JP6382244B2 - Packet filtering device - Google Patents

Description

  The present invention relates to a packet filtering device that controls whether or not a communication packet can pass between a terminal device connected to an internal network and an external device connected to an external network.

  Conventionally, a packet filtering device (layer 3 firewall) that restricts packet communication between computers connected to a network is known (see Patent Document 1). A conventional packet filtering device, for example, stores in advance conditions (filtering conditions) such as an IP address, a protocol, and a port number of a packet that is permitted (or not permitted) to pass, and a header of a packet that passes through the packet filtering device. Whether or not a packet can pass is controlled based on whether or not an IP address, a protocol, a port number, and the like included in the packet match this condition. Such a layer 3 firewall has a simpler process than a firewall that refers to information of layers higher than that, and thus can perform high-speed processing.

JP 2002-261788 A

  However, in the conventional packet filtering device, the conditions (filtering conditions) for determining whether or not packets can pass are described in terms of IP address, port number, protocol, and the like. It was difficult to figure out. In particular, when the IP address included in the filtering condition is described with a global IP address that is not under the management of the administrator, the external device (such as a server) under the management of anyone simply looks at the global IP address. It was difficult for the administrator to recognize whether there was any. For this reason, there is a problem that it takes time and effort to manage the filtering conditions, which increases the management burden.

  The present invention has been made in view of the above problems, and an object of the present invention is to provide a packet filtering device that can easily manage filtering conditions and reduce the administrative burden.

  The packet filtering device of the present invention is a packet filtering device that controls whether or not a communication packet can pass between a terminal device connected to an internal network and an external device connected to an external network, and is a target of the control. A storage unit for storing condition information including a condition for identifying the host name of the external device and IP address information including the IP address of the external device, and a communication packet transmitted from the terminal device to the external device are electronic A connection packet determination unit that determines whether or not the connection packet is based on a secure communication protocol using a certificate, and if the connection packet is determined, the terminal device is represented to the external device. A connection request transmission unit for transmitting a connection request based on the secure communication protocol; An electronic certificate acquisition unit that acquires an electronic certificate from the external device as a response, and a destination IP of the connection packet when a host name extracted from the acquired electronic certificate satisfies the condition of the condition information An IP address update unit that updates the IP address information using an address, and whether or not an IP address of a communication packet transmitted / received between the terminal device and the external device is included in the IP address information A communication control unit that controls whether or not the communication packet can pass.

  With this configuration, based on whether or not the host name extracted from the electronic certificate acquired from the external device is included in the filtering condition information stored in advance, the communication packet transmitted to the external device of that host name Passability is controlled. Here, “controlling whether or not communication packets can pass” refers to control that permits or prohibits passage of communication packets between a terminal device and an external device. The condition information is information that describes a condition for identifying the host name. For example, the condition information is information describing a pattern condition that can identify a host name such as a host name itself, FQDN (Fully Qualified Domain Name), or regular expression / wild card. Therefore, the administrator can manage using condition information that allows a person to easily recognize the content, not the filtering condition including a numeric string such as an IP address, and thus the management burden can be reduced.

  In the packet filtering device of the present invention, the condition information includes a condition for identifying a host name of the external device permitted to communicate with the terminal device, and the IP address updating unit acquires the acquired electronic certificate. When the host name extracted from the certificate satisfies the condition information, the connection control unit updates the destination IP address of the connection packet to be added to the IP address information, and the communication control unit updates the terminal device and the external device. When the IP address of the communication packet transmitted / received to / from the device is included in the IP address information, the communication packet may be permitted to pass.

  With this configuration, the host name of the external device that is allowed to communicate as being a trusted external device is included in the filtering condition information, and the host name extracted from the acquired electronic certificate is included in the filtering condition information. Then, the IP address information is updated based on the electronic certificate. Based on this IP address information, permission to pass communication packets is controlled. Thereby, the passage of the communication packet to the reliable external device can be appropriately permitted.

  In the packet filtering device of the present invention, the storage unit further stores prohibition condition information including a condition for identifying a host name of the external device that is prohibited from communicating with the terminal device, and the IP address update unit May delete the destination IP address of the connection packet from the IP address information when the host name extracted from the acquired electronic certificate satisfies the condition of the prohibition condition information.

  With this configuration, when prohibition condition information is set by an administrator or the like as an untrusted external device (for example, a server that performs malicious processing), the host name extracted from the acquired electronic certificate is included in the prohibition condition information. If it is registered, it is deleted from the IP address information based on the electronic certificate. Based on the IP address information, whether or not the communication packet can pass is controlled. As a result, even if the host name is registered in the condition information as an external device that can be trusted in the past, and the IP address of the external device is registered in the IP address information, the IP address information is changed based on the prohibition condition information. Can be updated appropriately. Therefore, the communication packet can be appropriately prohibited from passing to an unreliable external device.

