related part includes a transmission source MAC address 402, a transmission source IP address 403, a search MAC address 404, and a search IP address 405. In the OP (operation field), the ARP type (ARP request or ARP response) is distinguished.

  On the other hand, FIG. 5 shows a typical communication example for obtaining the MAC address of the destination device using this ARP protocol. Here, in the device d504, when an event 505 for sending data to the device b502 occurs, the device d504 needs to acquire the MAC address of the destination device b502. Therefore, the device d504 transmits the ARP request frame 506 including the IP address IPb of the device b502 as the destination IP address to all devices on the network by the broadcast method. When each device that has received it recognizes that the IP address IPb in the ARP frame is a request for itself, it sends back an ARP response frame in which its own MAC address is set to the device d504. In this example, the device b502 looks at the IP address IPb in the ARP frame, recognizes that this is a request for itself, and sends back an ARP response frame 507 in which the MAC address of the device is set to the device d504. As a result, since the device d504 can obtain the MAC address (MACb) of the destination device b502, the data communication 508 is performed using the IP address (IPb) and the MAC address (MACb).

<Configuration>
The first embodiment will be described below.

  The configuration of the network monitoring system of the present invention is shown in FIG. The network monitoring system 200 is a frame reception processing unit 102 that receives a frame from the network 120, a connection availability information management processing unit 104 that manages connection availability information for a device connected to the network, and a device to which the connected device is permitted. A connection possibility determination processing unit 106 that determines whether or not there is an IP address duplication state generation frame generation processing unit 105 for disconnecting the corresponding device from the network, a frame transmission processing unit 101 that transmits the generated frame to the network, Timing information management processing unit 108 for controlling transmission timing, external notification processing unit 107 for notifying the outside that a device that is not permitted to be connected has been detected or the device has been disconnected, an external device disconnection instruction or device Accepting external instructions to accept connection instructions, etc. A processing unit 109, a connection frame generation processing unit 110 that generates a frame for connecting a once disconnected device, a connection availability check IP address generation processing unit 112 for generating a connection availability check IP address for the device, Address management information 113 registered in advance for generating the IP address, a check frame generation processing unit 111 for generating a frame of the generated IP address for checking whether connection is possible, and connecting to the network from the frame contents received from the network A device address information generation processing unit 103 for generating the address information of the device being connected, and an external device 114 for giving an instruction from the outside. Here, the IP address duplication state refers to a state where a plurality of devices connected to the network erroneously use the same IP address.

<Disconnecting unauthorized devices>
With reference to FIG. 1, a process for disconnecting a device that is not permitted will be described.

  In the network monitoring system, the frame reception processing unit 102 receives an ARP request frame transmitted to all devices on the network 120 using the broadcast method. Then, in order to identify the device that issued the ARP request frame, the IP address and the MAC address that are the address information of the corresponding device are extracted from this frame. On the other hand, since the address information of the device permitted to connect to this network is stored in advance in the connection availability information management processing unit 104, the address information extracted from the ARP frame by the connection availability determination processing unit 106 is A check is made as to whether or not it is registered as connectability information. If it is not registered, it is determined that an unauthorized device is connected, and processing for disconnecting the device from the network is executed. In order to execute this processing, the IP address duplication state occurrence frame generation processing unit 105 creates a frame for logically generating a device having the same IP address as that of the corresponding device in the network, and the frame transmission processing unit 101 This frame is transmitted to all the devices in the network 120 via the network, and the IP address is duplicated in the network. At this time, the transmission timing to the network is transmitted according to the timing information management processing unit 108. The corresponding device that received this frame (the device that issued the ARP request frame) determines that there is another device with the same IP address as its own device in the network (IP address duplication state), and autonomously from the network break away.

  As a result, an unauthorized device can be disconnected from the network.

<Disconnecting the permitted device from outside>
On the other hand, the disconnection process is executed from the connection possibility determination processing unit 106, but the disconnection process may be executed in response to an instruction from the external device 114. This will be described in Example 3.

  The disconnection process has been described above, but in the frame reception process, only the frame addressed to the monitoring system or the broadcast frame addressed to all devices on the network is received, but after receiving all the frames flowing on the network, The frames necessary for the present invention may be extracted.

<Configuration processing unit>
Hereinafter, the configuration processing unit related to the detachment process of the unauthorized device will be described in detail.

  Information managed by the connectability information management processing unit 104 is shown in FIG. The connectability information 600 is composed of a combination of the MAC address 601 of the device that permits connection to the network and the IP address 602 of the device that permits connection. When the device is connected to the network, the connectability determination processing unit 106 Then, the IP address and MAC address of the connected device are compared with the contents of the connection enable / disable information to determine whether or not the corresponding device can be connected. This connection permission information may be information registered in advance from the outside, or may be updated from the outside during operation of the monitoring system. Information generated from the device address information generation processing unit 103 can also be used as connection permission / inhibition information.

  6 shows a one-to-one combination of a MAC address and an IP address. As shown in FIG. 7, only a combination 701 of a MAC address (MAC1) and an IP address (IP1) 701, and an IP address (IP2) are provided as connection availability information 700. 702, in the case of only the MAC address (MAC3) 703, or in the case of IP address range designation (IP4 to IP5) 704. These are properly used according to the network security policy, network environment, or operation policy.

