JP5477104B2 - Unauthorized connection prevention device and program - Google Patents

Description

  The present invention relates to an unauthorized connection prevention apparatus and program for preventing unauthorized connection to a network.

  In recent years, it has been a problem that information assets in a network are illegally accessed and secret information is leaked due to unauthorized connection to a company's local area network (LAN) or infection of a terminal in the network with a virus. It has become.

Generally, a terminal connected to a network in an IPv4 (Internet Protocol version 4) environment transmits an ARP (Address Resolution Protocol) request packet by broadcast in order to resolve an address. When receiving the ARP request packet, the target terminal of the ARP request packet returns an ARP response packet storing its own MAC address to the transmission source of the received ARP request packet. The transmission source of the ARP request packet receives this ARP response packet, and stores the MAC address stored in the received ARP response packet in the ARP cache. Through the above operation, the terminals in the network perform address resolution and communication.
Therefore, a method for preventing unauthorized access to a defense target using an ARP response packet is disclosed (for example, see Patent Document 1). In the method disclosed in Patent Document 1, a list of terminals that are permitted to connect to the network is used. More specifically, an ARP response packet having a fake MAC address is transmitted in response to an ARP request packet broadcast from an apparatus not registered in the list. In this way, terminals in the network can be protected from unauthorized access.
In the method described in Patent Literature 1, when an ARP request packet is transmitted to a broadband from a non-permitted device that is not registered in the list, a correct ARP response packet is returned from the information processing device to be protected, and then within the same network. The unauthorized connection prevention apparatus transmits an ARP response packet having a fake MAC address as a MAC address to be protected. As a result, the combination of the IP address and the MAC address of the information processing apparatus to be protected stored in the non-permitted apparatus does not match, so that unauthorized access can be prevented.

Japanese Patent Laying-Open No. 2005-079706

  As described above, in the method described in Patent Document 1, a terminal recognized as an unauthorized terminal is controlled so that it cannot communicate with all other terminals on the network. Among the terminals that are recognized as unauthorized terminals, there are also violated terminals that are identified as unauthorized due to reasons such as patches not being applied. Therefore, in order for a terminal that does not have a perfect patch to apply a patch, it is necessary to create a new closed network for applying the patch, or to store the patch in an external storage medium and each terminal that wants to apply the patch Must be patched from an external storage medium. All of these methods are complicated, and the burden on both the user and the administrator is large.

The present invention has been made in view of the above problems, and provides an unauthorized connection preventing apparatus and a program for controlling a violation terminal so that it can communicate with a specific terminal but cannot communicate with other terminals. The purpose is to do.
Another object of the present invention is to provide an unauthorized connection prevention apparatus and program that can be introduced without changing the network configuration while maintaining the security level.

In order to achieve the above object, an unauthorized connection prevention apparatus according to the first aspect of the present invention provides:
A communication unit connected to the network and performing communication in the network;
Registered terminal storage means for storing registered terminal identification information for identifying a registered terminal registered in advance;
Normal terminal storage means for storing normal terminal identification information for identifying a normal terminal that is the registered terminal permitted to communicate in the network;
Specific terminal storage means for storing specific terminal identification information for identifying a specific terminal that is specifically permitted to communicate with a violation terminal that is the registered terminal that is not permitted to communicate within the network;
When the communication unit receives the ARP request packet, the received ARP request packet, the registered terminal identification information stored in the registered terminal storage unit, the normal terminal identification information stored in the normal terminal storage unit, and the specific Based on the specific terminal identification information stored in the terminal storage means, packet transmission control means for transmitting a packet from the communication unit;
With
When the communication unit receives an ARP request packet that is an unregistered terminal whose transmission source is neither the registered terminal nor the specific terminal, the packet transmission control unit is configured to transmit the unregistered terminal to the target of the received ARP request packet . Sending a fake ARP response packet for changing the ARP cache to a fake one to the unregistered terminal;
The packet transmission control means transmits the fake ARP response packet to the violating terminal when the communication unit receives an ARP request packet whose source is the violating terminal and whose target is not the specific terminal.
It is characterized by that.

The program according to the second aspect of the present invention is:
A procedure for storing in a registered terminal storage means registered terminal identification information for identifying a registered terminal registered in advance in a computer;
A procedure for storing normal terminal identification information in the normal terminal storage means for identifying a normal terminal that is the registered terminal permitted to communicate in a network;
A procedure for storing in a specific terminal storage means specific terminal identification information for identifying a specific terminal that is specifically allowed to communicate with a violating terminal that is the registered terminal that is not permitted to communicate within the network;
When receiving the ARP request packet, the received ARP request packet, the registered terminal identification information stored in the registered terminal storage means, the normal terminal identification information stored in the normal terminal storage means, and the specific terminal storage means A procedure for determining the source and target of the ARP request packet based on the stored specific terminal identification information;
When an ARP request packet that is an unregistered terminal that is neither the registered terminal nor the specific terminal is received, the ARP cache of the unregistered terminal for the target of the received ARP request packet is changed to a false one. Sending to the unregistered terminal;
When the ARP request packet whose source is the violating terminal is received, a procedure for transmitting to the violating terminal that the ARP cache of the violating terminal for the target of the received ARP request packet is changed to a false one;
Is executed.

According to the present invention, it is possible to provide an unauthorized connection preventing apparatus that controls a violation terminal so that it can communicate with a specific terminal but cannot communicate with another terminal.
Furthermore, according to the present invention, it is possible to introduce an unauthorized connection preventing apparatus without changing the network configuration while maintaining the security level.

It is a block diagram which shows the unauthorized connection prevention system connected with the unauthorized connection prevention apparatus which concerns on embodiment of this invention. It is a block diagram which shows the structure of the unauthorized connection prevention apparatus of FIG. It is a figure which shows the registration terminal list which the unauthorized connection prevention apparatus of FIG. 2 memorize | stores. It is a figure which shows the specific terminal list which the unauthorized connection prevention apparatus of FIG. 2 memorize | stores. It is a figure which shows the normal terminal list which the unauthorized connection prevention apparatus of FIG. 2 memorize | stores. It is a figure which shows the unauthorized terminal list | wrist which the unauthorized connection prevention apparatus of FIG. 2 memorize | stores. It is a figure which shows the patch list which the unauthorized connection prevention apparatus of FIG. 2 memorize | stores. 3 is a flowchart of unauthorized connection prevention processing when an ARP request packet is received by the unauthorized connection prevention apparatus of FIG. 1. It is a figure which shows the data of the packet used with the unauthorized connection prevention apparatus of FIG. It is a figure which shows the data of the packet used with the unauthorized connection prevention apparatus of FIG. It is a figure which shows the data of the packet used with the unauthorized connection prevention apparatus of FIG. It is a figure which shows the data of the packet used with the unauthorized connection prevention apparatus of FIG. 6 is a flowchart of an application example of unauthorized connection prevention processing when an ARP request packet is received by the unauthorized connection prevention device of FIG. 1.