  In the packet filtering device of the present invention, the storage unit stores the IP address information and the condition information in association with each other, and the IP address update unit stores the host name extracted from the acquired electronic certificate. When the condition of the condition information is satisfied, the destination IP address of the IP address information associated with the host name may be updated.

  With this configuration, even if the association between the host name of the external device and the IP address is dynamically changed by dynamic DNS (Domain Name System) or the like, it is based on the latest association after the change. Since the IP address information is also updated, it is possible to determine whether or not a packet can pass based on the latest association. Therefore, it is possible to appropriately prevent the packet from being erroneously passed (or not passed) based on the old IP address before the change corresponding to the host name of the external device.

  In the packet filtering device of the present invention, the storage unit stores a terminal IP address, which is an IP address of the terminal device, and the IP address information in association with each other, and the IP address update unit stores the acquired electronic When the host name extracted from the certificate satisfies the condition of the condition information, the IP address information associated with the terminal IP address equal to the source IP address of the connection packet is updated. Good.

  With this configuration, the packet filtering device obtains an electronic certificate from an external device by performing encrypted communication connection using the transport layer communication protocol on behalf of the terminal device, and based on the acquired electronic certificate, the terminal The IP address information is updated for each device. Therefore, the association between the host name of the external device and the IP address can be managed for each terminal device.

  In the packet filtering device of the present invention, the IP address update unit may update the IP address information based on a verification result of the electronic certificate.

  According to this configuration, when the verification result of the electronic certificate acquired from the external device is appropriate (for example, when the external device possesses the private key of the electronic certificate, the certificate can be verified, the electronic certificate The IP address information is updated based on the destination IP address of the connection packet. Therefore, an appropriate host name of the external device can be grasped. Thereby, the bad influence of the attack with respect to a DNS server, such as DNS poisoning, can be reduced, for example.

  According to the present invention, filtering conditions can be easily managed, and the administrative burden can be reduced.

1 is a schematic configuration diagram of a network system in an embodiment of the present invention. It is a block diagram of the packet filtering apparatus in the embodiment of the present invention. It is a figure which shows an example of the condition information in the embodiment of this invention, IP address information, prohibition condition information, and prohibition IP address information. It is a figure which shows an example of matching with condition information and IP address information in embodiment of this invention. It is a figure which shows an example of matching with the terminal IP address and IP address information in embodiment of this invention. It is a flowchart which shows operation | movement of the packet filtering apparatus in embodiment of this invention. It is a flowchart which shows the flow of the IP address information update process in embodiment of this invention. It is a sequence diagram explaining the flow of a process at the time of updating IP address information based on the DNS response of the packet filtering apparatus in embodiment of this invention, and filtering-controlling. It is a sequence diagram explaining the flow of a process at the time of updating IP address information based on SSL (Secure Socket Layer) / TLS (Transport Layer Security) communication of the packet filtering apparatus in embodiment of this invention, and filtering-controlling.

  Hereinafter, a packet filtering apparatus according to an embodiment of the present invention will be described with reference to the drawings. In the present embodiment, a case of a packet filtering device used for a firewall or the like that restricts packet communication between computers connected to a network will be exemplified.

  The configuration of the packet filtering apparatus according to the embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a diagram showing a schematic configuration of a network system to which the packet filtering apparatus of the present embodiment is applied. As shown in FIG. 1, the network system 1 includes a terminal device 3 (for example, terminal devices X, Y, and Z), a packet filtering device 4 (firewall), a DNS server 5, and an external network 6 connected to an internal network 2. The external device 7 (for example, external devices A, B, and C) connected to is provided. It is assumed that the packet filtering device 4 is connected to a location on the internal network where a DNS response from the DNS server 5 to the terminal device 3 can be intercepted. The terminal device 3 and the external device 7 are personal computers, for example, and the packet filtering device 4 has a function of filtering the passage of communication packets between the terminal device 3 and the external device 7.

  FIG. 2 is a block diagram showing a configuration of the packet filtering device 4. As shown in FIG. 2, the packet filtering device 4 includes a communication unit 40, an input unit 41, an output unit 42, a storage unit 43, and a control unit 44.

  The communication unit 40 has a function of communicating with the terminal device 3 and the DNS server 5 via the internal network 2. Further, the communication unit 40 has a function of communicating with the external device 7 via the external network 6. The input unit 41 is an interface for inputting various data and the like, and corresponds to, for example, an information input device such as a keyboard, a mouse, a touch panel, and a portable storage medium reader. The output unit 42 is an interface for outputting various data, and corresponds to an information output device such as a display or a storage device of a portable storage medium.

  The storage unit 43 stores condition information 430, IP address information 431, prohibited condition information 432, prohibited IP address information 433, and the like.