  Further, as shown in FIG. 8, a network connection permission time zone 801, a connection non-permission time zone 802, and owner information 803 can be used for each device as the connection availability information 800. For example, in the case of the device 1 that is permitted to connect to the network, the connection is permitted only from the time a to the time b in the step 804, but is not permitted in other time zones. On the other hand, in the case of the apparatus 3 805, the connection to the network is not permitted between time e and time f. In FIG. 8, the time zone is set for each device. However, these time zones may be determined not for each device but for the entire network, for example. The owner information 803 identifies the user of the apparatus, and is used, for example, as a decision material when connection to the network is permitted or not permitted depending on the user authority. With respect to the owner authority, for example, it is possible to determine whether or not connection is possible more finely in cooperation with a directory system.

  Further, as shown in FIG. 9, the connection permission / inhibition information 900 is used for rejecting a new connection for each device when the previous connection time 901 and an elapsed time more than a certain threshold from the previous connection time have passed. Connection lapse elapsed time 902, connection lapse elapsed time 903 used to disconnect the currently connected device if the elapsed time equal to or greater than a certain threshold has elapsed since the last connection time, and the connection is permitted It is also possible to have the number of times 904 that has not been done. Even if this is a permitted device such as a PC, a device that has not been connected to the network for a certain period of time will not be updated with the latest virus because the virus check pattern has not been updated to the latest one. It is also assumed that it is contaminated. In such a case, if the elapsed time since the previous connection exceeds the connection rejection elapsed time 902, the possibility of adverse effects on the network is reduced by not permitting the connection to the network. It is effective in. Similarly, even for a permitted device, for example, there is a case where it is desired to limit the time for maintaining a continuously connected state in accordance with service operation. In such a case, when the elapsed time from the time of connection this time exceeds the elapsed time for connection interruption 903, the relevant device is disconnected to enable fine network operation. For example, in the case of the device 1 905, the device 1 cannot be connected to the network after the connection rejection elapsed time (time 1) or longer. On the other hand, after the device 1 is connected to the network, the connection interruption progress As time (time a) passes, it will be disconnected from the network.

  In the connection availability information 900, the connection refusal elapsed time 902 and the connection interruption elapsed time 903 are provided for each apparatus, but each may be the entire system.

  In addition, although not shown in the figure, it is possible to connect devices to the network as connection permission information for the purpose of keeping network traffic below a certain level by keeping the total number of devices connected to the network below a certain level. The number and network traffic status can also be used.

  The timing information management processing unit 108 controls the transmission timing of frames transmitted to the network. As shown in FIG. 10, the timing information 1000 is used in a form in which at least one of transmission timings 1001, 1002, 1003, 1004 and frame transmission repetition count 1005 is combined for each frame type.

  For example, in the case of the IP address duplication state generation frame 1010, when there is a frame transmission request, it is immediately transmitted to the network. In the case of the address collection frame 1040, it is sent to the network according to the interval 1 of T5 seconds and the interval 6 of T6 seconds.

  The timing of transmission to the network is determined by security management, network system operation policy, and the like. As a result, fine control according to the load state of the network and the usage status of the device is possible. The timing information may be registered in advance from the outside, or may be updated from the outside during the operation of the monitoring system.

  The IP address duplication state occurrence frame generation processing unit 105 creates a corresponding frame in order to create a state where IP addresses are duplicated on the network, that is, a state where a plurality of devices use the same IP address.

  For example, when a PC is connected to a network and the corresponding PC is started up, the OS (Operating System) of the corresponding PC checks that the IP address of the corresponding PC is not used by another device (IP address duplication check) Process).

  At this time, an ARP request frame 1100 as shown in FIG. 11 is broadcast from the corresponding PC to the network. At this time, the IP address of the transmission source address 1101 is the IP address (IP1) 1112 of the corresponding PC, and the MAC address is the MAC address (MAC1) 1111 of the corresponding PC. On the other hand, the IP address (IP1) 1114 of the corresponding PC is set as the IP address of the search address 1102, and 0 is set as the MAC address 1113. In the monitoring system, the received ARP request frame 1100 is used to generate an IP address duplication state occurrence frame-a1200 or an IP address duplication state occurrence frame-b1250 as shown in FIG. Specifically, this will be described in detail below. The point here is to determine the influence on other devices in the network when an unauthorized PC (device) is connected to the network, that is, the influence on communication between other devices. The influence is determined by what IP address the unauthorized PC uses to connect to the network. For example, when an unauthorized PC uses an IP address used by another device in the network, the ARP management table in each device used by another device in the network during communication The information inside is destroyed and communication becomes impossible. Therefore, it is important not only to disconnect the corresponding PC from the network but also to repair the destroyed ARP management table of each device at the same time so that communication between other devices can be continued. That is, if the unauthorized PC does not use the IP address used by another device in the network, the IP address duplication state occurrence frame -a1200 is generated. Specifically, at this time, the IP address of the transmission source address 1201 is the IP address (IP1) 1212 of the corresponding PC, and the MAC address is the MAC address (MACx) 1211 of the monitoring system. On the other hand, the search address 1202 sets the IP address (IP1) 1214 of the corresponding PC, and the MAC address sets the MAC address (MAC1) 1213 of the corresponding PC. Here, although the MAC address (MACx) 1211 of the monitoring system is used as the MAC address of the transmission source address 1201, this MAC address may be a bit pattern of a MAC address that is not used by other devices in the network.

