JP5163984B2 - Quarantine control device, quarantine control computer program, communication interruption method, terminal device, agent computer program, computer program, and erroneous learning processing method - Google Patents

Description

  The present invention relates to a quarantine control device and the like used for network quarantine.

Network quarantine eliminates network access by unauthorized unauthorized terminal devices such as PCs. Non-patent document 1 discloses a method for performing such network quarantine.
InterSec / NQ30b, [online], NEC, [searched October 1, 2008], Internet <http://www.express.nec.co.jp/pcserver/products/appliance/nq/index.html>

Here, in the previous application (Japanese Patent Application No. 2007-119127), the present applicant discloses that the quarantine control device performs a communication blocking process on a target terminal device that is required to block communication. ing.
The jamming process in the previous application is performed by the quarantine controller broadcasting a pseudo ARP response in which the source IP address is the IP address of the jamming target terminal device and the source MAC address is a fake MAC address. .

  By transmitting the pseudo-ARP response by broadcast, the other terminal devices in the network learn the MAC address of the terminal device to be disturbed by mistake. As a result, communication to the target terminal device for interference is interrupted.

  As a result of further studies by the present inventors, there is a terminal device that cannot mislearn the MAC address of the terminal device to be disturbed in broadcast transmission of a pseudo ARP response, and the intended communication interference cannot be performed. I found out that there was something. However, even if the terminal device cannot be erroneously learned, if the pseudo-ARP response is transmitted by unicast, the MAC address of the interference target terminal device can be erroneously learned.

The phenomenon of no false learning in the broadcast transmission of the pseudo ARP response occurs when the OS installed in the terminal device is Windows Vista and Windows Server 2008 (hereinafter referred to as “Vista-based OS”) (Windows, Windows Vista, and Vista). Is a registered trademark, and so on).
Assuming from the packets actually transmitted / received by the Vista-based OS, when receiving a broadcast ARP response, the Vista-based OS does not immediately learn the MAC address included in the ARP response, but the source of the ARP response It is presumed that the IP address is used as a clue to perform processing for confirming the MAC address with respect to the transmission source of the ARP response.
In addition, in a version earlier than the Vista-based OS, such as Windows XP (registered trademark), and other OSs other than the Vista-based OS, erroneous learning can be performed by the broadcast pseudo-ARP.

Assuming that a terminal device having an OS that cannot mislearn the MAC address of the target device to be disturbed in broadcast transmission of a pseudo ARP response like a Vista-based OS, the pseudo ARP response is , Need to send by unicast.
However, when a pseudo ARP response is transmitted to each terminal device by unicast, there arises a problem that the communication amount of packets and the processing amount of the quarantine control device increase. That is, every time there is one obstruction target terminal device, a unicast pseudo-ARP response is transmitted to all the terminal devices in the network, and is proportional to the product of the number of terminal devices in the network and the obstruction target terminal device. The load increases.

  Therefore, an object of the present invention is to suppress an increase in the amount of packet communication and the amount of processing performed by a quarantine control device while performing pseudo-ARP response transmission to a terminal device by unicast.

[Quarantine control device]
(1) The present invention is a quarantine control device including a communication disturbing unit that performs a communication disturbing process on a target terminal device that is required to interfere with communication among terminal devices connected to a network, The communication disturbing unit broadcasts and transmits a pseudo ARP response in which a transmission source IP address is an IP address of the interference target terminal device and a transmission source MAC address is a fake MAC address other than the MAC address of the interference target terminal device. 1 pseudo ARP response transmitter, a pseudo ARP response in which the source IP address is the IP address of the target terminal device to be disturbed and the source MAC address is a pseudo MAC address other than the MAC address of the target terminal device to be disturbed. Broadcast by the second pseudo ARP response transmitter for transmitting the cast and the first pseudo ARP response transmitter In the received pseudo ARP response, an identification unit that identifies a mis-learning-incapable terminal device that cannot mislearn the MAC address of the interference target terminal device, and the second pseudo ARP response transmission unit includes: The quarantine control device is characterized in that the pseudo-ARP response is unicast transmitted to a terminal device identified as a terminal device that cannot be mislearned by an identification unit.

  According to the present invention, the pseudo-ARP response broadcast transmission and the unicast transmission are used together, and the pseudo-ARP response broadcast transmission transmits unicast to a terminal device that cannot be mislearned. Therefore, even if the pseudo ARP response transmission to the terminal device is performed by unicast, an increase in the communication amount and the processing amount can be suppressed.

(2) It is preferable that the said identification part is provided with the exclusion means which excludes the predetermined | prescribed terminal device from the object which unicast-transmits the said pseudo | simulated ARP response among the said mislearning impossible terminal devices. In this case, a terminal device that does not require a unicast pseudo-ARP response can be excluded from the target of unicast transmission, and an increase in communication amount and processing amount can be suppressed.

(3) The terminal device excluded by the exclusion means is a terminal device that cannot be mis-learned with an agent installed therein, and the agent is the MAC of the terminal device to be disturbed with respect to the terminal device that cannot be mis-learned with the agent installed. It is preferable to perform a mislearning process that mislearns the address. In this case, since the agent can perform an erroneous learning process on the terminal device, the terminal device on which the agent is mounted can be excluded from the target of unicast transmission, and an increase in communication amount and processing amount can be suppressed. The agent is a dedicated program that resides in each terminal device under the network.

(4) An excluded terminal device list indicating an excluded terminal device excluded from a target for unicast transmission of the pseudo ARP response is provided, and the terminal device excluded by the excluding unit is an excluded terminal device indicated in the excluded terminal device list. Preferably there is. In this case, if a terminal device that does not need to transmit a unicast pseudo-ARP response is registered in the excluded terminal device list, even a terminal device that cannot be erroneously learned can be excluded from the target of unicast transmission. An increase in processing amount can be suppressed.

(5) It is preferable that the terminal device excluded by the exclusion means is a terminal device other than the communication counterpart of the interference target terminal device. Even if the terminal device other than the communication partner of the interference target terminal device does not unicast the pseudo ARP response, a problem does not occur immediately. Thus, by excluding terminal devices other than the communication partner of the interference target terminal device from the targets of unicast transmission, it is possible to suppress an increase in communication amount and processing amount.

(6) The exclusion means may be configured to perform the jamming in the first jamming process after the jamming target terminal device changes state from a non-jamming target terminal device that does not need jamming to a jamming target terminal device that requires jamming. The terminal device other than the communication partner of the target terminal device is not excluded from the target for unicast transmission of the pseudo ARP response, and during the second and subsequent disturbance processing after the state transition, It is preferable that a terminal device other than the communication partner is excluded from a target for unicasting the pseudo ARP response.
In the first disturbance process after a state transition from a non-disturbed target terminal device that does not require interference to a disturbed terminal device that requires disturbance, each terminal device on the network sets the MAC address of the disturbed terminal device. There is a possibility that it has already been recognized. For this reason, in the first disturbance processing after the state transition, the terminal device other than the communication partner of the interference target terminal device is not excluded from the target for unicast transmission of the pseudo ARP response, and is excluded after the second time. Therefore, reliable interference can be performed.

(7) A communication partner table for storing the interference target terminal device and its communication partner is provided, and the exclusion means recognizes the communication partner of the interference target terminal device by referring to the communication partner table. Is preferred. In this case, the communication partner can be easily grasped.

(8) The second pseudo ARP response transmitter, when a terminal device that has erroneously learned the MAC address of the interference target terminal device makes an ARP request to confirm the MAC address of the interference target terminal device, The pseudo ARP response is preferably transmitted to the terminal device that has transmitted the request. In this case, the quarantine control apparatus can respond to the confirmation with a pseudo ARP response, and can maintain the erroneous learning state.

(9) The communication jamming unit is configured to perform a jamming process at the time of communication detection of the jamming target terminal device and to periodically execute the jamming process at the time of the communication detection of the jamming target terminal device. The pseudo-ARP response unicast transmission is performed together with the pseudo-ARP response broadcast transmission, and the pseudo-ARP response broadcast transmission is performed without performing the pseudo-ARP response unicast transmission in the periodic interference processing. Is preferred. In this case, since the unicast transmission is not performed in the periodic interference process, the communication amount and the processing amount can be suppressed.

(10) The information processing apparatus includes an acquisition unit that acquires, from the terminal device, identification information for identifying whether the terminal device is the mis-learnable terminal device, and the identification unit acquires the identification information acquired by the acquisition unit. It is preferable to identify a terminal device that cannot be erroneously learned based on the information. In this case, the quarantine control device can easily identify the terminal device that cannot be erroneously learned.

(11) It is preferable that the identification unit identifies a terminal device that cannot be erroneously learned according to the type of OS that the terminal device has.

(12) It is preferable that a transmission unit that transmits information indicating the terminal device to be interfered to the agent mounted on the terminal device is provided. In this case, the agent can perform an erroneous learning process based on information indicating the disturbance target terminal device.

(13) The transmission means may be configured to cause the terminal device to perform a state transition from a non-disturbing target terminal device that does not need to be disturbed to a disturbing target terminal device that needs to be disturbed or from a disturbing target terminal device that needs to be disturbed. When a state transition is made to a non-disturbing target terminal device that is not necessary, it is preferable to transmit information indicating the disturbing target terminal device. In this case, when the state transition occurs, the agent can acquire information indicating the disturbance target terminal device, and can perform an erroneous learning process at an appropriate timing.

[Quarantine control computer program]
(14) The present invention viewed from another viewpoint is a quarantine control computer program for causing a computer to function as the quarantine control device according to any one of (1) to (13).

[Communication blocking method]
(15) From another viewpoint, the present invention is a communication interference method for performing communication interference processing on a target terminal device that is required to interfere with communication among terminal devices connected to a network. In the process, the pseudo-ARP response in which the transmission source IP address is the IP address of the disturbance target terminal device and the transmission source MAC address is a fake MAC address other than the MAC address of the disturbance target terminal device is broadcast and transmitted. In the pseudo ARP response broadcast-transmitted by the first pseudo ARP response transmission unit, the source IP address is the target to be disturbed with respect to a terminal device that cannot be mis-learned, which cannot mislearn the MAC address of the terminal device to be disturbed. The IP address of the terminal device, and the source MAC address is the MA of the target terminal device to be disturbed Pseudo ARP reply is false MAC address other than the address, is a communication disturbing method, characterized by unicast transmission. Note that the transmission order of broadcast transmission and unicast transmission is not particularly limited.

(16) In the disturbance processing, it is preferable that the terminal device is identified by acquiring information indicating whether or not the terminal device is a terminal device that cannot be erroneously learned from the terminal device.

[Terminal device]
(17) Another aspect of the present invention is a terminal device in which an agent is installed, and the agent has a fake MAC address other than the MAC address of a target terminal device to be disturbed, The terminal device is characterized in that it includes a mislearning processing unit that causes the terminal device on which the agent is installed to perform mislearning that the interference target terminal device is the MAC address. In this case, the agent can cause the terminal device to mislearn the MAC address of the terminal device to be disturbed. Therefore, it is not necessary to perform unicast transmission of the pseudo ARP response to the terminal device on which the agent is mounted, and an increase in communication amount and processing amount can be suppressed.

(18) It is preferable that the agent includes means for acquiring information indicating the terminal device to be disturbed from the outside of the terminal device through a network. In this case, the agent can easily obtain information indicating the terminal device to be disturbed.

(19) It is preferable that the agent acquires information indicating a terminal device to be disturbed from the quarantine control device according to (12) or (13). In this case, the agent can easily obtain information indicating the terminal device to be disturbed.

(20) From another viewpoint, the present invention is a terminal device on which an agent is mounted, and the agent is mounted on the quarantine control device according to any one of (1) to (13). The terminal device is characterized by comprising a transmission means for transmitting information indicating whether or not the terminal device is an erroneous learning impossible terminal device. In this case, the quarantine control device can acquire information indicating whether or not the terminal device is a mis-learning terminal device from the terminal device.

(21) The transmission unit transmits the OS type of the terminal device on which the agent is installed as information indicating whether or not the terminal device on which the agent is installed is the mis-learning impossible terminal device. Is preferred.

[Agent computer program]
(22) The present invention viewed from another viewpoint is an agent computer program for causing a computer to function as the agent described in any one of (17) to (21).

[Computer program]
(23) From another viewpoint, the present invention provides a quarantine control computer program for causing a computer to function as the quarantine control device according to any one of (1) to (13), and the computer ( 17) to the agent computer program for functioning as an agent according to any one of (21), a computer program comprising.