  FIG. 3 shows an example of condition information 430, IP address information 431, prohibited condition information 432, and prohibited IP address information 433. As shown in FIG. 3, the condition information 430 includes the host name (for example, host A, host B, host C, etc.) of the external device 7 that is a filtering control target (communication control target). In the condition information 430, the host name and FQDN of the external device 7 may be directly described, or may be described by a matching pattern such as a wild card or a regular expression. As described above, the condition information 430 only needs to describe a condition for identifying the host name of the external device 7. The condition information 430 is preset by the administrator. In the present embodiment, the condition information 430 is a white list method in which the host name of the external device 7 permitted to communicate with the terminal device 3 is described. However, not only the white list method but also a black list method in which the host name of the external device 7 that does not permit communication with the terminal device 3 is described.

  The IP address information 431 includes destination IP addresses (for example, global IP address A, global IP address B, and global IP address C) of communication packets that are filtering control targets (communication control targets). The IP address information 431 describes the IP address (global IP address) of the external device 7 that matches the condition information 430. The IP address information 431 is updated by the IP address updating unit 441 as will be described later, and it is determined whether or not the communication packet can pass based on the IP address information 431. The IP address information 431 may be null data (no information) in the initial state, or an IP address set in advance by an administrator may be registered. Further, communication packets from the terminal device 3 to the DNS server 5 are not subject to filtering control. That is, even if the IP address information 431 does not include the IP address of the DNS server 5, it is assumed that communication can be performed between the terminal device 3 and the DNS server 5 without restriction.

  The prohibition condition information 432 includes a condition for identifying the host name of the external device 7 that is prohibited from communicating with the terminal device 3. For example, the host name (eg, host H, host I, host J, etc.) or FQDN of the external device 7 that is prohibited from communicating with the terminal device 3 may be described directly, such as a wild card or a regular expression. It may be described by a matching pattern. The prohibition condition information 432 is set in advance by the administrator. In the present embodiment, the prohibition condition information 432 is described in a black list method. However, in other embodiments in which the condition information 430 is described in a black list method, the prohibition condition information 432 may be described in a white list method. Good (may be permission condition information).

  The prohibited IP address information 433 includes the IP address (for example, global IP address H, global IP address I, global IP address J, etc.) of the external device 7 whose communication with the terminal device 3 is prohibited. The prohibited IP address information 433 is preset by the administrator. In the present embodiment, the prohibited IP address information 433 is described in a blacklist format, but in other embodiments in which the IP address information 431 is described in a blacklist format, the whitelist format is used. (Allowed IP address information may also be used).

  The control unit 44 includes a DNS response interception unit 440, an IP address update unit 441, and a communication control unit 442 as a configuration for updating the IP address information 431 based on the DNS response and performing filtering control.

  The DNS response interception unit 440 has a function of intercepting (for example, sniffing) a communication packet from the DNS server 5 connected to the internal network 2 to the terminal device 3, and extracting a DNS response from the intercepted communication packet. . That is, when the terminal device 3 connects to the external device 7, a DNS request is transmitted to the DNS server 5 via the packet filtering device 4. The DNS server 5 transmits a DNS response as a response to this DNS request to the terminal device 3 via the packet filtering device 4. The DNS request includes the host name of the external device 7 that is the connection destination, and the DNS response includes the IP address (answer IP address) corresponding to the host name together with the host name. The DNS response interception unit 440 intercepts a DNS response including such an answer IP address.

  The IP address updating unit 441 can extract the host name and the reply IP address from the DNS response intercepted by the DNS response intercepting unit 440, and the host name extracted from the DNS response matches the condition of the condition information 430 The IP address information 431 is updated using the reply IP address (global IP address) included in the DNS response. For example, when the host name “host A” extracted from the DNS response is included in the condition information 430, the reply IP address “global IP address A (of host A)” included in the DNS response is the IP address information. 431 is added.

  The DNS response includes a CNAME (Canonical Name) type DNS response. In this case, in response to the DNS request for requesting the IP address of host A, a DNS response that refers to host B (same as host B) is returned. The terminal device 3 that has received this type of DNS response next sends a DNS request for requesting the IP address of the host B, and returns the IP address of the host B (that is, the IP address of the host A) as the response IP address. Receive as. The IP address updating unit 441 can extract the host name and the reply IP address from such a series of DNS responses (a plurality of DNS responses).

  In addition, when the host name extracted from the DNS response intercepted by the DNS response interception unit 440 is included in the prohibition condition information 432, the IP address update unit 441 uses the reply IP address included in the DNS response as the IP address. Delete from the information 431. For example, when the host name “host H” extracted from the DNS response is included in the prohibition condition information 432, the reply IP address “global IP address H (of host H)” included in the DNS response is the IP address. It is deleted from the information 431.

  The communication control unit 442 performs filtering control for controlling whether or not the communication packet can pass based on whether or not the IP address information 431 includes the destination IP address of the communication packet transmitted from the terminal device 3. In the present embodiment, the communication control unit 442 allows the communication packet to pass if the destination IP address of the communication packet transmitted from the terminal device 3 is included in the IP address information 431. On the other hand, if the destination IP address of the communication packet transmitted from the terminal device 3 is not included in the IP address information 431, passage of the communication packet is prohibited.