  On the other hand, when an unauthorized PC uses an IP address used by another device in the network, an IP address duplication state occurrence frame -b is generated. Specifically, at this time, the IP address of the transmission source address 1251 is the IP address (IP1) 1262 of the corresponding PC, and the MAC address is the MAC address (MACy) 1261 of another device that used the same IP address. On the other hand, the IP address (IP1) 1264 of the corresponding PC is set as the IP address of the search address 1252, and the MAC address (MAC1) 1263 of the corresponding PC is set as the MAC address.

  By sending the frame set in this way to all devices in the network, an IP address duplication state is generated in the network. The corresponding PC that received this frame from the network recognizes that the IP address used by itself is duplicated (recognizes that devices other than its own device use the same IP address), and is autonomous from the network. Leave. At the same time, the ARP management table of each destroyed device is repaired so that communication between other devices can be continued.

  This processing unit is also executed when it is determined that connection is not permitted by the connection permission determination processing unit 106 or when a request instruction for disconnecting a specific device from the external device 114 is received by the external instruction reception processing unit 109. Is done.

  FIG. 13 is a flowchart illustrating an example of a device detachment process that is not permitted. In this example, the protocol type in the frame header is checked to identify the frame received in process 1300, and the process ends if the protocol is other than ARP. This protocol type can be identified by the type 304 in the IP frame 300 of FIG. In the case of ARP, the processing ends with the ARP issued by the monitoring system itself in processing 1310 being excluded from processing. In processing 1320, it is determined whether the type of the received ARP is an ARP request frame or an ARP response frame, and only the ARP request frame is set as a subsequent processing target. In process 1330, the source IP address and the source MAC address are extracted from the corresponding ARP frame 1100, and in process 1340, the corresponding address is registered in the connectability information table 900. Furthermore, in process 1350, the connectability information table 900 It is checked whether or not the permission condition is satisfied, and if it is not registered or not satisfied, the corresponding device is selected as a separation target.

  In process 1360, it is checked whether the IP address of the unauthorized device is currently being used by another apparatus in the network. If the IP address is not being used by another apparatus in process 1370, the IP address is entered into the network in process 1370. In order to generate a duplicate state, an IP address duplicate state occurrence frame -a is generated. At this time, the source MAC address is set as the MAC address of the monitoring system. If the IP address of the unauthorized device is currently being used by another device in the network, in step 1380, an IP address duplication status generation frame-b1250 is generated to generate an IP address duplication status in the network. To do. At this time, the source MAC address is set as the MAC address of another device that is currently using the same IP address. In processing 1390, frame transmission timing information is extracted from the timing management information table 1000, and using this timing information, the IP address duplication status occurrence frame (IP address duplication status occurrence frame-a or IP address duplication) generated above in processing 1400 is used. Send status generation frame-b 1250) to the network. Here, instead of the connectability information table 900 in the process 1340, the connectability information tables 600, 700, and 800 may be used.

  The connection possibility check IP address generation processing unit 112 will be described.

  In the above description, the flow of processing for an ARP request frame sent to all devices on the network 120 using the broadcast method has been described. To supplement this processing, the following processing is performed. For example, assuming that the monitoring system is stopped for some reason and then restarted, if an unauthorized device is connected to the network while the monitoring system is stopped, the unauthorized device Detecting presence may be delayed. This will be described below with reference to FIG. In order to actively detect the presence of unauthorized devices, the monitoring system issues a frame to trigger the issuance of an ARP frame to all devices on the network or to one or more specified devices. . For this purpose, the device to be issued is determined in advance registered in the address management information 113. Here, for example, the IP address range specification of the target device and the timing information for sending the check frame are registered. If the IP address range is not specified, the IP addresses of all hosts on the network are generated and issued based on the address system and netmask information of the corresponding network. For example, the IP addresses of all hosts on the network are generated and issued based on the IP address and netmask information of the corresponding network as shown in FIG. In FIG. 18, since the IP address 1800 is 172.20.10.52 and the subnet mask 1801 is 255.255.255.192, the network address part is 26 bits and the host part is 6 bits. Next, based on the address management information 113, the IP address generation processing unit 112 for checking whether or not connection is possible sequentially generates an IP address, and a check frame is generated by the check frame generation processing unit 111 using the IP address. To do. At this time, as shown in FIG. 22, an ICMP protocol 2200 defined by RFC 792 is used. Here, after generating an ICMP echo request frame whose type 2201 is 8, the frame transmission processing unit 101 is used to transmit this frame to the network. This is repeated according to the contents of the address management information 113. At this time, frames are transmitted to the network at transmission intervals registered in the address management information 113 so as not to increase the traffic load on the network. Since the apparatus connected to the network returns a response to the ICMP echo request frame to the monitoring system in an ICMP echo response frame, the frame reception processing unit 102 receives this information. Thereafter, using the address information obtained by combining the IP address and the MAC address of the transmission source device of the response frame, the connection possibility determination is performed. The subsequent processing after the connection possibility determination processing is the same as the above processing.

  Here, an example is shown in which an ICMP echo request frame is used for checking, but it is not limited to an ICMP echo request frame as long as it is a frame in which a response is returned from a device that is checked for connectivity. For example, it may be an ICMP time stamp request, an ICMP address mask request, or an ARP request frame shown in FIG.

  Next, FIG. 23 is a flowchart showing an example for the connection availability check process.

