JP6829615B2 - A device that monitors transmitted packets - Google Patents

Description

The present invention relates to a technique for monitoring transmitted packets.

As a background technique of the present disclosure, Japanese Patent Application Laid-Open No. 2000-349851 is known. Japanese Unexamined Patent Publication No. 2000-349851 discloses a technique that enables security control and priority control corresponding to a session in a packet transfer device that communicates between terminals belonging to each network. Specifically, "when it is determined whether or not the packet output from the main processing unit that executes the routing process, the filtering process, and the priority control process conforms to the session opening condition, and the conformity is determined for the packet, the packet is determined. It retains packet information and sends subsequent packets belonging to the same session based on the packet information, bypassing the main processing unit. ”(Summary).

Japanese Unexamined Patent Publication No. 2000-349851

For example, edge computing analysis / monitoring delivers an analysis program to a customer base where there is no data analyst. The analysis program is encrypted because it requires a security function that prevents the analysis program from being taken out by the site manager (customer manager). The customer manager cannot check the output contents of the analysis program. The data analyst performs the analysis work of the analysis result of the analysis program in the data center where the customer manager is absent, for example.

As in the above example, when an application program that cannot be managed by the customer is executed at the customer's site, the application program has a security function (information leakage monitoring function) to prevent confidential data in the site from being taken out. Required. Furthermore, it is desired to reduce the processing load for information leakage monitoring.

A typical example of the present invention is a device that monitors a packet transmitted from a packet source located within a security boundary defined by a network address, and stores a processor and a program executed by the processor. The processor manages the position of the destination network address of the packet transmitted from the packet source with respect to the security boundary, including the memory, and the network address on the security boundary and the network address within the security boundary. Based on the management information, it is specified, the packet whose destination network address is an address outside the security boundary is discarded, and the monitoring process is executed for the packet whose destination network address is a network address on the security boundary. ..

According to one aspect of the present invention, the processing load for monitoring information leakage can be reduced.

A configuration example of the system of the first embodiment is shown. A general computer configuration is shown. A configuration example of the computer IP address list in the shield is shown. A configuration example of the shield boundary computer IP address list is shown. A configuration example of the filter policy is shown. An example of packet configuration is shown. The flow chart of the process of the analysis result confirmation unit and the data analysis unit is shown. A flowchart including a monitoring process by a network I / O recording & filter unit in a distribution source computer and a distribution destination computer is shown. The detailed flowchart of the process based on the filter policy is shown. A configuration example of the system of the second embodiment is shown. A configuration example of the transfer control table is shown. A configuration example of the gateway computer IP address / MAC address list is shown. A flowchart for creating a transfer control table is shown. A flowchart of processing in the distribution source computer and the distribution destination computer is shown. The flowchart of the process of the switch device A and the switch device B is shown. The flowchart of the processing of the packet transfer part in the gateway computer A / gateway computer B is shown. The flowchart of the processing of the network I / O recording & filter part in the gateway computer A / gateway computer B is shown. A configuration example of the system of the third embodiment is shown. A configuration example of the filter computer IP address / MAC address list is shown. A flowchart for creating a transfer control table is shown. The flowchart of the processing of the packet transfer part in the gateway computer A is shown. A configuration example of the system of the fourth embodiment is shown. A configuration example of the taint area list is shown. A configuration example of a taint bitmap is shown. The flowchart of the process by the taint area tracking unit is shown. A flowchart of processing in each of the delivery destination computer and the delivery source computer is shown. The flowchart of the processing of the received packet by the network I / O recording & filter unit is shown. The flowchart of the processing of the transmission packet by the network I / O recording & filter unit is shown.

Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. It should be noted that the present embodiment is merely an example for realizing the present invention and does not limit the technical scope of the present invention.

In this embodiment, the network I / O recording & filter program is executed on the distribution source computer and the distribution destination computer of the analysis program. In this embodiment, the analysis program and the analysis result confirmation program are executed in the virtual machines in the distribution destination computer and the distribution source computer, respectively. The Hypervisor and network I / O recording & filtering programs run on the host OS.

The network I / O recording & filtering program executed on the delivery destination computer monitors the I / O (confidential data leakage) issued by the analysis program. The analysis program and the virtual machine are the sources of the packets, respectively. The network I / O recording & filtering program executed on the distribution source computer monitors the I / O (confidential data leakage) issued by the analysis result confirmation program. The analysis result confirmation program and the virtual machine are the sources of the packets, respectively.

The customer manager defines a security boundary (data shield) in the network in advance. Data, including sensitive data, is allowed to move within the data shield. The nodes at the data shield boundary and the nodes within the data shield are managed in the management information. In this example, the data shield is defined by these nodes. In the examples described below, the data shield is defined by an IP address, which is an example of a network address.

For example, the distribution destination computer, the distribution source computer, and the base database that stores the data analyzed by the analysis program are the computers in the data shield. In the examples described below, the proxy server is defined as the data shield boundary calculator.

The network I / O recording & filtering program filters packets sent by the monitoring response program based on their location in the data shield of the destination node. A packet is a data unit that is forwarded over a network and is a data unit at any communication protocol layer.

In the example described below, the network I / O recording & filtering program blocks (discards) packets destined for a node (IP address) outside the data shield. This reduces the load for data leakage monitoring and allows packets transferred outside the data shield to pass through the nodes at the data shield boundary.