  Hereinafter, an unauthorized connection prevention system according to an embodiment of the present invention will be described with reference to the drawings.

As illustrated in FIG. 1, the unauthorized connection prevention system 1 according to the present embodiment includes a normal terminal 110, a violation terminal 120, an unregistered terminal 130, a patch server 140, and an unauthorized connection prevention device 150. These are connected to the same network 100.
Although there are one normal terminal 110, one violating terminal 120, one unregistered terminal 130, and one patch server 140 connected to the network 100, a plurality of terminals may be provided.

  Further, the normal terminal 110 and the violating terminal 120 are collectively referred to as a registered terminal 115, and the violating terminal 120 and the unregistered terminal 130 are collectively referred to as an unauthorized terminal 125.

  The normal terminal 110 is a terminal to which an optimal patch is applied. The normal terminal 110 includes a control unit including a CPU (Central Processing Unit), a ROM (Read Only Memory), and a RAM (Random Access Memory), a storage unit including a hard disk device, a NIC (Network Interface Card), a router, or a modem. And a communication unit including the like.

  The violating terminal 120 is a terminal whose communication on the network 100 is blocked by the unauthorized connection preventing apparatus 150 because the optimum patch is not applied. The violation terminal 120 is a computer including a control unit including a CPU, a ROM, and a RAM, a storage unit including a hard disk device, and a communication unit including a NIC, a router, or a modem.

  The unregistered terminal 130 is a terminal in which communication on the network 100 is blocked by the unauthorized connection prevention device 150 even when an optimal patch is applied. The unregistered terminal 130 is a computer including a control unit including a CPU, a ROM, and a RAM, a storage unit including a hard disk device, and a communication unit including a NIC, a router, or a modem.

  The patch server 140 is a device that provides a patch to the registration terminal 115. The patch server 140 is a computer including a control unit including a CPU, a ROM, and a RAM, a storage unit including a hard disk device, and a communication unit including a NIC, a router, or a modem. The patch server 140 stores a patch to be provided to the registration terminal 115 in the storage unit.

  As shown in FIG. 2, the unauthorized connection prevention device 150 includes a control unit 151 including a CPU, a ROM, and a RAM, a storage unit 159 including a hard disk device, a communication unit 152 including a NIC or a router or a modem, a keyboard or And an input unit 153 including a mouse or the like. The storage unit 159 stores a registered terminal list 154, a specific terminal list 155, a normal terminal list 156, an unauthorized terminal list 157, and a patch list 158.

  The ROM stores program data and the like, and the CPU executes processing according to the data program stored in the ROM. The RAM stores data necessary for the CPU to execute processing.

As shown in FIG. 3, in the registered terminal list 154, the MAC addresses of the normal terminal 110 and the violating terminal 120 are registered and stored in advance.
As shown in FIG. 4, the specific terminal list 155 stores the MAC address and IP address of the patch server 140.
As shown in FIG. 5, the normal terminal list 156 stores the MAC address and IP address of the normal terminal 110.
As illustrated in FIG. 6, the unauthorized terminal list 157 stores the MAC address and IP address of the violating terminal 120 and the MAC address and IP address of the unregistered terminal 130.
As shown in FIG. 7, the patch list 158 stores patch information for the unauthorized connection prevention apparatus 150 to check the patch application status of the registration terminal 115. The unauthorized connection prevention device 150 determines whether or not the registration terminal 115 can communicate with the network 100 based on the patch information stored in the patch list 158.

  The control unit 151 of the unauthorized connection prevention device 150 includes a transmission source MAC address and a target IP address of the ARP request packet received by the communication unit 152, a registered terminal list 154, a specific terminal 155 list, a normal terminal list 156, and an unauthorized terminal. Based on the terminal list 157, the unauthorized terminal 125 is allowed to communicate with the patch server 140 while blocking the communication of the unauthorized terminal 125 on the network 100.

  The configuration of the unauthorized connection prevention device 150 will be described in further detail.

  When the MAC address is input to the input unit 153 of the unauthorized connection prevention apparatus 150 illustrated in FIG. 2, the control unit 151 registers the input MAC address in the registered terminal list 154 (see FIG. 3) of the storage unit 159. To do.

The control unit 151 of the unauthorized connection prevention apparatus 150 connects to the network 100 via the communication unit 152 and repeatedly accesses the registered terminal 115 whose MAC address is registered in the registered terminal list 154. Based on the patch list 158, the control unit 151 determines whether or not the registered terminal 115 that has been accessed is applying the optimum patch. Based on the determination result, the control unit 151 repeatedly updates the normal terminal list 156 shown in FIG. 5 and the unauthorized terminal list 157 shown in FIG.
The unauthorized connection preventing apparatus 150 registers the MAC address and IP address of the registered terminal 115 to which the optimum patch is applied in the normal terminal list 156, and the MAC address and IP of the registered terminal 115 to which the optimum patch is not applied. The address is registered in the unauthorized terminal list 157.

When the unauthorized connection preventing apparatus 150 confirms that the optimum patch is applied to the unauthorized terminal 125, the MAC address and IP address of the unauthorized terminal 125 are automatically deleted from the unauthorized terminal list 157, Instead, the MAC address and IP address of the unauthorized terminal 125 are automatically registered in the normal terminal list 156.
Similarly, when the unauthorized connection preventing apparatus 150 confirms that the optimum patch has not been applied to the normal terminal 110, the MAC address and IP address of the normal terminal 110 are automatically deleted from the normal terminal list 156. Instead, the MAC address and IP address of the normal terminal 110 are automatically registered in the unauthorized terminal list 157.

  The control unit 151 receives the ARP request packet, and if the transmission source MAC address of the received ARP request packet is not stored in the registered terminal list 154, the transmission source of the ARP request packet is the unregistered terminal 130. Is determined. In this case, the control unit 151 stores the MAC address and IP address of the transmission source of the received ARP request packet in the unauthorized terminal list 157.

  In addition, the control unit 151 includes the transmission source MAC address and the target IP address of the ARP request packet received from the communication unit 152, the registered terminal list 154, the specific terminal 155 list, the normal terminal list 156, and the unauthorized terminal list 157. Based on, unauthorized connection prevention processing (see FIG. 8) at the time of receiving an ARP request packet is performed. Thereby, the control unit 151 permits the violating terminal 120 to communicate with the patch server 140 while blocking the communication of the unauthorized terminal 125 within the network 100.

In the unauthorized connection prevention process at the time of receiving the ARP request packet, the control unit 151 specifies the source MAC address of the ARP request packet received via the communication unit 152, the normal terminal list 156, the registered terminal list 154, and the like. By searching from the terminal list 155, it is determined whether the transmission source of the received ARP request packet is the normal terminal 110, the violating terminal 120, or the unregistered terminal 130.
In addition, the control unit 151 searches the specific terminal list 155 and the normal terminal list 156 for the target IP address of the ARP request packet received via the communication unit 152, so that the target of the received ARP request packet is the patch server. Whether the terminal 140 is an unauthorized terminal 125 or not is determined.
The control unit 151 transmits a packet from the communication unit 152 corresponding to the determined combination of the transmission source and the target.