FIG. 23 shows an example in which the process continues once it is activated. Processes 2301 to 2303 are initialization processes. First, in process 2301, IP address range information (for example, when collecting address information in the range of IPx to IPy) of the device used for connection availability check from the address management information 113, and frame transmission timing are determined. Read. The frame transmission timing is set in the timing management information 1000. Also, the IP address and subnet mask information for grasping the address system information of the network to which the monitoring system is connected are read. Next, in processing 2303, the transmission timing b (interval 1) T3 and the transmission timing c (interval 2) T4 of the check 1030 are fetched from the timing management information table 1000 that defines the timing for sending out the frame. In process 2304, an index used in processes 2305 to 2309 is initialized. That is, the host number management index for updating the host numbers one by one and the address range management index for updating the range-specified IP addresses one by one are initialized. In the process 2305, if the range of the IP address for checking whether or not connection is possible is specified in accordance with the information read in the process 2301, the corresponding IP address is selected in the process 2308 and the index is updated for the next selection in the process 2309. To do. If the range of the IP address for checking whether connection is possible is not specified, a host number portion is extracted in accordance with the subnet mask in processing 2306 to generate a host number. In process 2307, the index is updated to generate the next host number. In process 2310, an IP address is generated. In process 2311, an ICMP echo request frame using this IP address is generated. In process 2312, this frame is transmitted. In process 2313, it is determined whether or not an ICMP echo request frame for address collection has been issued to all the specified hosts (devices). If all frames have been completed, the process 2114 pauses for interval 2 and thereafter processes. To continue. On the other hand, if all of them are not completed, the system pauses for interval 1 and continues processing for the next host (device).

  According to the present embodiment, by registering in advance device information that is permitted to be connected to the network, the monitoring system detects the presence of the device that is not permitted to connect to the network when it is connected to the network. In addition, unauthorized devices can be disconnected from the network so that unauthorized devices themselves cannot communicate with other devices. Also, when disconnecting unauthorized devices, the method of disconnecting unauthorized devices is changed depending on the usage status of the IP addresses used by unauthorized devices in the network. The communication between the devices can be continued. Further, even when the monitoring system is activated after an unauthorized device is connected to the network, the presence of the device can be detected and the device can be disconnected from the network. In addition, since it is not necessary to put dedicated software related to the present invention in advance in devices connected to the network including devices that are determined not to be permitted, network security can be enhanced.

  Example 2 will be described below.

<Configuration>
Of the configuration of the network monitoring system of the present invention, the characteristic part is shown in FIG. The other parts are generally the same as in FIG. In FIG. 15, the network monitoring system 200 receives a frame from the network 120, a frame reception processing unit 102, and among the received frames, an IP address and a MAC from an ARP frame issued spontaneously or inductively from each device on the network. ARP frame address information extraction processing unit 1501 that extracts address information, and an address information generation processing unit 1502 that uniquely generates address information of a device connected to the network by combining the extracted IP address and MAC address Sorting from the outside in ascending or descending order using the unique element classification of the address information as a key, and further externally setting each element of this address information to be valid or invalid from the outside According to the setting result of the device 114 A frame that triggers the issuance of an ARP frame is issued to the device address information generation processing unit 103 of the device connected to the network, all devices on the network, or one or more specified devices. Address information collection IP address generation processing unit 1505 for the purpose, address management information 113 registered in advance for generating the IP address, address information collection frame generation processing unit 1504, and frame transmission for transmitting the generated frame to the network The processing unit 101 is included. The connectability information management processing unit 104 and other processing units not shown in this figure are the same as those in FIG.

<Device address information generation process>
The device address information generation process will be described with reference to FIG.

  In the network monitoring system 200, the reception processing unit 102 receives an ARP request frame sent to all devices on the network 120 using the broadcast method. Then, in order to specify the device that issued the ARP request frame, the ARP frame address information extraction processing unit 1501 extracts the IP address and the MAC address, which are the address information of the corresponding device, from the received ARP frame. The address information generation processing unit 1502 checks whether or not the extracted address information has already been registered, and registers the address information received this time only when it has not been registered. As a result, by processing the processing unit 1502, address information of a device connected to the network is uniquely created. Here, when the above processing is carried out for a certain period of time, address information 1600 shown in FIG. 16 is generated as address generation information. In either case, the address information may be based on a combination of an IP address and a MAC address, and may further have time information. Here, this information is not directly used by the connectability information management processing unit 104 but is processed by the device address information generation processing unit 103 in light of the operation of the network system. For example, in the case of a DHCP server environment, since the same IP address is assigned to a plurality of devices with the passage of time, the IP address and the MAC address cannot be associated one-to-one. In such a case, only the MAC address (MAC3) is registered 1703 like the device 3 in the device address information 1700 shown in FIG. In addition, depending on the device, the IP address (IP2) only may be registered 1702 like the device 2 in consideration of the case where the MAC address is changed by replacing the LAN adapter due to a failure of the LAN adapter or the like.

Since it is necessary to make settings in light of the operation of such a network system, etc., the external device 114 is set in ascending or descending order from the outside using the element classification of the generated unique address information as a key. An interface capable of performing rearrangement and an interface for enabling or disabling setting for individual elements of unique address information are provided.

  Therefore, device address information 1700 as shown in FIG. 17 is generated from the external device 114 using this interface. For example, FIG. 16 will be described as an example. The element classification is sorted in ascending order using the IP address 1601 as a key, and MAC2 is invalidated as an element. The information 1702 of the device 2 in FIG. 17 shows this case. Since MAC2 is invalidated, the MAC part is blank. The information generated here can be used by the connectability information management processing unit 104 as connectability information. The flow of processing after the connectability information management processing unit 104 is the same as that in FIG.