The network I / O recording & filtering program selects packets destined for a node (IP address) at the data shield boundary and executes monitoring processing. The monitoring process performs filtering and / or logging. Packets destined for a node (IP address) in the data shield are forwarded without performing monitoring processing. This reduces the analytical load for data leakage monitoring.

The network I / O recording & filtering program performs filtering according to a preset filter policy for network I / O via IP addresses on the data shield boundary. The filter policy prohibits PUTs of a predetermined size or larger in, for example, a packet of write = http via a proxy server.

The network I / O record & filter program logs packets destined for IP addresses on the data shield boundary. For example, the network I / O recording & filtering program logs all packets or logs some packets selected according to the filter policy. The network I / O recording & filtering program may execute only one of filtering and logging of packets destined for a node on the data shield boundary.

In the example described below, the distribution source computer executes an external device I / O recording & filtering program. The external device I / O recording & filter program monitors data leakage from the analysis result confirmation program to an external storage device such as a hard disk drive (HDD) or a USB flash drive. The delivery destination computer may also execute an external device I / O recording & filter program to monitor data leakage from the analysis program to the external storage device.

FIG. 1A shows a configuration example of the system of this embodiment. In FIG. 1A, different components having the same function may be labeled with the same reference numerals. The distribution source computer 111 and the distribution destination computer 112 of the data analysis program are connected via the network 104. In the example of FIG. 1A, the network is a VPN (Virtual Private Network). The distribution source computer 111 is installed in the data center 101, and the distribution destination computer 112 is installed in a base different from the data center 101.

The distribution source computer 111 and the distribution destination computer 112 access the I / O log database (DB) 121 and the configuration DB 122 via the VDC 104 or another network. The I / O log database (DB) 121 and the configuration DB 122 are stored in, for example, a server computer installed in a data center 101 or a base 102, respectively. The base DB 123 is stored in, for example, a server computer in the base 102, and is accessed from the delivery destination computer 112.

The proxy servers 113 and 114 are installed in the data center 101 and the base 102, respectively. Proxy servers 113 and 114 mediate data communication between other computers and the external network (Internet 103).

The data shield 131, which is the security boundary in the network, is predefined in the system. Within the data shield 131, the movement of data including confidential data is permitted. The data shield 131 is defined by the nodes in the system.

Specifically, it is defined by the nodes in the data shield and the boundary nodes of the data shield. In the example of FIG. 1A, the proxy servers 113 and 114 are boundary nodes, and the other nodes except the external storage device 125 are in-shield nodes. A calculator is an example of a node.

The delivery destination computer 112 includes a data analysis unit 143, a Hypervisor 145, a network I / O recording & filter unit 147, and a host OS 148. The data analysis unit 143 acquires and analyzes the base data 155 in the base DB 123 via the NIC (Network Interface Card).

The data analysis unit 143 is realized by the processor executing the data analysis program on Hypervisor 145. The analysis result of the data analysis unit 143 is transmitted to the network I / O recording & filter unit 147 via Hypervisor 145. The network I / O recording & filtering unit 147 is realized by the processor executing the network I / O recording & filtering program on the host OS 148.

As will be described later, the network I / O recording & filter unit 147 is a monitoring unit that monitors the network I / O of the data analysis unit 143. The network I / O recording & filtering unit 147 refers to the information stored in the configuration DB 122 and executes filtering and logging of packets from the data analysis unit 143.

The configuration DB 122 stores the in-shield computer IP address list 152, the shield boundary computer IP address list 153, and the filter policy 154. The information in the configuration DB 122 is preconfigured by the customer manager. The network I / O recording & filtering unit 147 stores the information of the I / O log of the data analysis unit 143 in the I / O log 151 of the I / O log DB 121. The I / O log 151 is checked by the customer manager.

The analysis result is further transferred from the network I / O recording & filter unit 147 to the distribution source computer 111 via the NIC and the VDC 104. The delivery destination computer 112 is a source computer for a packet showing the analysis result, and the delivery source computer 111 is a reception computer for the packet.

The distribution source computer 111 includes an analysis result confirmation unit 141, a Hypervisor 145, an external device I / O recording unit 146, a network I / O recording & filter unit 147, and a host OS 148. In the distribution source computer 111, the analysis result is transmitted to the network I / O recording & filter unit 147 via the NIC and the host OS 148. The network I / O recording & filtering unit 147 is realized by the processor executing the network I / O recording & filtering program on the host OS 148.

The network I / O recording & filtering unit 147 is a monitoring unit that monitors the network I / O of the analysis result confirmation unit 141. The network I / O recording & filter unit 147 reads and holds the information stored in the configuration DB 122 in advance. The network I / O recording & filtering unit 147 refers to the configuration information and executes filtering and logging of packets from the analysis result confirmation unit 141. The network I / O recording & filtering unit 147 stores the information of the I / O log of the analysis result confirmation unit 141 in the I / O log 151 in the I / O log DB 121.

The analysis result confirmation unit 141 receives the analysis result from the network I / O recording & filter unit 147 via Hypervisor 145. The analysis result confirmation unit 141 transmits the data to the user terminal used by the data analyst. The analysis result is stored in, for example, the auxiliary storage of the distribution source computer 111. The analysis result confirmation unit 141 is realized by the processor executing a data analysis program on Hypervisor 145.

