JPWO2007034535A1 - Network device, data relay method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To extract predetermined information such as a specific pattern from information flowing in the network without affecting the network, process the extracted information and flow it to the network again, or discard the extracted information It is an object of the present invention to provide a network device, a data relay method, and a program that perform notification or notification to a specific destination. A packet of a target application is identified, buffered, the contents of the packet are checked, and when a packet including predetermined information such as a specific pattern is detected, the information is discarded or processed. Then, return to the network, notify the registered destination that the predetermined information has been received by e-mail and other means, activate the lamp, alarm device, etc., and notify the received contents on a specific line Constitute. In addition, the content checking method is configured to have two types: a real-time check and a check after packet assembly. [Selection] Figure 2

Description

  The present invention relates to an apparatus or a data relay method and program installed in a network having a plurality of lines, and in particular, checks information flowing on the network and determines whether to forward a packet received from a transmission source to a destination. The present invention relates to a network device, a data relay method, and a program for performing a notification of a warning or the like to a network administrator or the like when necessary.

  Conventionally, on the IP (Internet Protocol) network, sending and receiving mail using POP (Post Office Protocol), SMTP (Simple Mail Transfer Protocol), IMAP (Internet Message Access Protocol), etc., using HTTP (Hyper Text Transfer Protocol) Services such as file browsing using WEB browsing, FTP (File Transfer Protocol) or FTP over HTTP can be used. In the above service, in order to cope with illegal information in the information to be sent and received, for example, malicious virus etc., virus check or removal software is installed individually on the terminal, virus check and removal on the mail server At least one of the countermeasures such as installing software for performing virus detection or installing virus detection and removal software on a gateway or router to which a terminal is connected as disclosed in Patent Document 1 has been performed.

Patent Document 2 proposes a technique for providing a stealth function for concealing one's identity in the IP layer with respect to transmission / reception of information.
Patent Document 3 describes a technology relating to a switch that detects illegal packets in transmission / reception of information within a LAN and between WANs.
Japanese Patent Laid-Open No. 10-320186 JP 2002-366684 A JP 2003-348113 A

  However, in the above-described conventional technology, particularly virus check and removal, it is troublesome to uninstall virus check software for each individual terminal, and it uses terminal resources such as CPU, memory, and hard disk. Therefore, there is a heavy burden on the terminal, and it is necessary to install various virus check software depending on the OS of the terminal, so that management becomes complicated. However, it was a problem that it was difficult to prevent the connection of the terminal not installed with the virus check software brought in from the outside to the in-house network. Similarly, when virus check software is installed on a mail server, it has not been possible to prevent local network virus infection caused by connection of a terminal brought in from outside.

  Also, in order to connect a network device having a function of checking information flowing on the network between devices such as routers or gateways, it is necessary to change the setting on the terminal side without affecting the existing network. It was difficult.

  Furthermore, even when a virus check function is added to the gateway or router, it is not possible to check for local communications, so it is not possible to deal with viruses that exploit OS security holes. Furthermore, software suitable for the OS on which the routers and gateways operate is necessary, and there was no versatility. In addition, the technique disclosed in Patent Document 1 has the above-described problems because the gateway or router itself has a virus check function as described above.

  In Patent Document 2, although it is possible to hide one's presence without affecting the network in the IP layer, it is not possible to extract a specific packet from all packets flowing on the network. Only when a transmission request is made to the user, the packet can only be taken based on a preset IP address used by the user.

  In the technology disclosed in Patent Document 3 in which a virus check function is provided in the switch, for example, when checking a file containing a virus attached to an e-mail, all the files are temporarily buffered, and thus the speed is supported. It's hard to say that you can. Moreover, it is not disclosed at all whether the packet bit stream is monitored in real time.

  In addition, there is a demand for detecting specific information from a data stream flowing on the network and removing the detected packet from the network, or processing the packet and flowing it to the network.