[Incorrect learning method]
(24) The present invention viewed from another viewpoint is a false learning processing method in a terminal device on which an agent is mounted, and the agent is a false address other than the MAC address of the target terminal device that is required to interfere with communication. A mislearning processing method characterized in that mislearning that the MAC address is the MAC address of the interference target terminal device is performed for the terminal device on which the agent is mounted.

[Communication blocking method]
(25) The present invention viewed from another point of view relates to a terminal device to be obstructed that requires communication interruption among the terminal devices in a quarantine system in which a quarantine control device and a terminal device are connected via a network. A method for performing communication interruption, wherein a pseudo ARP response is obtained in which a transmission source IP address is an IP address of the interference target terminal apparatus and a transmission source MAC address is a fake MAC address other than the MAC address of the interference target terminal apparatus. A unicast transmission step in which the quarantine control device performs unicast transmission, and an error that causes the agent installed in the terminal device to mislearn the MAC address of the terminal device to be disturbed to the terminal device in which the agent is installed. A mislearning process step of performing a learning process, wherein the unicast transmission step includes: A terminal device other than the terminal device, and the agent to the terminal device which is not mounted, a communication jamming method and transmits the pseudo ARP unicast response cast.
According to the above invention, a unicast pseudo-ARP response is not transmitted to the terminal device on which the agent is mounted, and erroneous learning is performed in the terminal device by the agent. Therefore, the number of terminal devices that require unicast transmission of the pseudo ARP response can be reduced. Therefore, even if the pseudo ARP response transmission to the terminal device is performed by unicast, an increase in the communication amount and the processing amount can be suppressed.

[Quarantine control device]
(26) From another viewpoint, the present invention relates to a quarantine control apparatus including a communication disturbing unit that performs a communication disturbing process on a target terminal apparatus that is required to interfere with communication among terminal apparatuses connected to a network. The communication jamming unit sends a pseudo ARP response in which the source IP address is the IP address of the jamming target terminal device, and the source MAC address is a fake MAC address other than the MAC address of the jamming target terminal device, A pseudo ARP response transmission unit that performs unicast transmission, and the pseudo ARP response transmission unit transmits the pseudo ARP response to a terminal device other than the target terminal device to be interfered with and not equipped with an agent. And the agent misidentifies the MAC address of the terminal device to be disturbed with respect to the terminal device on which the agent is mounted. A quarantine control device which is characterized in that performs erroneous learning process for. According to the present invention, a unicast pseudo ARP response is not transmitted to a terminal device on which an agent is mounted, and erroneous learning is performed in the terminal device by the agent. Therefore, the number of terminal devices that require unicast transmission of the pseudo ARP response can be reduced. Therefore, even if the pseudo ARP response transmission to the terminal device is performed by unicast, an increase in the communication amount and the processing amount can be suppressed.

  According to the present invention, even if the pseudo ARP response transmission to the terminal device is performed by unicast, it is possible to suppress an increase in communication amount and processing amount.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[1. Overall configuration of the quarantine system]
FIG. 1 shows the entire quarantine system 1. The quarantine system 1 includes a network (TCP / IP network) such as a LAN, a quarantine control device 2 that performs network quarantine control, terminal devices 3a and 3b that are subject to quarantine such as a PC that is subject to network quarantine, and quarantine management. The server 4 is connected. In addition, when not distinguishing in particular the some quarantine target terminal device 3a, 3b, it will generically call "quarantine target terminal device 3".

Further, in the same network segment N to be quarantined by the quarantine control device 2, a fixture such as a printer 7 that does not function as the quarantine target terminal devices 3 a and 3 b but can be a quarantine target, and also a quarantine target terminal device 3 a , 3b may not exist, but there may be a terminal device 8 such as a PC that can be a quarantine target. Further, the quarantine target terminal device 3, the fixtures such as the printer 7, and the terminal device 8 are common in terms of the “terminal device” in the network. Therefore, these are collectively referred to as “terminal device” as necessary. Sometimes it is.
FIG. 1 shows the in-house server 5 and the router 6, but these are components not directly related to the quarantine system 1.

[2. Quarantine system computer program set]
The quarantine control device 2, the quarantine target terminal device 3, and the quarantine management server 4 are configured by a computer that can execute a computer program, and a storage unit (not shown) such as a hard disk or a memory in which the computer program is stored. And a calculation unit (not shown) such as a CPU for executing the computer program.

As shown in FIG. 1, a quarantine control computer program P1 is installed in the quarantine control apparatus 2. The agent computer program P2 is installed in the quarantine target terminal device 3. By installing the agent computer program P in the terminal device 3, the terminal device 3 functions as an agent.
The quarantine management server 4 is installed with a quarantine management computer program P3.
These computer programs P1, P2 and, if necessary, P3 are collectively referred to as a quarantine system computer program set.
Of the devices in the network segment N, the agent computer program P2 is not installed in the fixture such as the printer 7 or the terminal device 8.

As shown in FIG. 2, the quarantine system computer program set is recorded on one or a plurality of computer-readable recording media (CD-ROM or the like) C1, C2, C3 and provided to the user of the quarantine system. The quarantine system computer program set or individual computer programs P1, P2, and P3 are provided to the user by the devices 2, 3, and 4 downloading the computer programs P1, P2, and P3 from a program providing server (not shown) on the Internet. It may be done by doing.
Further, the quarantine control computer program P1 can be provided to the user in a state preinstalled in the quarantine control device 2 instead of the portable recording medium C2 such as a CD-ROM.

[3. Quarantine control device 2]
The quarantine control device 2 is configured by installing a quarantine control computer program P1 on a computer in which an OS (for example, Windows (registered trademark), Linux (registered trademark)) that supports network communication by TCP / IP is installed. . In addition, when Windows (registered trademark) is adopted as the OS of the quarantine control apparatus 2, the version is not particularly limited.

FIG. 3 shows various functions as the quarantine control apparatus 2 exhibited by the computer when the quarantine control computer program P1 is executed by the computer.
As shown in FIG. 3, the quarantine control device 2 includes an inspection unit 210, a determination unit 220, a terminal information table 230, a table update unit 240, a communication monitoring unit (ARP request monitoring unit) 250, a communication blocking unit 260, and a communication normalization. Unit 270, exception communication unit 280, unregistered terminal device processing unit 290, and first terminal information table transmission unit 295.

[3.1 Terminal information table 230]
Details of the terminal information table 230 of FIG. 3 are shown in FIG. The terminal information table 230 is used for determining whether or not the communication processing of the terminal device on the network is necessary, and includes a first terminal information table 230a and a second terminal information table 230b.
Note that the second terminal information table 230b includes a permitted terminal information table 233, a prohibited terminal information table 234, and an exception information table 235.

[3.1.1 First terminal information table 230a]
The first terminal information table 230a is an area for holding information acquired from a terminal device by an agent ping described later.
In this first terminal information table 230a, an area 230a-1 for storing the IP address of the terminal apparatus, an area 230a-2 for storing the MAC address of the terminal apparatus, and an area for storing the ID of the agent installed in the terminal apparatus 230a-3, an area 230a-4 for storing information (terminal information) indicating whether the terminal device is a passing terminal or an isolated terminal, and an area for storing information (OS information) indicating the type of OS the terminal apparatus has 230a-5 and an area 230a-6 for storing information indicating the presence or absence of an agent ping response.

The terminal information in the area 230a-4 indicates whether the inspection result of the quarantine target terminal device 3 inspecting its internal state according to a predetermined inspection policy is “pass” or “isolation” (= “fail”). It is information which shows. Hereinafter, the terminal device in which “pass” is recorded as the terminal information of the area 230a-4 is referred to as “passed terminal”. Hereinafter, the terminal device in which “quarantine” is recorded as the terminal information in the area 230a-4 is referred to as “quarantine terminal”.
The terminal device inspection result (inspection policy check result) is acquired from the quarantine target terminal device (agent computer program P2) 3 by an “agent ping” function described later.
In addition, the terminal information in the area 230a-4 is “isolated” in addition to the case where the inspection result of the terminal device is “isolation”, the case where the agent computer program P2 is not installed, and the other isolation. This is when communication should be interrupted.

  The OS information of the area 230a-5 is acquired from the quarantine target terminal device (agent computer program P2) 3 by the “agent ping” function. This OS information is used for identifying whether or not the terminal device is a terminal device that cannot be erroneously learned (details will be described later).

  The area 230a-6 is used to record whether or not there is a response from the agent function (function by the agent computer program P2) of the terminal device when the terminal device is confirmed by the agent ping function. By providing this area 230a-6, it is determined whether the quarantine terminal has been quarantined based on the inspection result, or whether the quarantine terminal has been quarantined because the agent computer program P2 is not installed and thus cannot receive an agent ping response. Can be distinguished.

[3.1.2 Second terminal information table]
[3.1.2.1 Permitted terminal information table 233]
The permitted terminal information table 233 is an area that always holds list information (a list of MAC addresses or IP addresses) of terminal devices that allow normal network communication. Here, the terminal device registered in the permitted terminal information table 233 is referred to as “permitted terminal”.

The permitted terminal may be a fixture such as the printer 7 or a terminal device 8 equipped with an OS that does not support the agent computer program P2. In addition, the permitted terminal may include the quarantine target terminal device 3. For terminal devices that are permitted terminals, communication is permitted regardless of the inspection result or the presence or absence of the inspection result.
The authorized terminal information is acquired from the quarantine management server 4 by a “management communication function” described later.

[3.1.2.2 Prohibited terminal information table 234]
The prohibited terminal information table 234 is an area for holding list information (a list of MAC addresses or IP addresses) of terminal devices that unconditionally prohibit (disturb) normal communication. Here, the terminal device registered in the prohibited terminal information table 234 is referred to as a “prohibited terminal”. For terminal devices that are prohibited terminals, it is determined that interference processing is necessary regardless of the inspection result received from the terminal device.
The prohibited terminal information is acquired from the quarantine management server 4 by a “management communication function” described later.

[3.1.2.3 Exception information table 235]
The exception information table 235 is a list of exceptional communication partners (IP address list) that can be communicated from the quarantine target terminal device 3 whose inspection result of the quarantine target terminal device is “quarantine” (= “fail”). ).
The exception information table is acquired from the quarantine management server 4 by a “management communication function” described later.

[3.1.3 Description of terminal information table]
The first terminal information table 230a is a table whose contents are updated based on the agent ping response.
On the other hand, the permitted terminal information table 233, the prohibited terminal information table 234, and the exception information table 235 constituting the second terminal information table 230b are obtained from the quarantine management server 4.

[3.2 Main functions of quarantine controller]
The main functions of the quarantine control apparatus 2 are an agent ping function, a communication function for management performed with the quarantine management server 4, and a network communication control function for performing communication disturbance processing in the network. This is realized by each unit shown in FIG.

[3.2.1 Agent ping function (inspection result transmission request function) of quarantine controller]
The quarantine control apparatus 2 has “agent ping” as a unique network protocol. The agent ping requests the quarantine target terminal device 3 to transmit the inspection result.
Processing related to the agent ping is performed by the inspection unit (agent ping function unit) 210 illustrated in FIG.

  The inspection unit 210 includes an agent ping transmission unit (inspection result transmission request unit) 211 that transmits an agent ping (inspection result transmission request). The agent ping transmission unit 211 transmits an agent ping to a terminal device that requires a test result.

  The agent ping transmission timing and the like are managed by the agent ping transmission management unit 212. For example, the agent ping transmission is periodically performed on the terminal device registered in the first terminal information table 230a, and is also unknown to the quarantine control device 2 (registered in any terminal information table). This is also performed when the communication monitoring unit 250 captures that communication data from a non-terminal device is flowing on the network. Details of these agent ping transmission timings will be described later.

When the quarantine target terminal device 3 (the agent computer program P2) receives the request from the agent ping, the inspection result is transmitted as an “agent ping response”. This response is received by the agent ping response reception unit (inspection result reception unit) 213 of the inspection unit 210. The agent ping response includes the IP address, MAC address, agent ID, terminal information (inspection result), and OS information that are information to be registered in the first terminal information table 230a.
The agent ping response receiving unit 213 is also an acquisition unit that acquires OS information (identification information for identifying whether or not the terminal is an unlearnable terminal) in order to receive the OS information of the terminal device.