The external device I / O recording unit 146 monitors the I / O of the analysis result confirmation unit 141 with the external storage device 125, and records the log. The log is stored in the I / O log 151. The external device I / O recording unit 146 is realized by the processor executing the external device I / O recording program on the host OS 148.

FIG. 1B shows a general computer configuration. The distribution source computer 111, the distribution destination computer 112, the computer storing the proxy servers 113, 114, DB 121, 122, 123, and the proxy servers 113, 114 have, for example, the hardware configuration shown in FIG. 1B.

The computer 12 includes a CPU (Central Processing Unit) 223, a main memory 224 for storing data (including a program) necessary for the CPU 223 to execute processing, and a hard disk having a capacity for storing a large amount of data. Includes auxiliary storage 225 such as flash memory.

The computer 12 further includes an IF (interface) 222 for communicating with other devices and a communication path 227 connecting each of these devices. The CPU 223, which is a processor, operates as a functional unit that realizes a predetermined function by executing a program stored in the main memory 224.

The auxiliary storage 225 stores data (information) used by the CPU 223. The program or data may be stored in advance in the main storage 224 or the auxiliary storage 225 including the non-temporary storage medium, or may be installed (loaded) from another device via the IF 222 when necessary. .. The main memory 224 and the auxiliary memory 225 constitute a memory individually or integrally. The computer 12 may further include an input / output device 226 for input / output such as a keyboard and a display. A part of the functional unit may be realized by a dedicated circuit different from the CPU 223.

The data shield 131 is managed (defined) by the information of the configuration DB 122. Specifically, the information of the boundary computer and the internal computer of the data shield 131 is stored in the configuration DB 122.

FIG. 2A shows a configuration example of the in-shield computer IP address list 152. The in-shield computer IP address list 152 shows the IP addresses of the computers in the data shield. FIG. 2B shows a configuration example of the shield boundary computer IP address list 153. The shield boundary computer IP address list 153 shows the IP address of the computer at the boundary of the data shield 131.

FIG. 2C shows a configuration example of the filter policy 154. The filter policy 154 is referred to by the network I / O recording & filter unit 147, and indicates an operation () to be executed according to the packet. Specifically, the filter policy 154 has a protocol column 203, a read column 204, a write column 205, and an action column 206.

The read column 204 and the write column 205 indicate whether it is permitted or prohibited to forward the read packet and the write packet without monitoring, respectively. Action 206 indicates processing for prohibited packets. For the "prohibited" packet, for example, the processing of discarding, logging, discarding and logging is executed.

FIG. 3 shows a packet configuration example. The packet includes Ethernet header 301, IP header 302, TCP header 303, L7 header 304 and L7 data field 305. The Ethernet header 301 includes a destination MAC address field 306. The IP header 302 includes a source IP address field 307 and a destination IP address field 308. The TCP header 303 includes a sequence number field 309.

FIG. 4 shows a flowchart of processing of the analysis result confirmation unit 141 and the data analysis unit 143. The analysis result confirmation unit 141 activates the analysis unit 143 (analysis program) on the Hypervisor 145 of the delivery destination computer 112 (402). The analysis unit 143 accesses the base data 155 and executes the data analysis process (403). The analysis unit 143 transmits the data analysis result to the analysis result confirmation unit 141 (404). The analysis result confirmation unit 141 displays the data analysis result on the data analyst's terminal in response to the request from the data analyst's terminal (405).

The data analysis result is transferred to the distribution source computer 111 in the distribution destination computer 112 via Hypervisor 145, the network I / O recording & filter unit 147, and the host OS 148. In the distribution source computer 111, the data analysis result is transferred to the analysis result confirmation unit 141 via the host OS 148, the network I / O recording & filter unit 147, and the Hypervisor 145.

FIG. 5 shows a flowchart including processing by the network I / O recording & filter unit 147 in the distribution source computer 111 and the distribution destination computer 112. The analysis unit 143 or the analysis result confirmation unit 141 issues an I / O request to Hypervisor 145 (501). Hypervisor 145 determines whether the I / O request is a network I / O request (I / O request via a network) (502).

In the example of FIG. 1A, the I / O request from the analysis result confirmation unit 141 may be an I / O request to an external device rather than a network I / O request. If the issued I / O request is not a network I / O request (502: etc.), Hypervisor 145 converts the I / O request into an I / O request to the host OS 148 and external device I / O recording unit 146. (505). The external device I / O recording unit 146 outputs the I / O log to the I / O log DB 121 (506), and transfers the I / O request to the host OS 148.

When the issued I / O request is a network I / O request (502: network I / O), Hypervisor 145 converts the I / O request into an I / O request to the host OS 148 and records the network I / O. & Sent to filter unit 147 (503). The network I / O recording & filtering unit 147 refers to the destination IP address field 308 in the IP header 302 of the packet included in the I / O request and identifies the destination IP address (504).

The network I / O recording & filter unit 147 refers to the in-shield computer IP address list 152 and the shield boundary computer IP address list 153, and determines where the destination IP address of the packet exists with respect to the data shield 131. (507).

When the destination IP address is a shielded IP address, that is, when the destination IP address is included in the shielded computer IP address list 152 (507: shielded IP address), the network I / O recording & filter unit 147 filters. And the I / O request is transferred to the host OS 148 without executing the log recording (monitoring process) (508).

