JP4566855B2 - Communication security policy management device - Google Patents

Description

  The present invention relates to a communication security policy management apparatus.

Conventionally, even a network such as a public line is known as a virtual private network (Virtual Private Network, hereinafter referred to as a VPN network) that can be used as if it were a dedicated line. A large number of user terminals are connected to each other via a VPN apparatus through a network, and communication data is encrypted or decrypted by the VPN apparatus to perform data communication between the user terminals.
In such a VPN network, a security policy database (hereinafter referred to as “SPD”) is used to define the operation of each VPN apparatus. The operator inputs the SPD to the VPN management device, and the VPN management device transmits this to each VPN device.

  An example of such security management is shown in Patent Document 1. Patent Document 1 discloses a technology in which the security server 1 manages a security policy, distributes it to a security client, and the security client performs access control using this security policy.

JP 2004-94401 A

  The size of the VPN network varies, and the number of SPD entries varies accordingly. In the case of a small-scale VPN network consisting of several bases, the SPD has a dozen entries, and in the case of a large-scale VPN network including several tens to hundreds of bases, the SPD has tens of thousands to hundreds of thousands of entries. There is.

  However, in the management of SPD in a conventional VPN network, particularly a large-scale VPN network, there is a problem that an operator's work related to creation / addition / deletion is large and cannot be performed efficiently. For example, it is difficult for an operator to individually manage SPDs having tens of thousands to hundreds of thousands of entries, and this may cause work errors.

  The present invention has been made to solve such problems, and an object of the present invention is to provide a communication security policy management apparatus that makes SPD management more efficient.

The communication security policy management apparatus according to the present invention is a communication security policy management apparatus that is used in a network that performs cryptographic communication using a plurality of VPN devices and generates an SPD that includes a plurality of rules that regulate the operation of the VPN device. The network includes a source base and a destination base that form a part of the network corresponding to each of a plurality of VPN devices, and the communication security policy management device shares at least part of the rules with a plurality of address books. A master policy including an address represented using a common name included in the address book provided for the source base and the destination base, and the common name and one or more different addresses. It receives as input an address book to relate, and the master policy, a common by the address book One or more based on the address is related to universal, and generates the SPD.

At least a part of the SPD may include a source address and a destination address of communication performed via the VPN device.
The network includes bases that form part of the network corresponding to each of the plurality of VPN devices, the address book is provided corresponding to the bases, and the abstracted expression is included in common to the plurality of address books. Each address book may associate a commonly included expression with one or more different addresses.
Furthermore, a key for cryptographic communication may be generated and delivered.
Rule defines the operation of the VPN apparatus to encrypt data communication includes a concealment rules, confidentiality rules are those which contain specified that VPN device decodes the corresponding encrypted data to the destination site There may be.
The communication security policy management device, based on the master policy and the one or more addresses associated with the common name by the address book corresponding to the transmission source site, the transmission source address and the second SPD of the first SPD. Destination address of the first SPD and transmission of the second SPD based on the master policy and one or more addresses associated with the common name by the address book corresponding to the destination location The original address may be generated.

The communication security policy management device according to the present invention is used in a network that performs communication using a plurality of packet filtering devices, and generates a SPD including a plurality of rules that define the operation of the packet filtering device. The management device includes a transmission source base and a destination base that form a part of the network corresponding to each of the plurality of packet filtering devices, and the rule is that the packet filtering device operates to transmit communication data. The communication security policy management device includes at least a part of the rules common to a plurality of address books , including a transparency rule that regulates and a discard rule that regulates an operation in which the packet filtering device discards communication data. a representation using a common name that contains Te Comprising a master policy, an address book provided corresponding to the source base and destination locations, receives a common name, and address book associates the plurality of different addresses respectively as inputs, and master policy, address An SPD is generated based on one or more addresses associated with a common name by a book.

  According to the present invention, since the communication security policy management apparatus increases the efficiency of SPD generation, it is possible to increase the efficiency of SPD management.