The quarantine control device 2 analyzes the agent ping response and determines the state (passed / isolated) of the terminal device based on the received terminal information (inspection result). In addition, the quarantine control apparatus 2 registers the IP address, MAC address, agent ID, terminal information (inspection result), OS information, and information with an agent ping response included in the agent ping response in the first terminal information table 230a. To do. In addition, for the terminal device 8 that does not receive an agent ping response even if the agent ping is transmitted, the terminal device 8 is set as a quarantine terminal, and information including no agent ping response is included in the first terminal information table 230a. be registered.
The determination of the terminal device is performed by the determination unit 220 of the quarantine control device 2, and the registration to the first terminal information table 230a is performed by the table update unit 240 (see FIG. 3).

  Further, the inspection unit 210 includes an agent ping start request reception unit (start request reception unit) 214 that receives a request to start transmission of an agent ping from the quarantine target terminal device 3. When the quarantine control device 2 receives the agent ping start request, the agent ping is transmitted to the quarantine target terminal device 3 that has transmitted the start request.

[3.2.2 Communication function for management of quarantine controller 2]
The quarantine control apparatus 2 communicates with the quarantine management server 4 among the terminal information table 230, the second terminal information table 230b (permitted terminal information table 233, prohibited terminal information table 234, exception information table 235) and a static information described later. Each content of the target list table 263 can be exchanged. The exchange of the second terminal information table 230b and the static list table 263 is performed by the second terminal information table & static list table update unit (management communication unit) 242 of the quarantine control device 2 (see FIG. 3).
The second terminal information table & static list table updating unit 242 uses the contents of the second terminal information table 230b acquired from the quarantine management server 4 as table regions 233, 234 of the second terminal information table 230b of the quarantine control device 2. The contents of the static list table 263 acquired from the quarantine management server 4 are stored in the static list table 263 of the quarantine control apparatus 2.

  The contents of the second terminal information table 230b and the static list table 263 are maintained by the administrator on the quarantine management server 4 as will be described later, and from the quarantine management server 4 to the quarantine control apparatus 2 according to a request from the administrator. Sent. Further, the quarantine control device 2 (the second terminal information table & static list table update unit 242) may acquire the second terminal information table 230b from the quarantine management server 4 as necessary.

[3.2.3 Communication jamming function of quarantine controller 2]
The quarantine control apparatus 2 includes a communication disturbing unit 260 that performs communication obstruction for a terminal device that requires communication obstruction processing (see FIG. 3). The communication disturbing process is not performed for a terminal device (permitted terminal) whose MAC address or IP address is registered in the permitted terminal information table 233 or a terminal device (passed terminal) whose test result is passed.
Conversely, the terminal device (prohibited terminal) registered in the prohibited terminal information table 234, the terminal device (isolated terminal) whose inspection result is quarantine (= failed), or the inspection result cannot be specified without responding to the agent ping. The terminal device (isolation terminal) performs communication interference processing.

  However, when the communication partner of the prohibited terminal or the quarantine terminal is a device registered in the exception information table 235, the communication disturbance process is not performed only for the communication. For such exceptional communication permission, the quarantine control device 2 includes an exception communication unit 280 (see FIG. 3).

  In addition, the quarantine control device 2 can normalize communication when there is no need for the interference processing for the terminal device that has once performed the communication interference processing. For such communication normalization, the quarantine control device 2 includes a communication normalization unit 270 (see FIG. 3).

  Furthermore, since the quarantine control apparatus 2 causes the agent installed in the terminal apparatus to perform the communication interruption process, the first terminal information table transmission unit 295 for transmitting the contents of the first terminal information table 230a to each agent. It has. The communication jamming process by the agent will be described later.

[4. Quarantine target terminal device 3]
The quarantine target terminal device 3 is configured by installing an agent computer program P2 for inspecting the internal state of the computer in accordance with a predetermined inspection policy in a computer in which an OS supporting network communication by TCP / IP is installed. Yes.
The quarantine target terminal device 3 and the other terminal devices 7 and 8 in the network of this system include a terminal device having a Vista-based OS such as Windows Vista or Windows Server 2008 and a terminal device having a non-visita-based OS such as Windows XP. ing. However, the OS of the terminal device is not limited to the above. Windows, Windows Vista, and Vista are registered trademarks, and so on.

FIG. 5 shows various functions (functions as an agent) as the quarantine target terminal device 3 exhibited by the computer when the agent computer program P2 is executed by the computer.
As illustrated in FIG. 5, the quarantine target terminal device 3 includes an inspection control unit 310, an inspection policy reception unit 320, an inspection unit 330, and an erroneous learning processing unit 340.

The inspection control unit 310 performs control related to inspection processing such as timing at which the quarantine target terminal device 3 performs inspection according to a predetermined inspection policy. The inspection is performed, for example, periodically or as needed.
The inspection policy receiving unit 320 acquires an inspection policy from the quarantine management server 4 in advance. Note that the inspection policy receiving unit 320 may acquire the inspection policy when performing the inspection. Further, it is not necessary for the quarantine target terminal device 3 and the quarantine management server 4 to directly communicate at the time of inspection.

  The inspection unit 330 inspects the internal state of the computer (the quarantine target terminal device 3) in which the agent computer program P2 is installed according to a predetermined inspection policy (quarantine policy).

  The inspection policy includes, for example, whether or not the agent computer program P2 is the latest, whether or not inventory transmission from the agent to the quarantine management server 4 is performed, whether or not the automatic logon setting of the OS is disabled, the screen saver setting of the OS, Whether the password lock is enabled, whether the software designated by the administrator is installed in the quarantine target terminal device 3, whether the software designated to be prohibited by the administrator is installed in the quarantine target terminal device 3. Whether the anti-virus software real-time scanning function is enabled, whether the anti-virus software, the software engine and the software pattern file are up-to-date, S update, whether the latest OS monthly patch is applied, whether the specified file on the quarantine target terminal device 3 exists (or does not exist), quarantine target terminal device 3 Whether the specified OS registry key exists (or does not exist).

  The inspection execution unit 331 of the inspection unit 330 in the quarantine target terminal device 3 inspects the internal state of the quarantine target terminal device 3 according to the inspection policy. This inspection is performed periodically or as needed.

The inspection unit 330 includes an agent ping reception unit (inspection result transmission request reception unit) 332 that receives an agent ping from the quarantine control device 2 via a network, an agent ping response generation unit 333 that generates an agent ping response from the inspection result, When the agent ping is received, an agent ping response transmission unit (inspection result transmission unit) 334 that transmits an agent ping response to the quarantine control apparatus 2 is provided.
The agent ping response transmission unit 334 transmits a terminal IP address, a MAC address, an agent ID, and OS information in addition to the inspection result (terminal information) as an agent ping response. That is, the agent ping response transmission unit is also a means for transmitting the type of OS included in the terminal device on which the agent is installed.

  The inspection unit 330 of the quarantine target terminal device 3 includes an agent ping start request transmission unit (start request transmission unit) 335 that actively requests the quarantine control device 2 to start transmission of the agent ping. Once the quarantine target terminal device 3 receives the agent ping, the quarantine target terminal device 3 can acquire the MAC address and IP address of the quarantine control device 2 from the agent ping. A request to start transmission can be made to the quarantine control apparatus 2.

  For example, when the quarantine target terminal device 3 inspects itself, the agent ping transmission start request can be made each time the result is different from the previous inspection result. When the inspection result changes by the quarantine target terminal device 3 actively requesting the start of agent ping transmission, the quarantine control device 2 can immediately grasp the change in the result.

  The mislearning processing unit 340 is configured to operate the terminal information receiving unit 341 for receiving the contents of the first terminal information table 230a from the quarantine control device 2 and the ARP table to operate the ARP table (the OS installed in the terminal device). And an ARP table operation unit 342 for mislearning the MAC address of the terminal device. The mislearning process by the agent will be described later.

[5. Quarantine management server 4]
The quarantine management server (quarantine management computer) 4 is configured by installing a quarantine management computer program P3 on a computer in which an OS supporting network communication by TCP / IP is installed.

FIG. 6 shows various functions as the quarantine management server 4 exhibited by the computer when the quarantine management computer program P3 is executed by the computer.
As illustrated in FIG. 6, the quarantine management server 4 includes a table generation unit 410, a table transmission unit 420, an inspection policy generation unit 430, and an inspection policy transmission unit 440.

The table generation unit 410 allows the administrator to generate and / or manage the second terminal information table 230b (permitted terminal information table 233, prohibited terminal information table 234, exception information table 235) and static list table 263. Is.
The table transmission unit 420 is for transmitting the generated second terminal information table 230b and the static list table 263 to the quarantine control apparatus 2.

The inspection policy generation unit 430 is for an administrator to generate and / or manage an inspection policy.
The inspection policy transmission unit 440 is for transmitting the generated inspection policy to the quarantine target terminal device 2.

[6. Various processes in the quarantine system]
[6.1 ARP: Address Resolution Protocol]
One of the TCP / IP protocols supported by the OS installed in the quarantine control device 2 and the quarantine target terminal device 3 is ARP (Address Resolution Protocol). This ARP is a protocol for obtaining the MAC address of a terminal device from the IP address of a certain terminal device. ARP is a function supported by the OS, but will be described below because it is used in the quarantine system 1.

  FIG. 7 shows an outline sequence of ARP. Here, terminal A and terminal B having the IP address and the MAC address shown in FIG. 7 are assumed. FIG. 7 shows a process in which the terminal A acquires the MAC address of the terminal B from the IP address of the terminal B. It is assumed that terminal A has previously acquired the IP address of terminal B from DNS or the like.

  First, terminal A checks whether there is an entry for terminal B in its ARP table. If there is no entry, in order to acquire the MAC address of the terminal B, an Ethernet frame carrying an ARP request packet is broadcast to the network (step S1-1).

  All terminals in the same network segment including terminal B enter the IP address and MAC address of the transmission source (= terminal A) in their ARP table when receiving the ARP request packet (from terminal A). This entry is deleted if there is no communication with terminal A for a certain time. If terminal A has already been entered, the MAC address is overwritten with the latest information (step S1-2).

  The terminal that is requested for ARP (= terminal B) creates an ARP response packet in which its own IP address and MAC address are set in the transmission source information, and sends the ARP response packet to the original transmission source (= terminal A). It transmits to (step S1-3).

When the terminal A receives the ARP response packet (from the terminal B), the terminal A enters the IP address and MAC address of the transmission source (= terminal B) in its ARP table (step S1-4).
As described above, a certain terminal A can acquire the MAC address of another terminal B on the network.

[6.2 ARP request packet monitoring processing]
8 and 9 show a process in which the communication monitoring unit 250 of the quarantine control apparatus 2 monitors and captures an ARP packet flowing on the network, and the determination unit 220 determines whether or not the communication blocking unit 260 needs to block communication. Shows the flow.

  The communication monitoring unit (ARP request monitoring unit) 250 of the quarantine control device 2 includes an ARP request capturing unit 251 that captures broadcast ARP request packets that flow on the network (see FIG. 3). When the ARP request capturing unit 251 receives the broadcast ARP request packet (step S2-1), the transmission source IP address and MAC of the packet are determined from the ARP request packet received by the ARP request analysis unit 252 of the communication monitoring unit 250. An address and a destination IP address are acquired (step S2-2). Note that the destination MAC address cannot be known from the ARP request packet.

  When the ARP request analysis unit 252 acquires the transmission source information and the transmission destination information, the transmission source confirmation processing (step S2-3) and the transmission destination confirmation processing (steps S2-4 and S2-5) are performed by the quarantine control device 2. Is determined by the determination unit 220 or the like, and it is determined whether or not communication interruption is necessary for each of the transmission source and the transmission destination of the ARP request packet, and if necessary, disturbance processing is performed.

The determination unit 220 includes a first determination unit 220a that performs determination using the terminal information table 230, and a second determination unit 220b that performs determination using agent ping. In the processing, determination by each of the determination units 220a and 220b is performed.
As the destination confirmation process, a destination IP address confirmation process (step S2-4) and a destination MAC address confirmation process (step S2-5) are performed.

[6.2.1 Source Confirmation Process (Step S2-3)]
In the transmission source confirmation process, first, the first determination unit 220a confirms whether or not the transmission source IP address or MAC address of the ARP request packet is registered in the prohibited terminal information table 234 (step S2-3-1). . That is, it is determined whether or not the transmission source is a prohibited terminal.
If registered, the process proceeds to step S2-3-7, and if not registered, the process proceeds to step S2-3-2.

In step S2-3-2, the first determination unit 220a determines whether the transmission source is registered as an isolated terminal in the first terminal information table 230a based on the transmission source IP address or the MAC address of the ARP request packet. Check.
If it is registered as a quarantine terminal, the process proceeds to step S2-3-7. If it is not registered, the process proceeds to step S2-3-3.