If the destination IP address is an unshielded IP address, that is, if the destination IP address is not included in the shielded computer IP address list 152 and the shield boundary computer IP address list 153 (507: etc.), Network I / O recording & The filter unit 147 discards the I / O request (511).

When the destination IP address is a shield boundary IP address, that is, when the destination IP address is included in the shield boundary computer IP address list 153 (507: shield boundary IP address), the network I / O recording & filter unit 147 uses TCP. After reconstructing the packet (509) based on the sequence number (in the field 309) of the header 303, the I / O request (packet) is processed based on the filter policy 154 (monitoring process) (510).

FIG. 6 shows a detailed flowchart of the process (510) based on the filter policy 154. The network I / O recording & filter unit 147 analyzes the L7 header 304 to determine the protocol used and the read / write type (601). The network I / O recording & filter unit 147 searches the filter policy 154 for the entry to which the packet corresponds (602).

If the entry corresponding to the packet does not exist in the filter policy 154 (603: NO), the network I / O recording & filter unit 147 outputs the I / O log to the I / O log DB 121 (610) and outputs the packet. Discard (611).

When the corresponding entry of the packet exists in the filter policy 154 (603: YES), the network I / O recording & filter unit 147 determines whether the packet is permitted to be transmitted from the host OS 148 (604). Specifically, the network I / O recording & filtering unit 147 determines whether the corresponding column of the read column 204 and the write column 205 of the corresponding entry indicates "permission".

If the packet is "allowed" (604: YES), the network I / O recording & filter unit 147 forwards the I / O request to the host OS 148 without outputting the I / O log (605). ..

When the packet is "prohibited" (604: NO), the network I / O recording & filtering unit 147 determines whether the value of action column 206 of the entry includes "log" (606). When "log" is included (606: YES), the network I / O recording & filter unit 147 outputs the I / O log to the I / O log DB 121 (607).

Further, the network I / O recording & filtering unit 147 determines whether the value of the action column 206 of the entry includes "discard" (608). If "discard" is not included (608: NO), the network I / O recording & filter unit 147 forwards the I / O request to the host OS 148 (605). When "discard" is included (608: YES), the network I / O recording & filter unit 147 discards the packet (609).

As described above, the monitoring process of this embodiment determines the packet discard / transfer (filtering) and the presence / absence of logging based on the packet type (protocol type and read / write type) according to the filter policy. ..

As described above, the network I / O recording & filtering unit 147 selects only some packets based on the position of the destination IP address with respect to the data shield 131, and executes log recording and filtering (monitoring processing). As a result, the processing load for information leakage can be reduced. The network I / O recording & filter unit 147 operates on the same computer as the packet source (data analysis result confirmation program or analysis program) to efficiently monitor packets without using other hardware resources. be able to.

The second embodiment will be described below. The difference from the first embodiment will be mainly described. In this embodiment, the packet from the distribution source computer or the distribution destination computer is transferred to the gateway computer. The network I / O recording & filtering unit 147 executes packet filtering and logging in the gateway computer. As a result, the load on the distribution source computer and the distribution destination computer can be reduced. Further, packets of a plurality of distribution destination computers or a plurality of distribution source computers can be monitored by one gateway computer.

FIG. 7 shows a configuration example of the system of this embodiment. In addition to the configuration of the first embodiment, the switch device A211 and the gateway computer A213 are added in the data center 101, and the switch device B212 and the gateway computer B214 are added in the base 102. These devices are located within the data shield 131.

The delivery destination computer 112 is connected to the gateway computer B214 via the switch device B212. Although FIG. 7 shows one delivery destination computer, a plurality of delivery destination computers may be connected to the gateway computer B214. The distribution source computer 111 is connected to the gateway computer A213 via the switch device A211. Although FIG. 7 shows one distribution source computer, a plurality of distribution source computers may be connected to the gateway computer A213.

The gateway computer A213 and the gateway computer B214 are connected via the VDC 104. The distribution source computer 111 and the distribution destination computer 112 are connected to the proxy servers 113 and 114 via the gateway computer A213 and the gateway computer B214, respectively.

The gateway computer A213 and the gateway computer B214 include a transfer control table 252, a packet transfer unit 242, and a network I / O recording & filter unit 147, respectively. The gateway computer A213 and the gateway computer B214 are connected to each other connected to another device (network) via a NIC. The packet transfer unit 242 is realized by the processor executing the program.

The switch device A211 and the switch device B212 each include a packet inspection unit 241. The switch device A211 and the switch device B212 are connected to each other connected to another device (network) via a NIC. The packet inspection unit 241 is realized, for example, by the processor executing a program.

In this embodiment, the network I / O recording & filter unit 147 is mounted on the gateway computer A213 and the gateway computer B214 instead of the distribution source computer 111 and the distribution destination computer 112. The configuration DB 122 stores the gateway computer IP / MAC address list 251 in addition to the information of the first embodiment.

FIG. 8 shows a configuration example of the transfer control table 252. The forwarding control table 252 associates the destination address of the packet with the forwarding address. The transfer control table 252 has a destination IP address column 1001, a transfer destination IP address column 1002, and a transfer destination MAC address column 1003.