  The control unit 44 includes a connection packet determination unit 443, a connection request transmission unit 444, and a certificate information acquisition unit 445 as a configuration for updating the IP address information 431 and performing filtering control based on SSL / TLS communication. Yes.

  The connection packet determination unit 443 determines whether or not the communication packet transmitted from the terminal device 3 to the external device 7 is a connection packet of a secure communication protocol (for example, SSL / TLS connection) using an electronic certificate. . For example, when the port number of the communication packet is a port number that is normally assigned to the TLS connection such as “443”, the communication packet is determined to be a connection packet for TLS connection. However, the present invention is not limited to this, and if there is a possibility that the packet is a connection packet for secure communication protocol connection using an electronic certificate, the communication packet may be determined as a connection packet of the secure communication protocol. . For example, if it is a TCP connection packet, it may be determined as a secure communication protocol connection packet because there is a possibility of an SSL / TLS connection packet.

  The connection request transmission unit 444 substitutes the terminal device 3 for the external device 7 when the connection packet determination unit 443 determines that the connection packet is a secure communication protocol (TLS connection) using an electronic certificate. Then, a connection request (TLS connection request) for performing the same secure communication protocol (TLS connection) is transmitted.

  The certificate information acquisition unit 445 acquires an electronic certificate from the external device 7 as a response to the TLS connection request. In addition, the certificate information acquisition unit 445 has a function of verifying an electronic certificate acquired from the external device 7. For example, when it is possible to verify that the external device 7 has the private key of the electronic certificate, or when the validity of the certificate can be verified, the electronic certificate is a trusted certificate such as an EVSSL certificate. In this case, it is determined that the verification result is appropriate (the verification condition is satisfied).

  When the certificate information acquisition unit 445 acquires an electronic certificate from the external device 7 on behalf of the terminal device 3, the IP address update unit 441 includes the host name extracted from the acquired electronic certificate in the condition information 430. If the condition is satisfied, the IP address information 431 is updated using the destination IP address of the TLS connection packet transmitted by the terminal device 3 (that is, the global IP address of the external device 7 to which the terminal device 3 is to connect). Further, the IP address update unit 441, if the host name extracted from the electronic certificate acquired by the certificate information acquisition unit 445 is included in the prohibition condition information 432, the destination IP of the TLS connection packet transmitted by the terminal device 3 The address is deleted from the IP address information 431.

  Note that the IP address update unit 441 may update the IP address information 431 based on the verification result of the electronic certificate by the certificate information acquisition unit 445. That is, when the verification result of the electronic certificate acquired from the external device 7 is appropriate, the IP address information 431 is updated using the destination IP address of the TLS connection packet. On the other hand, if the verification result of the electronic certificate acquired from the external device 7 is not appropriate, the IP address information 431 is not updated using the destination IP address of the TLS connection packet.

  The operation of the packet filtering device 4 configured as described above will be described with reference to the flowcharts of FIGS. 6 and 7 and the sequence diagrams of FIGS.

  FIG. 6 is a flowchart showing the operation of the packet filtering device 4. As shown in FIG. 6, when performing filtering control of the passage of communication packets between the terminal device 3 and the external device 7, first, initial setting processing is performed in the packet filtering device 4 (S <b> 1). In this initial setting process, the IP address described in the prohibited IP address information 433 is read, and the IP address is deleted from the IP address information 431.

  Thereafter, the DNS response interception unit 440 of the packet filtering device 4 performs a process of intercepting (for example, sniffing) the communication packet (S2). In this case, the packet filtering device 4 intercepts all communication packets on the communication path. This makes it possible to check the header and payload of each communication packet in the subsequent processing.

  Next, the DNS response interception unit 440 determines whether or not the intercepted communication packet is a DNS response packet (S3). For example, based on the port number of the intercepted communication packet and the format of the payload, it can be determined whether the communication packet is a DNS response. When the communication packet intercepted by the DNS response interception unit 440 is a DNS response packet, the IP address update unit 441 performs update processing of the IP address information 431 (S4). Thereafter, the intercepted DNS response packet is transferred to the terminal device 3, and the process proceeds to S2 to resume the interception of the packet.

  If the intercepted communication packet is not a DNS response packet, it is determined whether or not it is a communication packet transmitted from the terminal device 3 to the external device 7 (S5). For example, based on the destination IP address of the intercepted communication packet, it can be determined whether or not the communication packet is transmitted from the terminal device 3 to the external device 7.

  When the communication packet is transmitted from the terminal device 3 to the external device 7, the communication control unit 442 allows the communication packet to pass based on whether or not the destination IP address is included in the IP address information 431. The process which determines whether or not is performed (S6). For example, in the case of the white list method, when the destination IP address is included in the IP address information 431, it is determined that the communication packet is allowed to pass.

