JP5055237B2 - Secure communication device - Google Patents

Description

  The present invention relates to a method for securely exchanging data between a plurality of computers and an apparatus configuration thereof. In particular, the present invention relates to a method and a device configuration for exchanging data safely with excellent real-time characteristics when exchanging data between a general-purpose computer and a built-in computer.

  A technique for exchanging data among a plurality of computers is disclosed in [Patent Document 1].

  The gateway disclosed in [Patent Document 1] is connected between different networks. This gateway is composed of two computers, two shared memories, and two disks connected to each computer. The shared memory is configured to bridge two computers. Each shared memory can be read and written only from one computer, and can only be read from the other computer. Data transfer is performed via different shared memories depending on the direction of data transfer. For this reason, remote access from one network terminal to the other network terminal becomes impossible, and illegal intrusion via the network is prevented.

Japanese Patent Laid-Open No. 7-200433

  In recent years, general-purpose personal computers (PCs) and communication technologies surrounding PCs are being introduced in the computer system field, which has been uniquely constructed so far, from the viewpoint of convenience and introduction cost. For example, control computer systems used in factories, power generation / substations, and chemical plants can be cited as examples.

  Once installed, these control computers tend to be used for a long period of time, from several years to over ten years, compared to PCs used in offices. As general-purpose PC technology has advanced, technology in control computer systems has been utilized in various ways. For example, it has become easy to confirm the operation of the control computer from a remote location by using a wireless communication technology such as a wireless LAN or a portable packet communication network.

  By the way, various security threats exist in general-purpose PCs and their application products. The contents of threats include those that cause data destruction or unusable due to virus infection, those that secretly take over and take over the PC, and those that distribute PC internal data to other PCs on the Internet inexhaustibly.

  There are also concerns about physical security (physical security) such that an unauthorized person approaches the PC itself, or the PC is disassembled to directly read or destroy the hard disk or memory. Problems to be solved by the present application are mainly targeted at information security (cyber security). Hereinafter, unless otherwise specified, “security” means cyber security.

  As the introduction of PC peripheral technology into control computer systems progresses, security threats that have occurred in the PC environment have emerged as similar problems in control computer systems. An object controlled by a control computer system may have a great influence on human life and the environment due to unexpected operations. There are also concerns about economic loss due to production line anomalies and leakage of secret manufacturing technology information.

  From the above, the security measures in the computer system for control have been attracting attention from the industry as a theme that should be dealt with intensively in the future utilization of PC technology. As an example of a security measure, a gateway, a router, and the like are generally arranged between a control network constituting a control computer system and an information network connected thereto. Measures that allow communication between the computer devices on the two networks without allowing direct communication between them and that only the authorized user can communicate are used. In this case, the gateway disclosed in the above-mentioned [Patent Document 1] is also a countermeasure technology. It can be.

  However, the above-described known examples have problems in the following points.

  That is, the gateway disclosed in [Patent Document 1] does not disclose a technique for a computer belonging to the other network to grasp the update even when there is a data update from a computer belonging to one network. . For this reason, for example, in a configuration in which a monitoring PC is arranged on one network and a control computer is arranged on the other network, the monitoring PC periodically checks the notification data in order to grasp the notification data from the control computer. Need to go (polling). When the amount of data is large or when the monitoring target extends over many gateway devices, it is difficult to monitor with high real-time performance. A solution for separating networks using a general gateway or router is a technology that permits communication if there is no problem with the communication protocol and user authentication, and blocks the others. Therefore, it is also assumed that the control computer is damaged by malicious communication according to the permitted procedure. For example, a denial-of-service attack may be launched from a PC contaminated with a virus connected to a reliable network.

  In view of the above, an object of the present invention is to disclose a safe and real-time data exchange method for a computer to be protected, and to provide a method and apparatus for realizing data exchange.

  In order to achieve the above object, according to the present invention, in a communication apparatus having a plurality of communication I / Fs, communication data is exchanged and blocked between the first communication I / F and the second communication I / F. A path control unit for changing, a storage unit for storing a part of the communication data, and interpreting the communication data from the path control unit and converting a part of the communication data into writing or reading to the storage unit A data access unit that performs data update, an update detection unit that detects writing or reading of data to or from the storage unit, and a data update that is notified from the update detection unit to a predetermined computer via the first or second communication I / F And an update notification means for notifying of the presence or absence of this.

  Furthermore, in the communication apparatus of the present invention, the update detection unit has a detection rule database that holds a combination of access patterns to the storage unit by the data access unit, and the access pattern recorded in the detection rule database It is characterized by detecting the presence or absence of a match.

  Furthermore, in the communication apparatus of the present invention, the update notification unit has a notification destination database that holds a destination to which an update notification is communicated, and updates to the destination of the notification destination database according to the information notified from the update detection unit. A notification is transmitted.

  Furthermore, in the communication device according to the present invention, the storage unit includes a data interface that transmits and receives data to a storage element outside the communication device.

  In order to achieve the above object, the present invention provides a communication apparatus having a plurality of communication I / Fs, a first authentication unit that authenticates a communication partner in communication from the first communication I / F, and a second authentication unit. A second authentication unit that authenticates a communication partner in communication from the communication I / F, and a path for exchanging, blocking, and changing communication data between the first authentication unit and the second authentication unit A control unit, a storage unit that stores a part of the communication data, and a data access unit that interprets the communication data from the path control unit and converts the communication data into a write or read to the storage unit Update detection means for detecting writing or reading of data with respect to the storage unit, and notification of presence or absence of data update to the predetermined computer via the first or second communication I / F notified from the update detection means Further It is characterized in that a notifying means.