  The present invention has been made in view of such a conventional problem, and monitors information transmitted / received not only in communication with the outside of a network but also in communication between internal terminals, and information corresponding to a predetermined condition. The packet is extracted without affecting the network and discarded from the network or processed and returned to the network. It is another object of the present invention to provide a network device, a data relay method, and a program that do not affect an existing network no matter which network is installed.

  In order to achieve the above object, a network device according to the present invention is a device that is installed between devices that communicate via a network, and that transparently relays data that is transmitted and received between the devices. Packet receiving means for receiving packets addressed to other devices, application identifying means for determining the application type of a packet received using a predetermined application identification method, and based on the application type determined by the application identifying means A series of data is formed based on a plurality of packet groups received by the packet receiving means, and when the data meets a predetermined condition, at least one of the plurality of packet groups is formed. Change one packet and send it to the other device as the destination, If otherwise, to certain conditions is characterized by having a, a packet content check means for transmitting a plurality of packets thus received the other device addressed is directly sent.

  As a result, illegal data such as a malicious virus including information corresponding to a predetermined condition in a packet that matches the application type identified based on the application identification method specified on the packet stream flowing on the network. Is found, the corresponding packet stream is discarded, and if it is not included, it can be transmitted to the destination address without affecting the network. Here, the information corresponding to the predetermined condition is not limited to a malicious virus or the like, but all packets including predetermined information such as a specified content pattern or information can be extracted and discarded.

  In addition, when the packet content check means identifies information corresponding to a predetermined condition, the packet content check means normally responds to the packet on the transmission side, and uses the content of the received packet on the destination side. It is also preferable to make a modification according to the application being used, and to make it appear that the reception has failed, and to notify the destination side according to the application that the information corresponding to the predetermined condition has been received.

  According to the present invention, when information corresponding to a predetermined condition is received, information can be extracted without being known to the transmission source by normally transmitting and receiving packets with the transmission source. Further, when the packet is an illegal packet such as a virus, it is possible to prevent the illegal packet from being processed on the destination side by modifying and transmitting the received packet to the destination. Furthermore, it is possible to give a sense of security to the destination terminal by transmitting to the destination side that the information corresponding to the predetermined condition has been found.

  In the network apparatus, the packet content check means includes at least one of a stream check process for checking a packet stream in real time based on an application type of the packet and a post-assembly check process for checking after the packet is assembled. It is preferable that the contents of the packet be checked by the above process.

  According to the present invention, when checking the contents of a packet after assembling all the packets, a check with a high degree of completion is possible. However, since it is necessary to perform buffering, processing speed is required, and high functionality is required depending on the location where it is installed in the network. Also, when checking packets in real time, buffering is minimal, and if the information that meets the specified conditions cannot be found at the time of checking, the packets are immediately returned to the network, so the speed of the network Avoid bottlenecks. However, for example, when information corresponding to a predetermined condition is found in the middle of data transmitted / received by an application such as e-mail or FTP, the previous packet is returned to the network and reaches the destination, causing a problem. There is still a possibility. However, after the discovery, by processing and transmitting the remaining packets without transmitting them as they are, an illegal packet such as a virus is not erroneously functioned on the destination side, and safety is guaranteed.

  In the network apparatus, preferably, the packet receiving unit stores a destination address of the received packet, and the packet content checking unit performs the check by both the stream check process and the post-assembly check process. In the case where the check by the stream check process does not determine that the predetermined condition is met, but the check by the post-assembly check process determines that the predetermined condition is met, the destination address satisfies the predetermined condition. It is also preferable to be configured to notify that it has been performed.

  Since information corresponding to a predetermined condition that can be checked in real time and information corresponding to a predetermined condition that can be checked after assembling a packet are usually different, according to the present invention, the packet stream is overlooked and transmitted to a destination. It is possible to check and discover a packet that has been assembled after assembling the packet, and to notify a destination that has already been transmitted that it has been discovered later, thereby providing an extremely fine service.