In step S2-3-3, the first determination unit 220a checks whether the transmission source IP address or the MAC address of the ARP request packet is registered in the permitted terminal information table 233. That is, it is determined whether the transmission source is a permitted terminal.
If registered, the process proceeds to step S2-4-1 (destination IP address confirmation processing), and no interference processing is performed on the transmission source. If not registered, the process proceeds to step S2-3-4.

In step S2-3-4, based on the transmission source IP address or MAC address of the ARP request packet, the first determination unit 220a determines whether the transmission source is registered as a passing terminal in the first terminal information table 230a. Check.
If it is registered as a passing terminal, the process proceeds to step S2-4-1 (transmission destination IP address confirmation processing), and the interference processing for the transmission source is not performed. If not registered, the process proceeds to step S2-3-5.

When the process comes to step S2-3-5, it is determined that the transmission source is a terminal device that is not registered in the terminal information table 230 and is unknown to the quarantine control device 2.
Therefore, in step S2-3-5, an agent ping is performed on an unknown transmission source, and an attempt is made to acquire the inspection result of the transmission source (terminal device) necessary to determine whether communication should be interrupted. . Details of the processing in step S2-3-5 will be described later.

  The result of performing the agent ping on the transmission source of the ARP request packet is determined by the second determination unit 220b. If the determination result is an isolation determination, the process proceeds to step S2-3-7. If the determination result is a pass determination, the process proceeds to step S2-4-1 (destination IP address confirmation process), and no interference process is performed on the transmission source.

  In step S2-3-7, a process of transmitting a pseudo ARP response packet is performed by the communication disturbing unit 260 of the quarantine control device 2. In order to perform this processing, the communication disturbing unit 260 includes a pseudo ARP response transmission unit 261 and a pseudo ARP response transmission management unit 262.

  As illustrated in FIG. 28, the pseudo ARP response transmission unit 261 includes a first pseudo ARP response transmission unit 261a that broadcasts a pseudo ARP response packet, and a second pseudo ARP response transmission unit 261c that performs unicast transmission of the pseudo ARP response packet. And an identification unit 261b that identifies a terminal device (a terminal device that cannot be mislearned) that is a target of unicast transmission of the pseudo ARP response packet.

The pseudo ARP response packet generated by the pseudo ARP response transmission unit 261 is generated as an ARP response packet having an address portion set as shown in FIGS.
In each of the pseudo ARP response packets shown in FIGS. 10A and 10B, the IP address of the transmission source terminal (disturbance target terminal device) of the ARP request packet is set as the “transmission source IP address”. The MAC address (fake MAC address) of the quarantine control device 2 is set as “MAC address”.
Here, the pseudo ARP response packet generated by the first pseudo ARP response transmission unit 261a is for broadcast transmission as shown in FIG. 10A, and the “destination IP address” and “ As the “destination MAC address”, a broadcast address is set. Therefore, the pseudo ARP response packet is broadcasted to the network.
On the other hand, as shown in FIG. 10B, the pseudo ARP response packet generated by the second pseudo ARP response transmission unit 261c is not a pseudo ARP response packet broadcast by the first pseudo ARP response transmission unit 261a. It is unicast transmitted to a terminal device that cannot be mislearned (a terminal device having a Vista OS) that cannot mislearn the MAC address of the target terminal device. Therefore, in FIG. 10B, as the “destination IP address” and “destination MAC address” of the pseudo ARP response packet, the IP address and MAC address of the Vista-based OS terminal device which is a mis-learning terminal device, respectively. Is set.

When communication is interrupted, the first pseudo ARP response transmission unit 261a broadcasts the pseudo ARP response packet of FIG. 10A, and the second pseudo ARP response transmission unit 261c transmits the pseudo ARP response packet of FIG. 10B. An ARP response packet is transmitted to a terminal device having a Vista OS.
As a result, the MAC address of the transmission source terminal is erroneously learned by the communication partner terminal device with which the transmission source terminal (disturbance target terminal device) of the ARP request packet may communicate. In other words, if the terminal device has a non-Vista-based OS, the MAC address of the terminal device to be disturbed is erroneously learned by the broadcast pseudo ARP response packet of FIG. 10A, and if the terminal device has a Vista-based OS, The MAC address of the terminal device to be disturbed is erroneously learned by the 10 (b) unicast pseudo ARP response packet.

Therefore, the MAC address of the quarantine control device 2 is erroneously set as the transmission destination for all packets destined for the transmission source terminal transmitted from the terminal device of the communication partner. The transmission source terminal of the ARP request packet cannot receive the packet because the MAC address is incorrect. On the other hand, since the MAC address of the ARP request packet destined for the transmission source terminal is that of the quarantine control apparatus 2, all of the packets can be received by the quarantine control apparatus 2. The quarantine control apparatus 2 collects and discards packets in which such a MAC address is set as a transmission destination. Therefore, the communication between the transmission source terminal (disturbance target terminal device) of the ARP request packet and its counterpart can be obstructed.
In addition, since the quarantine control device 2 sends a pseudo ARP “response” packet as the disturbance processing, it is not necessary to receive an ARP response packet from another terminal device 3, and an increase in communication load can be avoided.
Further details of the interference process will be described later.

  When the pseudo ARP response transmission in step S2-3-7 ends, the transmission source confirmation process (step S2-3) ends, and the process proceeds to the transmission destination IP address confirmation process S2-4.

[6.2.2 Destination IP Address Confirmation Process (Step S2-4)]
In the transmission destination IP address confirmation process, first, the first determination unit 220a confirms whether or not the transmission destination IP address of the ARP request packet is registered in the prohibited terminal information table 234 (step S2-4-1). That is, it is determined whether or not the transmission destination is a prohibited terminal.
If registered, the process proceeds to step S2-6, and if not registered, the process proceeds to step S2-4-2.

In step S2-4-2, based on the transmission destination IP address of the ARP request packet, the first determination unit 220a checks whether or not the transmission destination is registered as an isolated terminal in the first terminal information table 230a.
If registered, the process proceeds to step S2-6, and if not registered, the process proceeds to step S2-4-3.

In step S2-4-3, the first determination unit 220a checks whether or not the transmission destination IP address of the ARP request packet is registered in the permitted terminal information table 233. That is, it is determined whether or not the transmission destination is a permitted terminal.
If it is registered, the ARP request packet monitoring process is terminated because the disturbance process for the transmission destination is unnecessary. If not registered, the process proceeds to step S2-4-4.

In step S2-4-4, based on the transmission destination IP address of the ARP request packet, the first determination unit 220a checks whether or not the transmission destination is registered as a passing terminal in the first terminal information table 230a.
If it is registered, the ARP request packet monitoring process is terminated because the disturbance process for the transmission destination is unnecessary. If not registered, the process proceeds to step S2-4-5.

When the process comes to step S2-4-5, it is determined that the transmission destination is a terminal device that is not registered in the terminal information table 230 and is unknown to the quarantine control device 2.
Therefore, in step S2-4-5, the ARP request packet shown in FIG. 11 is transmitted to the unknown transmission destination. The process of step S2-4-5 is performed by the unregistered terminal apparatus processing unit 290 (see FIG. 3) of the quarantine control apparatus 2. The unregistered terminal device processing unit 290 includes an ARP request transmission unit 291. This ARP request transmission unit 291 has an ARP request packet in which an address is set as shown in FIG. 11 in order to obtain an unknown destination MAC address. Broadcast.

  After transmitting the ARP request packet of FIG. 11, the quarantine control device 2 waits for an ARP response packet for the ARP request packet for a certain period (step S2-4-6). If the quarantine control apparatus 2 does not receive the ARP response packet even after waiting for a certain period, the ARP request packet monitoring process is terminated, and if the ARP response packet is received within the certain period, step S2-4-8 Proceed to

  In step S2-4-6, when the ARP response packet is received, the quarantine control apparatus 2 acquires the MAC address of the unknown destination from the ARP response packet (step S2-4-8), and the destination MAC. Control proceeds to address confirmation processing S2-5.

[6.2.3 Destination MAC Address Confirmation Process (Step S2-5)]
In the transmission destination MAC address confirmation process, first, the first determination unit 220a confirms whether or not the transmission destination MAC address of the ARP request packet is registered in the prohibited terminal information table 234 (step S2-5-1). That is, it is determined whether or not the transmission destination is a prohibited terminal.
If registered, the process proceeds to step S2-6, and if not registered, the process proceeds to step S2-5-2.

In step S2-5-2, based on the transmission destination MAC address of the ARP request packet, the first determination unit 220a checks whether or not the transmission destination is registered as an isolated terminal in the first terminal information table 230a.
If registered, the process proceeds to step S2-6, and if not registered, the process proceeds to step S2-5-3.

In step S2-5-3, the first determination unit 220a checks whether or not the transmission destination MAC address of the ARP request packet is registered in the permitted terminal information table 233. That is, it is determined whether or not the transmission destination is a permitted terminal.
If it is registered, it is not necessary to perform the disturbing process for the transmission destination, so the ARP request packet monitoring process is terminated. If not registered, the process proceeds to step S2-5-4.

In step S2-5-4, based on the transmission destination MAC address of the ARP request packet, the first determination unit 220a checks whether the transmission destination is registered as a passing terminal in the first terminal information table 230a.
If it is registered, it is not necessary to perform the disturbing process for the transmission destination, so the ARP request packet monitoring process is terminated. If not registered, the process proceeds to step S2-5-5.

When the processing has come to step S2-5-5, it is determined that the transmission destination is a terminal device that is not registered in the terminal information table 230 and is unknown to the quarantine control apparatus 2. Become.
Therefore, in step S2-5-5, an agent ping is performed on an unknown destination, and an attempt is made to acquire the inspection result of the destination (terminal device) necessary to determine whether or not communication should be interrupted. . Details of the processing in step S2-5-5 will be described later.

  The result of performing the agent ping on the transmission destination of the ARP request packet is determined by the second determination unit 220b. If the determination result is a quarantine determination, the process proceeds to step S2-6. If the determination result is a pass determination, the ARP request packet monitoring process is terminated because there is no need to perform an interference process for the transmission destination.

  In step S2-6, the pseudo ARP response transmission unit 261 of the communication jamming unit 260 performs processing for transmitting a pseudo ARP response packet.

The pseudo ARP response packet transmitted here is generated as an ARP response packet whose address portion is set as shown in FIGS. FIG. 12A shows a broadcast pseudo ARP response packet generated by the first pseudo ARP response transmission unit 261a, and FIG. 12B shows a unicast pseudo ARP response packet generated by the second pseudo ARP response transmission unit 261c. It is.
In these pseudo ARP response packets, the IP address of the transmission destination terminal (disturbance target terminal device) of the ARP request packet is set as the “source IP address”, and the quarantine control device is set as the “source MAC address” of the pseudo ARP response packet. 2 MAC address (false MAC address) is set.
In the case of the pseudo ARP response packet in FIG. 12A, broadcast addresses are set as the “destination IP address” and “destination MAC address”, respectively. Therefore, the pseudo ARP response packet is broadcasted to the network.
On the other hand, the pseudo ARP response packet generated by the second pseudo ARP response transmission unit 261c is unicast transmitted to a terminal device that cannot be mislearned (a terminal device having a Vista OS), as shown in FIG. It is what is done. Accordingly, in FIG. 12B, as the “destination IP address” and “destination MAC address” of the pseudo ARP response packet, the IP address and MAC address of the Vista-based OS terminal device which is a mis-learning terminal device, respectively. Is set.

When communication is interrupted, the first pseudo ARP response transmission unit 261a broadcasts the pseudo ARP response packet in FIG. 12A, and the second pseudo ARP response transmission unit 261c transmits the pseudo ARP response packet in FIG. 12B. An ARP response packet is transmitted to a terminal device having a Vista OS.
As a result, the MAC address of the transmission destination terminal is erroneously learned by the communication partner terminal apparatus with which the transmission destination terminal (disturbance target terminal apparatus) of the ARP request packet may communicate.