  In order to achieve the above object, the present invention provides a communication system that connects a plurality of networks to which a plurality of computers belong, wherein a communication device that connects the plurality of networks has a plurality of communication I / Fs, A path control unit that exchanges, blocks, and changes communication data between the communication I / F and the second communication I / F, a storage unit that stores a part of the communication data, and the path control unit A data access unit that interprets the communication data and converts a part of the communication data into writing or reading to or from the storage unit, update detection means that detects writing or reading of data to or from the storage unit, and the update detection Update notification means for notifying the presence / absence of data update to the predetermined computer via the first or second communication I / F notified to the plurality of networks. At least one computer to transmits the communication data to the communication device at a predetermined time interval, the communication device is characterized in that to send a notification of the data update to a predetermined computer.

  Furthermore, in the communication system according to the present invention, the update detection unit has a detection rule database that holds a combination of access patterns to the storage unit by the data access unit, and the access pattern recorded in the detection rule database It is characterized by detecting the presence or absence of a match.

  Furthermore, in the communication system according to the present invention, the update notification unit has a notification destination database that holds a destination to which an update notification is communicated, and updates to the destination of the notification destination database according to the information notified from the update detection unit. A notification is transmitted.

  Furthermore, in the communication system of the present invention, the storage unit includes a data interface that transmits and receives data to a storage element external to the communication device.

  In order to achieve the above object, according to the present invention, in a communication apparatus having a plurality of communication I / Fs, communication data is exchanged between the first communication I / F and the second communication I / F. A path control unit that blocks and changes, a storage unit that stores a part of the communication data, and interprets communication data from the path control unit and writes or reads a part of the communication data to the storage unit A data access unit that converts the data into the storage unit, an update detection unit that detects writing or reading of data to or from the storage unit, and a data update to a predetermined computer that is notified by the update detection unit via the 1 or 2 communication I / F Update notification means for notifying the presence or absence of data, and heartbeat generation means for executing writing or reading of predetermined data at a predetermined time interval in the storage unit. That.

  Furthermore, in the communication device of the present invention, the communication device transmits the data update notification to a predetermined computer when the update detection unit detects data access to the storage unit of the heartbeat generation unit. It is a feature.

  In order to achieve the above object, according to the present invention, in a communication apparatus having a plurality of communication I / Fs, communication data is exchanged between the first communication I / F and the second communication I / F. A path control unit for blocking and changing, a storage unit for storing or erasing a part of the communication data, and interpreting communication data from the path control unit and storing a part of the communication data A data access unit for converting to writing or reading to the unit and a heartbeat notification means for transmitting a heartbeat to a predetermined computer, and when a response of the heartbeat from the computer is not obtained within a predetermined time, The heartbeat notifying means issues a memory erasure instruction to the storage unit.

  Furthermore, in the communication apparatus of the present invention, an update detection unit that detects writing or reading of data to or from the storage unit, and a predetermined computer notified from the update detection unit via the first or second communication I / F Update notification means for notifying the presence or absence of data update, and heartbeat generation means for executing writing or reading of predetermined data at a predetermined time interval in the storage unit, and a heartbeat response from the computer is a predetermined time If not obtained, the heartbeat notification means issues a storage erasure instruction to the storage unit.

  In order to achieve the above object, the present invention provides a communication system that connects a plurality of networks to which a plurality of computers belong, wherein a communication device that connects the plurality of networks has a plurality of communication I / Fs, A path control unit for exchanging, blocking, and changing communication data between the communication I / F and the second communication I / F, storage means for storing the communication data in a storage element, and contents of the storage element A storage unit having storage erasing means for erasing data, a data access unit that interprets communication data from the path control unit and converts a part of the communication data into writing or reading to the storage unit, and the storage unit Update detecting means for detecting writing or reading of data to / from the data, and updating of data to a predetermined computer via the first or second communication I / F notified by the update detecting means Update notification means for notifying presence / absence, and heartbeat generation means for executing writing or reading of predetermined data at a predetermined time interval in the storage unit, and a heartbeat response from the computer is obtained within a predetermined time. If not, the heartbeat notification means issues a storage erasure instruction to the storage unit.

  In order to achieve the above object, according to the present invention, in a communication apparatus having a plurality of communication I / Fs, communication data is exchanged between the first communication I / F and the second communication I / F. A path control unit for blocking and changing; a storage unit having a plurality of storage elements for storing a part of the communication data; and interpreting the communication data from the path control unit to convert a part of the communication data. A data access unit for converting to writing or reading to the storage unit, an update detecting unit for detecting writing or reading of data to or from the storage unit, and the first or second communication I / Update notification means for notifying the presence or absence of data update to a predetermined computer via F, and the storage unit selects the plurality of storage elements according to the importance of stored data so That.

  Furthermore, in the communication device according to the present invention, the storage unit includes a data interface that transmits and receives data to a storage element outside the communication device.

  With the secure communication device of the present invention, the controller belonging to one network transmits data to the communication device at an appropriate timing, and the PC belonging to the other network is notified that the conditions such as writing are in place and communicates. Since it becomes possible to access the apparatus, it is possible to share information between the controller and the PC in a safe and real-time manner.

  Also, in the present invention, it is possible to perform filtering of communication data in combination with the above functions, so that it is possible to prevent the operation of the controller in the other network from becoming unstable due to frequent access from one network. It becomes.

  Further, as another effect of the present invention, when the controller or the communication device is stopped due to an abnormality, a management server different from the communication device can detect the abnormality.

  Furthermore, even if the communication device is stolen, for example, data in the communication device can be erased, and it is possible to safely store highly important data.

  The present invention relates to a method and apparatus for exchanging data safely with excellent real-time characteristics when exchanging data between a general-purpose computer and a built-in computer. First, the apparatus configuration of the present invention that realizes data exchange with high real-time property and safety will be described. Thereafter, a method for safely operating the communication apparatus will be described.

  FIG. 1 shows a block configuration diagram showing a configuration of a secure communication apparatus according to the first embodiment of the present invention and an outline of the system.