Embodiments of the present invention will be described below with reference to the accompanying drawings.
Embodiment 1 FIG.
FIG. 1 is a diagram showing a configuration including a VPN (Virtual Private Network) network 100 according to Embodiment 1 of the present invention.
The VPN network 100 includes a WAN (Wide Area Network) that mediates communication according to the Internet protocol (IP). A VPN management apparatus 1 that manages VPNs is connected to the VPN network 100. The VPN management device 1 manages and monitors a plurality of VPN devices and generates and distributes a key for encryption. The VPN management device 1 also functions as a communication security policy management device that generates and distributes SPD, which is a rule that regulates the operation of the VPN device.
The VPN network 100 is connected with VPN devices 50 </ b> A to 50 </ b> C that are first to third VPN devices that realize VPN functions according to the management of the VPN management device 1. The VPN devices 50A to 50C control communication between networks corresponding to each site according to an SPD that defines each operation, and ensure the safety of the communication path. The VPN management device 1 manages the VPN network 100 by generating this SPD and transmitting it to the VPN devices 50A to 50C.

  The VPN network 100 includes bases respectively corresponding to the VPN devices 50A to 50C. The bases are bases 60A to 60C that are networks as first to third bases, and each includes a LAN (Local Area Network). Here, one site includes a plurality of LANs, but this may consist of a single LAN.

  FIG. 2 is a diagram illustrating a configuration of an IP address related to the VPN network 100. For each of the bases 60A to 60C, the IP address (network address) of the network included in the base, the subnet mask of the network included in the base, and the IP address of the VPN device corresponding to the base are shown. Note that the notation “255.255.255.0” in the subnet mask is a portion where the bit is 1 out of 32 bits indicating the IP address, that is, a portion where the first 24 bits represent the network address and the bit is 0. That is, the remaining 8 bits indicate a host address.

FIG. 2 also shows the IP addresses included in the IP telephone network as the first purpose network and the accounting system network as the second purpose network as the purpose-specific networks respectively included in the bases 60A to 60C. A range of is shown.
Here, the part before the “/” symbol indicates the network address, and the part after the “/” symbol indicates the number of bits of the subnet mask. That is, for example, in the IP telephone network at the base 60A, the subnet mask is 25 bits from the top, that is, “255.255.255.128”, and the IP address of the terminal included in this is 10.1.1.1129-10 1.1.1.254.

The base 60A includes the VPN device 50A, the accounting system server 90, and IP telephone terminals 82 and 84.
The base 60B includes the VPN device 50B, an IP telephone terminal 86, and an accounting system terminal 96.
The base 60C includes the VPN device 50C, an IP telephone terminal 88, and an accounting system terminal 98.
FIG. 1 shows the IP addresses of the VPN management device 1, IP telephone terminals 82 to 88, the accounting system server 90, and accounting system terminals 96 and 98. The IP telephone terminals 82 to 88 are also included in the IP telephone network, and the accounting system server 90 and the accounting system terminals 96 and 98 are also included in the accounting system network.

The IP telephone terminals 82 to 88 realize an IP telephone function (telephone function using the IP protocol) by communicating with each other in the IP telephone network, and the port number used for communication is indefinite. .
The accounting system terminals 96 and 98 execute processing relating to the accounting system by communicating with the accounting system server 90 using the TCP protocol in the accounting system network. The port numbers used for this communication are 1024 to 4096.

3 to 5, the VPN management device 1 and the data stored in advance in the VPN management device 1, that is, the configuration of data input from the outside by an operator or the like are shown.
FIG. 3 shows the configuration of the VPN management device 1. The VPN management device 1 is a computer including a calculation unit and a storage unit. This storage means includes master policy storage means 10, address book storage means 12, and SPD storage means 14.
The master policy storage means 10 stores a master policy 30 which is a basic rule that is a basis for generating an SPD.
The address book storage means 12 includes first to third site address books that define the correspondence between the name of the purpose-specific network and the range of IP addresses included in the purpose-specific network for each of the sites 60A to 60C. A certain base address book 32A-32C is stored. The SPD storage unit 14 stores bases SPDs 34A to 34C, which are first to third bases SPD that respectively define the operations of the VPN devices 50A to 50C.
Here, the base address books 32A to 32C and the base SPDs 34A to 34C are address books and SPDs corresponding to the bases 60A to 60C, respectively.