When the transmission source MAC address of the received ARP request packet is stored in the normal terminal list 156, it is determined that the transmission source of the received ARP request packet is the normal terminal 110.
If the source MAC address of the received ARP request packet is not registered in the normal terminal list 156 and is stored in the registered terminal list 154, the source of the received ARP request packet is the violating terminal 120. It is determined that
If the source MAC address of the received ARP request packet is not registered in the specific terminal list 155 and is not registered in the registered terminal list 154, the source of the received ARP request packet is an unregistered terminal 130 is determined.

If the target IP address of the received ARP request packet is stored in the specific terminal list 155, it is determined that the target of the received ARP request packet is the patch server 140.
If the target IP address of the received ARP request packet is not registered in the specific terminal list 155 and not registered in the normal terminal list 156, the target of the received ARP request packet is the unauthorized terminal 125. Determined.

  When receiving the ARP request packet, the unauthorized connection prevention device 150 changes the target ARP cache to a false one when the transmission source of the received ARP request packet is the violation terminal 120 and the target is not the patch server 140 P1 (see FIG. 9) is transmitted to the violating terminal 120 that is the transmission source of the ARP request packet. In addition, the unauthorized connection prevention device 150 broadcasts and transmits a packet P2 (see FIG. 10) that changes the ARP cache for the violating terminal 120 that is the transmission source of the ARP request packet to a false one. Further, the unauthorized connection prevention apparatus 150 transmits to the patch server 140 a packet P3 (see FIG. 11) that changes the ARP cache for the violating terminal 120, which is an ARP request packet, to a correct one.

The violating terminal 120 that has transmitted the ARP request packet whose target is not the patch server 140 temporarily stores the correct MAC address in the ARP cache for the target by receiving the ARP response packet from the target. However, since the violating terminal 120 changes the ARP cache for the target to a false one by receiving the packet P1, the violating terminal 120 cannot communicate with the target of the ARP request packet.
In addition, when a terminal in the network 100 receives an ARP request packet from the violating terminal 120, the terminal temporarily stores a correct MAC address in the ARP cache for the violating terminal 120. However, since the ARP cache for the violating terminal 120 is changed to a false one by receiving the packet P2, the terminals in the network 100 cannot communicate with the violating terminal 120.
However, since the patch server 140 changes the ARP cache for the violating terminal 120 to the correct MAC address by receiving the packet P3, communication between the violating terminal 120 and the patch server 140 is permitted.

  Further, it is assumed that the transmission source of the received ARP request packet is the violation terminal 120 and the target of the received ARP request packet is the patch server 140. In this case, the unauthorized connection prevention apparatus 150 broadcasts and transmits a packet P2 (see FIG. 10) that changes the ARP cache for the violating terminal 120 that is the transmission source of the ARP request packet to a false one. Further, the unauthorized connection preventing apparatus 150 transmits to the patch server 140 a packet P3 (see FIG. 11) for changing the ARP cache for the violating terminal 120 that is the transmission source of the ARP request packet to a correct one.

The terminal that has received the ARP request packet from the violating terminal 120 temporarily stores the correct MAC address in the ARP cache for the violating terminal 120 that is the transmission source. However, by receiving the packet P2, the terminal changes the ARP cache for the violating terminal 120 to a false one. For this reason, the terminal in the network 100 cannot communicate with the violating terminal 120 that is the transmission source of the ARP request packet.
However, the patch server 140 changes the ARP cache of the violating terminal 120 that is the transmission source of the ARP request packet to a correct MAC address by receiving the packet P3. In addition, the violating terminal 120 that is the transmission source of the ARP request packet stores the correct MAC address of the patch server 140 in the ARP cache by receiving the ARP response packet from the patch server 140. As a result, the violation terminal 120 and the patch server 140 can communicate with each other.

  Further, it is assumed that the transmission source of the ARP request packet received by the unauthorized connection prevention device 150 is the normal terminal 110 and the target of the received ARP request packet is the unauthorized terminal 125. In this case, the unauthorized connection prevention device 150 transmits a packet P1 (see FIG. 9) that changes the ARP cache for the target of the received ARP request packet to a false one, to the normal terminal 110 that is the transmission source of the ARP request packet. . Further, the unauthorized connection preventing apparatus 150 changes the MAC address and IP address of the packet P4 (see FIG. 12) for changing the ARP cache for the normal terminal 110 that is the transmission source of the ARP request packet to a false one, and the unauthorized terminal list 157. It transmits to stored violation terminal 120 and unregistered terminal 130 by unicast.

The normal terminal 110 that has transmitted the ARP request packet whose target is the unauthorized terminal 125 temporarily stores the correct MAC address of the unauthorized terminal 125 in the ARP cache by receiving the ARP response packet from the target unauthorized terminal 125. . However, the normal terminal 110 changes the ARP cache for the illegal terminal 125 that is the target of the ARP request packet to a false MAC address by receiving the packet P1. As a result, the normal terminal 110 cannot communicate with the unauthorized terminal 125.
In addition, the unauthorized terminal 125 temporarily stores the correct MAC address ARP cache of the normal terminal 110 by receiving the ARP request packet from the normal terminal 110. However, the unauthorized terminal 125 changes the ARP cache for the normal terminal 110 to a fake MAC address when receiving the packet P4 after storing the correct MAC address. As a result, the unauthorized terminal 125 cannot communicate with the normal terminal 110.

  Also, assume that the transmission source of the received ARP request packet is the normal terminal 110 and the target of the received ARP request packet is not the unauthorized terminal 125. In this case, the unauthorized connection preventing apparatus 150 uses a packet P4 (see FIG. 12) for changing the ARP cache for the normal terminal 110 that is the transmission source of the received ARP request packet to a false one, and the MAC address and IP address are incorrect terminals. It transmits to the violation terminal 120 and the unregistered terminal 130 stored in the list 157 by unicast.

  A terminal in the network 100 temporarily stores the correct MAC address of the normal terminal 110 in the ARP cache by receiving the ARP request packet transmitted from the normal terminal 110. However, the unauthorized terminal 125 stores the fake MAC address as the MAC address of the normal terminal 110 in the ARP cache by receiving the packet P4 transmitted by unicast. As a result, the unauthorized terminal 125 cannot communicate with the normal terminal 110.

  In addition, a case will be described in which the unauthorized connection prevention apparatus 150 receives the unregistered terminal 130 as the transmission source of the received ARP request packet. In this case, the unauthorized connection prevention apparatus 150 transmits a packet P1 (see FIG. 9) for changing the ARP cache for the target of the received ARP request packet to a false one, to the unregistered terminal 130 that is the transmission source of the ARP request packet. To do. Further, the unauthorized connection prevention apparatus 150 transmits a packet P4 (see FIG. 12) for changing the ARP cache for the unregistered terminal 130 that is the transmission source of the ARP request packet to a false one.