  A communication device 1 representing a secure communication device is connected to a plurality of PCs 2-1 to 2-m (m: corresponding to the number of PCs) via a network 3. Similarly, the communication device 1 is connected to a plurality of controllers 5-1 to 5-n (n: corresponding to the number of controllers) via the network 4. In this embodiment, the types are divided for convenience from the PC and the controller, but these are not limited to these types as long as they are computers that communicate via a network. In addition, the present invention can be applied when the number n, m is one or more.

  The network to which the present invention can be applied is not particularly limited, and includes Ethernet (registered trademark), a wireless LAN that conforms to FDDI, RS485, IEEE802.11a / b / g, CAN (Controller Area Network), Fiber. It can be applied to various network physical layers such as Channel. There is no restriction on the protocol used in each network, and the protocol corresponding to the physical layer such as TCP / UDP / IP and iSCSI can be supported. In this embodiment, the description will be made on the assumption that the network is Ethernet and the protocol is IP, but the scope of application of the present invention is not limited to these.

  The configuration of the communication device 1 will be described with reference to FIG. The communication device 1 includes communication interfaces (hereinafter referred to as IFs) 10 and 11, route control units 20 and 21, a data access unit 30, and a storage unit 40.

  The communication IFs 10 and 11 perform data transmission and reception with the networks 3 and 4, respectively. The path control unit 20 performs path control of transmission / reception data related to the communication IF 10. In addition, the path control unit 21 performs path control of transmission / reception data regarding the communication IF 11.

  For example, data received from the network 3 is taken into the communication device 1 via the communication IF 10. The received data input from the communication IF 10 is determined by the path control unit 20 according to the received data, whether it is transferred to a controller in the network 4, used by the communication device 1 itself, or discarded. Specifically, for example, the determination is made based on the destination IP address described in the received data and the TCP or UDP port number.

  When transferring the received data to the controller, the path control unit 20 transmits the received data to the path control unit 21, so that it is output to the network 4 via the communication IF 11 and delivered to the destination controller. When the received data is used by the communication device 1 itself, the path control unit 20 transfers the data to the data access unit 30. When discarding the received data, the path control unit 20 deletes the received data without transferring it anywhere. The path control unit 20 can change a part of the received data as necessary when transferring the received data, but details will be described later.

  Since the configuration and operation of the route control unit 21 are the same as those of the route control unit 20, description thereof will be omitted.

  The storage unit 40 is a storage unit that protects data write, read, erase, write / read prohibition, and the like in response to a request from the data access unit 30. These operations on data are performed on the storage element 41. The storage element 41 may be volatile or nonvolatile. As the storage element 41, various storage elements such as a magnetic disk employed in a hard disk drive, a magneto-optical disk such as a CD-ROM, flash memory, EEPROM, SRAM, DRAM, MRAM, FeRAM, and flip-flop are applicable in the present invention. is there.

  The data access unit 30 requests the storage unit 40 to perform an operation on data in response to requests from the path control units 20 and 21. The data access unit 30 includes an update detection unit 31, a detection rule 32, an update notification unit 33, and a notification destination database (hereinafter, the database is referred to as a DB) 34. The update detection unit 31 has a function of checking whether the operation of updating to the storage unit 40 corresponds to the condition of the detection rule 32. When the operation to the storage unit 40 corresponds to the detection rule 32, the update detection unit 31 notifies the update notification unit 33 that it has been detected. Upon receiving notification from the update detection unit 31, the update notification unit 33 has a function of searching for a corresponding notification destination from the notification destination DB 34, creating notification data, and transmitting it to appropriate route control units 20 and 21. . Next, the operation of the data exchange system according to the present invention will be described with reference to FIG.

  In this system, each controller itself is set to periodically transmit predetermined data to the communication device 1 with respect to the controllers 5-1 to 5-1n. In addition, a user who uses the PCs 2-1 to m requests the communication device 1 for data.

  At this time, for example, consider an application for browsing the monitoring screen of the controller on a certain PC. The controller transmits data to the communication device 1 at each timing. The communication device 1 receives data via the communication IF 11 and transfers the data to the path control unit 21. The path control unit 21 determines that the data is data addressed to the communication device 1 itself, and transfers the data to the data access unit 30. The data access unit 30 transfers the data to the storage unit 40 together with a write instruction. At this time, the update detection unit 31 checks whether the access matches the detection rule 32.

  If the rule matches, the update notification means 33 designates the destination according to the notification destination DB 34, creates notification data, and transmits it to the route control unit 20. The path control unit 20 transmits notification data to a destination PC (not shown) of the network 3 via the communication IF 10. The destination PC that has received the notification data knows that the necessary conditions have been met and accesses the predetermined data of the communication device 1.

  As another example, a case where the PC directly operates the controller will be described. Assume a situation where the controller is operated directly from a PC in order to change the operating conditions and settings of the controller. The communication device 1 receives an operation request packet from the PC. The communication IF 10 transfers the received packet to the route control 20. The route control 20 determines that the packet should be transferred to the controller, and transfers it to the route control 21. The path control 21 sends an operation request packet to the network 4 via the communication IF 11. As described above, the final destination controller can receive the operation request packet.

  With the configuration as described above, the controller transmits data to the communication device 1 at an appropriate timing that can be controlled by itself, and the PC is notified that the condition such as writing is satisfied and accesses the communication device 1. It becomes possible to do.

  Therefore, information can be shared between the controller and the PC. Since the controller is not randomly accessed, the control of the controller is not disturbed, and the controller can be operated safely. Since the PC is notified in real time of the update of the target data, the data can be received promptly without imposing an excessive load on the controller for checking whether or not the information is updated. In addition, direct communication is possible as necessary, and a system can be flexibly constructed.

  FIG. 2 shows a configuration example of the communication device 1. The communication device 1 includes elements such as a CPU 50, a RAM 52, a communication IF 10, a communication IF 11, a storage element 41, and a nonvolatile memory 53. These elements are connected by an internal bus 51 to exchange data with each other. The CPU 50 reads the instructions and constants of the program that implements the OS 54, the path control units 20 and 21, the storage unit 40, the data access unit 30 and the like held in the nonvolatile memory 53, and these instructions and constants are read as necessary. The data is stored in the RAM 52, read or written, and software processing is executed. Examples of the non-volatile memory 53 include an electrically erasable and writable EEPROM, a flash memory, a magneto-optical medium such as a hard disk device and a CD-ROM.

