JP5455870B2 - Network connection device - Google Patents

Description

  The present invention relates to a network connection device such as a switching hub and a router constituting a network system, and more particularly to login control to the network connection device.

For various settings of network connection devices such as switching hubs and routers and investigation of failure information,
This is done by logging into the network connection device from a console PC connected to the serial port of the network connection device. When logging in, enter your login ID and password.
When managing a plurality of network connection devices, it is difficult to change the login ID and password for each network connection device, and the same ID and password are likely to be obtained. In addition, when a failure occurs in the network connection device, the device is sent to the maintenance destination. From the viewpoint of security, it is necessary to change the ID and password each time, but there is a case where it is not performed.

  In particular, when the ID and password set in the network connection device are kept as they are, there is a possibility that information in the network connection device can be read in the case of theft. Even when the network connection device is discarded, there is a possibility that information in the network connection device can be read unless the setting contents are deleted.

  Japanese Patent Application Laid-Open No. 2004-133826 proposes a method for sucking setting information from a maintenance target network connection device using a maintenance tool and then deleting it from the network connection device as a security measure in the maintenance work of the network connection device.

JP 2009-265715 A

  However, when the maintenance tool is used, the workload of the administrator increases, which may be a burden. In addition, there is a risk that the cost of the product itself increases due to the development of a tool dedicated to maintenance. Moreover, even if data is sucked out by a maintenance tool or the like, the data itself may be lost or stolen.

  An object of the present invention is to provide a network connection device that facilitates security management of IDs and passwords of network connection devices, and cannot read device information even in the case of theft during maintenance or device disposal.

  In order to achieve at least a part of the above-described problem, an apparatus according to the present invention includes a plurality of ports, a communication control unit that performs communication via the ports, and identification information of devices connected via the ports. When a log-in request is received from a storage unit that stores a connection state and another device, the storage unit is referred to, and whether or not to log in to the network device is determined based on the connection state of the device indicated by specific identification information It has a processor.

  According to the present invention, it is possible to restrict login to the network connection device by determining permission / non-permission of login to the network connection device based on information of the network device connected to the network connection device. Can be prevented from being read.

An example of the connection relationship of devices on the LAN An example of an image with devices on the LAN removed Example of configuration diagram of network connection device according to the present invention Example of setting of authentication object setting table according to the present invention Example of configuration of connection destination device information table according to the present invention Example of configuration diagram of network connection device according to the present invention Example of configuration of connection destination device information table according to the present invention An example of setting change of the authentication target setting table according to the present invention Example of configuration diagram of network connection device according to the present invention Example of configuration of connection destination device information table according to the present invention An example of a flowchart of login control according to the present invention An example of setting change of the authentication target setting table according to the present invention An example of the configuration of an authentication target setting table according to the present invention Example of configuration of connection destination device information table according to the present invention An example of the configuration of an authentication target setting table according to the present invention Example of configuration of connection destination device information table according to the present invention An example of the configuration of an authentication target setting table according to the present invention Example of configuration of connection destination device information table according to the present invention An example of the configuration of an authentication target setting table according to the present invention Example of configuration of connection destination device information table according to the present invention

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 shows an example of a network system such as a company. The upstream of the GW 100 is connected to another network such as a WAN. SW1 101 and SW2 102 as switches are connected downstream of the GW 100. Furthermore, switches SW3 103 to SW10 110 are connected downstream of SW1 101. Switches SW11 111 to SW20 120 are connected downstream of SW2.

  The network administrator logs in the SW using a PC or the like when making individual settings of the SW1 101 to SW20 120. It is assumed that login IDs and passwords are set for each SW. However, when managing a large number of SWs, the network administrator keeps the SW IDs and passwords at the time of shipment. There is a risk of putting it all in the same password.

  If the SW20 120 of FIG. 1 is managed with the ID and password at the time of shipment, as shown in FIG. 2, if the SW20 120 is discarded or stolen and removed from the network, a third party who should not originally have access rights May log in by guessing the ID and password of SW20 120. If the settings at the time of operation remain in the SW20 120, the network configuration in the company leaks to the outside, which is not preferable in terms of security.

  In this embodiment, therefore, information is prevented from leaking from a device removed from the network by using a connection relationship with an adjacent device on the operating network for authentication.