The unregistered terminal 130 temporarily stores the correct MAC address of the target in the ARP cache by receiving the ARP response packet from the target of the transmitted ARP request packet. However, the unregistered terminal 130 that transmitted the ARP request packet stores the correct MAC address, and then receives the packet P1, thereby storing the fake MAC address in the ARP cache for the target of the transmitted ARP request packet. As a result, the unregistered terminal 130 cannot communicate with a terminal in the network.
By receiving the ARP request packet transmitted from the unregistered terminal 130, the terminal in the network 100 temporarily stores the correct MAC address of the unregistered terminal in the ARP cache. However, by receiving the packet P4, the terminal in the network 100 changes the ARP cache for the unregistered terminal that is the transmission source of the ARP request packet to a fake MAC address. For this reason, terminals in the network 100 cannot communicate with the unregistered terminal 130.

  Since the order of the ARP response packets is not guaranteed, the unauthorized connection prevention apparatus 150 transmits the packet P1 as a spare packet after transmission of the packet P1, for example, every 500 milliseconds. Sent 20 times.

Since the order of the ARP response packets is not guaranteed, for example, after the unregistered terminal 130 transmits the ARP request packet and receives the packet P1 from the unauthorized connection prevention device 150 for the transmitted ARP request packet, There is a case where an ARP response packet having a correct MAC address is received from the target of the transmitted ARP request packet.
In this case, the unregistered terminal 130 can communicate with the target of the transmitted ARP request packet.
However, since the unauthorized connection prevention device 150 transmits the packet P1 as a spare packet 20 times every 500 milliseconds, the unregistered terminal 130 receives again a spare packet having a fake MAC address as the target MAC address of the ARP request packet. It will be.
As a result, the unregistered terminal 130 cannot communicate with the target of the transmitted ARP request packet.
As described above, by transmitting the spare packet, even if the order of the ARP response packet is shifted, the communication block can be accurately executed.

  Next, unauthorized connection prevention processing performed when the unauthorized connection prevention apparatus 150 receives an ARP request packet will be described with reference to FIG.

Upon receiving the ARP request packet, the unauthorized connection prevention device 150 receives the source MAC address of the received ARP request packet and the target IP address of the ARP request packet, the registered terminal list 154, the specific terminal list 155, and the normal terminal list 156. And the unauthorized terminal list 157, respectively. By this search, the transmission source and the target of the ARP request packet are specified. The unauthorized connection prevention device 150 transmits a packet corresponding to the identified combination of the transmission source and the target.
First, the unauthorized connection prevention apparatus 150 determines whether or not the transmission source of the received ARP request packet is the violating terminal 120 (step S210).

  When the transmission source of the received ARP request packet is the violating terminal 120 (“YES” in step S210), the unauthorized connection prevention apparatus 150 determines whether the target of the received ARP request packet is the patch server 140 or not. (Step S211). If the target of the received ARP request packet is not the patch server 140 (“NO” in step S211), the unauthorized connection prevention apparatus 150 transmits the packet P1 (step S212), and transmits the packet P2 (step S213). The packet P3 is transmitted (step S214).

As described above, the packet P1 is an ARP response packet that changes the ARP cache for the target of the ARP request packet received by the unauthorized connection prevention apparatus 150 to a fake MAC address. The packet P1 is transmitted to the transmission source of the ARP request packet. Here, the fake MAC address is a fictitious MAC address that does not exist in the network 100.
As shown in FIG. 9, the destination MAC address and the source MAC address of the Ethernet (registered trademark) header of the packet P1 are the source MAC address of the received ARP request packet and the MAC address of the unauthorized connection prevention device 150, respectively. . The source MAC address, source IP address, target MAC address, and target IP address of the ARP header of the packet P1 are the fake MAC address, the target IP address of the received ARP request packet, and the source MAC address of the received ARP request packet, respectively. The source IP address of the received ARP request packet. The packet P1 is unicast to the violating terminal 120 that is the transmission source of the ARP request packet.

  The violating terminal 120 that has transmitted the ARP request packet (packet P1) temporarily stores the correct MAC address of the target in the ARP cache by receiving the ARP response packet from the target. However, after receiving the ARP response packet, the violating terminal 120 rewrites the ARP cache for the target of the transmitted ARP request packet to a fake MAC address by receiving the packet P1. As a result, the violating terminal 120 cannot communicate with the target of the ARP request packet.

As described above, the packet P2 is an ARP response packet that updates the ARP cache for the transmission source of the ARP request packet received by the unauthorized connection prevention apparatus 150 to the fake MAC address. The packet P2 is transmitted by broadcast to all terminals in the network 100.
As shown in FIG. 10, the destination MAC address and the source MAC address of the Ethernet (registered trademark) header of the packet P2 are the broadcast address and the MAC address of the unauthorized connection prevention device 150, respectively. The source MAC address, source IP address, target MAC address, and target IP address of the ARP header of the packet P2 are a fake MAC address, a source IP address of the ARP request packet, a broadcast address, and a source of the ARP request packet, respectively. IP address.

  The terminals in the network 100 temporarily store the correct MAC address of the violating terminal 120 that is the transmission source in the ARP cache in order to receive the ARP request packet transmitted by the violating terminal 120 by broadcast. However, since the terminal in the network 100 receives the packet P2 after receiving the ARP request packet, the ARP cache for the violating terminal 120 that is the transmission source of the ARP request packet is changed to a fake MAC address. As a result, the terminals in the network 100 cannot communicate with the violating terminal 120 that is the transmission source of the ARP request packet.

As described above, the packet P3 is an ARP response packet that updates the ARP cache for the transmission source of the ARP request packet received by the unauthorized connection prevention apparatus 150 to the correct MAC address. The packet P3 is unicasted to the patch server 140 whose MAC address and IP address are stored in the specific terminal list 155.
As shown in FIG. 11, the destination MAC address and the source MAC address of the Ethernet (registered trademark) header of the packet P3 are the MAC address of the patch server 140 and the MAC address of the offending terminal 120 that is the source of the ARP request packet, respectively. . The source MAC address, source IP address, target MAC address, and target IP address of the ARP header of the packet P3 are respectively the correct MAC address of the violating terminal 120 that is the source of the ARP request packet, and the source of the source of the ARP request packet. The IP address of the violating terminal 120, the MAC address of the patch server 140, and the IP address of the patch server 140.

  In the patch server 140 that has received the packet P2, the ARP cache for the violating terminal 120 that is the transmission source of the ARP request packet is temporarily changed to a fake MAC address. However, when receiving the packet P3 after receiving the packet P2, the patch server 140 changes the ARP cache for the violating terminal 120, which is the transmission source of the ARP request packet, to a correct MAC address. As a result, the patch server 140 can communicate with the offending terminal 120 that is the transmission source of the ARP request packet.