  The communication IFs 10 and 11 perform processing for transmitting data requested from the CPU 50 via the internal bus 51 to the networks 3 and 4 and processing for receiving processing received from the networks 3 and 4 to the CPU 50. The present invention is not limited by the network technology used as the networks 3 and 4.

  The communication IFs 10 and 11 notify the CPU 50 of an interrupt signal (not shown) that its own state change or processing request has occurred. The CPU 50 executes the software and processes interrupts from the communication IFs 10 and 11 to realize a target function. FIG. 3 shows a flowchart of the operation of the route control unit 20.

  The operation of the route control unit 21 can also be explained in the same manner as the operation bath chart of FIG. 3 by replacing the communication IFs 10 and 11 described in FIG. 3 and replacing the route operation units 20 and 21.

  The operation of each step will be described according to the flowchart of FIG.

  First, it is determined from which path the input data transferred to the path control unit 20 is input (step 100).

  When it is determined from the route control unit 21 in step 100, the transmission source address is changed as necessary (step 110). This is a technique called Source NAT (Network Address Translation), which means that the IP address of the transmission source is changed by the IP protocol. The process of step 110 can be omitted if Source NAT is not required or if the input data is not based on the IP protocol. After step 110, the input data is transferred to the communication IF 10 (step 111), and the path control is terminated.

  If it is determined from the data access unit 30 in step 100, the destination address is changed as necessary (step 101). This is a technique called Destination NAT, which means that the destination IP address is changed by the IP protocol. If Destination NAT is not required or if the input data is not based on the IP protocol, step 101 can be omitted. Next, it is determined whether to discard the data (step 108). This means that the route control unit 20 filters data that should not be transmitted. It is assumed that a rule for determining whether or not data can pass is set in the route control unit 20 in advance. If it is determined not to discard the data, the process proceeds to step 110. If it is determined that the data is to be discarded, the data is discarded (step 109), and the path control is terminated.

  If it is determined from the communication IF 10 in step 100, Destination NAT is executed if necessary (step 102). This step can be omitted as in step 101. Next, the destination of the input data is determined (step 103).

  If it is determined in step 103 that the destination is the data access unit 30, it is next determined whether to discard the data (step 105). When discarding data, the process proceeds to step 109. If the data is not discarded, the input data is transferred to the data access unit 30 (step 107), and the path control is terminated.

  If it is determined in step 103 that the destination is the path control unit 21, it is next determined whether to discard the data (step 104). When discarding data, the process proceeds to step 109. If the data is not discarded, the input data is transferred to the route control unit 21 (step 106), and the route control is terminated.

  FIG. 4 shows a DB configuration of the detection rule 32.

  The detection rule 32 is a DB having attributes of input data source address 200, data update destination area 201, access type 202, and action 203. FIG. 4 shows an example of tuples 205, 206, and 207 having these attributes.

  The tuple 205 reads: “If the computer with the IP address“ 192.168.0.1 ”has a data“ write ”for the update destination area“ Area-A ”, the action No.“ 1 "" is executed. Here, action No. represents an index of the notification destination DB 34 described later.

  In the tuple 206, the action 203 has a plurality of index descriptions. This is intended to execute a plurality of indexes in the notification destination DB 34.

  Further, the tuple 207 means that a plurality of computers having a subnet whose source address is 192.168.10.0 (subnet mask 24 bits) are designated.

  FIG. 5 shows the configuration of the database of the notification destination DB 34.

  The notification destination DB 34 is a database having attributes of action 220, notification destination IP address 221, and message 222. FIG. 5 shows an example of tuples 223 to 226 having these attributes.

  The tuple 223 means that the message “Area-A is updated” is transmitted to the computer having the destination IP address “192.1688.10.1” in “action No.“ 1 ””. The same applies to the tuples 224 to 226.

  The update notification means 33 constructs a message having the content to be transmitted with the destination IP address from the data corresponding to the requested index.

  In the present embodiment, the message 222 is a fixed message, but more detailed data can be included in the message. In that case, it is preferable to design a message and an argument in accordance with the format of the C language printf () function, for example.

  FIG. 6 shows a flowchart of the operation of the data access unit 30, and the operation of each step will be described.

  First, the data access unit 30 interprets the content of the received input data and issues it to the storage unit 40 (step 120). Here, the data access unit 30 converts the input data contents into an instruction sequence that can be understood by the storage unit 40. For example, when the content of the request from the outside does not include a specific storage element name, the storage element name (for example, / dev / sd0) mounted on the communication device 1 is added. In addition, a storage area corresponding to a computer that stores data may be allocated in advance and converted into access to the storage area according to the transmission source of the input data.

  In the present embodiment, the storage unit 40 performs the specified data access (reading or writing) in the specified area.

  After the response from the storage unit 40 is obtained, the update detection unit 31 acquires the detection rule from the detection rule 32 in order to check whether the data access content corresponds to the update detection rule (step 121). Thereafter, the update detection means 31 checks whether the data access matches the acquired rule (step 122). In this embodiment, the contents of the data access are inspected for the source address 200, the data update destination area 201, and the access type 202 shown in FIG.

  Thereafter, it is determined whether the data access corresponds to the inspection rule (step 123). If applicable, the update notification means 33 acquires the notification destination from the notification destination DB 34 in accordance with the detection rule 32 (step 124). Then, the update notification means 33 issues the message content acquired in the notification destination DB 34 to the destination designated in the notification destination DB 34 (step 125). Then, the process proceeds to step 126.

  If no match is found in step 123, it is checked whether there is a remaining update detection rule to be checked by the detection rule 32 (step 126). If so, the process proceeds to step 121. If not, the process of the data access unit 30 ends.