  FIG. 3 shows an example of the configuration of the network connection apparatus according to the present invention. In the figure, reference numeral 300 denotes a network connection device, which includes a CPU 301, SW control unit 302, memory 303, nonvolatile memory 304, input / output port 3051, input / output port 3052, input / output port 3053, input / output port 3054, and serial port 306. Composed. The nonvolatile memory 304 stores an authentication target setting table 307 and a connection destination device information table 308 which will be described later. In the present embodiment, the number of input / output ports is only four for the purpose of explanation, but any number may be used.

  The SW-HUB 310 is a network device that connects to an upper network connected to the network connection device 300. PC 311 and PC 312 are network devices connected to the network connection device 300. Although it is PC as an example for explanation, it is not limited to PC. The SW control unit 302 performs input / output of the input / output ports 3051 to 3054 under the control of the CPU 301. The console PC 309 is connected to the serial port 306 and logs in to the network connection device 300 to perform various settings of the network connection device 300.

  FIG. 4 is an example of the authentication target setting table 307 that also appears in FIG. The authentication target setting table 307 is a table for setting which neighboring device is used for authentication. Hereinafter, the table in FIG. 4 is referred to as an authentication target setting table 400. The authentication target setting table 400 includes a group number 400a, a MAC address 400b, and a connection port 400c. The group number 400a is used to group devices used for authentication into a group. The MAC address 400b is a MAC address of a device used for authentication. The connection port 400c sets a connection port to which a device used for authentication is connected, but may not be used when the connection port is not used as an authentication condition. Further, the connection port 400c itself is not necessary.

  In the example of FIG. 4, since the record 401 and the record 402 are the same group number 400a “1”, they are the same authentication group. Therefore, it means that login is possible when both the MAC address 400b of “AAA” and “BBB” are connected. The connection port 400c is “any” and is not particularly used in this setting. That is, it may be connected to any connection port. Settings for using the connection port 400c will be described later.

  Next, FIG. 5 shows an example of the connection destination device information table 308. The connection destination device information table 308 is a table representing the connection status of 300 network connection devices. By using this together with the authentication target setting table 307, authentication processing using an adjacent device can be performed. Hereinafter, the table in FIG. 5 is referred to as a connection destination device information table 500. The connection destination device information table 500 represents the connection state of the network connection device 300 in FIG. Further, it is assumed that the authentication target setting table 400 of FIG. 4 is used as the setting.

  The connection destination device information table 500 includes a group number 500a, a MAC address 500b, a connection port 500c, a connection time 500d, a connection status 500e, a comparison target 500f, and a determination value 500g.

  The group number 500a indicates which authentication group in the authentication target setting table 307 the MAC address of the record belongs to. When the comparison target 500f is “target”, it indicates that the MAC address of the record is a comparison target for authentication. “Non-target” indicates that the MAC address of the record is not a comparison target for authentication. In other words, it is not registered in the authentication target setting table 307. The determination value 500g is the number of connected devices necessary for authentication. There are two MAC addresses whose group number 400a in FIG. 4 is “1”. Therefore, the determination value 500g of the record whose group number 500a is “1” in FIG. 5 is “2”.

  Communication between the connection port 3051 to the connection port 1054 of the network connection device 300 is performed based on the MAC address of the network device connected to the port by the SW control unit 302.

  In this embodiment, information of connected network devices possessed by the SW control unit 302 is collected by the CPU 301, and a connection destination device information table 308 is created in the nonvolatile memory 404. Here, the MAC address of the SW-HUB 310 is “AAA”, the connection port is 3051, the MAC address of the PC 311 is “BBB”, the connection port is 3052, the MAC address of the PC 312 is “CCC”, and the connection port is 3053.

  The MAC addresses of the SW-HUB 310, the PC 311 and the PC 312 are recorded in 500b of the connection destination device information table 500, and the connection port is recorded in 500c. Also, 500d records the time since the connection, and 500e records the current connection status. Such information is periodically collected and recorded by the CPU 501. For example, the MAC address acquired by ARP (Address Resolution Protocol) or the like is recorded. The group number 500a, the comparison target 500f, and the determination value 500g are stored with reference to the authentication target setting table 400 of FIG. 4 when the record is registered.

  4 and 5, MAC addresses “AAA” and “BBB” are set in the authentication target setting table 400 group number “1”. In the connection destination device information table 500, since both devices having the MAC addresses “AAA” and “BBB” included in the group number “1” used for authentication are connected, the network connection device 300 can perform login processing. It has become.