  When it is determined that the communication packet is allowed to pass (S7), processing for passing the communication packet is performed (S8). On the other hand, when it is determined not to pass, the connection packet determination unit 443 determines whether or not the communication packet is a connection packet for TLS connection (S9). For example, the connection packet determination unit 443 determines whether the communication packet has the possibility of a connection packet for TLS connection based on the port number of the intercepted communication packet. It is determined that the packet is a connection packet. Specifically, when the port number of the communication packet is a port number that is normally assigned to a TLS connection such as “443”, it is determined that the communication packet is a connection packet for TLS connection. If it is not a connection packet for TLS connection, the communication packet is discarded (S10).

  When the connection packet determination unit 443 determines that the connection packet is for TLS connection, the packet filtering device 4 temporarily holds (caches) the transfer of the connection packet, and the connection request transmission unit 444 sends the connection request to the external device 7. On the other hand, a connection packet for TLS connection is transmitted (TLS connection request) on behalf of the terminal device 3 that has transmitted the connection packet (S11). That is, the IP address of the packet filtering device 4 itself is set as the transmission source IP address of the connection packet that is proxy-transmitted by the TLS connection request. Note that after sending the proxy TLS connection request (S11) first, it may be determined whether the packet is a connection packet for TLS connection (S9).

  Then, the certificate information acquisition unit 445 acquires an electronic certificate from the external device 7 as a response to the TLS connection request, and verifies the electronic certificate (S12). In this verification, whether or not the external device 7 possesses the private key of the electronic certificate, whether or not the acquired electronic certificate is valid, the acquired electronic certificate is an EVSSL certificate, etc. Verify whether it is a trusted certificate. Then, the certificate information acquisition unit 445 determines whether or not the verification result satisfies a predetermined verification condition (S13). It is assumed that the verification condition is set in advance by the administrator and stored in the storage unit 43. For example, if filtering control is to be performed based on a more reliable electronic certificate, a plurality (multiplex) such as “having a private key”, “valid electronic certificate”, “EVSSL certificate”, etc. Is set.

  If the IP address update unit 441 determines that the verification result satisfies the verification condition, the IP address update unit 441 performs an update process of the IP address information 431 (S14). Then, the communication control unit 442 determines whether or not to allow the communication packet to pass based on whether or not the destination IP address in the connection packet for TLS connection received from the terminal device 3 is included in the updated IP address information 431. Processing for determining whether or not (S6). On the other hand, when it is determined that the verification condition is not satisfied, the communication packet is discarded (S10).

  FIG. 7 is a flowchart showing the flow of the IP address information 431 update process executed by the IP address update unit 441. As shown in FIG. 7, when the update processing of the IP address information 431 is started, first, the host name extracted from the DNS response intercepted in S2 or the host name extracted from the electronic certificate acquired in S12 (hereinafter referred to as these It is determined whether or not the extracted host name is referred to as “extracted host name” in the condition information 430 (S20). That is, it is determined whether or not the extracted host name satisfies at least one of a plurality of conditions in the condition information 430.

  If the extracted host name satisfies the condition of the condition information 430, the reply IP address extracted from the DNS response or the destination IP address extracted from the connection packet for TLS connection (hereinafter, these extracted IP addresses are extracted. It is determined whether or not “prohibited IP address information 433” is included in the IP address information 433 (S21). If the extracted IP address is not included in the prohibited IP address information 433, the extracted IP address is added to the IP address information 431 (S22). If the extracted IP address is included in the prohibited IP address information 433, the IP address information update process is terminated without adding the extracted IP address to the IP address information 431.

  On the other hand, if the extracted host name is not included in the condition information 430 in S20, it is determined whether or not the extracted host name is included in the prohibited condition information 432 (S23). When the extracted host name is included in the prohibition condition information 432 and the extracted IP address is included in the IP address information 431, the extracted IP address is deleted from the IP address information 431 (S24). If the extracted host name is not included in the prohibition condition information 432, the IP address information update process ends.

  FIG. 8 is a sequence diagram illustrating the flow of processing when the IP address information 431 is updated and filtering control is performed based on the DNS response of the packet filtering device 4. As shown in FIG. 8, a DNS request is first transmitted from the terminal device 3 to the DNS server 5 (S100). As a response to this DNS request, a DNS response is transmitted from the DNS server 5 to the terminal device 3 via the packet filtering device 4. That is, a DNS response is transmitted from the DNS server 5 to the packet filtering device 4 (S101), and the packet filtering device 4 transfers the DNS response to the terminal device 3 (S102). At this time, the packet filtering device 4 intercepts the DNS response.