  FIG. 19 is a flowchart illustrating an example of passively collecting address information and generating address information. This processing is an example of address information generation, which is preprocessing for performing device address information generation processing. In this example, address information is collected from the network until there is a stop request in processing 1901. In the process 1902, the protocol type of the received frame is checked, and only the case where it is an ARP frame is set as a subsequent process target. A process 1903 excludes the ARP frame issued by the monitoring system from the processing target. In process 1904, an IP address and a MAC address are extracted from the received ARP frame, and in process 1905, it is checked whether or not this address information has already been registered. Only unregistered address information is stored in the address information table 1600 in FIG. Unique address information is generated.

  Next, an example for generating the device address information 1700 of FIG. 17 in accordance with an external instruction in FIG. 20 is shown in the flowchart. Here, the device address information 1700 is generated based on the address information 1600 generated by the above processing. In processing 2010, in order to edit the address information 1600, it is determined whether or not there is an instruction from the outside to perform rearrangement using the MAC address or IP address as a key. If there is an instruction to perform rearrangement, in processing 2011, rearrangement is performed in ascending order or descending order using the IP address or MAC address as a key. In processing 2012, a valid or invalid instruction for each address part is fetched, and a determination is made to generate device address information 1700 based on the address information 1600 according to the instruction. A process 2013 creates device address information 1700 in which only the MAC address is valid. A process 2014 creates device address information 1700 in which only the IP address is valid. Also, the process 2015 creates device address information 1700 in which both the MAC address and the IP address are valid. In the process 2016, when the editing for all devices is completed, the process is terminated.

  On the other hand, the flow of processing for the ARP request frame sent to all devices on the network 120 using the broadcast method has been described. In order to complement this processing, the following processing is performed. For example, when the monitoring system is stopped for some reason and then restarted, it is assumed that it is difficult to generate address information of all devices already connected to the network at that time. Is.

  This will be described below with reference to FIG. In order to actively generate address information, the monitoring system issues a frame for inducing the issuance of an ARP frame to all devices on the network or to one or more specified devices. For this purpose, the device to be issued is determined in advance registered in the address management information 113. Here, for example, there is a range designation of the target IP address or an individually designated IP address list. If no address is specified, for example, the IP addresses of all hosts on the network are generated and issued based on the IP address and netmask information of the network as shown in FIG. . In FIG. 18, since the IP address 1800 is 172.20.10.52 and the subnet mask 1801 is 255.255.255.192, the network address part is 26 bits and the host part is 6 bits. Based on the address management information 113, an IP address generation processing unit for address information collection sequentially generates an IP address, and using the IP address, an ARP request frame generated by the frame generation processing unit for address information collection 1504 is generated. Transmission from the frame transmission processing unit 101 to the network. This is repeated according to the contents of the address management information 113. Since the device connected to the network returns a response to the ARP request frame as an ARP response frame to the monitoring system, the frame reception processing unit 102 receives this information. The subsequent processing is the same as the above processing. FIG. 21 is a flowchart showing an example of actively collecting address information and generating address information. The process in FIG. 21 shows an example in which the process continues once activated. Processes 2101 to 2103 are initialization processes. First, in the processing 2101, the range information of the IP address of the device used for address collection (for example, the range when collecting the address information in the range of IPx to IPy) and the frame transmission timing are read from the address management information 113. . The frame transmission timing is set in the timing management information 1000. Also, the IP address and subnet mask information for grasping the address system information of the network to which the monitoring system is connected are read. Next, in the processing 2103, the transmission timing b (interval 1) T5 and transmission timing c (interval 2) T6 of the address collection 1040 are fetched from the timing information management table 1000 that defines the timing for issuing frames. In process 2104, an index used in processes 2105 to 2109 is initialized. That is, the host number management index for updating the host numbers one by one and the address range management index for updating the range-specified IP addresses one by one are initialized. In the process 2105, according to the information read in the process 2101, if the IP address for collecting address information is designated as a range, the corresponding IP address is selected in the process 2108, and the index is updated for the next selection in the process 2109. To do. If the IP address for collecting address information is not designated as a range, a host number part is extracted in accordance with the subnet mask in processing 2106 to generate a host number. In process 2107, the index is updated to generate the next host number. In process 2110, an IP address is generated. In process 2111, an ARP request frame using this IP address is generated. In process 2112, this frame is transmitted. In process 2113, it is determined whether an ARP request frame for address collection has been issued to all designated hosts (devices). If all of the ARP request frames have been completed, the process 2114 pauses for interval 2 and thereafter performs the process. continue. On the other hand, if all of them are not completed, the system pauses for interval 1 and continues processing for the next host (device).

  According to the present embodiment, the address information of the device connected to the network is generated by monitoring the frame including the address information that the device connected to the network voluntarily sends to the network (passive). In addition, the address information is generated by sending a frame to the device in the network that induces the connected device to send the address information (active). Based on the address information generated by these two methods, it is possible to generate detailed management information in accordance with the network system operation policy, etc., when determining the existence of unauthorized terminals Address management information used for This eliminates the need to manually create management information for these large numbers of devices, for example, and can reduce the work and costs associated with network management and maintenance, or the burden on the network administrator.

  Example 3 will be described below.

<Configuration>
The configuration of the network monitoring system of the present invention is shown in FIG.