  The computing means of the VPN management device 1 includes SPD generation means 20 that generates the base SPDs 34A to 34C based on the master policy 30 and the base address books 32A to 32C. The SPD generation means 20 has a function of reading the master policy 30 and the base address books 32A to 32C as inputs from the master policy storage means 10 and the address book storage means 12, and a function of writing the bases SPDs 34A to 34C as outputs to the SPD storage means 14. And have.

  The computing means of the VPN management device 1 includes SPD transmission means 22 for transmitting the base SPDs 34 </ b> A to 34 </ b> C to the VPN network 100. The SPD transmission means 22 has a function of reading the bases SPDs 34A to 34C as inputs from the SPD storage means, and a function of sending the read bases SPDs 34A to 34C as outputs to the VPN devices 50A to 50C on the VPN network 100. Have. This transmission is directly performed by the SPD transmission unit 22, but this may be replaced by an output to a network interface or the like that is attached to the VPN management apparatus 1 and performs communication with the VPN network 100.

FIG. 4 shows an example of the master policy 30. The master policy 30 is data having a two-dimensional tabular structure. Each entry includes a condition for designating a specific packet in communication, and processing for a packet that matches the condition, that is, operations of the VPN devices 50A to 50C for the packet.
In the example of FIG. 4, entries R1 and R2 respectively represent a transmission source name, a destination name, a transmission source port number range, a destination port number range, a protocol number, a transmission source base, and a destination base as communication conditions. And a column representing an action as the corresponding process.

The transmission source name and the destination name respectively define the communication transmission source and the destination by the name. Here, the transmission source and the destination may represent a purpose-specific network such as “IP telephone network”, or may represent a single computer such as “accounting system server”. . Further, in this example, each name is defined using a character name, but this may not be a character name as long as it is consistent with the definition of the base address books 32A to 32C described later. It may be defined using other types of data such as
As described above, the master policy 30 includes the source and destination addresses in the SPD replaced with the source name and destination name which are abstracted expressions.

The transmission source port number range and the destination port number range define a range of port numbers used for communication at the transmission source and the destination by defining a lower limit and an upper limit, respectively. Here, designation of “0 to 0” indicates that communication using any port number is included. Alternatively, “1 to 65535” may be described, or a specific character string representing that communication using any port number is included.
The protocol number defines the protocol number of the protocol used for communication. For example, the TCP protocol is represented by protocol number 6. The designation of “0” indicates that communication using any protocol is included.

The transmission source base and the destination base define the bases corresponding to the transmission source and the destination, respectively. For example, in the communication from the accounting system server 90 to the accounting system terminal 98 in FIG. 1, the base 60A is the transmission source base and the base 60C is the destination base. In the entry R2 in the example of FIG. 4, the source base is designated as “first base”, which represents the base 60A that is the first base. There may be a plurality of designated bases.
The designation “ANY” indicates that communication by any base is included. For example, the entry R2 includes communication between the base 60A, the base 60B, and the base 60C because the transmission base is “first base” representing the base 60A and the destination base is “ANY”. Communication between 60B and base 60C is not included. That is, it represents a star-structured communication centered on the base 60A.
Further, the entry R1 includes communication between all bases because both the transmission source base and the destination base are “ANY”. That is, it represents full mesh communication.

In this embodiment, it is specified by the name of the base such as “first base”. However, this may be data in another format as long as it corresponds to each base on a one-to-one basis. It may be a 50C IP address.
As described above, the master policy 30 includes a source and destination base in the SPD replaced with an abstracted expression, that is, an “ANY” designation.