  In the present embodiment, a method of sniffing a DNS response is used to intercept the DNS response. However, the present invention is not limited thereto, and the packet filtering device 4 operates a relay program (for example, a DNS server program) that relays a DNS packet between the terminal device 3 and the DNS server 5 and refers to the operation history of the relay program. The DNS response may be intercepted. The DNS packet relay here is not a simple transport layer packet transfer, but a DNS program is received by a relay program operating on the packet filtering device 4, and the relay program creates a response to the DNS packet. Therefore, it refers to a process of obtaining necessary information by inquiring a higher-level DNS server and performing a response to the DNS packet based on the necessary information.

  Then, the packet filtering device 4 performs the update process of the IP address information 431 based on the intercepted DNS response (S103). For example, when the host name extracted from the intercepted DNS response (extracted host name) is the host name included in the condition information 430, the IP address (global IP address) is registered in the IP address information 431. Thereafter, when a communication packet is transmitted from the terminal device 3 to the external device 7 (S104), the packet filtering device 4 determines whether or not the communication packet can pass based on the IP address information 431 (S105). When the destination IP address of the communication packet is registered in the IP address information 431, the communication packet is allowed to pass. On the other hand, when the destination IP address of the communication packet is not registered in the IP address information 431, the communication packet is discarded. If it is determined that communication is permitted, the communication packet is transmitted to the external device 7.

  FIG. 9 is a sequence diagram illustrating the flow of processing when the IP address information 431 is updated and filtering control is performed based on the SSL / TLS communication of the packet filtering device 4. As shown in FIG. 9, first, a packet for making a TLS connection request to the external device 7 is transmitted from the terminal device 3 (S200). Upon intercepting the packet, the packet filtering device 4 temporarily holds the TLS connection request packet, generates a new TLS connection request packet on behalf of the terminal device 3 that has made the TLS connection request, and the external device 7. (S201). Then, as a response to the TLS connection request, an electronic certificate is transmitted from the external device 7 to the packet filtering device 4 (S202).

  The packet filtering device 4 verifies the electronic certificate acquired from the external device 7 (S203), and updates the IP address information 431 based on the acquired electronic certificate (S204). For example, if the condition information 430 includes a host name extracted from the acquired electronic certificate (extracted host name), the destination IP address (global IP address of the external device 7) of the TLS connection request in S200 is set to IP. Register in the address information 431. Thereafter, based on whether or not the IP address of the communication packet of the TLS connection request in S200 is registered in the IP address information 431, it is determined whether or not the communication packet can pass (S205). If it is determined that communication is permitted, the TLS connection request once suspended in S200 is transmitted to the external device 7 (S206), and a TLS session is established between the terminal device 3 and the external device 7. (S207). Thereafter, when a communication packet is transmitted from the terminal device 3 to the external device 7, the packet filtering device 4 determines whether or not the communication packet can pass based on the IP address information 431, and the destination IP address of the communication packet is If registered in the IP address information 431, the communication packet is allowed to pass. On the other hand, when the destination IP address of the communication packet is not registered in the IP address information 431, the communication packet is discarded. Note that the terminal device 3 may be notified of “connection failure” without causing the TLS connection request to be suspended, and the terminal device 3 may be caused to transmit an SSL / TLS connection request again. Further, the TLS connection request may be ignored and the retransmission from the terminal device 3 may be waited.

  According to the packet filtering device 4 of this embodiment, whether the host name (extracted host name) extracted from the intercepted DNS response or the electronic certificate obtained by proxy satisfies the condition information 430 stored in advance. Whether or not the communication packet transmitted to the external device 7 having the host name is allowed to pass is controlled based on whether or not it is passed. The condition information 430 is information that can identify the host name itself, or a host name such as FQDN or regular expression, for example. Therefore, the administrator can easily recognize the contents of the filtering condition (condition information 430), and the administrative burden can be reduced.

  Further, since the packet filtering device 4 of the present embodiment extracts the host name from the intercepted DNS response or the electronic certificate acquired by proxy, the destination IP address of the communication packet matches the condition information 430 (satisfaction It can be determined without making a reverse inquiry to the DNS server 5.

  In general, a host name and an IP address are not necessarily associated in a one-to-one relationship. For example, a plurality of IP addresses are associated with one host name, or a plurality of IP addresses are associated with one IP address. A host name is associated. Therefore, the host name obtained by making a reverse query to the DNS server 5 does not necessarily match the host name of the external device 7 that the terminal device 3 is trying to access. In such a case, when performing filtering control using the host name described in the condition information 430, a device that makes a reverse lookup query to the DNS server for the host name does not pass a communication packet that should be allowed to pass through. Alternatively, a situation may occur in which a communication packet that should not be passed is passed.

  On the other hand, in the packet filtering device 4 of the present embodiment, whether or not a communication packet can pass is controlled based on the IP address information 431. This IP address information 431 is updated by comparing the host name (extracted host name) extracted by intercepting the DNS response sent and received by the terminal device 3 with the DNS server 5 in advance and the condition information 430. Information. Therefore, the IP address of the external device 7 that the terminal device 3 is trying to access can be accurately associated with the host name, and it is possible to appropriately determine whether or not the communication packet can pass.