  FIG. 7 shows a sequence diagram representing the operation of the communication apparatus according to the present invention. Here, the operation when a data storage request is issued from the controller will be described.

  A data storage request is issued from the controller 5 (step 240). The communication IF 11 receives the storage request and transfers it to the path control unit 21 (step 241). Thereafter, the communication IF 11 responds to the controller 5 that it has accepted the storage request (step 250).

  Receiving the storage request, the path control unit 21 determines the destination of the storage request according to the flow of FIG. 3, and transfers the storage request to the data access unit 30 (step 242). The data access unit issues a storage request to the storage unit 40 according to the flow of FIG. 6 (step 243). Thereafter, the data access unit 30 that has received the completion notification from the storage unit 40 (step 244) performs an update check and determines whether the check rule is met (step 245). As a result, if applicable, the data access unit issues an update notification to the route control unit 20 by the update notification means 33 (step 246). The path control unit 20 that has received the update notification from the data access unit 30 transfers it to the communication IF 10 according to the flow of FIG. 3 (step 247).

  Finally, the communication IF 10 transfers the update notification to the PC 2 and ends the process (step 248).

  As can be seen from the above flow, the update detection unit 31 and the update notification unit 33 in the data access unit 30 issue an update notification from the data requested to be stored by the controller to the PC associated with the data. That is, the PC can know the data update without polling for the data update.

  Further, the route control units 20 and 21 can filter communication data. For example, the access from the PC 2 to the controller 5 is given to the communication device 1 by setting the path control units 20 and 21 to pass the access from the network 4 to which the controller belongs and to block the access from the network 3 to which the PC belongs. Can be blocked. As an effect, it becomes possible to prevent the operation of the controller from becoming unstable due to frequent access from the PC. In addition, the present invention makes it possible to protect the controller from malicious access such as viruses and worms and denial of service (DoS).

  FIG. 8 is a configuration example of the secure communication apparatus according to the second embodiment of the present invention.

  Functions and elements having the same reference numerals used in the embodiments mean the same functions and elements as described in the first embodiment unless otherwise specified.

  Compared to the first embodiment, the communication apparatus according to the present embodiment does not include the storage element 41 but includes the data IF 55 instead. The storage element 41 is configured in a storage device 6 different from the communication device 1 ′.

  As the data IF 55, an interface for connecting to the storage device 6 is selected. For example, if a USB memory or USB hard disk accessible via USB (Universal Serial Bus) is used as the storage device 6, the data IF 55 is suitably a USB-IF. If Serial ATA (SATA) -IF is used for the data IF 55, an external SATA hard disk can be used. By using an Ethernet-IF for the data IF 55, an external NAS (Network Attached Storage) can be used as the storage device 6.

  By appropriately configuring the data IF 55, Compact Flash (registered trademark) and various memory cards can be used.

  In the present embodiment, the storage unit 40 has a function of accessing the data IF 55. The storage unit 40 performs interface abstraction so that the various storage devices 6 as described above can be uniquely handled as communication devices from the communication device. By doing so, the various configurations described in the first embodiment can be directly applied to the present embodiment.

  According to the present invention, various memory elements can be used in addition to the effects of the first embodiment. For example, in the case of a storage element such as a hard disk, there may occur an accident that mechanical wear occurs due to long-term use. In addition, since the memory element using the flash memory has a limited number of times of writing, it is desirable to replace it by maintenance. Even in the above case, if the storage device 6 can be replaced by the data IF 55, maintainability is improved.

  As a risk due to the external storage device 6, data theft can be considered. However, for example, if the communication apparatus is installed in a place where theft is difficult, there is no problem in applying the configuration of the present embodiment.

  FIG. 9 is a block diagram showing the configuration of the secure communication apparatus according to the third embodiment of the present invention. Unless otherwise specified, functions and elements having the same reference numerals used in the embodiments mean the same functions and elements as those described in the first and second embodiments.

  The communication apparatus 7 according to the present embodiment newly has authentication units 12 and 13 as compared with the first and second embodiments.

  The authentication units 12 and 13 have a function of confirming the authenticity of a communication device such as a PC or a controller connected to the communication device 7 via a network. In the present embodiment, only a device whose authenticity is recognized can communicate with the communication device 7.

  By confirming whether a device connected via the network is a reliable device, it is possible to provide data according to the degree of reliability. For example, if a data request is from a PC with administrator authority, all data will be disclosed, but if it is a data request from a PC with normal operator authority, a part of the monitoring data will be disclosed and the authority will not be authorized. This data request can be rejected.

  Various authentication techniques exist as means for confirming the authenticity of a communication device. For example, authentication by public key encryption or authentication by a pre-shared key. In the present invention, known authentication techniques including them can be applied. Further, IPsec (Security Architecture for Internet Protocol) can be used as an implementation of a communication protocol for confirming authenticity.

  A communication operation according to this embodiment will be described. The basic operation flow is as shown in FIG. The present embodiment is different from the first embodiment in that an authentication process is performed before a regular communication process is started. That is, processing is performed so that the authentication process is completed in advance between both “between the controller and the communication device 7” and “between the PC and the communication device 7”.

  According to the present invention, in addition to the effects of the first embodiment and the second embodiment, the disclosure range of data can be limited by authenticating the connected device. It is possible not to disclose data to an unreliable device.

  On the other hand, considering connection with an existing controller, authentication by IPsec is often difficult. In that case, the communication device 7 and the controller are installed so as to be physically secure so that the connection cannot be changed from the outside so that only the authentication unit 12 is enabled and the authentication unit 13 is disabled. However, data can be exchanged safely.

  FIG. 10 is a block diagram showing the configuration of a secure communication apparatus according to the fourth embodiment of the present invention. Unless otherwise specified, functions and elements having the same reference numerals used in the embodiments mean the same functions and elements as those described in the first to third embodiments.