The action defines the operation of the VPN devices 50A to 50C. “Concealment” indicates a concealment rule that defines an operation of encrypting data of the communication.
The action may include other operations. For example, a “transparent” rule may be defined as “transparent” that defines an operation of transmitting the communication data as it is to the VPN network 100 without encryption.
For communication requests that do not meet the conditions of any entry, the default value is an operation to discard the communication data, that is, an operation that does not allow the communication (“discard”). Rules apply. Alternatively, as a default value, a transparency rule may be applied. The discard rule and the transparency rule may not be default values, and may be explicitly specified as “discard” and “transparent”, respectively, for a specific communication, for example.

  FIG. 5 shows examples of base address books 32A to 32C respectively corresponding to the bases 60A to 60C as (A) to (C). The base address books 32A to 32C are data having a two-dimensional table format structure. Each entry R11 to R16 defines and associates the correspondence between the name of the purpose-specific network and computer and the address (single IP address or a range including a plurality of IP addresses) at each base. Here, the part before the “/” symbol indicates the network address, and the part after the “/” symbol indicates the number of bits of the subnet mask. When the number of bits of the subnet mask is 32, the address indicates a single IP address, and when it is less than 32, the address indicates a range including a plurality of IP addresses.

For example, in (A), 10.1.129 to 10.1.1.2254 are defined as addresses corresponding to purpose-specific networks having the name “IP telephone network”. A single IP address 172.16.1.100 is defined as an address of a computer having the name “server”.
The name of the purpose-specific network may be included in common in a plurality of base address books. For example, “IP telephone network” is included in all of the base address books 32A to 32C. However, even if the names are the same, addresses corresponding to different terminals are associated in each base address book.
Although the name is defined by characters, it may be defined by other formats as long as it matches the definition of the master policy 30 described above.

  Processing when the VPN management device 1 generates the base SPDs 34A to 34C will be described with reference to FIGS. 6 and 7. FIG. 6 is a flowchart showing the flow of processing, and FIG. 7 is a diagram showing the configuration of the generated bases SPDs 34A to 34C. Further, it is assumed that the master policy 30 and the base address books 32A to 32C are as shown in FIGS. 4 and 5, respectively.

In the flowchart of FIG. 6, the SPD generation means 20 first initializes a counter variable i corresponding to the number of master policy entries (step S1). In this example, i = 1.
Next, the SPD generation means 20 reads the i-th row entry of the master policy 30 from the master policy storage means 10 (step S2). For example, when i = 1, the entry R1 in FIG. 4 is read. Hereinafter, the entry read here is referred to as a “master policy entry being processed”.

Next, the SPD generation unit 20 initializes a counter variable j corresponding to the number of bases included in the transmission source base (step S3). In this example, j = 1.
Next, the SPD generation means 20 determines which base is the j-th transmission source base in the master policy entry being processed (step S4). For example, when i = 1, the designation of the corresponding transmission source base (transmission source base of entry R1 in FIG. 4) is “ANY” and includes all the bases. Further, when j = 1, the corresponding base, that is, the first base is the base 60A. In the present embodiment, it is assumed that the first to third bases in the “ANY” designation are bases 60A to 60C, respectively.

If this designation is not “ANY”, for example, but a designation of a single site (for example, the source site in entry R2 in FIG. 4 where “first site” is designated), the source site The number of bases included in is 1, and the corresponding base is the first base.
Hereinafter, the base that is the source base determined here is referred to as a “source base being processed”.
Next, the SPD generation unit 20 reads a base address book corresponding to the transmission source base being processed (step S5). For example, when the master policy entry being processed is entry R1 and j = 1, the base address book 32A corresponding to the base 60A, that is, (A) of FIG. 5 is read.