  In the packet filtering device 4 of the present embodiment, the IP address information 431 is updated by comparing the extracted host name obtained from the electronic certificate with the condition information 430. Therefore, even if the access is from the terminal device 3 that does not make a name resolution query to the DNS server (for example, access by directly inputting the global IP address of the external device 7), the IP address information 431 is updated. can do. Further, the host name with higher reliability of the external device 7 can be grasped, and for example, the adverse effect of the attack on the DNS server such as DNS poisoning can be reduced.

  In the present embodiment, the condition information 430 includes a condition for identifying the host name of the host name of the external apparatus 7 that is permitted to communicate as being the reliable external apparatus 7, and the extracted host name is the condition information. If 430 is satisfied, the IP address information 431 is updated. Based on this IP address information 431, permission to pass communication packets is controlled. Thereby, only the communication packet to the reliable external apparatus 7 can be appropriately passed.

  Further, in this embodiment, when the prohibition condition information 432 is set by the administrator or the like as an unreliable external device 7 (for example, an external device 7 that performs malicious processing), the host extracted from the intercepted DNS response If the name satisfies the condition of the prohibition condition information 432, the name is deleted from the IP address information 431 based on the DNS response. Based on the IP address information 431, whether or not the communication packet can pass is controlled. As a result, even if the host name is registered in the condition information 430 as the external device 7 that can be trusted in the past, and the IP address of the external device 7 is registered in the IP address information 431, it is based on the prohibition condition information 432. Thus, the IP address information 431 can be updated appropriately. Therefore, the passage of communication packets to the unreliable external device 7 can be appropriately prohibited.

  In the present embodiment, when the verification result of the electronic certificate acquired from the external device 7 is appropriate (for example, when the external device 7 has the private key of the electronic certificate, the certificate can be verified) The IP address information 431 is updated based on the destination IP address of the connection packet in the case where the electronic certificate is a trusted certificate such as an EVSSL certificate. Therefore, a more reliable host name of the external device 7 can be grasped.

  The embodiments of the present invention have been described above by way of example, but the scope of the present invention is not limited to these embodiments, and can be changed or modified according to the purpose within the scope of the claims. is there.

  In the above embodiment, the storage unit 43 stores the IP address information 431 and the condition information 430 in separate tables. However, the present invention is not limited to this, and the storage unit 43 may store the IP address information 431 and the condition information 430 in association with each other as shown in FIG. In the example of FIG. 4, host A and global IP address A are associated, host B and global IP address B are associated, and host C and global IP address C are associated. Note that common ID information may be given to the condition information 430 and the IP address information 431, and the condition information 430 and the IP address information 431 may be associated with each other via the ID information. A plurality of IP addresses can be associated with one host name (condition).

  In this case, if the extracted host name satisfies the condition of the condition information 430 in the IP address information update process (Yes in S20), the IP address update unit 441 associates the IP address information associated with the extracted host name. The IP address of 431 is updated. For example, when the extracted host name “host A” is included in the condition information 430 (Yes in S20), the “host A” and the “global IP address X” of the IP address information 431 are already associated with each other. Updates the “global IP address X” using the extracted IP address “global IP address A” in S22.

  As a result, even if the association between the host name and the IP address of the external device 7 is dynamically changed by dynamic DNS or the like, the IP is based on the changed association (latest association). Since the address information 431 is also updated, it is possible to determine whether or not a packet can pass based on the latest association. Therefore, it is possible to appropriately prevent the packet from being erroneously passed (or not passed) based on the old IP address associated with the host name of the external device 7.

  In the above embodiment, the storage unit 43 stores the terminal IP address (local IP address), which is the IP address of the terminal device 3, and the IP address information 431 without associating them. However, not limited to this, as illustrated in FIG. 5, the storage unit 43 may store the terminal IP address of the terminal device 3 and the IP address information 431 in association with each other. In the example of FIG. 5, the local IP address A, the global IP address A, and the global IP address B are associated with each other, and the local IP address B and the global IP address C are associated with each other.

  In this case, if the extracted host name satisfies the condition of the condition information 430 (Yes in S20), the IP address updating unit 441, in S22, the IP address (or TLS connection request) of the terminal device 7 that is the DNS response transmission destination. The IP address information 431 associated with the terminal IP address equal to the IP address of the terminal device 7 that performed the update is updated. For example, the extracted host name “host A” is included in the condition information 430 (Yes in S20), and the terminal IP address “local IP address A” and the IP address equal to the IP address of the terminal device 7 to which the DNS response is transmitted If “global IP address A” is already associated, a new extracted IP address “global IP address X” is added to the IP address information 431 so as to correspond to the “local IP address A”.