Further, the unauthorized connection preventing apparatus 150 transmits the packet P1 as a spare packet 20 times every 500 milliseconds (step S215).
Even if the ARP response packet is out of order and the violating terminal 120 that is the transmission source of the ARP request packet receives the packet P1 and then obtains the correct MAC address from the target, the packet P1 transmitted as a spare packet is further received. By doing so, communication in the network 100 of the violation terminal 120 can be blocked reliably.

  When the transmission source of the ARP request packet is the violating terminal 120 (“YES” in step S210) and the target is the patch server 140 (“YES” in step S211), the unauthorized connection prevention device 150 transmits the packet P2. (Step S216), the packet P3 is transmitted (Step S217).

The unauthorized connection prevention device 150 first broadcasts a packet P2 (see FIG. 10) that updates the ARP cache for the transmission source of the received ARP request packet to a fake MAC address. Subsequently, the unauthorized connection prevention apparatus 150 unicasts the packet P3 for updating the ARP cache for the transmission source of the received ARP request packet to the correct MAC address to all the patch servers 140 registered in the specific terminal list 155. To do.
In the terminal that has received the packet P2, the ARP cache for the violating terminal 120 that is the ARP request packet transmission source is changed to a fake MAC address. As a result, communication between the terminal and the violating terminal 120 that is the transmission source of the ARP request packet cannot be performed. However, the patch server 140 receives the packet P2 and then receives the packet P3, and the ARP cache for the violating terminal 120 is changed to the correct MAC address, so that communication with the violating terminal 120 becomes possible.

  Through steps S210 to S217, the violating terminal 120 is blocked from communicating within the network 100. However, communication between the offending terminal 120 and the patch server 140 is permitted.

  When the transmission source of the ARP request packet is not the violating terminal 120 (Step S210 is “NO”), the unauthorized connection prevention apparatus 150 determines whether or not the transmission source of the received ARP request packet is the normal terminal 110 (Step S210). S220). When the transmission source is the normal terminal 110 (“YES” in step S220), the unauthorized connection prevention apparatus 150 determines whether the target of the received ARP request packet is the unauthorized terminal 125 (step S221). . When the target of the received ARP request packet is the unauthorized terminal 125 (“YES” in step S221), the unauthorized connection prevention apparatus 150 transmits the packet P1 (step S222) and transmits the packet P4 (step S223). .

  As described above, the packet P1 is an ARP response packet that changes the ARP cache for the target of the ARP request packet received by the unauthorized connection prevention apparatus 150 to a fake MAC address. The packet P1 is transmitted to the transmission source of the ARP request packet.

  The normal terminal 110 that is the transmission source of the ARP request packet temporarily stores the correct MAC address of the target unauthorized terminal 125 in the ARP cache by receiving the ARP response packet from the target unauthorized terminal 125. However, the normal terminal 110 that is the transmission source of the ARP request packet stores the correct MAC address, and then receives the packet P1, thereby rewriting the ARP cache for the target unauthorized terminal 125 with a fake MAC address. This reliably blocks communication from the normal terminal 110 to the unauthorized terminal 125.

As described above, the packet P4 is an ARP response packet that changes the ARP cache for the transmission source of the ARP request packet received by the unauthorized connection prevention apparatus 150 to a fake MAC address. The packet P4 is transmitted by unicast to the unauthorized terminal 125 whose MAC address and IP address are stored in the unauthorized terminal list 157.
As shown in FIG. 12, the destination MAC address and the source MAC address of the Ethernet (registered trademark) header of the packet P4 are the MAC address of the unauthorized terminal 125 and the source MAC address of the ARP request packet stored in the unauthorized terminal list, respectively. It is. The source MAC address, source IP address, target MAC address, and target IP address of the ARP header of the packet P4 are a fake MAC address, a source IP address of the ARP request packet, a MAC address of the unauthorized terminal 125 that is the destination, and a destination, respectively. Is the IP address of the unauthorized terminal 125.

  By receiving the ARP request packet transmitted from the normal terminal 110, the unauthorized terminal 125 in the network 100 temporarily stores the correct MAC address for the normal terminal 110 that is the transmission source in the ARP cache. However, the unauthorized terminal 125 in the network 100 stores the correct MAC address and then receives the packet P4, thereby rewriting the ARP cache for the normal terminal 110 that is the transmission source of the ARP request packet to a fake MAC address. As a result, even if the ARP request packet is transmitted from the normal terminal 110, the unauthorized terminal 125 cannot store the correct MAC address of the normal terminal 110 in the ARP cache, and cannot communicate with the normal terminal 110. .

Subsequently, the unauthorized connection preventing apparatus 150 transmits the packet P1 as a spare packet 20 times every 500 milliseconds (step S224).
Even if the ARP response packet is out of order and the normal terminal 110 that is the transmission source of the ARP request packet receives the correct ARP response packet from the unauthorized terminal 125 that is the target of the ARP request packet after receiving the packet P1, Communication with the unauthorized terminal 125 of the normal terminal 110 can be blocked by the packet P1 transmitted as the packet.

  In the unauthorized connection prevention apparatus 150, when the transmission source of the received ARP request packet is the normal terminal 110 (step S220 is “YES”), and the target of the received ARP request packet is not the unauthorized terminal 125 (step S221 is “NO”). ) The packet P4 is transmitted by unicast to each unauthorized terminal 125 whose MAC address and IP address are stored in the unauthorized terminal list 157.

The unauthorized terminal 125 in the network 100 receives the ARP request packet broadcast from the normal terminal 110, and temporarily stores the correct MAC address of the normal terminal 110 that is the transmission source in the ARP cache. However, the illegal terminal 125 rewrites the ARP cache for the normal terminal 110 with a fake MAC address by receiving the packet P4 after storing the correct MAC address. As a result, the unauthorized terminal 125 is blocked from communicating with the normal terminal 110.
Further, since the normal terminal 110 that is the transmission source of the ARP request packet acquires the correct MAC address from the target of the ARP request packet, the normal terminal 110 is permitted to communicate within the network 100.

  By executing steps S220 to S225, the normal terminal 110 can perform communication within the network 100 while being protected from access from the unauthorized terminal 125.

  If the transmission source of the received ARP request packet is not the normal terminal 110 (step S220 is “NO”), the unauthorized connection prevention apparatus 150 determines whether the transmission source of the received ARP request packet is the unregistered terminal 130. (Step S230).

  If the transmission source of the received ARP request packet is the unregistered terminal 130 (step S230 is “YES”), the unauthorized connection prevention apparatus 150 transmits the packet P1 (step S231) and transmits the packet P2 (step S232). ).

  As described above, the packet P1 is an ARP response packet that changes the ARP cache for the target of the ARP request packet received by the unauthorized connection prevention apparatus 150 to a fake MAC address. The packet P1 is transmitted to the transmission source of the ARP request packet.