  Next, the SPD generation unit 20 obtains the IP address corresponding to the transmission source name in the master policy entry being processed or the range thereof based on the base address book read in step S4 (step S6). For example, when i = 1 and j = 1, the designation of the corresponding transmission source name (the transmission source name of entry R1 in FIG. 4) is “IP phone network”. In the base address book 32A, “10.1.1.128/25”, that is, 10.1.1.129 to 10.1.1, is stored in the entry R11 as an address corresponding to the name “IP telephone network”. Since the range of .254 is designated, the SPD generation means 20 obtains this address. This address is stored in a portion (not shown) of the storage means as a transmission source address when generating the entry of the base SPD.

Next, the SPD generation unit 20 initializes a counter variable k corresponding to the number of bases included in the destination base (step S7). In this example, k = 1.
Next, the SPD generation means 20 determines which base is the kth destination base in the master policy 30 entry being processed (step S8). For example, when i = 1, the designation of the corresponding destination base (the destination base of entry R1 in FIG. 4) is “ANY” and includes all bases. Further, when k = 1, the corresponding base, that is, the first base is the base 60A.
If this designation is not “ANY”, for example, and a single base is designated, the number of bases included in the destination base is 1, and the corresponding base is the first base.
Hereinafter, the base that is the destination base determined here is referred to as a “destination base being processed”.

  Next, the SPD generation unit 20 determines whether the transmission source base being processed and the destination base being processed are equal. If they are equal, the process proceeds to step S20, and if not, the process proceeds to step S10.

The SPD generation means 20 reads a base address book corresponding to the destination base being processed (step S10). For example, when the master policy entry being processed is entry R1 and k = 2, the base address book 32B corresponding to the base 60B, that is, FIG. 5B is read.
Next, the SPD generation unit 20 obtains an address corresponding to the destination name in the master policy entry being processed based on the base address book read in step S10 (step S11). For example, when the master policy entry being processed is entry R1 and k = 2, the designation of the corresponding destination name is “IP telephone network”. In the base address book 32B, “10.1.2.128/25”, that is, 10.1.2.129 to 10.1.2, is stored in the entry R13 as an address corresponding to the name “IP telephone network”. Since the range of .254 is designated, the SPD generation means 20 obtains this address. This address is stored in a portion (not shown) of the storage means as a destination address when generating the entry of the base SPD.

Next, the SPD generation unit 20 generates an entry for each of the site SPDs 34A to 34C (step S12).
FIG. 7 shows examples of the bases SPDs 34A to 34C respectively corresponding to the bases 60A to 60C as (A) to (C). The bases SPDs 34A to 34C are data having a two-dimensional table structure. Each of the entries R21 to R24, R31 to R33, and R41 to 43 has a column indicating a transmission source address, a destination address, a transmission source port number range, a destination port number range, and a protocol number as communication conditions, As a process for a packet that matches the condition, it has a column representing an action. It also has a column that represents the IP address of the VPN device corresponding to the site including the destination address.

Of these columns, the source address stored in step S6 is designated as the source address, and the destination address stored in step S11 is designated as the destination address. In the source port number range, destination port number range, protocol number, and action column, the values specified in the master policy entry being processed are specified as they are. Further, when the action is “confidential”, the IP address of the VPN apparatus corresponding to the destination base being processed is specified in the column of the destination VPN apparatus. This is equivalent to specifying which of the VPN devices decrypts the encrypted data.
If the action is not “secret”, the destination VPN device column remains blank.
The entry generated in this way is added to the site SPD corresponding to the transmission source site being processed.
As an example, if the master policy entry being processed is entry R1, the source base being processed is base 60A, and the destination base being processed is base 60B, entry R21 is added to base SPD 34A. become.