  Provides a means to manage the connection status of devices connected to the network and to change the once disconnected device to an authorized device from the outside, and a means to change from outside to allow the authorized device to be disconnected The connection information management processing unit 115, and the connection status information managed by this processing unit are rearranged in ascending or descending order from the outside using the element classification of the device connection status information and address information as a key, and With respect to this connection state, an external device 114 for setting “connection” or “disconnect” from the outside, an external instruction reception processing unit 109 for receiving this setting instruction, and a device once disconnected can communicate with other devices A connection frame generation processing unit 110 that generates a connection frame for generating a connection frame, and a frame for disconnecting permitted devices IP address duplication state generator frame generation processing unit 105, the generated frame consists frame transmission processing unit 101 to be transmitted to the network.

  With reference to FIGS. 1 and 24, a process for connecting to a once disconnected apparatus and a process for disconnecting a permitted apparatus will be described.

  The connection information management processing unit 115 manages the connection state of devices connected to the network. In order to change a device once disconnected from the outside to a permitted device, or vice versa, a connection or disconnection instruction is issued from the external device 114 in order to change the permitted device to a device to be disconnected.

  This connection instruction or disconnection instruction is received by the external instruction reception processing unit 109, and the connection status information 2400 according to the connection availability information 700 and the result of the connection availability determination processing unit 106 is first created. Next, the connection status information 2400 managed by the connection information management processing unit 115 is changed in accordance with the contents of this instruction. With respect to the external device 114, an interface that can be rearranged in ascending or descending order from the outside using the connection status and the element classification of the address information as a key, and the device corresponding to this connection information An interface for setting the detachment is provided, and an instruction to connect or detach the corresponding device is given from the outside using this interface. For example, as the element classification, the connection state information 2401 is used as a key to sort in ascending order, and a plurality of disconnected devices or devices in the connection state are extracted. A device that performs connection or disconnection is selected from the plurality of devices, and an instruction is given to set the corresponding device in a connected state or a disconnected state.

<External connection processing for once disconnected device>
FIG. 24 shows connection state information 2400 managed by the connection information management processing unit 115. The connection status information 2400 has the current connection status 2401, MAC address 2402, and IP address 2403 for each device. For example, device 1 2404 indicates a “connected” state, device 2 2405 indicates a “stopped” state, and device 3 2406 indicates a “disconnected” state.

  An example of a connection process from the outside to the once disconnected apparatus is shown in the flowchart of FIG. In process 2501, an instruction from the external device 114 is captured. In processing 2502, after the disconnection instruction is received by the external instruction reception processing unit 109, the connection status information 2400 is created according to the connection availability information 700 and the result of the connection availability determination processing unit 106. In processing 2503, if there is a request for rearrangement in ascending or descending order using the connection status information 2401 as an element classification as the element classification, the processing is performed in processing 2504, and a plurality of disconnected devices are extracted and connected from the plurality of devices. Select the device to perform.

  Thereafter, in process 2505, when the connection status information 2400 of the selected apparatus is changed from the “disconnected” state to the “connected” state, address information of the corresponding apparatus is generated in process 2506. In processing 2507, a connection frame 1400 (ARP response frame) for sending the connection frame to all devices is generated. In processing 2508, the frame is transmitted to all devices.

  Here, the processing of the connection frame generation processing unit 110 in FIG. 1 will be described in detail. This processing unit creates a corresponding connection frame in order to connect a specific device once disconnected to the network again.

  In this case, it is not sufficient to transmit the connection frame only to the corresponding device. In other words, in the correspondence table of IP addresses and MAC addresses managed individually by all devices connected to the network, the correspondence between the IP addresses and MAC addresses of devices that are permitted to connect this time must be corrected correctly. .

  For this purpose, a connection frame 1400 shown in FIG. 14 is created. Specifically, the IP address of the transmission source address 1401 is the IP address (IP1) 1412 of the corresponding device to be connected, and the MAC address is the MAC address (MAC1) 1411 of the corresponding device. On the other hand, the IP address (IPx) 1414 of the monitoring system is set as the IP address of the search address 1402, and the MAC address (MACx) 1413 of the monitoring system is set as the MAC address. This is sent to all devices connected to the network, not to the corresponding device, and updated so that the correspondence between the IP address and the MAC address in the ARP management table possessed by each device is also correct. As a result, the disconnected device can communicate with other devices.

  The connection processing of the disconnected device has been described above by changing the connection status information 2400 managed by the connection information management processing unit 115 from the outside. This connection processing is a direct instruction from the external device 114. It may be received and executed. At that time, the IP address of the connection target device is directly designated from the external device 114 without using the connection state information.

  The external instruction reception processing unit extracts the MAC address of this device corresponding to this IP address from the connection availability information 700, and requests the connection frame generation processing unit 110 to generate a connection frame that combines this IP address and the MAC address. To do. Subsequent processing is the same as the connection processing. As a result, an externally designated device can be connected to the network.

<External disconnection process for connected devices>
On the other hand, when an instruction for disconnecting a permitted device is issued from an external device, the connection state information is similarly changed via the external instruction reception processing unit 109, and the disconnection processing is executed. At this time, the separation process described in the first embodiment is performed.

  The above is the process of disconnecting the connected device by changing the connection status information managed by the connection information management processing unit 115 from the outside. This disconnection process receives a direct instruction from the external device 114. May be executed. In that case, the IP address of the device to be disconnected is directly specified from the external device 114 without using the connection state information.