  By receiving the ARP response packet from the target of the transmitted ARP request packet, the unregistered terminal 130 that is the transmission source of the ARP request packet temporarily stores the correct MAC address in the ARP cache for the target of the transmitted ARP request packet. Remember me. However, by receiving the packet P1, the unregistered terminal 130 rewrites the ARP cache for the target of the transmitted ARP request packet with a fake MAC address. As a result, the unregistered terminal 130 cannot communicate with the target of the ARP request packet.

  As described above, the packet P2 is an ARP response packet that updates the ARP cache for the transmission source of the ARP request packet received by the unauthorized connection prevention apparatus 150 to the fake MAC address. The packet P2 is transmitted by broadcast to all terminals in the network 100.

  The terminal in the network 100 temporarily stores the correct MAC address of the unregistered terminal 130 in the ARP cache by receiving the ARP request packet transmitted from the unregistered terminal 130. However, the terminal in the network 100 changes the ARP cache for the unregistered terminal 130 to a fake MAC address by receiving the packet P2. For this reason, the terminal cannot communicate with the unregistered terminal 130.

Subsequently, the unauthorized connection preventing apparatus 150 transmits the packet P1 as a spare packet 20 times every 500 milliseconds (step S233).
Even if the unregistered terminal 130 that is the transmission source of the ARP request packet has received the packet P1 and has acquired the correct MAC address from the target of the ARP request packet, the ARP response packet has been sent out as a spare packet. Communication within the network of the violating terminal 120 can be blocked by the packet P1.

  Communication in the network of the unregistered terminal 130 is blocked by steps S230 to S233.

As described above, according to the present embodiment, communication between the patch server 140 registered in advance and the violating terminal 120 is enabled while blocking communication within the network 100 of the unauthorized terminal 125. In addition, the violation terminal 120 can automatically communicate with the normal terminal 110 when an optimum patch is applied.
Further, since the ARP request packet is transmitted by broadcast, the unauthorized connection preventing apparatus 150 can be introduced while maintaining the security level without changing the network configuration.

  The embodiment of the present invention has been described in detail so far, but the specific configuration is not limited to the above-described embodiment, and the present invention is not limited to the intended scope described in the claims. Various modifications and applications are possible.

  For example, the normal terminal 110, the violation terminal 120, and the unregistered terminal 130 have been described as computer terminals. However, the normal terminal 110, the violating terminal 120, and the unregistered terminal 130 may be an electronic device terminal connected to the network 100 that includes a control unit, a storage unit, and a communication unit.

Further, it has been described that the MAC address of the registered terminal 115 is registered in advance in the registered terminal list 154. However, registration in the registration terminal list 154 may be automated by installing a specific application in the registration terminal 115.
In this case, when a specific application installed in a terminal in the network 100 causes the terminal to transmit a packet including specific information, and the unauthorized connection prevention apparatus 150 receives the packet including the specific information, the unauthorized connection prevention apparatus 150 The MAC address of the transmission source of this packet is registered in the registered terminal list 154.

In the above embodiment, the unauthorized connection prevention apparatus 150 checks the patch application status by accessing the registration terminal 115, but checks the patch application status by installing a specific application on the registration terminal 115. May be.
This application causes the installed terminal to transmit the patch application status to the unauthorized connection prevention apparatus 150. The unauthorized connection prevention apparatus 150 receives the patch application status and confirms the received patch application status, thereby confirming whether the registration terminal 115 is applying the optimum patch.

  Further, by installing a specific application in the registration terminal 115, the installed application may perform both registration in the registration terminal list 154 of the registration terminal 115 and confirmation of the patch application status.

  In the above embodiment, the patch server 140 has been described as a computer terminal. However, the patch server 140 may be a NAS (Network Attached Storage) configured by integrating a hard disk, a network interface, an OS (Operating System), a management utility, and the like. May be saved.

In the above embodiment, the patch server 140 has been described as a single device, but the patch server 140 may be incorporated in the unauthorized connection prevention device 150.
In the above-described embodiment, the unauthorized connection prevention device 150 checks the patch application status of the registered terminal 115. However, a terminal other than the unauthorized connection prevention device 150 checks the patch application status, and the detected patch application status is illegally connected. You may transmit to the prevention apparatus 150.

Further, the normal terminal 110 has been described as the registration terminal 115 to which the optimal patch is applied, and the violation terminal 120 has been described as the registration terminal 115 to which the optimal patch has not been applied. However, it is not necessary to determine whether the optimum patch is applied. The determination criteria can be appropriately changed according to the system in which the unauthorized connection preventing apparatus 150 is introduced.
For example, fingerprint authentication, information included in a USB (Universal Serial Bus) dongle, or a password may be used. The registration terminal 115 transmits specific information (information included in a fingerprint image or USB dongle, an encryption code such as a password) to the unauthorized connection prevention device 150. When receiving the specific information, the unauthorized connection prevention device 150 collates the received information with the stored information, and when the information matches, the MAC address and IP address of the corresponding registered terminal 115 are determined as normal terminals. It may be temporarily registered in the list 156.
In this case, the patch server 140 need not be a server that stores patches, and can function as a server or NAS that stores shared files on the network 100, for example.

Further, the unauthorized connection prevention process at the time of receiving the ARP request packet is not limited to the flowchart described in the above embodiment. For example, steps S220 to S225 may be executed, steps S210 to S217 may be executed, and steps S230 to S233 may be executed.
Further, as shown in FIG. 13, the unauthorized connection prevention apparatus 150 determines whether or not the transmission source of the received ARP request packet is the violating terminal 120 (step S310), and if it is the violating terminal 120 (step S310). Is “YES”), the packet P2 is transmitted (step S311), and the packet P3 is transmitted (step S312). After transmitting the packet P3, the unauthorized connection preventing apparatus 150 determines whether or not the target is the patch server 140 (step S313). If the target is the patch server 140 (step S313 is “YES”), the process is terminated. If the target is not the patch server 140 (“NO” in step S313), the packet P1 may be transmitted (step S314), and the packet P1 may be transmitted as a spare packet (step S315).
Similarly, as shown in FIG. 13, if the transmission source of the received ARP request packet is a normal terminal (“YES” in step S320), the unauthorized connection prevention apparatus 150 first transmits a packet P4 (step S321). Whether or not the target is the unauthorized terminal 125 is checked (step S322). If the target is not the unauthorized terminal 125 ("NO" in step S322), the process is terminated, and if the target is the unauthorized terminal 125 (step S322) “YES”), packet 1 may be transmitted (step S323), and packet P1 may be transmitted as a spare packet (step S324).

  In the above-described embodiment, the program is described as being stored in advance in a memory or the like. However, a program for causing the communication apparatus to operate as all or part of the apparatus or to execute the above-described processing is a flexible disk, a CD (Compact Disk), a DVD (Digital Versatile Disk), or a MO (Magneto Optical disk). ) Or the like may be stored and distributed in a computer-readable recording medium, installed in another computer, and operated as the above-described means, or the above-described steps may be executed.