Further, an SPD entry in which the transmission source base and the destination base are reversed is similarly generated. That is, in this SPD entry, the destination address stored in step S11 is specified as the source address, and the source address stored in step S6 is specified as the destination address. In addition, the destination port number range specified in the master policy entry being processed is specified in the source port number range of the SPD entry, and the destination port number range of the SPD entry is specified in the master policy entry being processed. The specified source port number range is specified. In the protocol number and action columns, the values designated in the master policy entry being processed are designated as they are. Further, when the action is “secret”, the IP address of the VPN apparatus corresponding to the transmission source base being processed is specified in the column of the destination VPN apparatus.
The entry generated in this way is added to the site SPD corresponding to the destination site being processed.
In the above example, that is, when the master policy entry being processed is the entry R1, the transmission source base being processed is the base 60A, and the destination base being processed is the base 60B, the entry R31 is stored in the base SPD 34B. Will be added.

Next, the SPD generation means 20 compares the counter variable k with the number of bases included in the destination base (step S13).
If k is smaller than the number of sites as a result of the comparison in step S13, or if the source site and the destination site are equal as a result of the comparison in step S9, k is incremented by 1 (step S20), and then step S8 Return to. Otherwise, the SPD generation means 20 compares the counter variable j with the number of bases included in the transmission source base (step S14).
As a result of the comparison in step S14, if j is smaller than the number of bases, j is increased by 1 (step S21), and then the process returns to step S4. Otherwise, the SPD generation means 20 compares the counter variable i with the number of entries in the master policy 30 (step S15).

  If i is smaller than the number of entries in the master policy 30 as a result of the comparison in step S15, i is incremented by 1 (step S22), and then the process returns to step S2. Otherwise, each of the bases SPDs 34A to 34C generated so far is stored in the SPD storage unit 14 as data collected for each base serving as a transmission source base (step S16). The bases SPD 34A to 34C for the bases 60A to 60C are stored as indicated by (A) to (C) in the example of FIG.

  The bases SPD 34A to 34C generated in this way are read by the SPD transmission means 22 in accordance with an instruction from the outside and transmitted to the corresponding VPN devices 50A to 50C, respectively. This transmission may be automatically performed without waiting for an instruction from the outside.

  As described above, the VPN management apparatus 1 according to the first embodiment includes the master policy 30 including the abstracted expression and the base address book including the association for replacing the abstracted part with the actual IP address. Since the base SPDs 34A to 34C are automatically generated based on 32A to 32C, it is possible to efficiently generate a large number of base SPDs including a large number of entries.

For example, suppose a case where a new purpose-specific network is defined in a VPN network having 100 sites and an SPD for encrypting the full mesh communication is desired to be added. In this case, since it is necessary to generate entries corresponding to communications from all bases to all other bases, the total number is 100 × 99 = 9900. In the conventional VPN management apparatus, it is necessary for the operator to directly input these 9900 entries.
In contrast, the VPN management apparatus 1 according to the first embodiment creates a new network according to purpose in one entry of the master policy in which “ANY” is designated as the transmission source base and the destination base, and the address book of each base. Based on each one entry to be defined, the above 9900 entries can be generated. For this reason, the operator need only input one entry of the master policy and 100 entries of the base address book. In this way, the operator's work can be reduced, and the base SPD can be generated efficiently.

Next, it is assumed that a new base is added to the VPN network having 100 bases. In this case, entries corresponding to communication to the new base are added to the base SPDs of all existing bases by the number of purpose-specific networks included in the new base. In the conventional VPN management apparatus, an operator needs to repeat the work of adding an entry to the site SPD for all 100 sites.
On the other hand, the VPN management apparatus 1 according to the first embodiment automatically includes a new site by specifying “ANY”. For this reason, the operator only has to input the base address book corresponding to the new base and regenerate the base SPD. In this way, the base SPD can be generated efficiently. Thus, it is possible to give flexibility also about scalability.
Note that even when existing sites are deleted, it is not necessary to delete entries for all sites, and it is only necessary to regenerate the site SPD after deleting the corresponding site address book. It is possible to have flexibility.
In addition, since the designation of the destination VPN device for decrypting the encrypted data is also included in the automatically generated site SPD, the generation of the site SPD can be made more efficient in this respect.