  Further, in the above network device, it is preferable that the packet content check means is configured to notify a predetermined destination address that the predetermined condition is met when it is determined that the predetermined condition is met. .

  According to the present invention, it is possible to know that a packet having information corresponding to a predetermined condition has been received. For example, a network administrator can effectively use this information, and a network researcher can extract data transmitted and received in the network.

  More preferably, the packet content check unit is configured to activate a notification unit that can be recognized by a person when information corresponding to a predetermined condition is identified.

  According to the present invention, it is possible to notify a person when information corresponding to a predetermined condition is found in information transmitted and received on a network. Notification means include lighting / flashing of a lamp, sounding of sound, generation of smell, etc., and can be notified by means that are easy for humans to understand.

  Further, when the packet content check means notifies a predetermined destination address, it is possible to select whether to use either the destination IP address of the received packet or the IP address of the received packet. It is also preferable to configure.

  According to the present invention, a predetermined IP address or a destination IP address is used when notifying a received packet that information corresponding to a predetermined condition is found in a received packet, for example. Can be notified. By using (speaking) the destination IP address, it is possible to exist hidden from the network. When using an IP address that the user has, the presence is suddenly shown by notifying information to the outside.

  Further, it is preferable that at least one of the update information of the application identification method, the information corresponding to the predetermined condition, or the packet content check means is acquired from the network.

  The application identification method, the predetermined condition, or the packet content check means is registered in the network device from the beginning, but in order to cope with a change in the situation, the contents can be acquired from the outside. It is possible to deal with various situations.

  More preferably, at least one of the plurality of lines of the network device is connected to a network different from a network to which other lines are connected.

  Monitors information sent and received between devices in the LAN, between devices in the LAN and devices belonging to a different network, or between external devices and changes the contents that are sent and received, or meets certain predetermined conditions A packet or message containing information can be taken out, or a packet or message containing a virus or the like can be deleted.

  Furthermore, it is preferable that the line is notified as a destination that has a specific line and notifies that information corresponding to the predetermined condition has been received.

  When information corresponding to a predetermined condition is found in a packet or message flowing in the network, it can be notified to a specific line of the network device as its notification destination. The content of the corresponding information can be notified. Thereafter, it is possible to analyze the information received on the specific line.

  Further, the packet content check means is configured to check only at a predetermined interval or a predetermined position of the packet stream with respect to the packet stream when performing the content check of the received packet after assembling. It is also preferable to do this.

  According to the present invention, when checking a packet stream in real time, the packet can be determined at a predetermined interval, a predetermined position of the packet stream, or a method determined from the outside without checking all target packets. By thinning out and making it possible to check, the load on the network device can be reduced. The predetermined interval and the position of the packet stream can be determined for each application with a high possibility that information corresponding to a predetermined condition will appear.

  Furthermore, it is preferable that each line includes at least one of the application identification method or information corresponding to a predetermined condition.

  According to the present invention, when the network device has a plurality of lines, the contents of information corresponding to a predetermined condition can be set for each line, whereby different settings are made for each line. be able to.

  Further, it is preferable that the predetermined condition of the packet content check means includes a computer virus.

  By providing pattern information that can identify a computer virus, a new algorithm, or the like as information corresponding to a predetermined condition, it is possible to find and remove the virus, or notify the outside of the virus.

  Furthermore, it is preferable that the application specified in advance is configured to be at least one of communication applications that perform mutual communication such as POP, SMTP, FTP, HTTP, SMB, and CIFS.

  By registering several POP, SMTP, and other applications that are frequently used as applications for receiving information, packets and messages sent and received on those applications are monitored, and predetermined applications such as viruses Information that meets the conditions can be found and notified.

  In addition, when the predetermined application type is a mail protocol and a computer virus is found by the packet content checking unit after assembling the packet, the packet content checking unit detects the MIME (Multipurpose Internet) of the received packet. Mail Extensions) At least one of processing that modifies the attached file so that the attached file is unreadable, processing that deletes all attached files, and that adds a new header indicating that an illegal packet has been received It is also preferable to execute one process to transmit the received packet to the destination address and to notify that a computer virus is detected at a predetermined destination address.