FIG. 9 shows a configuration example of the gateway computer IP address / MAC address list 251. The gateway computer IP address / MAC address list 251 manages the address of the gateway computer. The gateway computer IP address / MAC address list 251 has an IP address column 1101 and a MAC address column 1102. Each entry indicates the gateway computer's IP address and MAC address. The gateway computer IP address / MAC address list 251 is preset by the customer administrator.

FIG. 10 shows a flowchart for creating the transfer control table 252. The gateway computer A213 and the gateway computer B214 each create a transfer control table entry for the destination IP address described in the in-shield computer IP address list 152 (1201). The gateway computer A213 and the gateway computer B214 set the IP address and MAC address of the gateway computer in the transfer destination IP address column 1002 and the transfer destination MAC address column 1003, respectively (1202).

FIG. 11 shows a flowchart of processing in the distribution source computer 111 and the distribution destination computer 112. Steps 801 to 805 correspond to steps 501 to 503, 505 and 506 of FIG. 5, respectively. Since the network I / O recording & filter unit 147 is not mounted on the distribution source computer 111 and the distribution destination computer 112, the step in the flowchart of FIG. 5 is omitted.

FIG. 12 shows a flowchart of processing of the switch device A211 and the switch device B212. The packet inspection unit 241 identifies the destination MAC address of the received packet (901). The packet inspection unit 241 refers to the destination MAC address field 306 in the Ethernet header 301 of the received packet.

The packet inspection unit 241 refers to the gateway computer IP address / MAC address list 251 and determines whether the destination MAC address is the MAC address of the gateway computer (902). The packet inspection unit 241 reads the gateway computer IP address / MAC address list 251 from the configuration DB 122 in advance and holds it.

When the destination MAC address is the MAC address of the gateway computer (902: YES), the switch device A211 / switch device B212 forwards the packet to the gateway computer (903). If the destination MAC address is not the MAC address of the gateway computer (902: NO), the packet inspection unit 241 discards the packet (904).

By the process of FIG. 12, the packet inspection unit 241 operating on the switch device A211 blocks (discards) packets other than the IP packets transmitted from the distribution source computer 111 via the gateway computer A213. The packet inspection unit 211 operating on the switch device B212 blocks (discards) packets other than IP packets transmitted from the delivery destination computer 112 via the gateway computer B214. As a result, all network packets from the distribution source computer 111 and the distribution destination computer 112 pass through the gateway computer.

FIG. 13 shows a flowchart of processing of the packet transfer unit 242 in the gateway computer A213 / gateway computer B214. When the packet transfer unit 242 receives the packet from the switch device, the packet transfer unit 242 identifies the destination IP address of the packet (1301). The packet transfer unit 242 refers to the destination IP address field 308 in the IP header 302 of the received packet.

The packet transfer unit 242 refers to the transfer control table 252 and acquires the transfer destination MAC address of the corresponding entry (1302). The packet transfer unit 242 sets the transfer destination MAC address in the destination MAC address field 306 of the Ethernet header 301 of the packet (1303).

The packet transfer unit 242 refers to the gateway computer IP address / MAC address list 251 and determines whether the transfer destination MAC address is the address of the gateway computer (1304). When the transfer destination MAC address is a gateway computer (1304: gateway computer), the packet transfer unit 242 transfers the packet to the transfer destination (1305). When the transfer destination MAC address is not a gateway computer (1304: etc.), the packet transfer unit 242 transmits the packet to the network I / O recording & filter unit 147 (1306).

By the processing of FIG. 13, the packets processed by the network I / O recording device & filter unit 147 can be limited to the packets destined for the outside including the data shield boundary. The packet forwarding unit 242 forwards the packet received from the other gateway computer according to the destination IP address.

FIG. 14 shows a flowchart of processing of the network I / O recording & filter unit 147 in the gateway computer A213 / gateway computer B214. The network I / O recording & filtering unit 147 refers to the destination IP address field 308 in the IP header 302 of the packet received from the packet forwarding unit 242 to identify the destination IP address (1401).

The network I / O recording & filter unit 147 refers to the shield boundary computer IP address list 153 and determines whether the destination IP address of the packet is the shield boundary address (1402).

When the destination IP address is an unshielded IP address, that is, when the destination IP address is not included in the shield boundary computer IP address list 153 (1402: etc.), the network I / O recording & filter unit 147 sets the packet. Discard (1405).

When the destination IP address is a shield boundary IP address, that is, when the destination IP address is included in the shield boundary computer IP address list 153 (1402: shield boundary IP address), the network I / O recording & filter unit 147 uses TCP. The packet is reconstructed (1403) based on the sequence number of the header 303 (in field 309).

The network I / O recording & filter unit 147 processes the packet based on the filter policy 154 and the L7 header 304 (1404). Step 1404 performs packet filtering and non-logging as described with reference to FIG. Packets that are not dropped are forwarded to the proxy server.

The third embodiment will be described below. The difference from the second embodiment will be mainly described. In this embodiment, the network I / O recording & filter unit 147 is mounted on a filter computer different from the gateway computer. By implementing it on a computer different from the gateway computer and the distribution source / distribution destination computer, the load on those computers can be reduced. Also. The network I / O recording & filter unit 147 can be easily incorporated into the existing network system.