Therefore, the MAC address of the quarantine control apparatus 2 is erroneously set as the transmission destination for all packets destined for the transmission destination terminal transmitted from the communication partner terminal apparatus. The destination terminal of the ARP request packet cannot receive the packet because the MAC address is incorrect.
On the other hand, since the MAC address of the ARP request packet destined for the destination terminal is that of the quarantine control apparatus 2, all of the packets can be received by the quarantine control apparatus 2. The quarantine control apparatus 2 collects and discards packets in which such a MAC address is set as a transmission destination. Therefore, communication between the transmission destination terminal (disturbance target terminal device) of the ARP request packet and the counterpart can be obstructed.
In addition, since the quarantine control device 2 sends a pseudo ARP “response” as the disturbance processing, it is not necessary to receive an ARP response packet from another terminal device 3, and an increase in communication load can be avoided.
Further details of the interference process will be described later.

  When the pseudo ARP response transmission in step S2-6 ends, the ARP request packet monitoring process ends.

[6.2.4 Agent ping execution process (steps S2-3-5, S2-5-5, etc.)]
FIG. 13 shows an agent ping execution process. In the agent ping execution process, first, the agent ping transmission unit 211 transmits the agent ping to the terminal device (the agent computer program P2) that is the target of the determination as to whether or not to quarantine (step S3-1).

  The agent ping response reception unit 213 waits for a certain period of time (agent ping response) from the agent computer program P2 of the terminal device (step S3-2). If there is a response within a certain period, the process proceeds to step S3-3, and if there is no response after waiting for a certain period, the process proceeds to step S3-7.

  If the agent ping response packet received in step S3-2 is normal, the process proceeds to step S3-4. If the agent ping response is invalid, the process proceeds to step S3-7.

The agent ping response received by the agent ping response receiving unit 213 is determined by the second determination unit 220b (see FIG. 3) of the determination unit 220 whether or not it should be isolated. The second determination unit 220b determines whether or not to isolate by confirming the “inspection result” included in the agent ping response (step S3-4).
If the received inspection result indicates “pass”, the process proceeds to step S3-5, and if it indicates “isolation” (= “fail”), the process proceeds to step S3-7.

  In step S3-5, the first table updating unit 241 registers the quarantine target terminal device 3 that has transmitted the agent ping response as a successful terminal in the first terminal information table 230a, and proceeds to step S3-6. In step S3-5, if the terminal device to be registered in the first terminal information table 230a is already registered as a passing terminal in the first terminal information table 230a, the first terminal information is updated with the latest information. The table 230a is overwritten.

  When the process comes to step S3-6, the second determination unit 220b determines that the quarantine target terminal device 3 that has transmitted the agent ping response is “pass”, and ends the agent ping execution process.

  In step S3-7, the first table update unit 241 registers the quarantine target terminal device 3 that has transmitted the agent ping response as a quarantine terminal in the first terminal information table 230a, and proceeds to step S3-8. In step S3-7, if the terminal device to be registered in the first terminal information table 230a is already registered as an isolated terminal in the first terminal information table 230a, the first terminal information is updated with the latest information. The table 230a is overwritten.

  When the process comes to step S3-8, the second determination unit 220b determines that the quarantine target terminal device 3 that has transmitted the agent ping response is “quarantine”, and ends the agent ping execution process.

[6.2.4.1 Agent ping protocol]
FIG. 14 shows the sequence of the agent ping protocol and the data structure of the agent ping.
Here, the agent ping sent by the quarantine control device 2 is referred to as an “agent ping request”.

  The entity of the agent ping packet is obtained by storing necessary information such as the type and inspection result (check result) described later in the data part of a normal IP packet.

There are three types of agent ping packets: an agent ping request packet (step S4-2), an agent ping response packet (step S4-3), and an agent ping start request packet (step S4-1).
In order to distinguish these three packets, the agent ping has a flag value area of “type” as its data structure. As shown in FIG. 15, the type includes information indicating three types of “request”, “response”, and “start request”, and any of the information is stored in the “type” area of the agent ping packet.

In the agent ping data structure shown in FIG. 14, the protocol version indicates version information of the agent ping protocol.
In addition to the protocol version and type, the agent ping response includes information on the inspection result and information (OS information) indicating the type of OS included in the terminal device on which the agent is installed.

As illustrated in FIG. 14, the information regarding the inspection result includes an agent ID, a check result (inspection result), and a policy file update date and time. The agent ID is an identifier of the agent computer program P2 and is composed of an arbitrary length ASCII character string. The check result is a flag value indicating an inspection result by the quarantine target terminal device 3 and includes information indicating “pass” and “quarantine” as illustrated in FIG. 16, and either information is stored in the “check result” area. Is done. The policy file update date / time indicates the update date / time of the inspection policy used for the inspection.
Note that the agent ping stores the IP address and MAC address of the transmission source and the transmission destination in the same way as a normal packet.

[6.2.4.2 Agent ping start request]
The agent ping is regularly executed by the quarantine control device 2. However, only that, if the result of the inspection performed by the quarantine target terminal device 3 periodically or when necessary is different from the previous value (if the state transitions from the state to be isolated to the acceptable state, or should be isolated from the acceptable state) In the case of transition to a state), the quarantine control device 2 cannot instantaneously change the quarantine control accordingly.

Therefore, the quarantine target terminal device 3 can request the quarantine control device 2 to start transmission of the agent ping when such a change in the inspection result occurs or when necessary.
In particular, in the quarantine target terminal device 3, when the agent computer program P2 is activated, and the user of the quarantine target terminal device 3 requests the agent computer program P2 to perform the inspection, and the inspection is completed. Sometimes, the agent ping start request transmission unit 335 always makes an agent ping start request. FIG. 17 shows the sequence of this agent ping start request.

[6.3 Periodic Agent Ping Execution Processing for Passed Terminals]
As shown in FIG. 18, the agent ping transmission management unit 212 (see FIG. 3) of the quarantine control device 2 periodically pings the terminal device registered in the passed terminal information table 231, The terminal information table 230 is maintained while determining whether or not obstruction processing is necessary.

In the periodic agent ping execution process, first, the agent ping transmission management unit 212 registers information indicating that the terminal is a successful terminal in the terminal information area 230a-4 among a plurality of terminal information in the first terminal information table 230a. Is referred to (passed terminal information) (step S5-1).
If there is a successful terminal whose internal state should be confirmed among the successful terminals, the process proceeds to step S5-3. If the statuses of all the successful terminals on the first terminal information table 230a are confirmed, the periodic agent ping The execution process is terminated (step S5-2).

  In step S5-3, the agent ping transmission unit 211 transmits an agent ping request to a terminal device (state confirmation target terminal device) that needs state confirmation (step S5-3).

  The agent ping response receiving unit 213 waits for a certain period of time for an agent ping response from a terminal device (state confirmation target terminal device) that needs state confirmation (step S5-4). If there is no response after waiting for a certain period, the process proceeds to step 5-5, and if there is a response within the certain period, the process proceeds to step S5-7.

  In step S5-5, it is determined whether or not to resend the agent ping request to the state confirmation target terminal device that does not respond. If the number of retransmissions in the sequence is less than the maximum number of transmissions designated from the outside of the quarantine control device 2, the process returns to step S5-3. On the other hand, if the number of retransmissions in the sequence has reached the maximum number of transmissions, the process proceeds to step S5-6.

  When the processing has come to step S5-6, it means that the agent ping response has not been received from the state confirmation target terminal device that has been the accepted terminal, so the terminal information of the terminal device is deleted from the first terminal information table 230a. Return to step S5-2.

  In step S5-7, it is determined whether the received agent ping response is normal. If normal, the process proceeds to step S5-8, and if invalid, the process proceeds to step S5-9.

  In step S5-8, the second determination unit 220b confirms the “policy check result” included in the agent ping response. If the “policy check result” means “pass”, the process returns to step S5-2, and if it means “isolation”, the process proceeds to step S5-9.

In step S5-9, the terminal information (passed terminal information) of the state confirmation target terminal device is deleted from the first terminal information table 230a, and the process proceeds to step S5-10.
In step S5-10, the state check target terminal device is registered in the first terminal information table 230a as an isolated terminal. At this time, other information related to the isolated terminal is also registered based on the agent ping response.

In step S5-11, a pseudo ARP response packet is transmitted in order to disturb the communication of the state check target terminal device determined to be isolated, and the process returns to step S5-2.
The pseudo ARP response packet transmitted here is generated as an ARP response packet whose address portion is set as shown in FIGS. FIG. 19A is a broadcast pseudo ARP response packet generated by the first pseudo ARP response transmission unit 261a, and FIG. 19B is a unicast pseudo ARP response packet generated by the second pseudo ARP response transmission unit 261c. It is.
In these pseudo ARP response packets, the IP address of the state confirmation target terminal device (disturbance target terminal device) is set as the “source IP address”, and the quarantine control device 2 sets the “source MAC address” of the pseudo ARP response packet. A MAC address (fake MAC address) is set.
In the case of the pseudo ARP response packet in FIG. 19A, broadcast addresses are set as the “destination IP address” and “destination MAC address”, respectively. Therefore, the pseudo ARP response packet is broadcasted to the network.
On the other hand, the pseudo ARP response packet generated in the second pseudo ARP response transmission unit 261c is unicast transmitted to a terminal device that cannot be mislearned (a terminal device having a Vista-based OS), as shown in FIG. It is what is done. Therefore, in FIG. 19B, as the “destination IP address” and “destination MAC address” of the pseudo ARP response packet, the IP address and MAC address of the Vista-based OS terminal device, which is a mis-learning terminal device, respectively. Is set.
As a result, the terminal device of the communication partner with whom the state check target terminal device (interference target terminal device) may communicate erroneously recognizes and learns the MAC address of the destination terminal.

[6.5 Regular Agent Ping Execution Process for Isolated Terminal]
As shown in FIG. 20, the agent ping transmission management unit 212 (see FIG. 3) of the quarantine control device 2 periodically sends an agent ping to the terminal device registered as an isolated terminal in the first terminal information table 230a. By doing so, it is determined whether or not obstruction processing is necessary, and the terminal information table 230 is maintained.

First, the agent ping transmission management unit 212 refers to the information (the quarantine terminal information) in which the terminal information 230a-4 indicates the quarantine terminal in the first terminal information table 230a, and proceeds to step S6-2 ( Step S6-1).
If there is a quarantine terminal whose internal state should be confirmed in the first terminal information table 230a, the process proceeds to step S6-3. If the states of all quarantine terminals in the first terminal information table 230a are confirmed, the periodic agent The ping execution process is terminated (step S6-2).

  In step S6-3, the agent ping transmission unit 211 transmits an agent ping request to a terminal (state confirmation target terminal device) whose state needs to be confirmed, and proceeds to step S6-4.

  In step S6-4, an agent ping response from the state confirmation target terminal device is waited for a certain period. If there is no response after waiting for a certain period, the process proceeds to step S6-5, and if there is a response within the certain period, the process proceeds to step S6-8.

  In step S6-5, it is determined whether to resend the agent ping request to the state check target terminal device. If the number of retransmissions in the sequence is less than the maximum number of transmissions designated from outside the quarantine control device 2, the process returns to step S6-3. If the number of retransmissions in the sequence has reached the maximum number of transmissions, the process proceeds to step S6-6.

In step S6-6, if the status confirmation target terminal device has not responded in the previous polling (that is, the value in the “presence / absence of agent ping response” column 230a-6 of the first terminal information table 230a is “no response”). ”), The process returns to step S6-2. Here, “previous polling” refers to “periodic agent ping execution processing for isolated terminal” performed previously, and so on.
When the status check target terminal device has responded in the previous polling (that is, when the value in the “presence / absence of agent ping response” column 230a-6 of the first terminal information table 230a indicates “response present”) ), Go to Step S6-7.

  When the processing has come to step S6-7, the terminal information of the state confirmation target terminal device is deleted from the first terminal information table 230a, and the process returns to step S6-2. There is a high possibility that the terminal device that was “response” in the previous polling could not respond within the range of normal operation such as machine stop at night. Therefore, by deleting the terminal device that was “response present” in the previous polling from the first terminal information table 230a, it is possible to avoid storing the terminal device as an isolated terminal.

  In step S6-8, it is determined whether the received agent ping response is normal. If normal, the process proceeds to step S6-9. If invalid, the process returns to step S6-2.

  In step S6-9, the second determination unit 220b confirms the “policy check result” included in the agent ping response. If the “policy check result” means “quarantine”, the process proceeds to step S6-10, and if it means “pass”, the process proceeds to step S6-11.

  In step S6-10, for the status confirmation terminal device in the quarantine terminal information table 232, the value of the “agent ping response presence / absence column” is updated to a value indicating “response present”, and the process returns to step S6-2.