  In the first embodiment, the VPN management device 1 generates and distributes the SPD and also generates and distributes the key used for encryption. This is performed by an individual device. Also good. That is, the VPN management device 1 may generate and distribute the SPD, and a key management device provided separately from this may generate and distribute the key.

In the first embodiment, the master policy 30 shown in FIG. 4 includes “confidentiality” instructing encryption of communication data as a value set in the “action” column. Only the action may be settable. That is, only “transmission” or “discard” may be settable. In this case, since it is not necessary to specify the VPN device to be decrypted, the bases SPDs 34A to 34C shown in FIG. 7 may not have the “destination VPN device” column.
By doing in this way, VPN apparatus 50A-50C can be utilized as a simple packet filtering apparatus which does not perform communication encryption and simply transmits or discards data according to the bases at both ends of the communication.

It is a figure which shows the VPN network 100 containing the VPN management apparatus 1 which concerns on Embodiment 1 of this invention. 2 is a diagram illustrating a configuration of an IP address related to a VPN network 100. FIG. It is a figure which shows the structure of the VPN management apparatus 1 which concerns on Embodiment 1 of this invention. It is a figure which shows the master policy 30 which concerns on Embodiment 1 of this invention. It is a figure which shows the base address books 32A-32C which concern on Embodiment 1 of this invention. It is a flowchart which shows the flow of a process of the VPN management apparatus. It is a figure which shows base SPD34A-34C created by the VPN management apparatus 1. FIG.

Explanation of symbols

1 VPN management device (communication security policy management device), 30 master policy, 32A to 32C address book (base address book), 34A to 34C SPD (base SPD), 50A to 50C VPN device (packet filtering device), 60A to 60C Base, 100 networks (VPN network).

Claims (6)

A communication security policy management device that is used in a network that performs cryptographic communication using a plurality of VPN devices, and generates an SPD including a plurality of rules that define the operation of the VPN device,
The network includes a source base and a destination base that form part of the network corresponding to each of the plurality of VPN devices,
The communication security policy management device includes:
A master policy including at least a part of the rules represented by using a common name included in a plurality of address books ;
An address book provided corresponding to the source base and the destination base, and receiving as input the common name and an address book relating one or more different addresses,
Wherein the master policy, based on said one or more addresses are related to the common names by the address book, to generate a pre-SL SPD, communication security policy management device. The communication security policy management apparatus according to claim 1 , further comprising generating and distributing the key for the encryption communication. The rule includes a secret rule that defines an operation in which the VPN device encrypts communication data.
The concealment rules communication security policy management apparatus according to claim 1 or 2 including the designation of the VPN apparatus for decoding corresponding the encrypted data to the destination site. A communication security policy management device that generates an SPD that is used in a network that performs communication using a plurality of packet filtering devices and includes a plurality of rules that define the operation of the packet filtering device,
The network includes a source base and a destination base that form part of the network corresponding to each of the plurality of packet filtering devices,
The rule includes a transparency rule that defines an operation in which the packet filtering device transmits communication data, and a discard rule that defines an operation in which the packet filtering device discards communication data.
The communication security policy management device includes:
A master policy including at least a part of the rules expressed using a common name included in common in a plurality of address books ;
An address book provided corresponding to the source base and the destination base, and receiving the common name and an address book associating a plurality of different addresses as inputs,
Wherein the master policy, based on said one or more addresses are related to the common names by the address book, to generate a pre-SL SPD, communication security policy management device. At least a portion includes the source address and destination address before Symbol communications, communications security policy management apparatus according to any one of claims 1-4 of the SPD.   The communication security policy management device includes:
  Based on the master policy and the one or more addresses associated with the common name by the address book corresponding to the source site, the source address and the second of the first SPD Generating the destination address of the SPD;
  Based on the master policy and the one or more addresses associated with the common name by the address book corresponding to the destination location, the destination address of the first SPD and the second SPD Generate the source address
The communication security policy management device according to claim 5.

Images