FIG. 15 shows a configuration example of the system of this embodiment. Compared with the configuration of the second embodiment, the gateway computer B214, the switch device B212, and the proxy server 114 at the base 102 are omitted. A filter calculator 1511 has been added in the data center 101.

The distribution source computer 111 is connected to the gateway computer A213 via the switch device A211. The gateway computer A213 and the switch device B212 are connected via the VDC104. The delivery destination computer 112 is connected to the gateway computer A213 via the switch device B212. The filter computer 1511 is connected to the gateway computer A213 and the proxy server 113.

The network I / O recording & filter unit 147 is mounted on the filter computer 1511 instead of the gateway computer. The filter computer 1511 is connected to another device via a NIC. The configuration DB 122 stores the filter computer IP address / MAC address list 251 in addition to the information of the second embodiment. The filter computer IP address / MAC address list 251 is preset by the customer administrator.

FIG. 16 shows a configuration example of the filter computer IP address / MAC address list 251. The filter computer IP address / MAC address list 251 manages the address of the filter computer 1511. The filter computer IP address / MAC address list 251 has an IP address column 1601 and a MAC address column 1602.

FIG. 17 shows a flowchart for creating the transfer control table 252. The gateway computer A213 creates a transfer control table entry for the destination IP address listed in the in-shield computer IP address list 152, and sets the transfer destination IP address column 1002 and the transfer destination MAC address column 1003 in the IP of the in-shield computer. The address and MAC address are set respectively (1701).

The gateway computer A213 creates a transfer control table entry for default, and sets the IP address and MAC address of the filter computer 1511 in the transfer destination IP address column 1002 and the transfer destination MAC address column 1003, respectively (1702).

The packet inspection unit 241 of the switch device A211 reads the gateway computer IP address / MAC address list 251 from the configuration DB 112, and blocks (discards) packets other than IP packets transferred from the distribution source computer 111 via the gateway computer A213. To do.

The packet inspection unit 241 of the switch device B212 reads the gateway computer IP address / MAC address list 251 from the configuration DB 112, and blocks (discards) packets other than IP packets transferred from the delivery destination computer 112 via the gateway computer A213. To do. As a result, all the surviving packets from the distribution source computer 111 and the distribution destination computer 112 pass through the gateway computer A213.

FIG. 18 shows a flowchart of processing of the packet transfer unit 242 in the gateway computer A213. Upon receiving the packet, the packet transfer unit 242 identifies the destination IP address of the packet (1801). The packet transfer unit 242 refers to the destination IP address field 308 in the IP header 302 of the received packet.

The packet transfer unit 242 searches the transfer control table 252 for the IP address of the received packet. When a matching IP address exists, the packet transfer unit 242 acquires the corresponding MAC address (1802), and sets the transfer destination MAC address in the destination MAC address field of the Ethernet header of the packet (1803).

If there is no matching IP address, the packet transfer unit 242 obtains the MAC address of the filter computer 1511 from the entry of the default (1802), and in the destination MAC address field of the Ethernet header of the packet, the MAC of the filter computer 1511 Set the address (1803). As a result, only packets destined for the outside of the data shield 131 (with or without the shield boundary computer) are transferred to the filter computer 1511, and the load on the filter computer 1511 can be reduced.

The packet forwarding unit 242 forwards the packet to the set MAC address (1804). The network I / O recording & filtering unit 147 of the filter computer 1511 executes packet filtering and logging as shown in the flowchart shown in FIG. 14 of the second embodiment.

Although this example shows one gateway computer, different filter computers may be connected to a plurality of gateway computers as in the second embodiment. One filter computer may be connected to a plurality of gateway computers.

The fourth embodiment will be described below. The difference from the first embodiment will be mainly described. The customer manager sets a data area (taint area) including confidential information in advance. The network I / O recording & filtering unit monitors the transfer of data from the taint area, and data from other areas is excluded from the monitoring target. When the data is read from the taint area, the network I / O recording & filter unit issues a tracking instruction to the taint area tracking unit.

The taint area tracking unit tracks the memory access of the data analysis unit / data analysis result confirmation unit, and analyzes the propagation of the data read from the taint area. As a result, information leakage from the analysis unit / analysis result confirmation unit can be efficiently monitored.

FIG. 19 shows a configuration example of the system of this embodiment. In addition to the configuration of the first embodiment, the tint area tracking unit 1941 is implemented in the distribution source computer 111 and the distribution destination computer 112. The taint area tracking unit 1941 includes a taint bitmap 1952. The taint area tracking unit 1941 is realized by the CPU 223 executing the taint area tracking program. The configuration DB 122 stores the tint area list 1951.

FIG. 20 shows a configuration example of the taint area list 1951. The taint area list 1951 manages the taint area of the storage. The taint area list 1951 has a storage IP address column 2001, a start sector number column 2002, and an end sector number column 2003.

FIG. 21 shows a configuration example of the tint bitmap 1952. The taint bitmap 1952 indicates whether the area (stored data) in the memory is the taint area (stored data). The taint bitmap 1952 has a page address column 2101 and a taint presence / absence bit column 2102. A page is a management unit area in memory.

FIG. 22 shows a flowchart of processing by the taint area tracking unit 1941. The taint area tracking unit 1941 receives the taint area reception notification from the network I / O recording & filter unit 147 (2201). The taint area tracking unit 1941 updates the taint bitmap 1952 so that the memory area is registered as the taint area (2202). The taint area tracking unit 1941 notifies the analysis unit 143 / analysis result confirmation unit 141 of packet reception via Hypervisor 145 (2203).