In step S6-11, the terminal information (quarantine terminal information) of the state confirmation target terminal device is deleted from the first terminal information table 230a, and the process proceeds to step S6-12.
In step S6-12, the state confirmation target terminal device is registered in the first terminal information table 230a as a passing terminal, and the process proceeds to step S6-13. At this time, other information related to the isolated terminal is also registered based on the agent ping response.

  As described above, since the state confirmation target terminal device that has been determined to be an isolated terminal has made a state transition to a passing terminal, in step S6-13, the normalization of the communication normalization unit 270 is performed in order to cancel the disturbance processing for the state confirmation target terminal. The normal ARP response packet is transmitted by the ARP response transmission unit 271 (see FIG. 3), and the process returns to step S6-2.

As shown in FIGS. 21A and 21B, the normal ARP response packet transmitted here has the IP address of the state confirmation target terminal device in “source IP address” and the status confirmation target in “source MAC address”. The MAC address of the terminal device is set.
The normal ARP response transmitter 271 has the same configuration as the pseudo ARP response transmitter 261 as shown in FIG. That is, the normal ARP response transmitter 271 includes a first normal ARP response transmitter 271a that broadcasts a normal ARP response packet, and a second normal ARP response transmitter 271c that unicasts the normal ARP response packet. And an identification unit 271b for identifying a terminal device for identifying a target for unicast transmission of a normal ARP response packet.

FIG. 21A is a broadcast normal ARP response packet generated by the first normal ARP response transmitter 271a, and FIG. 21B is a unicast normal ARP response packet generated by the second normal ARP response transmitter 271c. It is.
In these normal ARP response packets, the IP address and MAC address of the state confirmation target terminal device (terminal device that is no longer subject to obstruction) are correctly set as “source IP address” and “source MAC address”.
In the case of the normal ARP response packet in FIG. 21A, broadcast addresses are set as the “destination IP address” and “destination MAC address”, respectively. Therefore, the normal ARP response packet is broadcasted to the network.
On the other hand, the normal ARP response packet generated in the second normal ARP response transmission unit 271c is unicast transmitted to a terminal device having a Vista OS as shown in FIG. 21 (b). Therefore, in FIG. 21B, the IP address and MAC address of the Vista-based OS terminal device are set as the “destination IP address” and “destination MAC address” of the normal ARP response packet, respectively.
By transmitting the normal ARP response packet, the terminal device in the network can correctly learn the MAC address of the state check target terminal device, so that communication with the state check target terminal device can be performed normally.

  The target to which the normal ARP response packet is unicast transmitted is identified by the identifying unit 271b. The identification unit 271b stores a list of terminal devices that have transmitted a unicast pseudo-ARP response packet to prevent communication when a terminal device that is no longer a target of interference is a target of interference. When the interference target terminal device is no longer an interference target, the identification unit 271b sets the terminal device indicated by this list as a transmission target of a normal ARP response packet.

[6.6 Inspection of internal status of quarantined terminal device]
FIG. 22 shows an inspection processing procedure according to the inspection policy by the inspection control unit 310 of the quarantine target terminal device 3.

  When a predetermined inspection trigger occurs (step S7-1), the inspection execution unit 331 executes an inspection (policy check) of the internal state of the quarantine target terminal device 3 according to the inspection policy (step S7-1).

  The inspection trigger includes, for example, when the agent computer program P2 is started, manual execution by a user of the quarantine target terminal device 3, and periodic execution by the inspection control unit 310 of the agent computer program P2.

When the inspection (policy check) result is different from the previous inspection (step S7-3), the agent ping start request transmission unit 335 transmits the agent ping start request to the quarantine controller 2 (step S7-5). ). However, since the IP address and the MAC address of the quarantine control device 2 are acquired by the agent ping from the quarantine control device 2, the agent ping start request cannot be transmitted unless the agent ping has been received so far (step S7- 4).
Thereafter, when an agent ping request is received from the quarantine control device 2, the inspection result is transmitted to the quarantine control device 2 as an agent ping response.

[6.7 Second Terminal Information Table Registration Process]
As shown in FIG. 23, in the table generation unit 410 (see FIG. 6) of the quarantine management server 4, the administrator can input the table information of the second terminal information table 230 b and the static list table 263 from the input device. Yes (step S8-1).
The input table information of the second terminal information table 230b and the static list table 263 is transmitted to the quarantine controller 2 by the table transmission unit 420 (see FIG. 6) (step S8-2).

  As shown in FIG. 24, in the quarantine control apparatus 2, the second terminal information table & static list table update unit 232 (see FIG. 3) receives the second terminal information table 230b and the static list table 263 (step S9-1), the contents of the second terminal information table area 230b and the static list table 263 are updated (step S9-2).

[6.8 Communication jamming processing]
[6.8.1 Interfering method]
FIGS. 25A and 25B show the data structure of the above-described pseudo ARP response packet transmitted in steps S2-3-7, S2-6, and S5-11. FIG. 25A shows a broadcast pseudo ARP response packet, and FIG. 25B shows a unicast pseudo ARP response packet.

In the broadcast pseudo ARP response packet of FIG. 25A, the IP address of the terminal device to be disturbed is stored in the first area D1 storing the source IP address, and the quarantine control is performed in the second area D2 storing the source MAC address. The MAC address of the device 2 is stored, and the broadcast address is stored in the third area D3 for storing the destination IP address and the fourth area D4 for storing the destination MAC address.
The quarantine control apparatus 2 broadcasts this pseudo ARP response packet, thereby causing communication interruption of the interruption target terminal apparatus. Note that the second area D2 in which the source MAC address is stored may be the MAC address of another device for packet collection / discarding instead of the MAC address of the quarantine control device 2. In other words, the second area only needs to store a fake MAC address other than the correct MAC address of the disturbance target terminal device.

By broadcast transmission of the pseudo ARP response packet, the terminal devices around the quarantine control device 2 receive the pseudo ARP response packet and use the MAC address of the quarantine control device 2 (or another address as the MAC address of the target terminal device to be disturbed). Device MAC address) is erroneously recognized and learned.
As a result, all data packets transmitted from the surrounding terminal devices to the interference target terminal device reach the quarantine control device 2 (or another device). The quarantine control apparatus discards the data packet, so that the data packet does not reach the disturbance target terminal apparatus. As a result, two-way communication (TCP) or one-way communication (UDP) from the communication partner to the disturbance target terminal device is not established between the disturbance target terminal device and the communication partner, resulting in interference.

  However, the above is a case where the OS of the terminal device that receives the broadcast pseudo ARP response packet is a non-Vista system, and when the OS of the terminal device is a Vista system, the terminal device Even when the ARP response packet is received, the MAC address of the quarantine control device (or the MAC address of another device) is not erroneously recognized / learned as the MAC address of the target device to be disturbed, and the MAC address of the target device to be disturbed is not detected. It will remain recognized correctly.

  Note that the reason why the terminal device does not mislearn is that the Vista-based OS receives the broadcast ARP response packet and immediately determines the MAC address included in the ARP response packet. It is presumed that the learning is not performed and the process of confirming the MAC address with respect to the transmission source of the ARP response packet is performed using the transmission source IP address of the ARP response packet as a key. Note that “not mislearning” here means that even if the Vista-based OS mislearns the MAC address, it results in mislearning as if the mislearning is hindered by checking the correct MAC address. It is meant to include all cases where no.

However, even a terminal device having a Vista OS can be mislearned if a pseudo-ARP response packet is unicast transmitted.
That is, the unicast pseudo ARP response packet in FIG. 25B is transmitted to a terminal device having a Vista OS (including an OS whose type is unknown), and stores a destination IP address. The IP address and MAC address of the Vista-based OS are stored in the third area D3 and the fourth area D4 in which the destination MAC address is stored, respectively.
By using both broadcast transmission and unicast transmission of the pseudo ARP response packet, it is possible to cause the terminal device in the network to mislearn the MAC address of the target terminal device in the network regardless of the OS type of the terminal device in the network.
Moreover, the communication load and the processing load can be reduced by not unicasting the pseudo ARP response packet to all terminal devices in the network, but by unicasting only to the terminal device having the Vista OS. it can.

FIG. 26 shows an ARP flow from when an ARP request packet is transmitted from a terminal A to be disturbed (disturbance target terminal apparatus) A to when a disturbance to the disturbance target terminal apparatus A is established. The monitoring of the ARP request packet transmitted from the interference target terminal device A is performed by the method shown in FIGS.
First, an ARP request packet for acquiring the MAC address of terminal B is transmitted from terminal A (step S10-1). Thereby, the terminal B once correctly learns the MAC address of the terminal A.
The ARP request packet is captured by the quarantine control device 2 (step S10-2).

  Terminal B transmits a normal ARP response packet to terminal A (step S10-3). Thereby, the terminal A learns the MAC address of the terminal B.

Based on the captured ARP request packet, the quarantine control apparatus 2 performs agent ping if necessary, and determines that the terminal A is an interruption target terminal apparatus that needs to be obstructed (step S10-4).
Then, as shown in FIG. 26, the quarantine controller 2 broadcasts and unicasts a pseudo ARP response packet with the source MAC address as its own MAC address and the source IP address as the IP address of the terminal A. Transmit (step S10-5). As a result, terminals on the network including the terminal B (excluding the terminal A) learn the MAC address of the terminal A by mistake, regardless of the type of OS the terminal has, and the interference is established.

  Although the pseudo ARP response packet is also broadcast to the interference target terminal device, the IP address of the interference target terminal device is set as the transmission source IP address, and therefore cannot be received by the interference target terminal device.

  In FIG. 27, contrary to FIG. 26, since the communication partner (non-disturbance target terminal device) B communicates with the interference target terminal device A, the communication partner B transmits an ARP request packet, and thus the interference occurs. The flow of ARP until it is established is shown. The ARP request packet transmitted from the communication partner B is monitored by the method shown in FIGS.

  First, an ARP request packet for acquiring the MAC address of terminal A is transmitted from terminal B, which is a communication partner (step S11-1). This ARP request packet is captured by the quarantine control apparatus 2.

  Terminal A transmits a normal ARP response packet to terminal B (step S11-2). Thereby, the terminal B once correctly learns the MAC address of the terminal A.

Since the MAC address of the terminal A is unknown, the quarantine control device 2 transmits an ARP request packet to the terminal A by the ARP request transmission unit 291 (see FIG. 3) of the unregistered terminal device processing unit 290 (Step S11- 3).
Then, since the terminal A transmits an ARP response packet to the quarantine control device 2 (step S11-4), the terminal A receives this by the ARP response receiving unit 292. Thereby, the quarantine control apparatus 2 can acquire the MAC address of the terminal A.

Then, the quarantine control device 2 performs agent ping if necessary, and determines that the terminal A is an interference target terminal device that needs to be disturbed (step S11-5).
Then, as shown in FIG. 27, the quarantine control apparatus 2 broadcasts and unicasts a pseudo ARP response packet with the source MAC address as its own MAC address and the source IP address as the IP address of the terminal A. Transmit (step S11-6). As a result, terminals on the network including the terminal B (excluding the terminal A) learn the MAC address of the terminal A by mistake, regardless of the type of OS the terminal has, and the interference is established.

  Although the pseudo ARP response packet is also broadcast to the interference target terminal device, the IP address of the interference target terminal device is set as the transmission source IP address, and therefore cannot be received by the interference target terminal device.

  By performing the interference processing as described above, even if the ARP table of the interference target terminal device is statically set and the interference target terminal device is configured not to transmit the ARP request packet, the communication is performed. Communication can be interrupted by having the other party mislearn.

FIG. 30 shows more detailed processing contents of the interference processing. FIG. 30 shows a process for limiting the transmission target of the pseudo ARP response packet in order to reduce the number of transmissions of the unicast pseudo ARP by the quarantine control apparatus 2.
In the disturbance process, the pseudo ARP response transmission unit 261 first performs broadcast transmission of a pseudo ARP response packet (step S12-1). Subsequently, the pseudo ARP response transmission unit 261 performs unicast transmission processing (steps S12-2 to S12-7).
The unicast transmission process includes a process for identifying a unicast transmission target (a terminal device that cannot be erroneously learned) (step S12-2), and an exclusion process for excluding a predetermined terminal device from the unicast transmission target (step S12-3). To S12-6), a process of transmitting a unicast pseudo-ARP response packet (step S12-7) is included.