  According to the present invention, it is possible to prevent the execution of a corresponding executable file by clicking with a mailer or the like by preventing the MIME of an illegal attachment file such as a virus received by mail from having readability. Become. In addition, it is possible to notify the fact that illegal information has been received only by adding a header without changing the attached information without the possibility of causing a problem by deleting the attached file. At the same time, it is possible to notify a predetermined destination that information corresponding to a predetermined condition has been received. This operation operates for both reception of mail from the outside and transmission of mail from the inside. The mail protocol is POP, SMTP, IMAP, or the like.

  Further, in the case where the application specified in advance is a mail protocol and the information corresponding to a predetermined condition is identified when the packet stream is checked in real time, the packet content checking means It is also preferable that the transmission / reception is terminated normally, the content of the packet to be transmitted to the destination is modified and transmitted, and that the information corresponding to the predetermined condition is notified to a predetermined destination. .

  According to the present invention, the communication with the transmission source is normally terminated, and the communication with the destination is transmitted as information that does not affect the destination by modifying the information, and at the same time, the predetermined destination is registered with the destination. It is possible to notify that the information corresponding to the above condition has been received, and the necessary information can be processed without any problem without affecting the communication with the transmission source.

  Further, a means for determining whether or not the packet received by the packet receiving means corresponds to a predetermined application type, and if it corresponds to a predetermined application type, is formed based on the received packet group. It is also preferable to include a means for storing a series of data.

  According to the present invention, packets or application data including predetermined predetermined information can be stored, and can be used for subsequent investigations.

  Further, the stored series of information may be configured to be accessible from an internal network.

  According to the present invention, it is possible to refer to a series of contents of information received from an administrator terminal or an information destination terminal in the internal network, and thus it is possible to investigate the received information.

  A network device according to the present invention is a device that is installed between devices that communicate via a network and transparently relays data that is transmitted and received between the devices, and that transmits packets addressed to one device from another device. Based on the packet reception means for receiving, the application identification means for determining the application type of the packet received using a predetermined application identification method, the packet received by the packet reception means, or the received packet group Means for monitoring whether or not predetermined information is included in the formed series of data, and if the predetermined information is included, the packet or the series of data including the information is stored And a means for executing a predetermined operation based on the application type.

  According to the present invention, for each application, it can be determined whether or not predetermined information is included in the communication of the application, and a predetermined operation can be performed for each application. If it contains confidential information in the company, employee database, etc., or if you are trying to obtain the above information by FTP or HTTP, stop sending the file and perform the sender of the email or FTP or HTTP It is possible to identify the IPs that are being recorded and simultaneously record them, and to prevent leakage of personal information, confidential information, and the like.

  Furthermore, when the application type is a mail protocol, it is preferable that the predetermined operation is to prohibit the relaying of mails having the same mail source address and mail destination address.

  According to the present invention, it is possible to block a mail from a sender who is sending an illegal mail, so that the user of the mail does not receive a harmful mail or an unnecessary mail. A sense of security can be given.

  In order to achieve the above object, a data relay method according to the present invention is a method for transparently relaying data transmitted and received between devices connected via a network, in which a packet addressed from one device to another device is transmitted. A step of receiving, a step of determining an application type of a packet received using a predetermined application identification method, and a series of steps based on the plurality of received packet groups based on the determined application type Forming data, and when the data meets a predetermined condition, change at least one packet in the plurality of packet groups and transmit to the other device as a transmission destination, When the predetermined condition is not met, the plurality of received packet groups are transmitted as they are to the other device as the transmission destination. Characterized in that it comprises Tsu and up, the.