  Furthermore, the program may be stored in a disk device or the like included in a server device on the Internet, and may be downloaded onto a computer by being superimposed on a carrier wave, for example.

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

(Supplementary Note 1) A communication unit that connects to a network and performs communication within the network;
Registered terminal storage means for storing registered terminal identification information for identifying a registered terminal registered in advance;
Normal terminal storage means for storing normal terminal identification information for identifying a normal terminal that is the registered terminal permitted to communicate in the network;
Specific terminal storage means for storing specific terminal identification information for identifying a specific terminal that is specifically permitted to communicate with a violation terminal that is the registered terminal that is not permitted to communicate within the network;
When the communication unit receives the ARP request packet, the received ARP request packet, the registered terminal identification information stored in the registered terminal storage unit, the normal terminal identification information stored in the normal terminal storage unit, and the specific Based on the specific terminal identification information stored in the terminal storage means, packet transmission control means for transmitting a packet from the communication unit;
With
When the communication unit receives an ARP request packet that is an unregistered terminal whose transmission source is neither the registered terminal nor the specific terminal, the packet transmission control unit falsely sets an ARP cache for the target of the received ARP request packet. Send a fake ARP response packet to change to the unregistered terminal,
The packet transmission control means transmits the fake ARP response packet to the violating terminal when the communication unit receives an ARP request packet whose source is the violating terminal and whose target is not the specific terminal.
A device for preventing unauthorized connection.

(Supplementary Note 2) The packet transmission control means includes:
When the communication unit receives an ARP request packet whose source is the unregistered terminal,
Sending the fake ARP response packet to the unregistered terminal;
Broadcast to change the ARP cache for the unregistered terminal to a fake one,
The unauthorized connection prevention apparatus according to Supplementary Note 1, wherein

(Supplementary Note 3) The packet transmission control means includes:
When the communication unit receives an ARP request packet whose source is the violating terminal and whose target is not the specific terminal,
Sending the fake ARP response packet to the violating terminal;
Broadcasting to change the ARP cache for the violating terminal to a false one,
After broadcasting that the ARP cache for the violating terminal is changed to a false one, the fact that the ARP cache for the violating terminal is changed to a correct one is transmitted to the specific terminal.
The unauthorized connection preventing apparatus according to appendix 1 or 2, characterized in that:

(Supplementary Note 4) The packet transmission control means includes:
When the communication unit receives an ARP request packet whose transmission source is the violating terminal and whose target is the specific terminal,
Broadcasting to change the ARP cache for the violating terminal to a false one,
After broadcasting that the ARP cache for the violating terminal is changed to a false one, the fact that the ARP cache for the violating terminal is changed to a correct one is transmitted to the specific terminal.
The unauthorized connection prevention device according to any one of appendices 1 to 3, wherein

(Supplementary Note 5) The packet transmission control means includes:
When the communication unit receives an ARP request packet in which the transmission source is the normal terminal and the target is the unregistered terminal, and the communication unit receives an ARP request packet in which the transmission source is the normal terminal and the target is the violation terminal. If received,
Sending the fake ARP response packet to the normal terminal that is the source of the received ARP request packet;
The unauthorized connection prevention apparatus according to any one of appendices 1 to 4, wherein

(Appendix 6) Violation terminal storage means for storing violation terminal identification information for identifying the violation terminal,
When the communication unit receives an ARP request packet transmitted from the unregistered terminal, unregistered terminal storage means for storing unregistered terminal identification information for identifying the unregistered terminal included in the received ARP request packet is further provided. Prepared,
When the communication unit receives an ARP request packet whose transmission source is the normal terminal, the packet transmission control means stores the violation terminal identification information stored in the violation terminal storage means and the unregistered terminal storage means Based on the unregistered terminal identification information, the fact that the ARP cache for the normal terminal that is the transmission source of the received ARP request packet is changed to a false one is transmitted to each of the violating terminal and the unregistered terminal by unicast,
The unauthorized connection preventing apparatus according to any one of appendices 1 to 5, wherein

(Supplementary note 7) The packet transmission control means includes:
When the communication unit receives an ARP request packet in which the transmission source is the normal terminal and the target is the unregistered terminal, and the communication unit receives an ARP request packet in which the transmission source is the normal terminal and the target is the violation terminal. If received,
Sending the fake ARP response packet to the normal terminal;
The ARP cache for the normal terminal is changed to a false one and transmitted to each of the violating terminals and each of the unregistered terminals by unicast.
The unauthorized connection preventing apparatus according to any one of appendices 1 to 6, wherein

(Supplementary note 8) The packet transmission control means includes:
The communication unit receives an ARP request packet;
When the fake ARP response packet is transmitted to the transmission source of the received ARP request packet,
After transmission, a spare packet for changing the ARP cache for the target of the received ARP request packet to a false one is transmitted to the transmission source of the received ARP request packet a plurality of times in a certain period.
The unauthorized connection prevention device according to any one of appendices 1 to 7, wherein

(Supplementary Note 9) A connection determination criterion storage unit that stores a connection determination criterion that is a criterion for determining whether or not a terminal in the network may communicate within the network;
Based on the connection determination criterion stored in the connection determination criterion storage means, it is repeatedly determined whether the registration terminal may communicate within the network, and it is determined that the registration terminal may communicate over the network. Then, normal terminal determination means for outputting the registered terminal identification information for identifying the registered terminal for each determination,
Further comprising
The normal terminal storage means receives the registered terminal identification information output for each determination by the normal terminal determination means, and updates the stored normal terminal identification information based on the received registered terminal identification information.
The unauthorized connection preventing apparatus according to any one of appendices 1 to 8, characterized in that:

(Supplementary Note 10) Terminal registration means for receiving registration of a terminal connected to the network and outputting terminal identification information for identifying the terminal that has accepted registration;
In addition,
The registered terminal storage means receives the terminal identification information output by the terminal registration means, and stores the received terminal identification information;
The unauthorized connection preventing apparatus according to any one of appendices 1 to 9, characterized in that:

(Additional remark 11) The procedure which memorize | stores the registration terminal identification information which identifies the registration terminal previously registered in the computer in a registration terminal memory | storage means,
A procedure for storing normal terminal identification information in the normal terminal storage means for identifying a normal terminal that is the registered terminal permitted to communicate in a network;
A procedure for storing in a specific terminal storage means specific terminal identification information for identifying a specific terminal that is specifically allowed to communicate with a violating terminal that is the registered terminal that is not permitted to communicate within the network;
When receiving the ARP request packet, the received ARP request packet, the registered terminal identification information stored in the registered terminal storage means, the normal terminal identification information stored in the normal terminal storage means, and the specific terminal storage means A procedure for determining the source and target of the ARP request packet based on the stored specific terminal identification information;
When an ARP request packet that is an unregistered terminal that is neither the registered terminal nor the specific terminal is received, the unregistered terminal is notified that the ARP cache for the target of the received ARP request packet is changed to a false one. Sending instructions,
A procedure for transmitting to the violating terminal that the ARP cache for the target of the received ARP request packet is changed to a false one when receiving the ARP request packet whose transmission source is the violating terminal;
A program for running