  The external instruction reception processing unit extracts the MAC address of the device corresponding to the IP address from the connection availability information 700, and generates an IP address duplication state occurrence frame generation by combining the IP address and the MAC address. The processing unit 105 is requested. The subsequent processing is the same as in the first embodiment. As a result, the designated device can be disconnected from the outside.

  For example, after a security device monitoring a virus attack in the network detects an attack, this device is used to isolate the device in the attacking network or to protect the server under attack. Also used when disconnecting servers.

  Although the present embodiment has been described using the configuration of FIG. 1 in which the external device 114 and the network monitoring system 200 are directly connected, even when the external device and the monitoring system are connected via a network. Good.

  According to the present embodiment, a device once disconnected as a device that is not permitted can be determined again by instructing from the outside without affecting the users of other devices on the network at the discretion of the administrator or the like. Can be made available. In connection with disconnection of connected devices, the administrator can determine the disconnection of connected devices by giving instructions from the outside without affecting users of other devices on the network. Will be able to. As a result, work related to network management and maintenance, costs associated therewith, or the burden on the network administrator can be reduced.

  As described above, the timing at which a device that is not permitted to connect to the network is connected to the network even in a network environment that uses an address that is fixedly assigned to the device without being limited to an environment in which addresses are assigned by DHCP. Thus, the monitoring system can detect its presence and further disconnect unauthorized devices from the network so that the unauthorized devices themselves cannot communicate with other devices. Also, when disconnecting unauthorized devices, the method of disconnecting unauthorized devices is changed depending on the usage status of the IP addresses used by unauthorized devices in the network. The communication between the devices can be continued. Further, even when the monitoring system is activated after an unauthorized device is connected to the network, the presence of the device can be detected and the device can be disconnected from the network. In addition, since it is not necessary to put dedicated software related to the present invention in advance in devices connected to the network including devices that are determined not to be permitted, network security can be enhanced.

  In addition to generating address information of devices connected to the network (passive) by monitoring frames containing address information sent spontaneously by the devices connected to the network. In addition, address information is generated (active) by sending a frame that induces the connected device to send address information to the devices in the network. Based on the address information generated by these two methods, it is possible to generate detailed management information in accordance with the network system operation policy, etc., when determining the existence of unauthorized terminals Address management information used for This eliminates the need to manually create management information for these large numbers of devices, for example, and can reduce work related to network management and maintenance, costs associated therewith, or the burden on the network administrator.

  In addition, as a device that is not permitted, a device that has been once disconnected can be used without influencing users of other devices on the network by instructing the outside from the administrator's judgment. Can be able to. In addition, for the disconnection of connected devices, it is possible to disconnect connected devices without affecting other users on the network by giving instructions from the outside at the discretion of the administrator. Can do. As a result, work related to network management and maintenance, costs associated therewith, or the burden on the network administrator can be reduced.

1 is a configuration diagram of a network monitoring system. 1 is an overall configuration diagram of a network monitoring system. IP frame format. ARP protocol format. An example of address resolution communication using the ARP protocol. FIG. 6A is a diagram illustrating connection possibility information according to the first embodiment (1). FIG. 8B is a diagram (2) illustrating connection availability information according to the first embodiment. FIG. 6 is a diagram (3) illustrating connection permission information according to the first embodiment. FIG. 4 is a diagram (4) illustrating connection availability information according to the first embodiment. Frame transmission timing management information according to the first embodiment. ARP request frame format according to the first embodiment. FIG. 3 is an IP address duplication state occurrence frame format according to the first embodiment. FIG. FIG. 3 is a flowchart of apparatus disconnection processing according to the first embodiment. FIG. 9 is a connection frame format according to the third embodiment. FIG. 6 is a configuration diagram of a network monitoring system according to a second embodiment (device address information generation). FIG. 10 is a diagram illustrating address information according to the second embodiment. FIG. 6 is a diagram illustrating device address information according to the second embodiment. The figure which shows the address system of Example 1,2. 10 is a flowchart of passive address information generation processing according to the second embodiment. 9 is a flowchart of device address information generation processing according to the second embodiment. 10 is a flowchart of active address information generation processing according to the second embodiment. 2 is a frame format of the ICMP protocol according to the first embodiment. 5 is a flowchart of connection possibility check processing according to the first embodiment. The figure of the connection status information used when connecting and disconnecting the disconnected apparatus of Example 3 from the outside. 10 is a flowchart of processing for connecting the disconnected device of the third embodiment from the outside.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 101 ... Frame transmission process part, 102 ... Frame reception process part, 103 ... Apparatus address information generation process part, 104 ... Connection availability information management process part, 105 ... IP address duplication state generation frame generation process part, 106 ... Connection availability determination process 107: External notification processing unit, 108 ... Timing information management processing unit, 109 ... External instruction reception processing unit, 110 ... Connection frame generation processing unit, 111 ... Check frame generation processing unit, 112 ... Connection availability check IP Address generation processing unit 113 ... Address management information, 114 ... External device, 115 ... Connection information management processing unit, 120 ... Network, 200 ... Network monitoring system.