  A data relay method according to the present invention is a method for transparently relaying data transmitted and received between devices that are installed between devices communicating via a network, and is a packet addressed from one device to another device. , A step of determining an application type of a packet received using a predetermined application identification method, and the received packet or a series of data formed based on the received packet Monitoring whether or not predetermined information is included, and if predetermined information is included, a packet or a series of data including the information is stored and based on the application type And a step of executing a predetermined operation.

  In order to achieve the above object, a data relay program according to the present invention is a program that is installed between devices that communicate via a network and that operates on a device that transparently relays data transmitted and received between the devices. Based on the process of receiving a packet addressed to another apparatus from one apparatus, the process of determining the application type of a packet received using a predetermined application identification method, and the determined application type, A series of data is formed based on the received plurality of packet groups, and when the data meets a predetermined condition, at least one packet in the plurality of packet groups is changed. When the packet is transmitted to the other device as the transmission destination and the predetermined condition is not met, the plurality of received packet groups are Characterized in that it comprises a, a process of transmitting to the other device addressed as the destination remains.

  In order to achieve the above object, a data relay program according to the present invention is a program that is installed between devices that communicate via a network and that operates on a device that transparently relays data transmitted and received between the devices. A process for receiving a packet addressed to another apparatus from one apparatus, a process for determining an application type of a packet received using a predetermined application identification method, and the received packet or the received A process for monitoring whether or not predetermined information is included in a series of data formed based on a packet, and, if predetermined information is included, a packet or a series including the information And a process of executing a predetermined operation based on the application type.

  In the above contents, an illegal packet is a file attached to an e-mail in the case of a mail protocol, and threatens the operation of the terminal by the OS, a program that executes the file, and a program that operates when the file is expanded. File to give. In addition, SYN packets such as SYN floods and packets used in DOS (Denial Of Service) attacks that cause buffer overflow are also illegal packets. Information used at the application level in a file after assembling a plurality of packets, such as an attachment file of the above mail protocol. For example, if it contains a virus, it is regarded as an illegal packet at the application level. . This is not limited to email, but there are illegal packets at various layers depending on the protocol such as network sharing.

  As described above, according to the present invention, the network device according to the present invention can be installed without affecting the network, and at least one of a local terminal and a server in the network, or at least a local terminal and a WAN. On the other hand, packet transmission / reception information to be performed can be checked, and a packet including information corresponding to a predetermined condition can be extracted from the network and processed.

  Hereinafter, the best mode for carrying out the present invention will be described. FIG. 1 shows a connection configuration diagram in a network of a network apparatus 1 according to the first embodiment of the present invention. In FIG. 1, an internal network 9 is connected to an external network via a communication network 4 such as the Internet (registered trademark), and the external network stores various information related to the network device 1. The storage server 7 is installed in a state where it can be connected to the network device 1. In the internal network 9, there is a router 2 connected to the communication network 4, which controls transmission / reception of information between an internal device and a device connected to the external network, and an upper level switch 3 under the router 2. The network device 1 can be installed between the router 2 and the switch 3. In this case, the network device 1 monitors information between the router 2 and the switch 3, monitors communication between a terminal in the LAN and the outside, and cannot monitor information between the terminals in the LAN. It can also be installed as a switch 3. In this case, all packets flowing through the switch 3 can be monitored even if they are information within the LAN of the internal network 9.

  Further, a switch 31 of the next level is connected under the upper level switch 3, a switching hub or a shared hub 6 is connected under the switch 31, and a PC or a server 5 is connected under each of them. The network device 1 can also be installed as the next level switch 31 as described above. Furthermore, the network device 1 can be built in a line connected between the router 2 and the switch 3, for example, a cable represented by categories 5 and 6. As described above, the network device 1 is installed at the locations indicated by the arrows between the switch 3, the router 2 and the switch 3, and between the switch 31, the router 2, the switches 3, 31 and the hub 6, and the PC 5. All locations including cables that are connected.