1 Unauthorized Connection Prevention System 100 Network 110 Normal Terminal 115 Registered Terminal 120 Unauthorized Terminal 125 Unauthorized Terminal 130 Unregistered Terminal 140 Patch Server 150 Unauthorized Connection Prevention Device 151 Control Unit 152 Communication Unit 153 Input Unit 154 Registered Terminal List 155 Specific Terminal List 156 Normal Terminal list 157 Unauthorized terminal list 158 Patch list 159 Storage unit

Claims (10)

A communication unit connected to the network and performing communication in the network;
Registered terminal storage means for storing registered terminal identification information for identifying a registered terminal registered in advance;
Normal terminal storage means for storing normal terminal identification information for identifying a normal terminal that is the registered terminal permitted to communicate in the network;
Specific terminal storage means for storing specific terminal identification information for identifying a specific terminal that is specifically permitted to communicate with a violation terminal that is the registered terminal that is not permitted to communicate within the network;
When the communication unit receives the ARP request packet, the received ARP request packet, the registered terminal identification information stored in the registered terminal storage unit, the normal terminal identification information stored in the normal terminal storage unit, and the specific Based on the specific terminal identification information stored in the terminal storage means, packet transmission control means for transmitting a packet from the communication unit;
With
When the communication unit receives an ARP request packet that is an unregistered terminal whose transmission source is neither the registered terminal nor the specific terminal, the packet transmission control unit is configured to transmit the unregistered terminal to the target of the received ARP request packet . Sending a fake ARP response packet for changing the ARP cache to a fake one to the unregistered terminal;
The packet transmission control means transmits the fake ARP response packet to the violating terminal when the communication unit receives an ARP request packet whose source is the violating terminal and whose target is not the specific terminal.
A device for preventing unauthorized connection. The packet transmission control means includes
When the communication unit receives an ARP request packet whose source is the unregistered terminal,
Sending the fake ARP response packet to the unregistered terminal;
Broadcast to change the ARP cache for the unregistered terminal to a fake one,
The unauthorized connection preventing apparatus according to claim 1. The packet transmission control means includes
When the communication unit receives an ARP request packet whose source is the violating terminal and whose target is not the specific terminal,
Sending the fake ARP response packet to the violating terminal;
Broadcasting to change the ARP cache for the violating terminal to a false one,
After broadcasting that the ARP cache for the violating terminal is changed to a false one, the fact that the ARP cache for the violating terminal is changed to a correct one is transmitted to the specific terminal.
The unauthorized connection prevention device according to claim 1 or 2. The packet transmission control means includes
When the communication unit receives an ARP request packet whose transmission source is the violating terminal and whose target is the specific terminal,
Broadcasting to change the ARP cache for the violating terminal to a false one,
After broadcasting that the ARP cache for the violating terminal is changed to a false one, the fact that the ARP cache for the violating terminal is changed to a correct one is transmitted to the specific terminal.
The unauthorized connection prevention device according to any one of claims 1 to 3. The packet transmission control means includes
When the communication unit receives an ARP request packet in which the transmission source is the normal terminal and the target is the unregistered terminal, and the communication unit receives an ARP request packet in which the transmission source is the normal terminal and the target is the violation terminal. If received,
Sending the fake ARP response packet to the normal terminal that is the source of the received ARP request packet;
The unauthorized connection prevention apparatus according to any one of claims 1 to 4. Violation terminal storage means for storing violation terminal identification information for identifying the violation terminal,
When the communication unit receives an ARP request packet transmitted from the unregistered terminal, unregistered terminal storage means for storing unregistered terminal identification information for identifying the unregistered terminal included in the received ARP request packet is further provided. Prepared,
When the communication unit receives an ARP request packet whose transmission source is the normal terminal, the packet transmission control means stores the violation terminal identification information stored in the violation terminal storage means and the unregistered terminal storage means Based on the unregistered terminal identification information, the fact that the ARP cache for the normal terminal that is the transmission source of the received ARP request packet is changed to a false one is transmitted to each of the violating terminal and the unregistered terminal by unicast,
The unauthorized connection prevention device according to any one of claims 1 to 5. The packet transmission control means includes
When the communication unit receives an ARP request packet in which the transmission source is the normal terminal and the target is the unregistered terminal, and the communication unit receives an ARP request packet in which the transmission source is the normal terminal and the target is the violation terminal. If received,
Sending the fake ARP response packet to the normal terminal;
The ARP cache for the normal terminal is changed to a false one and transmitted to each of the violating terminals and each of the unregistered terminals by unicast.
The unauthorized connection preventing apparatus according to any one of claims 1 to 6. The packet transmission control means includes
The communication unit receives an ARP request packet;
When the fake ARP response packet, and transmits to the transmission source of those the ARP request packet,
After transmission, it transmits the source of the ARP cache of the ARP request packet to the target of those the ARP request packet the preliminary packets to change false ones, multiple times a period of time, the sender of the ARP request packet received ,
The unauthorized connection prevention device according to any one of claims 1 to 7. A connection criterion storage means for storing a connection criterion that is a criterion for determining whether or not a terminal in the network may communicate within the network;
Based on the connection determination criterion stored in the connection determination criterion storage means, it is repeatedly determined whether the registration terminal may communicate within the network, and it is determined that the registration terminal may communicate over the network. Then, normal terminal determination means for outputting the registered terminal identification information for identifying the registered terminal for each determination,
Further comprising
The normal terminal storage means receives the registered terminal identification information output for each determination by the normal terminal determination means, and updates the stored normal terminal identification information based on the received registered terminal identification information.
The unauthorized connection prevention device according to any one of claims 1 to 8. A procedure for storing in a registered terminal storage means registered terminal identification information for identifying a registered terminal registered in advance in a computer;
A procedure for storing normal terminal identification information in the normal terminal storage means for identifying a normal terminal that is the registered terminal permitted to communicate in a network;
A procedure for storing in a specific terminal storage means specific terminal identification information for identifying a specific terminal that is specifically allowed to communicate with a violating terminal that is the registered terminal that is not permitted to communicate within the network;
When receiving the ARP request packet, the received ARP request packet, the registered terminal identification information stored in the registered terminal storage means, the normal terminal identification information stored in the normal terminal storage means, and the specific terminal storage means A procedure for determining the source and target of the ARP request packet based on the stored specific terminal identification information;
When an ARP request packet that is an unregistered terminal that is neither the registered terminal nor the specific terminal is received, the ARP cache of the unregistered terminal for the target of the received ARP request packet is changed to a false one. Sending to the unregistered terminal;
When the ARP request packet whose source is the violating terminal is received, a procedure for transmitting to the violating terminal that the ARP cache of the violating terminal for the target of the received ARP request packet is changed to a false one;
A program for running

Images