  Note that the group number 500a, the comparison target 500f, and the determination value 500g in the connection destination device information table 500 may be omitted because the authentication target setting table 400 may be referred to. If it is included, it is not necessary to refer to the authentication target setting table 400 every time the authentication is determined.

  Further, the setting information and the status information may be managed only by the connection destination device information table 500 of FIG. 5 without using the authentication target setting table 400 of FIG.

  In this case, the network administrator sets the group number 500a, the comparison target 500f, and the determination value 500g in the connection destination device information table 500 from the console PC 309 when the connection of the devices necessary for authentication is completed, and the network connection device 300 Set the login operation to login control state. For example, when only the SW-HUB 107 is used for authentication, the MAC address “AAA” of the SW-HUB 107 is a comparison target, the group number 500a is set to, for example, “1”, the comparison target 500f is set to “target”, and the SW -Since only one HUB 107 is set, the judgment value is set to 1. The MAC address 500b, connection port 500c, connection time 500d, and connection status 500e are automatically set by ARP or the like.

  The setting in the authentication target setting table 400 of FIG. 4 can be performed before or after connection to the network. When managing setting information and status information only with the connection destination device information table 500 of FIG. 5, the MAC address of the device connected to the network and connected to the connection destination device information table 500 by connecting a device necessary for authentication. It becomes possible after is set.

  Next, FIG. 6 shows another connection state of the network connection device according to the present invention. According to FIG. 6, only the SW-HUB 310 is connected to the network connection device 300. The authentication target setting table 400 remains as shown in FIG.

  In this case, the connection destination device information table is as shown in FIG. Hereinafter, the table in FIG. 7 is referred to as a connection destination device information table 700. Referring to the connection destination device information table 700, looking at the record 701, the SW-HUB 310 of the MAC address “AAA” to be compared is connected, but no other devices are connected. Therefore, login processing cannot be performed because there are no authentication target connections for the determination value “2”.

  Next, explanation will be given for the case where multiple authentication groups are created. The table in FIG. 8 is an example of an authentication target setting table, and is hereinafter referred to as an authentication target setting table 800. In the authentication target setting table 800, there are two group numbers “1” and “2”. In this case, the log-in process to the network connection device 300 can be performed if the condition of any group is satisfied. That is, the device with the MAC address “AAA” or “BBB” that is the condition of the group number “1” is connected to the network connection apparatus 300 or the device with the MAC address “CCC” that is the condition of the group number “2”. If is connected, login processing is possible.

  By setting a plurality of groups in this way, flexible login authentication can be performed. For example, it is possible to set a connection relationship with a specific adjacent network device in one group and set a MAC address of a PC for management by a network administrator in another group. When the MAC address “CCC” of the record 801 in FIG. 8 is the MAC address of the management PC, even if the network connection device 300 or its neighboring device is removed from the network for reasons such as repair, only the administrator manages it. You can log in with your PC.

  The above example will be described with reference to FIG. In the network connection device 300, the SW-HUB 310 is connected to the connection port 3051, and the administrator's console PC 309 is connected to the connection port 3053.

  The MAC address of the W-HUB 310 is “AAA”, and the MAC address of the console PC 309 is “CCC”.

  FIG. 10 shows a connection destination device information table representing the connection state of FIG. Hereinafter, the connection destination device information table 900 is referred to. Referring to the connection destination device information table 900, the MAC address “AAA” of the group number “1” is connected, but does not satisfy the determination value “2”, so the authentication condition is not satisfied.

  On the other hand, since the MAC address “CCC” of the group number “2” is connected and satisfies the determination value “1”, the authentication condition is satisfied. As a result, login processing to the network connection device 300 becomes possible.

  As can be seen from FIGS. 9 and 10, if the console PC 309 is connected through the connection port, the authentication process condition is satisfied, so that the network administrator can always log in to the network connection device 300 by carrying the console PC 309. However, even if a third party tries to use the network connection device 300 in a state where it is disconnected from the network, it cannot log in unless the console PC 309 itself is obtained.

  As described above, by setting a plurality of authentication groups, it is possible to achieve both security and flexibility during operation.

  Next, an authentication flow of the network connection apparatus 300 will be described with reference to FIG. In the initial shipment state of the network connection device 300, login control is in a normal state, and login can be performed by inputting an ID and password from the console. When performing authentication using the connection state with the adjacent connection device, it is necessary to set the “login control mode” while logged in. When “login control mode” can be logged in by entering the ID and password from the console regardless of the adjacent connected device as before, it is called “normal mode”.