  FIG. 2 shows a functional block diagram of the network device 1. The network device 1 includes a plurality of lines 12, a packet receiving unit 121 that processes a packet received for each line, and a packet transmission unit 122 that processes a packet to be transmitted. An arithmetic processing unit 13, a storage unit 14 that stores data for performing various processes, and a man-machine interface function with the network device 1, an input that receives input from an external input device and notifies the central processing unit 13 Unit 15, display unit 16 having a function of displaying notification information from central processing unit 13 and a display device, and a packet that receives or transmits information when information corresponding to a specified predetermined condition is received Notification dedicated line 17 which is a line to be notified when identified in the same manner, information corresponding to a predetermined condition is also identified Lamp / alarm device 18 to notify the time was, and the like. Further, the central processing unit 13 is composed of the following means having various functions. The storage unit 14 receives data such as predetermined information corresponding to predetermined conditions, system data that is data relating to the entire system, data related to application information, predetermined information corresponding to predetermined conditions from the input unit 15 or the network. The data input / output means 133 having a function of storing information in the corresponding area and retrieving information from the storage unit 14 when necessary, identifies the packet based on the information acquired from the application identification information file 145 to identify the packet type The application identification means 134 for checking the contents of the identified packet and searching for predetermined information corresponding to the predetermined condition. When transmitting the received information to the destination, the packet content checking means 135 is provided. Packet processing means having a function of processing content 36, a reception notification unit 137 having a function of notifying a predetermined notification destination that predetermined information corresponding to a predetermined condition has been received, a reception buffer 142 for storing information received by the packet transmission / reception processing unit 131, and transmission A buffer control means 138 for controlling a buffer such as an assembly buffer 143 which is a buffer for assembling received packets until a single message is assembled.

  The storage unit 14 stores the transmission buffer 141, the reception buffer 142, the assembly buffer 143, and MAC address information that stores connection-related information between the destination MAC address and the line when the received packet is transmitted to the destination. Table 144, application identification information file 145 storing information for identifying which application the packet is used for, and further identifying the packet with the predetermined information corresponding to the predetermined condition from the identified transmission / reception packet Predetermined information 146 for storing necessary predetermined information, and system / line corresponding data 147 for storing line corresponding data, which is system data used in the entire system and data used for line correspondence, are included.

  In the storage unit 14, information such as a buffer that is constantly rewritten during operation is stored in a RAM (Random Access Memory), and predetermined information 146, an application identification information file 145, system / line correspondence data 147, etc. Information that needs to remain even when the power is cut off or instantaneously stored is stored in a flash ROM (Read Only Memory) or a hard disk. The input unit 15 may be connected to a keyboard or may be provided with a serial interface so that a serial console connection can be made. Similarly, the display unit 16 may have a monitor interface, or may be configured to notify information such as a message using the serial interface.

  Next, data to be used will be described below. FIG. 3 shows data used as the entire system. As the contents, the default notification destination is a predetermined default notification destination that is notified when predetermined information is identified in the packet. For example, the notification dedicated line 17 may be designated. The default update destination is a destination for updating application identification information or predetermined information such as a virus pattern file or an inference engine. For example, the domain name is set at the time of factory shipment.

  The MAC address stores a MAC address unique to this network device. For example, a fixed IP address such as “192.168.10.10” is set at the time of shipment from the factory, or the IP address can be acquired by DHCP (Dynamic Host Configuration Tool). The acquired IP address is registered. Further, a column is provided so that ID and password information can be registered so that work such as rewriting environment setting data by communicating with the network device 1 can be performed. For example, a value such as admin / admin is entered as the default value.

  The data corresponding to the line is shown in FIG. As a packet check method, either “real time” or “after assembly” operation mode that can be set for the line is set. When checking in real time, a stream check process is performed. When checking after assembly, a check process after assembly is performed. For example, “real time” is set as the default value. The application list is for registering applications to be checked on the line. For example, POP, SMTP, FTP, HTTP, etc. are set as check targets as default values. In addition, it is also possible to register SMB, CIFS (port number 445) and other applications used for network sharing of Windows (registered trademark). As described above, the system data and the application-corresponding data shown in FIGS. 3 and 4 have default values, for example, at the time of shipment from the factory, but the values can be changed during operation.