FIG. 23 shows a flowchart of processing in each of the delivery destination computer 112 and the delivery source computer 111. The analysis unit 143 / analysis result confirmation unit 141 issues an instruction execution request to Hypervisor 145 (2301). Hypervisor 145 issues an instruction execution notification to the taint area tracking unit 1941 (2302).

The taint area tracking unit 1941 executes instruction analysis (2303). When the memory write of the data read from the taint area is generated (2304: YES), the taint area tracking unit 1941 updates the taint bitmap 1952 so as to register the memory area as the taint area (2305). This allows the taint area to be tracked. If the memory write of the data read from the taint area has not occurred (2304: NO), step 2305 is skipped.

When a memory write of data read from other than the taint area is generated (2306: YES), the taint area tracking unit 1941 updates the taint bitmap 1952 so as to delete the memory area from the taint area (2307). If the memory write of the data read from other than the taint area has not occurred (2306: NO), step 2307 is skipped.

The taint area tracking unit 1941 issues a restart request to Hypervisor 145, and Hypervisor 145 resumes analysis unit 143 / analysis result confirmation unit 141 (2308).

FIG. 24 shows a flowchart of processing of received packets by the network I / O recording & filter unit 147. The network I / O recording & filter unit 147 receives the packet via the NIC (2401). The network I / O recording & filter unit 147 determines whether the received packet is a packet by the storage I / O (2402). When an IP address matching the value of the packet source IP address field 307 exists in the tit area list 1951, the network I / O recording & filter unit 147 determines that the received packet is a packet by storage I / O. judge.

When the packet is a packet by storage I / O (2402: YES), the network I / O recording & filtering unit 147 identifies the sector in which the data was read in the packet and refers to the taint area list 1951. , Determines if the sector is a taint area (2403).

When the sector is a taint area (2403: YES), the network I / O recording & filter unit 147 issues a taint area reception notification to the taint area tracking unit 1941 so as to register the received memory area in the taint area (2403: YES). 2404). This will track the taint area. If the sector is not in the taint area (2403: etc.), step 2404 is skipped.

When the packet is not a packet by storage I / O (2402: NO), the network I / O recording & filtering unit 147 determines whether the IP header 302 of the received packet contains the taint mark (2405).

When the IP header 302 includes the taint mark (2405: YES), the network I / O recording & filter unit 147 issues a taint area reception notification to the taint area tracking unit 1941 so as to register the received memory area in the taint area. (2406). The taint mark allows tracking of data in the taint area between nodes. When the IP header 302 does not include the tint mark (2405: NO), the network I / O recording & filtering unit 147 notifies the analysis unit 143 / analysis result confirmation unit 141 of packet reception via Hypervisor 145 (2407).

FIG. 25 shows a flowchart of processing of transmitted packets by the network I / O recording & filter unit 147. The network I / O recording & filtering unit 147 receives the taint area transmission notification from the taint area tracking unit 1941 (2501). The network I / O recording & filtering unit 147 performs the following steps on the data in the taint area.

The network I / O recording & filtering unit 147 refers to the destination IP address field 308 of the IP header 302 of the packet and identifies the destination IP address (2502). When the destination is a shield boundary computer, that is, when the destination IP address exists in the shield boundary computer IP address list 153 (2503: shield boundary server), the network I / O recording & filter unit 147 performs the filter policy 154 and the packet. Process packets based on type (2504). The network I / O recording & filtering unit 147 restores the file information of the read data and includes it in the I / O log.

When the destination is an in-shield computer, that is, when the destination IP address exists in the in-shield computer IP address list 152 (2503: in-shield computer), the network I / O recording & filter unit 147 uses the IP header of the packet. A header mark is set in 302 and transmission is performed via NIC (2505).

When the destination is an address outside the shield boundary, that is, neither the shield boundary computer nor the shield boundary computer (2503: etc.), the network I / O recording & filter unit 147 discards the packet (2506).

As described above, the network I / O recording & filter unit 147 sets the taint mark on the network packet when the destination is the in-shield computer and detects the network packet (network I / O) from the taint area. To do. Also. When the network I / O recording & filter unit 147 detects the network packet reception in which the taint mark is set, the network I / O recording & filter unit 147 issues a taint area reception notification (tracking instruction) to the taint area tracking unit. As a result, the taint area tracking process is inherited by another node.

When the destination is a shield boundary computer and a network packet (network I / O) from the tint area is detected, the network I / O recording & filtering unit 147 executes filtering and log recording (monitoring processing) for the packet. .. It is not necessary to analyze packets other than network I / O and log output from the taint area to the shield boundary computer, and the load can be reduced.

The present invention is not limited to the above-mentioned examples, and includes various modifications. For example, the above-described embodiment has been described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to the one including all the configurations described. Further, it is possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. Further, it is possible to add / delete / replace a part of the configuration of each embodiment with another configuration.

In addition, each of the above-mentioned configurations, functions, processing units, and the like may be realized by hardware, for example, by designing a part or all of them with an integrated circuit. Further, each of the above configurations, functions, and the like may be realized by software by the processor interpreting and executing a program that realizes each function. Information such as programs, tables, and files that realize each function can be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card or an SD card.