  A feature of this embodiment is that a heartbeat indicating that the communication apparatus 8 is operating normally is transmitted from the communication device 8 to a specific computer, preferably a management server (not shown). As long as the heartbeat is received, the management server can determine that the operation of the communication device 8 is sound. Depending on the method for generating the heartbeat, not only the communication device 8 but also the soundness of the controller 5 supported by the communication device 8 can be confirmed.

  Two examples of a method for generating a heartbeat will be described. The first example is a method for generating a heartbeat from the controller, and the second example is a method for generating a heartbeat from the communication device 8 itself. FIG. 10 is a configuration example for realizing the second example, and details of the content will be described later.

  First, the first example will be described. The first example is realized by setting the detection rule 32 and the notification destination DB 34 so that the controller periodically accesses the specific area, and the communication device 1 monitors the access to the specific area.

  For example, the controller 5-1 (IP address is 192.168.0.10) is set to periodically read (read) Area-X.

  At this time, regarding the detection rule 32 of the communication apparatus 1, the source address 200 = “192.168.0.10”, the data update destination area 201 = “Area-X”, the access type 202 = “Read”, and the action 203 = “ Set 10 ”.

  Further, for the notification destination DB 34, action 220 = “10”, notification destination IP address 221 = “IP address of the management server”, and message 222 = “HeartBeat from CNT5: Time = current time” are set.

  By configuring as described above, as long as the controller operates normally and continues to read and access Area-X as set, the communication device 1 detects access to the area and sends a heart with a time stamp to the management server. It becomes possible to continue sending beats.

  As an effect of the first example of the present embodiment, when the controller 5 or the communication device 1 is stopped due to an abnormality, the management server can detect the abnormality. For this reason, according to the present invention, it is possible to quickly detect an abnormality, and thus the availability of the system can be improved.

  Next, a second example will be described with reference to FIG.

  The communication device 8 in FIG. 10 is different from the communication device 1 in FIG. 1 in that the data access unit 30 includes a heartbeat generation unit 35.

  The heartbeat generating unit 35 is configured to be able to access a set area with a set access type at a set time interval.

  Furthermore, it is possible to notify the management server of the heartbeat by setting the detection rule 32 and the notification destination DB 34 as in the following example.

  In the detection rule 32 of the communication device 8, the source address 200 = “self (for example, 127.0.0.1)”, the data update destination area 201 = “Area-Y”, the access type 202 = “Read”, and the action 203 = "11" is set.

  In the notification destination DB 34, action 220 = “11”, notification destination IP address 221 = “IP address of management server”, message 222 = “HeartBeat from SEC-RT: Time = current time” are set.

  By setting as described above, every time the heartbeat generation unit generates access to the storage unit 40 at the set interval, the update detection unit 31 detects the access, and the update notification unit 33 sends the heartbeat to the management server. It is possible to issue an update notification corresponding to.

  As described above, since the communication device 8 includes the heartbeat generation unit 35, the heartbeat can be notified to the management server without changing the controller 5 and applying a load.

  As another effect, by executing the first example and the second example in combination, it is possible to determine whether an abnormality has occurred in the controller 5 or the communication device 8 when an abnormality occurs. For example, when the heartbeat generated from the heartbeat generating means 35 arrives but the heartbeat generated from the controller 5 does not arrive, it can be determined that the communication device 8 is normal and the controller 5 is abnormal. Therefore, abnormality diagnosis can be performed quickly, which can contribute to improvement of system availability.

  FIG. 11 is a block diagram showing a configuration of a secure communication apparatus according to the fifth embodiment of the present invention. Unless otherwise specified, functions and elements having the same reference numerals used in the embodiments mean the same functions and elements as those described in the first to fourth embodiments.

  The feature of the present embodiment is that the storage elements in the storage unit 40 are divided into a plurality of levels and the storage erasing means 42 is provided in the storage unit 40. According to the present embodiment, the storage element can be changed according to the importance level of the data to be stored, and the data with high importance level can be erased even when the communication device 9 is stolen.

  FIG. 12 shows a circuit example of the storage unit 40. The storage element 43-1 is configured so that the power to the storage element can be cut off by the storage erasing means 42. When a memory erasure instruction is given to the memory erasure means 42, the memory erasure means 42 shuts off the power supply to the memory element 43-1 by a switch means such as an FET or a relay. As the memory element 43-1, a highly volatile memory such as SRAM or DRAM is used. The storage element 43-k is a storage element to which power is always supplied.

  With the configuration as shown in FIG. 12, the memory erasing means 42 can stop the power supply to a specific memory element and securely erase the memory contents of the memory element in response to a memory erasing instruction.

  For this reason, in operation, highly important data is stored in the storage element 43-1, which can be stored and erased, and inconvenient data or less important data when the contents are volatilized are constantly supplied with power 43. It is desirable to store in a storage element other than -1.

  Next, the memory erase operation according to the present embodiment will be described with reference to the sequence diagram of FIG.

  First, an authentication request arrives at the authentication unit 12 of the communication device 9 from the management server (PC 2) (step 260). After performing the process of confirming the authenticity of the management server, the authentication unit 12 issues an authentication response when it can be confirmed that the communication apparatus is an authorized apparatus (step 261). By performing the process of authenticating the management server, it becomes possible to avoid theft detection failure due to “spoofing”.

  When the communication device 9 enters a steady operation state, the data access unit 30 issues a heartbeat access to the storage unit 40 according to the fourth embodiment in order to issue a heartbeat (step 270). After a normal response from the storage unit 40 (step 271), the update detection means 31 of the data access unit 30 detects that there is an access (step 272). Thereafter, the update notification means 33 issues a heartbeat notification to the management server (step 273).

  At this time, the update notification means 33 sets a timer (not shown) that measures the time from the issuance of a heartbeat to the response thereto. If a response from the management server is not obtained before the timer counts a certain time, it is recognized as an abnormality such as a management server stop or theft.

  In response to the response in step 273, since the heartbeat response is obtained in step 274, the update notification means 33 initializes the timer and the process ends.