This unicast transmission process is performed on all terminals that the quarantine control apparatus 2 has grasped in the network, such as terminal apparatuses registered in the first terminal information table 230a.
In the process of identifying the unicast transmission target (terminal device that cannot be mislearned) in step S12-2, it is determined whether or not the OS of the terminal device is a Vista system. This determination is performed by the identification unit 216b referring to the OS information 230a-5 of the first terminal information table 230a. If the OS of the terminal device is a non-Vista system, the terminal device is terminated without performing unicast transmission.
If the OS of the terminal device is Vista, the process proceeds to step S12-3. In step S12-2, when the OS information is unknown (when there is no OS information 230a-5 in the first terminal information table 230a), the OS is regarded as a Vista OS, and the process proceeds to step S12-3. When the OS is unknown, it is possible to ensure that the terminal device is mislearned by considering it as a Vista OS.

  If it is determined in step S12-2 that the OS of the terminal device is the Vista system, the identifying unit 261b excludes a predetermined terminal device from the unicast transmission target among the Vista system OS terminal devices. (Steps S12-3 to S12-6) are performed. In the exclusion process, first, it is determined whether an agent is installed in the terminal device (step S12-3). This determination can be made by referring to the first terminal information table 230a, and it can be determined that the terminal device whose agent ID 230a-3 is stored in the first terminal information table 230a is equipped with an agent.

If it is determined in step S12-3 that the agent is installed in the terminal device, the erroneous learning process of the terminal device is left to the agent installed in the terminal device (step S12-4), and the Vista-based OS terminal device Even so, the pseudo-ARP response packet is not unicasted and the process ends.
By excluding the terminal device on which the agent is mounted from the unicast transmission target of the pseudo ARP response packet, it is possible to reduce the communication amount and the processing amount. The mislearning process by the agent will be described later.

If it is determined in step S12-3 that the agent is not installed in the terminal device, the identifying unit 261b determines whether the terminal device is registered in the static list table (excluded terminal device list) 263 as an exclusion process. Is determined (step S12-5). The static list table 263 is a list of terminal devices that do not transmit a unicast pseudo ARP response packet. Here, the terminal device whose OS type is unknown is regarded as a Vista-based OS in step S12-2, and is basically a transmission target of a unicast pseudo-ARP response packet. However, unlike a printer, an agent cannot be installed and the OS is unknown, but there are also terminal devices that originally do not require a unicast pseudo-ARP response packet. As shown in FIG. 31A, in the quarantine control device 2, the IP address and MAC address of such a terminal device are registered in the static list table 263.
If it is determined in step S12-5 that the terminal device is registered in the static list table 263, the pseudo-ARP response packet is not unicasted even if it is a Vista OS, and the process ends.
Thus, by excluding terminal devices that do not originally need to transmit unicast pseudo-ARP response packets from the targets of unicast transmission, it is possible to reduce the amount of communication and the amount of processing.

If it is determined in step S12-5 that the terminal device is not registered in the static list, the identification unit 261b determines that the terminal device is “the quarantine target terminal is not a new quarantine” and “other than the communication partner of the quarantine target terminal. It is determined whether or not it is a “passing terminal” (step S12-6).
Here, when the quarantine target terminal is “new quarantine”, the quarantine terminal (disturbance target terminal device) must be isolated from an acceptable terminal (non-disturbance target terminal device) that does not require interference. This is the time of the first disturbance processing after the state transition to the target terminal device. In addition, “not new quarantine” means that the quarantine terminal (disturbance target terminal device) is changed from an acceptable terminal (non-disturbance target terminal device) that does not require interference to a quarantine terminal (disturbance target terminal device) that requires interference. This refers to the second and subsequent disturbance processing after transition.

  The basic idea of the exclusion process in step S12-6 is to exclude a terminal device (passing terminal) that is not a communication partner of the isolated terminal (interference target terminal device) as a transmission target of the unicast pseudo ARP response packet. . This is because a problem does not occur immediately in the terminal device that is not the communication partner even if the MAC address is not erroneously learned. Thus, by excluding a terminal device that is not a communication partner of the isolated terminal from the target of unicast transmission, it is possible to reduce the communication amount / processing amount.

However, if the terminal device (passing terminal) that is not the communication partner of the isolated terminal (interference target terminal device) is uniformly excluded from the targets of unicast transmission, the interference processing cannot be performed reliably.
That is, before the terminal device becomes an isolated terminal, the terminal device communicates with another terminal device, and the mutual MAC address remains in the ARP table of the terminal device or the other terminal device. Even if the terminal device becomes a quarantine terminal, the ARP request packet is not transmitted between the terminal device and the other terminal device, and the quarantine control device 2 may detect communication involving the quarantine terminal. Can not. Therefore, the quarantine control apparatus 2 does not transmit a unicast pseudo ARP response packet for interfering with the communication of the new isolated terminal, and cannot perform interference when the communication partner is a Vista OS.
Therefore, when the terminal device makes a state transition from a passing terminal to an isolated terminal, a unicast pseudo ARP response packet is transmitted to all Vista-based OS terminals during the first disturbance processing after the state transition, and interference leakage prevent.
On the other hand, in the second and subsequent disturbance processing after the terminal device transitions from the successful terminal to the isolated terminal, as described above, the accepted terminal that is not the communication partner of the isolated terminal is transmitted as a unicast pseudo-ARP response transmission. Since it is excluded from the target, the amount of communication and the amount of processing can be reduced.

As described above, when it is determined in step S12-6 that “the isolation target terminal is not a new isolation” and “a terminal other than the communication partner of the isolation target terminal”, the terminal device performs the unicast pseudo-ARP. Excluded from response sending.
On the other hand, even if “the quarantine target terminal is a new quarantine” or “the quarantine target terminal is not a new quarantine” (in the case of the second and subsequent interference processing), Are not excluded, and a unicast pseudo-ARP response packet is transmitted (step S12-7).

  The identification unit 261a identifies the communication partner of the isolation target terminal by referring to the unicast pseudo ARP information table (communication partner table) 264. The unicast pseudo ARP information table 264 is generated based on the ARP request packet captured by the ARP request capturing unit 251 of the communication monitoring unit 250 and the result of the subsequent agent ping. As shown in FIG. 31B, the unicast pseudo ARP information table 264 is composed of the IP address and MAC address of the isolated terminal and the MAC address of the communication partner of the isolated terminal.

[6.8.2 Periodic transmission of pseudo ARP response packet]
As shown in FIGS. 26 and 27, the jamming process is not only executed when communication of the jamming target terminal device is detected, but also as shown in steps S10-6 and S11-7 in FIGS. The device 2 periodically transmits a pseudo ARP response packet. The contents of the ARP table learned by each terminal device are automatically deleted if there is no communication with the communication partner for a certain period. Therefore, the pseudo ARP response transmission management unit 262 of the quarantine control device 2 periodically broadcasts a pseudo ARP response packet for interfering with the communication of the terminal device registered in the prohibited terminal information table 234 or the quarantine terminal information table 232. Send.

In the periodic transmission of the pseudo ARP response packet, only the broadcast transmission of the pseudo ARP response packet is performed, and the unicast transmission is not performed. Thereby, the amount of communication and the amount of processing can be reduced.
Here, the Vista-based OS has a function of periodically checking its own ARP table. That is, a terminal device that has erroneously learned the MAC address of the target terminal device to be disturbed has “IP address of quarantine terminal, MAC address of quarantine control device 2” recorded in its ARP table. This terminal apparatus periodically unicasts the ARP request packet shown in FIG. In this ARP request packet, the transmission destination IP address is the IP address of the interference target terminal device, but the transmission destination MAC address is the MAC address of the quarantine control device. Do not return packets.
Instead, the second pseudo ARP response transmission unit 271c of the quarantine control device 2 transmits the pseudo ARP response packet shown in FIG. 25B to the terminal device as a response to the ARP request packet of FIG. Thereby, the mislearning state is maintained in the terminal device that is mislearning the MAC address of the interference target terminal device.

  As described above, the Vista-based OS has a function of periodically inquiring and confirming the contents of the ARP table to other terminal devices. However, the quarantine control device 2 responds to the confirmation (ARP request packet) with a pseudo ARP. You can answer with a response packet. Therefore, in the transmission of the pseudo ARP response packet periodically performed by the quarantine control device 2, it is only necessary to perform broadcast transmission of the pseudo ARP response packet, and it is not necessary to actively perform unicast transmission.

[6.8.2 Mislearning process by agent]
As described above, when it is determined that the agent is installed in the terminal device, the erroneous learning process of the terminal device is left to the agent installed in the terminal device (step S12-4), and the Vista OS terminal Even if it exists, the pseudo ARP response packet is not unicasted.
In order to cause the agent to perform a false learning process, the quarantine control device 2 includes a first terminal information table transmission unit 295 as shown in FIG. The first terminal information table transmission unit 295 is a transmission unit that transmits information (first terminal information table 230a) indicating an isolated terminal that is a terminal device to be disturbed to the agent of each terminal device.

The transmission unit 295 does not require interference when the terminal device makes a state transition from a non-disturbing target terminal device that does not need to be disturbed to a disturbing target terminal device that needs to be disturbed. When the state transitions to the non-disturbance target terminal device, the contents of the first terminal information table 230a are transmitted.
That is, when the content of the first terminal information table 230a is updated by the agent ping execution process of FIG. 13, the transmission unit 295 transmits the content of the first terminal information table 230a to the agent. As a result, the agent can immediately obtain the latest information when the terminal is newly isolated or when the terminal is passed.

Then, the terminal information receiving unit 340 of the agent mislearning processing unit 340 (see FIG. 5) installed in the terminal device receives the contents of the first terminal information table 230a transmitted from the quarantine control device 2, and receives the obstruction target. Identify terminal devices (isolated terminals). Further, the ARP table operation unit 342 of the mislearning processing unit 340 operates the ARP table included in the OS to perform interference with the interference target terminal device.
That is, the ARP table operation unit 342 of the agent mounted on the terminal device to be disturbed rewrites the MAC address in the ARP table of the own terminal to the MAC address (fake MAC address) of the quarantine control device 2 for all terminals.
In addition, the ARP table operation unit 342 of the agent installed in the non-disturbance target terminal device uses the MAC addresses (false MAC) of the quarantine control device for the MAC addresses of all the disturbance target terminal devices in the contents of the ARP table of the own terminal. Address) is rewritten. Through these processes, communication from the quarantine terminal and communication to the quarantine terminal both flow to the quarantine control apparatus 2.

As described above, the agent installed in the terminal device performs the erroneous learning process, so that the terminal device can perform the erroneous learning without receiving the unicast pseudo ARP response packet.
The information indicating the interference target terminal device does not need to be the content of the first terminal information table 230a transmitted from the quarantine control device 2. For example, when the terminal device receives the broadcast pseudo ARP response packet transmitted from the quarantine control device 2, the agent acquires the broadcast pseudo ARP response packet, and based on the transmission source IP address of the broadcast pseudo ARP response packet, the agent May grasp the terminal device to be disturbed.

[6.8.3 Relay function]
Among the data packets sent to the quarantine control device 2 (or other collection / discard device) addressed to the interference target terminal device, the IP address of the transmission source (= terminal devices around the quarantine control device) is the exception information. When registered in the table 235, the communication relay unit 281 of the quarantine control device 2 (or other collection / discard device) transfers the data packet to the disturbance target terminal device without discarding the data packet. That is, even if it is a disturbance target terminal device, communication is established only with the terminal device designated as an exception (not disturbed).

By allowing exception communication, resources (such as OS monthly patch (hotfix)) and anti-virus software pattern files for improving the internal state of the quarantine target terminal device 3 determined to be a quarantine terminal are specified. When the terminal is in an in-house server or a server on the Internet, the isolation terminal can acquire the resource or file.
In other words, by registering a server with the resource or file in the exception information table, the resource or file can be acquired from the server via the network, and the internal state of the isolated terminal can be easily improved. .

  If exception communication is not permitted, resources for improving the internal state must be obtained offline, such as a CD-ROM, and the effort for improving the internal state will increase significantly, but allow exception communication. Thus, such trouble is reduced.

In addition, this invention is not limited to the said embodiment, A various deformation | transformation is possible. For example, the communication monitoring unit 250 may monitor other types of IP packets instead of ARP request packets flowing through the network. In this case, what is necessary is just to determine the necessity of disturbance with respect to the transmission source and / or transmission destination of another type of IP packet.
In addition, the OS of the terminal device that cannot be mis-learned is not limited to Windows XP or Windows Server 2008, and includes all OSs that cannot mislearn the MAC address of the target device to be disturbed in the pseudo-ARP response packet that is broadcast. It is.