  FIG. 5 shows data corresponding to the application. For each application such as POP, SMTP, FTP, HTTP, etc., “Packet notification method”, “IP address used during communication”, specification of operation when receiving and checking the packet “Regulation”, “information reception notification” and “predetermined information” for registering a list of notification destinations when predetermined information is identified in a packet can be registered. Further, the “packet notification method” is configured so that at least one of “packet discard”, “process and send”, “notify alarm device”, and “notify dedicated line for notification” can be selected.

  The “IP address used during communication” is configured to register an IP address used when the network device 1 communicates with the outside. "Self IP address", "Destination IP address", "Source IP address", "Specific IP address", "Presence / absence of notification to notification dedicated line", etc. can be selected. Alternatively, it may be configured to have a flag which is expressed as a list and used / not used in the list.

  The “regulation of operation” includes “whether communication with the destination is normally terminated”, “whether to notify the destination that the predetermined information has been received”, “whether to notify the destination”, "Information modification method" when sending and sending, "real-time discovery" that defines the action to be taken when predetermined information is found in post-assembly check processing after assembly that was not detected in real-time stream check processing “Operation when unsuccessful but found when assembled” and “Real-time detection thinning-out method” defining the thinning-out method when performing real-time checking can be registered. “Real-time detection decimation method” has an option of “not decimation” although not shown in the figure. In the “information reception notification”, a notification destination is registered in a list as shown in FIG.

  FIG. 6 shows the configuration of a file that stores the MAC address of a terminal or the like connected to the line when there is packet transmission / reception. 7 and 8 show the structure of the IP header and the structure of the transmission / reception message. Actual communication is performed using the MAC address, but the destination port number in the TCP data in the IP header is referred to in order to identify the application. For example, the POP application uses port number 110, the SMTP application uses 25, the FTP application uses 20, 21, and the HTTP application uses 80.

  The data structure is divided into a physical layer, a data link layer, a network layer, and a transport layer in accordance with the concept of layering the OSI reference model, and is configured so that an entity wraps data in each layer. In all layers, for example, like IP (network layer), it is composed of the contents of information communicated with header information and trailers (FCS (Frame Check Sequence) in Ethernet, etc.). The header information further includes information such as an IP version, a header length, a service type that defines service priority, a packet length, and the like. Since IP is a network layer, it includes a source IP address, a destination IP address, and the like that specify a terminal to communicate with by IP address.

  The TCP that is the transport layer has the same configuration. Also, in TCP, information between applications in which a terminal that performs communication is operating is identified by a source port number and a destination port number. As described above, there is a communication protocol (communication protocol) for communication between network devices, and information is transmitted and received correctly according to the communication protocol.

  The network device 1 according to the present invention is functionally configured as described above, and its operation will be described below.

[1. Environment setting data registration process]
FIG. 21 shows an operation flow relating to registration of various data. The network device 1 of the present embodiment has default values at the time of factory shipment, for example, system data, data relating to application information, data such as predetermined information, for example, connecting a system console from a serial line or inputting a keyboard The contents can be changed by connecting to the unit 15 or by connecting from the outside via the communication network 4 by telnet or ssh (Secure SHell).

  FIG. 21 is an operation flow diagram in which the maintenance person connected to the network apparatus 1 changes the contents of data by the above method. The data registration operation will be described below with reference to FIG. FIG. 21 is a diagram when the system console is connected through a serial line, for example.

  When the system console is connected, the network device 1 requests input of an ID and a password in order to change the environment setting data (S211a). In this operation, if the connection is made via the communication network 4, some kind of encryption processing is necessary. In the case of ssh, since it is encrypted, the input ID and password are not stolen. In the case of the system console, since it is directly connected, the encryption process may be performed, but it is not particularly necessary.