  Next, an example of heartbeat abnormality is shown.

  The data access unit 30 issues a heartbeat access to the storage unit 40 according to the fourth embodiment (step 280). After a normal response from the storage unit 40 (step 281), the update detection means 31 of the data access unit 30 detects that there is an access (step 283). Thereafter, the update notification means 33 issues a heartbeat notification to the management server (step 284).

  The update notification means 33 waits for a response within a certain time after issuing the heartbeat. At this time, a network packet may be lost in the middle of the network, so it is desirable to issue a heartbeat several times. If a response is not obtained after that, the update notification means 33 determines that there is an abnormality. The update notification means 33 issues a storage erasure instruction to the storage unit 40 (step 285), and the storage unit 40 executes storage erasure (step 286).

  As described above, when communication with the management server is interrupted, for example, even when the communication device 9 is stolen, the data in the communication device 9 can be deleted, and highly important data can be safely stored. It can be stored.

  Even if a thief tries to take out the communication device 9 while impersonating the connection with the management server, it is configured not to receive a response from the unauthenticated management server. Can be deleted.

  The heartbeat generation unit 35 and the update notification unit 33 may be integrated as a heartbeat notification unit. In this case, the heartbeat notification means sends out heartbeats at a predetermined time interval without using the update detection means 31, and if a response to the heartbeat is not obtained within the predetermined time, Similarly, it is possible to instruct the memory unit 40 to erase the memory.

The block diagram showing the structure of the secure communication apparatus in 1st embodiment by this invention, and the outline | summary of a system are shown. 1 shows a configuration example of a communication apparatus according to a first embodiment. 6 shows a flowchart of the operation of the path control unit 20 according to the first embodiment. The structure of the database of the detection rule by Example 1 is shown. 2 illustrates a configuration of a database of a notification destination DB according to the first embodiment. 6 shows a flowchart of the operation of the data access unit 30 according to the first embodiment. FIG. 3 is a sequence diagram illustrating an operation of the communication device according to the first embodiment. The structural example of the secure communication apparatus in 2nd embodiment by this invention is shown. The block diagram showing the structure of the secure communication apparatus in 3rd embodiment by this invention is shown. The block diagram showing the structure of the secure communication apparatus in 4th Embodiment by this invention is shown. The block diagram showing the structure of the secure communication apparatus in 5th Embodiment by this invention is shown. 12 shows a circuit example of a storage unit 40 according to a fifth embodiment. FIG. 10 shows a sequence diagram of an operation of a communication device according to Embodiment 5.

Explanation of symbols

1,1 ', 7,8,9 Communication device 2 PC
3, 4 Network 5 Controller 6 Storage device 10, 11 Communication IF
12, 13 Authentication unit 20, 21 Path control unit 30 Data access unit 31 Update detection unit 32 Detection rule 33 Update notification unit 34 Notification destination DB
35 Heartbeat generating means 40 Storage units 41, 43 Storage element 42 Storage erasing means 50 CPU
51 Internal bus 52 RAM
53 Non-volatile memory 54 OS
55 Data IF

Claims (14)