In addition, control lines and information lines are shown as necessary for explanation, and not all control lines and information lines are shown in the product. In practice, it can be considered that almost all configurations are interconnected.

101 data center, 102 bases, 103 Internet, 104 network, 111 source computer, 112 destination computer, 113, 114 proxy server, 125 external storage device, 131 data shield, 141 analysis result confirmation unit, 143 analysis unit, 146 external Device I / O recording unit, 147 network I / O recording & filter unit, 151 I / O log, 152 In-shield computer IP address list, 153 Shield boundary computer IP address list, 154 filter policy, 155 base data, 211, 212 Switch device, 213, 214 gateway computer, 223 CPU, 224 main storage, 225 auxiliary storage, 226 input / output device, 241 packet inspection unit, 242 packet transfer unit, 1511 filter computer

Claims (15)

A device that monitors packets sent from packet sources located within the security boundaries defined by the network address.
With the processor
Includes memory for storing programs executed by the processor
The processor
The position of the destination network address of the packet transmitted from the packet source with respect to the security boundary is specified based on the management information that manages the network address on the security boundary and the network address within the security boundary.
Drop packets whose destination network address is outside the security boundaries
A device that executes monitoring processing for packets whose destination network address is a network address on the security boundary. The device according to claim 1.
The processor is a device that forwards a packet whose destination network address is a network address within the security boundary without executing the monitoring process. The device according to claim 1.
The processor is a device that executes at least one of filtering based on a packet type and logging of a packet in the monitoring process. The device according to claim 2.
The packet source is a device, which is a program executed by the device. The device according to claim 2.
A device that receives a packet transmitted from a computer that is the source of the packet via a network. The device according to claim 1.
Among the packets transmitted from the computer that is the packet source, the packet whose destination network address is the network address on the security boundary and the packet of the network address outside the security boundary selected by the gateway computer are received. apparatus. The device according to claim 1.
The processor
The monitoring process is executed for a packet including a mark indicating that the destination network address is a network address on the security boundary and data is from a storage area within the security boundary set in advance.
The monitoring process is executed for a packet that does not include a mark indicating that the destination network address is a network address on the security boundary and is data from a storage area within the preset security boundary. A device that transfers without. The device according to claim 7.
The processor includes the mark in a transmission packet whose destination address is an IP address within a shield boundary. A packet source computer that is located within the security boundaries defined by the network address and sends a given packet,
A packet reception computer that receives the predetermined packet from the packet source computer, and
Includes a monitoring unit that monitors packets transmitted from one of the packet source computer and the packet reception computer.
The monitoring unit
Management of managing the position of the destination network address of a packet transmitted from one of the packet source computer and the packet reception computer with respect to the security boundary between the network address on the security boundary and the network address within the security boundary. Informed identification,
Drop packets whose destination network address is outside the security boundaries
A system that performs monitoring processing on packets whose destination network address is a network address on the security boundary. The system according to claim 9.
The monitoring unit is a system that forwards a packet whose destination network address is a network address within the security boundary without executing the monitoring process. The system according to claim 10.
The packet reception computer includes the monitoring unit.
The monitoring unit monitors the packet transmitted from the packet reception computer, and the monitoring unit monitors the packet.
The packet source computer includes a second monitoring unit.
The second monitoring unit
Based on the management information, the relationship between the destination network address of the packet transmitted from the packet source computer and the security boundary is specified.
Drop packets whose destination network address is outside the security boundaries
A monitoring process is executed for a packet whose destination network address is a network address on the security boundary.
A system that forwards a packet whose destination network address is a network address within the security boundary without executing the monitoring process. The system according to claim 9.
Further including a first gateway computer and a second gateway computer within the security boundary,
The first gateway computer includes a transfer unit and a monitoring unit.
The second gateway computer includes a second transfer unit and a second monitoring unit.
The transfer unit selects a packet having a network address different from that of the second gateway computer from the packets transmitted from the packet reception computer, and transmits the packet to the monitoring unit.
The second transfer unit selects a packet having a network address different from that of the first gateway computer from the packets transmitted from the packet source computer, and transmits the packet to the second monitoring unit.
The second monitoring unit
Based on the management information, the relationship between the destination network address of the packet transmitted from the packet source computer and the security boundary is specified.
Drop packets whose destination network address is outside the security boundaries
A system that performs monitoring processing on packets whose destination network address is a network address on the security boundary. The system according to claim 9.
A gateway computer to forward a packet transmitted from said one of said packet source computer and the packet receiving computer,
Further including a monitoring computer including the monitoring unit,
The gateway computer selects a packet whose destination network address is a network address on the security boundary and a packet whose network address is outside the security boundary from among the packets from the packet source computer and the packet reception computer. Then, the system transfers to the monitoring computer. A method of monitoring packets sent from packet sources located within the security boundaries defined by the network address.
The position of the destination network address of the packet transmitted from the packet source with respect to the security boundary is specified by referring to the management information for managing the network address on the security boundary and the network address within the security boundary.
Drop packets whose destination network address is outside the security boundaries
A method comprising performing a monitoring process on a packet whose destination network address is a network address on the security boundary. The method according to claim 14.
Further, a method including forwarding a packet whose destination network address is a network address within the security boundary without executing the monitoring process.

Images