  Thereby, the packet filtering apparatus 4 intercepts the DNS response transmitted / received with the DNS server 5, and updates the IP address information 431 for every terminal device 3 based on the intercepted DNS response. Therefore, the association between the host name and the IP address of the external device 7 can be managed for each terminal device 3, and the association between the IP address and the host name obtained from the DNS response by the terminal device 3 is accurately managed. can do. Therefore, it can be determined whether or not the access from the terminal device to the external device is based on the DNS response. That is, when the terminal device 3 sends a communication packet to the external device 7 other than the IP address information 431 associated with the terminal IP address of the terminal device 3, the communication packet is inquired with the DNS server 5. (For example, the IP address is directly input on the terminal device 3 side) and the packet is transmitted.

  The communication control unit 442 includes the destination IP address of the communication packet transmitted from the terminal device 3 in the IP address information 431 associated with the terminal IP address that matches the IP address of the transmission source of the communication packet. The passage of the communication packet may be controlled based on whether or not it is transmitted.

  In the above embodiment, the communication control unit 442 determines whether the IP address information 431 includes the destination IP address of the communication packet from the terminal device 3 to the external device 7 (that is, the global IP address of the external device 7). Based on this, it is determined whether or not the communication packet can pass. However, the present invention is not limited to this. Based on whether or not the IP address information 431 includes the transmission source IP address of the communication packet transmitted from the external device 7 to the terminal device 3, it is determined whether or not the communication packet can pass. Also good. For example, when the source IP address of the SYN / ACK packet transmitted from the external device 7 to the terminal device 3 as a reply to the SYN packet transmitted from the terminal device 3 to the external device 7 is included in the IP address information 431, The SYN / ACK packet may be discarded as non-passable. Further, even when a UDP packet can be transmitted directly to the terminal device 3 from an external device in which DNS name resolution has not been performed in the terminal device 3, the source IP address of the packet is not included in the IP address information 431. You may make it discard.

  As described above, the packet filtering apparatus according to the present invention can easily manage filtering conditions and reduce the burden on management, and can be used between computers connected to a network. This is useful as a firewall that restricts packet communication.

DESCRIPTION OF SYMBOLS 1 Network system 2 Internal network 3 Terminal apparatus 4 Packet filtering apparatus 5 DNS server 6 External network 7 External apparatus 40 Communication part 41 Input part 42 Output part 43 Memory | storage part 44 Control part 430 Condition information 431 IP address information 432 Prohibited condition information 433 Prohibited IP address information 440 DNS response interception unit 441 IP address update unit 442 communication control unit 443 connection packet determination unit 444 connection request transmission unit 445 certificate information acquisition unit

Claims (6)

A packet filtering device that controls whether or not a communication packet can pass between a terminal device connected to an internal network and an external device connected to an external network,
A storage unit for storing condition information including a condition for identifying a host name of the external device to be controlled, and IP address information including an IP address of the external device;
A connection packet determination unit that determines whether a communication packet transmitted from the terminal device to the external device is a connection packet based on a secure communication protocol using an electronic certificate;
A connection request transmission unit that transmits a connection request based on the secure communication protocol on behalf of the terminal device to the external device when it is determined that the packet is the connection packet;
An electronic certificate acquisition unit that acquires an electronic certificate from the external device as a response to the connection request;
An IP address update unit that updates the IP address information using a destination IP address of the connection packet when a host name extracted from the acquired electronic certificate satisfies the condition information condition;
A communication control unit that controls whether or not the communication packet can pass based on whether or not an IP address of a communication packet transmitted and received between the terminal device and the external device is included in the IP address information;
A packet filtering device comprising: The condition information includes a condition capable of identifying a host name of the external device permitted to communicate with the terminal device,
The IP address update unit updates the destination IP address of the connection packet to be added to the IP address information when the host name extracted from the acquired electronic certificate satisfies the condition of the condition information;
2. The communication control unit according to claim 1, wherein when the IP address information includes an IP address of a communication packet transmitted and received between the terminal device and the external device, the communication control unit permits the communication packet to pass. Packet filtering device. The storage unit further stores prohibition condition information including a condition for identifying a host name of the external device for which communication with the terminal device is prohibited,
The IP address update unit deletes the destination IP address of the connection packet from the IP address information when a host name extracted from the acquired electronic certificate satisfies the condition of the prohibition condition information. 3. The packet filtering device according to 2. The storage unit stores the IP address information and the condition information in association with each other,
The IP address update unit updates the destination IP address of the IP address information associated with the host name when the host name extracted from the acquired electronic certificate satisfies the condition information condition The packet filtering device according to any one of claims 1 to 3. The storage unit stores a terminal IP address, which is an IP address of the terminal device, and the IP address information in association with each other,
The IP address update unit is associated with the terminal IP address equal to the source IP address of the connection packet when the host name extracted from the acquired electronic certificate satisfies the condition information condition. The packet filtering apparatus according to claim 1, wherein the IP address information is updated.   The packet filtering device according to claim 1, wherein the IP address update unit updates the IP address information based on a verification result of the electronic certificate.

Images