In the communication apparatus have a plurality of communication I / F, for connecting between different networks by the plurality of communication I / F,
A path control unit that determines whether to use or discard the communication data from the communication data address or the communication data type between the first communication I / F and the second communication I / F;
A storage unit for storing a part of the communication data;
A data access unit that interprets communication data from the path control unit and converts a part of the communication data into writing to or reading from the storage unit;
Update detecting means for detecting writing or reading of data with respect to the storage unit;
Update notification means that is notified by the update detection means and notifies the presence or absence of data update to a predetermined computer via the first or second communication I / F ,
The update detection means includes
It has a detection rule database that holds a plurality of combinations of access patterns to the storage unit by the data access unit, and detects whether writing or reading to the storage unit is included in an access pattern recorded in the detection rule database And
The update notification means includes
The communication apparatus , wherein when the write or read to the storage unit is included in the access pattern, the presence or absence of data update is notified to the predetermined computer . The communication device according to claim 1.
The update notification means includes
It has a notification destination database that holds the destination for notification of update notifications,
A communication apparatus that transmits an update notification to a destination in the notification destination database according to information notified from the update detection means. In the communication apparatus of Claim 1 or Claim 2 ,
The communication device includes a data interface for transmitting and receiving data to a storage element external to the communication device. In the communication apparatus have a plurality of communication I / F, for connecting between different networks by the plurality of communication I / F,
A first authentication unit that authenticates a communication partner in communication from the first communication I / F;
A second authentication unit that authenticates a communication partner in communication from the second communication I / F;
A path control unit that determines whether to use or discard the communication data from the communication data address or the communication data type between the first authentication unit and the second authentication unit;
A storage unit for storing a part of the communication data;
A data access unit that interprets communication data from the path control unit and converts a part of the communication data into writing to or reading from the storage unit;
Update detecting means for detecting writing or reading of data with respect to the storage unit;
Update notification means that is notified by the update detection means and notifies the presence or absence of data update to a predetermined computer via the first or second communication I / F ,
The update detection means includes
Whether the data access unit has a detection rule database that holds a plurality of combinations of access patterns to the storage unit, and whether writing to or reading from the storage unit is included in the access pattern recorded in the detection rule database. Detect
The update notification means includes
The communication apparatus , wherein when the write or read to the storage unit is included in the access pattern, the presence or absence of data update is notified to the predetermined computer . In a communication system that connects multiple networks to which multiple computers belong,
Communication device for connecting between the plurality of networks includes a plurality of communication I / F,
A path control unit that determines whether to use or discard the communication data from the communication data address or the communication data type between the first communication I / F and the second communication I / F;
A storage unit for storing a part of the communication data;
A data access unit that interprets communication data from the path control unit and converts a part of the communication data into writing to or reading from the storage unit;
Update detecting means for detecting writing or reading of data with respect to the storage unit;
The update detecting unit is from notification and a update notification means for notifying the presence or absence of data update to the predetermined computer via the first or second communication I / F, it belongs to the plurality of network at least one computer Transmits communication data to the communication device at predetermined time intervals,
The communication device transmits a notification of the data update to a predetermined computer ,
The update detection means includes
Whether the data access unit has a detection rule database that holds a plurality of combinations of access patterns to the storage unit, and whether writing to or reading from the storage unit is included in the access pattern recorded in the detection rule database. Detect
The update notification means includes
When writing to or reading from the storage unit is included in the access pattern, the predetermined computer is notified of the presence or absence of data update,
A communication system characterized by the above. The communication system of claim 5 ,
The update notification means includes
It has a notification destination database that holds the destination for notification of update notifications,
A communication system, wherein an update notification is transmitted to a destination of the notification destination database in accordance with information notified from the update detection means. In the communication system according to claim 5 or 6 ,
The communication system comprising a data interface for transmitting and receiving data to a storage element external to the communication device. In the communication apparatus have a plurality of communication I / F, for connecting between different networks by the plurality of communication I / F,
A path control unit that determines whether to use or discard the communication data from the communication data address or the communication data type between the first communication I / F and the second communication I / F;
A storage unit for storing a part of the communication data;
A data access unit that interprets communication data from the path control unit and converts a part of the communication data into writing to or reading from the storage unit;
Update detecting means for detecting writing or reading of data with respect to the storage unit;
Update notification means for notifying the presence / absence of data update to a predetermined computer via the communication interface of 1 or 2 notified from the update detection means;
Heartbeat generating means for executing writing or reading of predetermined data at a predetermined time interval in the storage unit ,
The update detection means includes
Whether the data access unit has a detection rule database that holds a plurality of combinations of access patterns to the storage unit, and whether writing to or reading from the storage unit is included in the access pattern recorded in the detection rule database. Detect
The update notification means includes
The communication apparatus , wherein when the write or read to the storage unit is included in the access pattern, the presence or absence of data update is notified to the predetermined computer . The communication device according to claim 8 .
When the update detection unit detects data access to the storage unit of the heartbeat generation unit,
The communication apparatus transmits the data update notification to a predetermined computer. In the communication apparatus have a plurality of communication I / F, for connecting between different networks by the plurality of communication I / F,
A path control unit that determines whether to use or discard the communication data from the communication data address or the communication data type between the first communication I / F and the second communication I / F;
A storage unit for storing a part of the communication data or erasing the storage;
A data access unit that interprets communication data from the path control unit and converts a part of the communication data into writing to or reading from the storage unit;
Update detecting means for detecting writing or reading of data with respect to the storage unit;
Update notification means notified from the update detection means for notifying the presence or absence of data update to a predetermined computer via the first or second communication I / F;
A heartbeat notification means for transmitting a heartbeat to a predetermined computer;
When the heartbeat response from the computer is not obtained within a predetermined time, the heartbeat notification means issues a storage erasure instruction to the storage unit ,
The update detection means includes
Whether the data access unit has a detection rule database that holds a plurality of combinations of access patterns to the storage unit, and whether writing to or reading from the storage unit is included in the access pattern recorded in the detection rule database. Detect
The update notification means includes
The communication apparatus , wherein when the write or read to the storage unit is included in the access pattern, the presence or absence of data update is notified to the predetermined computer . The communication device according to claim 10 .
A heartbeat generating means for executing a write or read a predetermined data at a predetermined time interval before term memory unit,
The heartbeat notification means issues a memory erasure instruction to the storage unit when a heartbeat response from the computer is not obtained within a predetermined time. In a communication system that connects multiple networks to which multiple computers belong,
Communication device for connecting between the plurality of networks includes a plurality of communication I / F,
A path control unit for determining whether to use or discard the communication data from the communication data address or the communication data type between the first communication I / F and the second communication I / F;
A storage unit that stores the communication data in the storage element; a storage unit that includes a storage erasing unit that erases the contents of the storage element;
A data access unit that interprets communication data from the path control unit and converts a part of the communication data into writing to or reading from the storage unit;
Update detecting means for detecting writing or reading of data with respect to the storage unit;
Update notification means notified from the update detection means for notifying the presence or absence of data update to a predetermined computer via the first or second communication I / F;
Heartbeat generating means for executing writing or reading of predetermined data at predetermined time intervals in the storage unit,
When the heartbeat response from the computer is not obtained within a predetermined time, the heartbeat notification means issues a storage erasure instruction to the storage unit ,
The update detection means includes
Whether the data access unit has a detection rule database that holds a plurality of combinations of access patterns to the storage unit, and whether writing to or reading from the storage unit is included in the access pattern recorded in the detection rule database. Detect
The update notification means includes
A communication system , wherein when the access pattern includes writing or reading to the storage unit, the predetermined computer is notified of the presence or absence of data update . In the communication apparatus have a plurality of communication I / F, for connecting between different networks by the plurality of communication I / F,
A path control unit that determines whether to use or discard the communication data from the communication data address or the communication data type between the first communication I / F and the second communication I / F; ,
A storage unit having a plurality of storage elements and storing a part of the communication data;
A data access unit that interprets communication data from the path control unit and converts a part of the communication data into writing to or reading from the storage unit;
Update detecting means for detecting writing or reading of data with respect to the storage unit;
Update notification means notified from the update detection means to notify the presence or absence of data update to a predetermined computer via the first or second communication I / F,
The storage unit selects the plurality of storage elements according to the importance of data to be stored ,
The update detection means includes
Whether the data access unit has a detection rule database that holds a plurality of combinations of access patterns to the storage unit, and whether writing to or reading from the storage unit is included in the access pattern recorded in the detection rule database. Detect
The update notification means includes
The communication apparatus , wherein when the write or read to the storage unit is included in the access pattern, the presence or absence of data update is notified to the predetermined computer . The communication device according to claim 13 .
The communication device includes a data interface for transmitting and receiving data to a storage element external to the communication device.

Images