  Hereinafter, the process of the flowchart of FIG. 11 will be described. When logging in to the network connection device 300, it is determined in S1100 whether the device is in the login control state. If not in the login control state, the login process is executed in S1103. The login process is a process of logging in by inputting an ID and password from a normal console. Instead, hardware authentication and input of ID and password may be omitted.

  If it is in the login control state, whether the MAC address set as the comparison target in S1101 is in the connected state is compared using the connection destination device information table 308. In step S1102, it is determined whether the number of MAC addresses compared is greater than or equal to a determination value. The determination is based on the number of MAC addresses of the same group number and the determination value of the group number. When the number of MAC addresses of any one group number is larger than the determination value of the group number, it is determined that a certain number or more matches. If there is a match for a certain number or more, the Login process of S1103 is executed. If the login is successful in S1104, the network connection apparatus 300 can be operated. If the number of connected MAC addresses is less than or equal to the determination value, or if the ID and password do not match and the Login process fails, the process returns to S1100.

  When the login process fails in the process of S1102 or S1104, the fact that the login has failed is displayed on the screen of the device operated by the user as in S1105. If it is not necessary, it may not be displayed.

  As described above, according to the present invention, the risk of information leakage can be reduced by not performing the normal login process of S1103 unless the conditions of the login control process of S1102 are satisfied. The presence of the step S1102 eliminates the possibility of being logged in even if the ID and password are guessed due to theft.

  Next, processing when the network connection device 300 is moved to a different network will be described. When the network management apparatus is operated in a situation different from the normal network environment for equipment movement or maintenance, normal login processing can be executed by registering the MAC address of the connected equipment in a different environment. FIG. 12 shows a modification example of the authentication target setting table.

  As another embodiment, a method for determining the MAC address of the authentication condition based on the connection time of the adjacent connection device will be described.

  FIG. 13a shows an example of the authentication target setting table. Hereinafter, it is referred to as an authentication target setting table 1300. In the authentication target setting table 1300, the group number “1” has the MAC address “any” and the connection time “1”. This means that the MAC address of the device with the longest connection time is set. Similarly, in the group number “2”, the MAC address is “any” and the connection time is “2”. This means that the MAC address of the device with the second longest connection time is set.

  In the example of the connection destination device information table 1301 in FIG. 13B, referring to the connection time 1302, the MAC address “AAA” of the device with the longest connection time belongs to the group “1”, and the device has the second longest connection time. MAC address “BBB” belongs to group “2”. In this case, as long as the device with either the MAC address “AAA” or “BBB” is connected, the login processing can be performed on the network connection device 300.

  An upstream device or the like that is likely to be connected for a long time by the method of this embodiment can be automatically set as an authentication target.

  As another embodiment, a method for determining an authentication condition by a combination of a MAC address and a connection port will be described.

  FIG. 14a shows an example of the authentication target setting table. Hereinafter, it is referred to as an authentication target setting table 1400. In the authentication target setting table 1400, a combination of a MAC address and a connection port can be set for each group.

  In the example of the connection destination device information table 1401 in FIG. 14B, the combination 1402 of the MAC address and the connection port is referred to and it is confirmed whether the authentication condition set for each group is satisfied.

  As another embodiment, a method for determining an authentication condition by a combination of a MAC address and an IP address will be described.

  FIG. 15a shows an example of the authentication target setting table. Hereinafter, it is referred to as an authentication target setting table 1500. In the authentication target setting table 1500, a combination of a MAC address and an IP address can be set for each group.

  In the example of the connection destination device information table 1501 in FIG. 15B, the combination of the MAC address 1502 and the IP address 1503 is referred to and it is confirmed whether the authentication condition set for each group is satisfied.

  As another embodiment, a method for determining an authentication condition by a combination of a MAC address, a connection port, and an IP address will be described.

  FIG. 16a shows an example of the authentication target setting table. Hereinafter, it is referred to as an authentication target setting table 1600. In the authentication target setting table 1600, a combination of a MAC address, a connection port, and an IP address can be set for each group.

  In the example of the connection destination device information table 1601 in FIG. 16B, the combination 1602 of the MAC address, the connection port, and the IP address is referred to, and it is confirmed whether the authentication condition set for each group is satisfied.