Claims (13)

Receiving means for receiving information flowing through the network;
When an address resolution protocol request is received via the receiving means, a predetermined authorized terminal constituting a local network is configured based on a physical address together with a network address as a transmission source address included in the address resolution protocol request. A judgment means for judging whether it is equivalent;
If it is determined not to correspond to the permitted terminal, means for network address as the source address contained in the request of the address resolution protocol, to determine whether it is being used by the to be protected by the local network device,
When used by a terminal to be protected in the local network, the network address and physical address used as a pair in the terminal should be protected in the local network as a response to an address resolution protocol request. A network monitoring apparatus comprising: a transmission unit configured to transmit a network address of a terminal that has requested the address resolution protocol and a predetermined physical address as a response to the request for the address resolution protocol when not used by the terminal . In Claim 1, the means for registering information on whether or not connection to the network is registered in correspondence with the terminal, and the information on whether or not connection is possible and the received information are compared to determine whether permission is permitted. A network monitoring device characterized by determining . 3. The network monitoring device according to claim 2, wherein the information addressed to the receiving means and broadcast information or multicast information addressed to a plurality of terminals of the network are received, or substantially all information flowing through the network is received . 4. The network monitoring apparatus according to claim 3, wherein the terminal is disconnected from the network regardless of whether or not a dedicated disconnecting unit is installed in the terminal that is determined not to be permitted . In claim 1, that terminal does not allow the connection detects that in the network, or that disconnects the terminals that do not allow connections from the network, which is connected to the means for notifying the external terminal, the network A means for receiving at least one of a terminal disconnection instruction or a connection instruction from an external terminal, and a means for generating information for generating an overlapping state of network addresses when the received instruction is a disconnection instruction. A characteristic network monitoring device. 6. The network monitoring apparatus according to claim 5 , further comprising means for generating information for eliminating a duplicated state of network addresses in the network when the received instruction is a connection instruction . 7. The means for uniquely generating address information of a terminal connected to a network by combining a network address and a physical layer side address according to claim 1 , and element classification of the generated unique address information Depending on the device, there are provided means for rearranging in ascending or descending order from the outside, and means for enabling valid or invalid setting from the outside for each element of the generated unique address information. A network monitoring apparatus characterized by generating information and using the terminal address information as information on whether or not a terminal can be connected to the network. 7. The range of host numbers of a terminal that checks whether or not connection is possible among all the host numbers from the minimum value to the maximum value that can be taken by the host number part of the network address system of the corresponding network according to claim 1. A means for setting timing information to be checked, a means for generating a network address for checking using a host number in this range, and a request information for which a response from the other terminal can be expected using this network address for checking And the request information is transmitted from the monitoring device at a timing based on the set timing information, and the presence or information content of the response information is compared with information on whether or not the terminal can be connected to the network. A network monitoring apparatus for determining whether or not connection is possible. 9. The network monitoring apparatus according to claim 8, wherein ICMP request information or address request information is generated as means for generating request information that can expect a response from a partner terminal . 7. In any one of Claims 1 thru | or 6, as a network connection possibility information with respect to a terminal, at least one of a network address and a physical layer side address of a terminal, or a connection permission time zone and a connection non-permission time zone If at least one or an elapsed time equal to or greater than a certain threshold has elapsed since the last connection time, the time information used to reject the connection or the elapsed time greater than or equal to a certain threshold from the previous connection time If it is, the time information used to disconnect the currently connected terminal, the number of times that the connection has not been permitted so far, the threshold of allowable network traffic, or the terminal's Number of allowed connections, terminal owner information, or at least one of these Network monitoring apparatus characterized by a combination of uses. Receive information flowing on the network,
If an address resolution protocol request is received as the reception, does it correspond to a predetermined authorized terminal that constitutes a local network based on a physical address together with a network address as a source address included in the address resolution protocol request? Judging
If it is determined that the terminal does not correspond to the permitted terminal, determine whether a network address as a source address included in the request for the address resolution protocol is used by a terminal to be protected in the local network;
When used by a terminal to be protected in the local network, the network address and physical address used as a pair in the terminal should be protected in the local network as a response to an address resolution protocol request. A network monitoring method for transmitting a network address and a predetermined physical address of a terminal that has requested the address resolution protocol as a response to the request for the address resolution protocol when not used by the terminal. Receive information that flows on the network,
If an address resolution protocol request is received as the reception, does it correspond to a predetermined authorized terminal that constitutes a local network based on a physical address together with a network address as a source address included in the address resolution protocol request? To judge
When it is determined that the terminal does not correspond to the permitted terminal, a network address as a source address included in the request of the address resolution protocol is determined by a terminal to be protected in the local network,
When used by a terminal to be protected in the local network, the network address and physical address used as a pair in the terminal should be protected in the local network as a response to an address resolution protocol request. A program that, when not used by a terminal, causes an electronic computer to transmit a network address and a predetermined physical address of a terminal that has requested the address resolution protocol as a response to the request for the address resolution protocol. Receive information that flows on the network,
If an address resolution protocol request is received as the reception, does it correspond to a predetermined authorized terminal that constitutes a local network based on a physical address together with a network address as a source address included in the address resolution protocol request? To judge
When it is determined that the terminal does not correspond to the permitted terminal, a network address as a source address included in the request of the address resolution protocol is determined by a terminal to be protected in the local network,
When used by a terminal to be protected in the local network, the network address and physical address used as a pair in the terminal should be protected in the local network as a response to an address resolution protocol request. Recording medium storing a program that, when not used by a terminal, causes the electronic computer to transmit the network address and a predetermined physical address of the terminal that has requested the address resolution protocol as a response to the request for the address resolution protocol .

Images