1 is an overall view of a quarantine system. It is a figure which shows the recording medium with which the quarantine system computer program set was recorded. It is a block diagram of a quarantine control apparatus. It is a data structure figure of the terminal information table of a quarantine control apparatus. It is a block diagram of a quarantine target terminal device. It is a block diagram of a quarantine management server. It is an ARP outline sequence. It is the first half of the flowchart of an ARP request packet monitoring process. It is the second half of the flowchart of the ARP request packet monitoring process. It is a data structure figure which shows the setting content of the address part of a pseudo ARP response packet. It is a data structure figure which shows the setting content of the address part of an ARP request | requirement. It is a data structure figure which shows the setting content of the address part of a pseudo ARP response packet. It is a flowchart of an agent ping execution process. It is an agent ping protocol sequence. It is a list of agent ping “types”. It is a figure which shows the flag value of agent ping "check result." It is an agent ping start request protocol sequence. It is a flowchart of the periodic agent ping execution process with respect to a pass terminal. It is a data structure figure which shows the setting content of the address part of a pseudo ARP response packet. It is a flowchart of the periodic agent ping execution process with respect to an isolation terminal. It is a data structure figure which shows the setting content of the address part of a normal ARP response packet. It is a flowchart of the inspection process in a quarantine target terminal device. It is a flowchart of the 2nd terminal information table information transmission process by a quarantine management server. It is a flowchart of the 2nd terminal information table information reception process by a quarantine control apparatus. It is a data structure which shows the setting content of the address part of a pseudo ARP response packet. This is an ARP sequence until the interference is established. It is another ARP sequence until disturbance establishment. It is a detailed block diagram of a pseudo ARP response packet transmitter. It is a detailed block diagram of a normal ARP response packet transmitter. It is a flowchart which shows a disturbance process. (A) shows a static list table, (b) shows a unicast pseudo-ARP information table. It is a data structure which shows the address part of the ARP request | requirement for the terminal device which is mislearning the MAC address of the interference target terminal device to confirm the MAC address of the interference target terminal device.

Explanation of symbols

1: Quarantine system, 2: Quarantine control device, 210: Inspection unit (agent ping function unit), 211: Agent ping request transmission unit (inspection result transmission request unit), 212: Agent ping request transmission management unit, 213: Agent ping Response receiver (inspection result receiver),
214: Agent ping start request receiving unit (start request receiving unit), 220: determination unit, 220a: first determination unit, 220b: second determination unit (determination unit for using agent ping), 230: terminal information table, 230a: First terminal information table, 231: Passed terminal information table (non-disturbance target information), 232: Quarantine terminal information table (disturbance target information), 230b: Second terminal information table, 233: Permitted terminal information table (non-disturbance target information) ), 234: Prohibited terminal information table (interference target information), 235: Exception information table (exceptional communication permission information), 240: Table update unit, 241: First table update unit, 242: Second terminal information table & static List table update unit (management communication unit), 250: communication monitoring unit (ARP request monitoring unit), 251: ARP request capture 252: ARP request analysis unit (source and destination address acquisition unit), 260: communication jamming unit, 261: pseudo ARP response transmission unit, 261a: first pseudo ARP response transmission unit, 261b: identification unit, 261c : Second pseudo ARP response transmission unit, 262: pseudo ARP response transmission management unit, 263: static list table, 264: unicast pseudo ARP information table, 270: communication normalization unit, 271: normal ARP response transmission unit, 271a : First normal ARP response transmission unit, 271b: identification unit 271b, second normal ARP response transmission unit 272c, 280: exception communication unit, 281: communication relay unit, 290: unregistered terminal device processing unit, 291: ARP response transmission 292: ARP response receiver, 295: first terminal information table transmitter, 3: quarantine target terminal device, 310: inspection controller, 320 Inspection policy reception unit, 330: inspection unit, 331: inspection execution unit, 332: agent ping request reception unit (inspection result transmission request reception unit), 333: agent ping response generation unit, 334: agent ping response transmission unit (inspection result) 335: Agent ping start request transmission unit (transmission start request), 340: False learning processing unit, 341: Terminal information reception unit 341, 342: ARP table operation unit 342, 4: Quarantine management server (quarantine management computer) ), 410: table generation unit, 420: table transmission unit, 430: inspection policy generation unit, 440: inspection policy transmission unit, 5: in-house server, 6: router, 7: printer, 8: terminal without agent computer program Device, P1: Quarantine control computer program, P2: Age Cement computer program, P3: quarantine management computer program, D1: first region, D2: second region, D3: third region, D4: fourth region

Claims (26)

A quarantine control device including a communication disturbing unit that performs a communication disturbing process for a target terminal device that is required to interfere with communication among terminal devices connected to a network,
The communication disturbing unit is
First pseudo ARP response transmission that broadcasts a pseudo ARP response in which a transmission source IP address is the IP address of the interference target terminal device and a transmission source MAC address is a fake MAC address other than the MAC address of the interference target terminal device And
A second pseudo ARP response for unicasting a pseudo ARP response in which the source IP address is the IP address of the interference target terminal device and the source MAC address is a fake MAC address other than the MAC address of the interference target terminal device A transmission unit;
In the pseudo ARP response broadcasted by the first pseudo ARP response transmission unit, an identification unit for identifying a mis-learning impossible terminal device that cannot mislearn the MAC address of the interference target terminal device;
With
The second pseudo ARP response transmission unit unicasts the pseudo ARP response to a terminal device identified by the identification unit as a terminal device that cannot be mis-learned.   The quarantine control device according to claim 1, wherein the identification unit includes an excluding unit that excludes a predetermined terminal device from the mis-learnable terminal devices from a target for unicast transmission of the pseudo ARP response. The terminal device excluded by the exclusion means is a terminal device that cannot be mis-learned with an agent mounted thereon,
The quarantine control apparatus according to claim 2, wherein the agent performs an erroneous learning process of causing the terminal device on which the agent is installed to mislearn the MAC address of the terminal device to be disturbed. An excluded terminal device list indicating excluded terminal devices to be excluded from the unicast transmission target of the pseudo ARP response,
The quarantine control apparatus according to claim 2 or 3, wherein the terminal device excluded by the exclusion unit is an excluded terminal device indicated in the excluded terminal device list.   The quarantine control device according to any one of claims 2 to 4, wherein the terminal device excluded by the exclusion means is a terminal device other than a communication partner of the interference target terminal device. The exclusion means includes
In the first disturbance process after the state-of-interrupt terminal device transitions from a non-disturbance target terminal device that does not require interference to a target terminal device that needs to be disturbed, Without excluding the terminal device from the unicast transmission target of the pseudo-ARP response,
6. In the second and subsequent disturbance processing after the state transition, a terminal device other than the communication partner of the interference target terminal device is excluded from a target for unicast transmission of the pseudo ARP response. The quarantine control device described. A communication partner table for storing the interference target terminal device and its communication partner,
The quarantine control apparatus according to claim 5 or 6, wherein the exclusion unit recognizes a communication partner of the interference target terminal device by referring to the communication partner table.   The second pseudo ARP response transmission unit transmits the ARP request when a terminal device that has mislearned the MAC address of the interference target terminal device makes an ARP request for confirming the MAC address of the interference target terminal device. The quarantine control apparatus according to any one of claims 1 to 7, wherein the pseudo ARP response is transmitted to the terminal apparatus. The communication jamming unit is configured to perform jamming processing at the time of communication detection of the jamming target terminal device, and to periodically execute the processing.
In the jamming process at the time of communication detection of the jamming target terminal device, unicast transmission of the pseudo ARP response is performed together with broadcast transmission of the pseudo ARP response,
The quarantine control apparatus according to any one of claims 1 to 8, wherein, in the disturbance processing that is periodically executed, the pseudo ARP response is broadcasted without performing the unicast transmission of the pseudo ARP response. An obtaining unit for obtaining identification information for identifying whether or not the terminal device is the mis-learnable terminal device from the terminal device;
The quarantine control device according to any one of claims 1 to 9, wherein the identification unit identifies a terminal device that cannot be erroneously learned based on identification information acquired by the acquisition unit.   The said identification part is a quarantine control apparatus of any one of Claims 1-10 which identify a terminal device which cannot be mislearned according to the classification of OS which the said terminal device has.   The quarantine control apparatus according to claim 3, further comprising a transmission unit configured to transmit information indicating the interference target terminal apparatus to the agent mounted on the terminal apparatus.   The transmission means does not require interference when the terminal device makes a state transition from a non-disturbing target terminal device that does not need to be disturbed to a disturbing terminal device that needs to be disturbed or from a disturbing target terminal device that needs to be disturbed. 13. The quarantine control apparatus according to claim 12, wherein when the state transitions to a non-disturbance target terminal device, information indicating the interference target terminal device is transmitted.   A quarantine control computer program for causing a computer to function as the quarantine control device according to any one of claims 1 to 13. A communication jamming method for performing a jamming process for a jamming target terminal device that needs to be jammed among terminal devices connected to a network,
In the jamming process,
A pseudo ARP response in which a transmission source IP address is an IP address of the interference target terminal device and a transmission source MAC address is a fake MAC address other than the MAC address of the interference target terminal device is broadcast and transmitted.
In the pseudo ARP response broadcasted by the first pseudo ARP response transmission unit, the source IP address is set to the jamming-impossible terminal device that cannot mislearn the MAC address of the jamming target terminal device. A communication jamming method characterized by unicasting a pseudo-ARP response that is an IP address of a target terminal device and whose source MAC address is a fake MAC address other than the MAC address of the jamming target terminal device.   The said interference process WHEREIN: The said mis-learning impossible terminal is identified by acquiring the information which shows whether the said terminal device is a mis-learning impossible terminal apparatus from the said terminal device. Communication interruption method. A terminal device with an agent,
The agent performs a false learning that a false MAC address other than the MAC address of the target terminal device to be disturbed, which is required to interfere with communication, is the MAC address of the target terminal device to be disturbed. The terminal device characterized by including the mislearning processing part to be performed with respect to.   The terminal device according to claim 17, wherein the agent includes means for obtaining information indicating the terminal device to be disturbed from outside the terminal device through a network.   The terminal device according to claim 18, wherein the agent acquires information indicating a terminal device to be disturbed from the quarantine control device according to claim 12 or 13. A terminal device with an agent,
14. A transmission means for transmitting to the quarantine control device according to any one of claims 1 to 13 information indicating whether or not a terminal device on which the agent is mounted is the erroneous learning impossible terminal device. A terminal device.   The transmission means transmits, as information indicating whether or not the terminal device on which the agent is installed is the erroneously-learned terminal device, the type of OS included in the terminal device on which the agent is installed. The terminal device according to claim 20.   The agent computer program for functioning a computer as an agent of any one of Claims 17-21. A quarantine control computer program for causing a computer to function as the quarantine control device according to any one of claims 1 to 13,
An agent computer program for causing a computer to function as the agent according to any one of claims 17 to 21;
Computer programs, including. A false learning processing method in a terminal device on which an agent is mounted,
The agent performs a false learning that a false MAC address other than the MAC address of the target terminal device to be disturbed, which is required to interfere with communication, is the MAC address of the target terminal device to be disturbed. An erroneous learning processing method characterized by being performed on a computer. In a quarantine system in which a quarantine control device and a terminal device are connected via a network, a method of performing communication obstruction for an obstruction target terminal device that is required to obstruct communication among the terminal devices,
The quarantine control apparatus unicasts a pseudo ARP response in which the transmission source IP address is the IP address of the disturbance target terminal apparatus and the transmission source MAC address is a fake MAC address other than the MAC address of the disturbance target terminal apparatus. A unicast transmission step;
An agent installed in the terminal device includes an erroneous learning process step of performing an erroneous learning process of causing the terminal device equipped with the agent to erroneously learn the MAC address of the terminal device to be disturbed,
In the unicast transmission step, the pseudo-ARP response is unicast-transmitted to a terminal device other than the interference target terminal device and having no agent mounted thereon. A quarantine control device including a communication disturbing unit that performs a communication disturbing process for a target terminal device that is required to interfere with communication among terminal devices connected to a network,
The communication jamming unit unicasts a pseudo ARP response in which a transmission source IP address is an IP address of the jamming target terminal device and a transmission source MAC address is a fake MAC address other than the MAC address of the jamming target terminal device. A pseudo ARP response transmitter,
The pseudo ARP response transmitter is a terminal device other than the interference target terminal device and transmits the pseudo ARP response to a terminal device on which an agent is not mounted.
The quarantine control device, wherein the agent performs a false learning process for causing the terminal device on which the agent is installed to mislearn the MAC address of the terminal device to be disturbed.

Images