  As another example, the authentication target setting table and the connection destination device information table may be held in an external authentication server. In this case, when there is a login request, the network connection device 300 inquires whether the authentication server is allowed to authenticate, and the authentication server refers to the authentication target setting table and the connection destination device information table, and returns authentication permission / rejection.

  Further, only the authentication target setting table may be provided in the authentication server, and the connection destination device information table may be provided in the network connection apparatus 300. In this case, when there is a login request, the network connection device 300 inquires the contents of the authentication target setting table to the authentication server, and the authentication server returns the contents of the authentication target setting table.

  As described above, by using the present invention, it is possible to improve the security of the network connection device without preparing a special device. The present invention is not limited to the embodiments described in the embodiments, and can be implemented without departing from the scope of the invention. For example, if there is a table attribute that is not used in each embodiment, it may be removed or may be present.

  In addition, as a table setting example in each embodiment, a layout other than the layout described in the embodiment may be used. Even if it is not a relational database format, it may be stored in any format such as XML, text, and binary.

  Further, some or all of the settings on the screen for setting the authentication target setting table and the connection destination device information table displayed on the console PC or the like may be replaced with an abbreviation or another character. Thereby, for example, a part of the set MAC address or the like is displayed in the screen as a hidden character, so that it is possible to cope with a screen snooping.

300: Network connection device 301: CPU
302: SW control unit 303: Memory 304: Non-volatile memory 305 (3051, 3052, 3053, 3054): I / O port 306: Serial port 307: Authentication target setting table 308: Connection destination device information table 309: Console PC
310: SW-HUB
311: PC
312: PC

Claims (13)

A network device,
Multiple ports,
A communication control unit for performing communication via the port;
A storage unit for storing identification information of a device connected via the port and a connection state;
When a login request from the first device is received, the storage unit is referred to, and whether or not to log in to the network device is determined based on whether the second device indicated by the specific identification information is connected to the network device. A network device comprising a processor for determining. The network device according to claim 1, wherein
A network device, wherein a plurality of pieces of identification information used for determining whether or not to log in to the network device can be set. The network device according to claim 2, wherein
When a group is set for the combination of the identification information used to determine whether or not to log in to the network device, and a plurality of groups are set, devices indicated by all the identification information included in any group are connected A network device that permits login to the network device. The network device according to claim 2, wherein
The storage unit stores a connection time for each connected device,
The network device, wherein the processor selects the identification information used for determining whether or not to log in to the network device based on the length of the connection time. The network device according to claim 1, wherein
A network device characterized in that it can switch between a login control mode for determining whether or not to log in to the network device according to a connection state of a device indicated by the specific identification information, and a normal mode for determining whether or not to log in using only an ID and a password. . The network device according to claim 2, wherein
The processor is a screen for setting the identification information used to determine whether or not to log in to the network device, and generates a screen to be displayed on a device logged into the network device, and a part or all of the identification information A network device characterized by not replacing or displaying other characters. The network device according to claim 1, wherein
The identification information is a MAC address;
The storage unit further stores an IP address of the device connected via the port,
The network device, wherein the processor determines whether or not to log in to the network device based on a connection state of a device specified by a combination of the MAC address and the IP address. The network device according to claim 1, wherein
The identification information is a MAC address;
The storage unit further stores a port identifier of a port to which the device is connected,
The network device, wherein the processor determines whether or not to log in to the network device based on a connection state of a device specified by a combination of the MAC address and the port identifier. The network device according to claim 1, wherein
The identification information is a MAC address;
The storage unit further stores an IP address of the device connected through the port, a port identifier of the port to which the device is connected,
The network device, wherein the processor determines whether or not to log in to the network device based on a connection state of a device specified by a combination of the MAC address, the IP address, and the port identifier. The network device according to claim 5, wherein
In the login control mode, the network apparatus further performs login authentication using an ID and a password. A network device,
A first authentication mode for authenticating with an ID and a password;
A second authentication mode for performing authentication according to the connection state of the adjacent device;
When the second authentication mode is set, when a login request from another device is accepted, the connection state of the adjacent device is confirmed, and it is determined whether to reject the login request according to the result of the connection state. A network device. The network device according to claim 11, wherein
When it is determined that the login request is accepted as a result of the connection state, an input of an ID and a password is further accepted. The network device according to claim 11, wherein
In the second authentication mode, a plurality of connection conditions for neighboring devices that accept login requests can be set.

Images