  The system console receives information for prompting the input of the ID and password (S211b), displays the information on the screen, and transmits the ID and password input by the maintenance person (S212b). At the time of this transmission, encryption is performed when communicating with the network device 1 using ssh or the like. The network device 1 also needs to have an ssh function. Receiving the ID and password (S212a), the network device 1 compares the contents with the registered ID and password shown in FIG. 3 (S213a). If it is NG, an NG screen is created and transmitted (S214a), the process returns to step S211a, and the process is repeated until the ID and password match. The system console that has received the NG screen displays the screen and returns to step S211b (S213b).

  If the IDs and passwords match, the screen is not displayed, but a screen on which setting data for system units, line units, and application units can be edited and set is created and transmitted to the system console (S214a). The system console receives a screen on which data can be edited and set, and displays it on the screen (S214b). The contents input by the maintenance person are accepted and the input contents are transmitted to the network device 1 (S215b). The network device 1 receives the input information and performs registration (S215a). Although not shown, the network device 1 transmits an error screen when the contents such as wrong contents and unacceptable contents are matched. The input of the environment setting data is performed as described above.

[2. Packet transmission / reception processing]
FIG. 9 shows an operation flow when the network device 1 receives, for example, a TCP packet. The hardware that performs reception or the firmware that operates on the hardware is periodically activated, and the packet delivered from the line is placed in the reception buffer 142 (S91). Whether the network device 1 uses its own MAC address or the destination MAC address to perform communication with the source address in correspondence with the application when processing such as a packet response of the reception buffer 142 (S92), if the user's own MAC address is not used, communication processing is performed using the destination MAC address (S93). If the user's own MAC address is used, the communication process is performed using the user's own MAC address (S94). By doing in this way, even if the network device 1 according to the present invention is installed in an existing network in an already configured network, communication up to that point and future Communication can be performed without affecting communication. The meaning of not influencing means that there is no influence when performing communication in the IP layer and that no influence is exerted in the data link layer using the MAC address.

  The above-mentioned “for application” means that packets other than registered applications such as POP, SMTP, FTP, and HTTP are passed through without correcting the source and destination MAC addresses. This means that the network device 1 takes in information and performs mediation. However, it must operate without knowing that it is mediating. Therefore, transmission / reception processing of each application is performed “in correspondence with the application”.

  Similarly, the packet transmission process operates periodically, and in order to identify the line to which the terminal indicated by the destination address is connected, identify the line where the destination address is registered with reference to the address information shown in FIG. (S101). It is determined whether to use the own MAC address or the destination MAC address to transmit the information in the transmission buffer to the specified line (S102). When the own MAC address is not used, Transmission is performed without changing the MAC address or the like (S103). If the user's own MAC address is used, the communication process is performed using the user's own MAC address (S104). In this way, when mediating information as in the above-described reception process, it is possible to perform the mediation without being known in the IP layer or the data link layer.

[3. Check operation of received packet contents]
The received packet is processed as shown in FIG. 9 and remains in the reception buffer 142. FIG. 11 shows an operation flow of a packet content check for selecting information from the reception buffer 142, which will be described below. First, in order to determine whether the packet stored in the reception buffer 142 is a registered application packet, the registered application information is obtained by reading the line correspondence data shown in FIG. 4 (S111). Next, the packet information received from the reception buffer 142 is read (S112).

  Then, it is checked whether the application has been registered by checking the TCP destination port number in the contents of the read packet (S113). For example, if POP, SMTP, FTP, HTTP, and CIFS are registered as check targets, the destination port numbers are 25 (POP), 110 (SMTP), 20 (for FTP data communication), 80 (HTTP), 445 It is checked whether (CIFS: Windows network sharing) is specified as the destination port number. If the application shown in FIG. 4 is not set for the destination port number and the values do not match, all the received packets are transmitted as they are to the line corresponding to the destination MAC address, and the reception buffer is cleared (S11A).

  If they match, it is a packet to be checked, and next, the operation mode for each line shown in FIG. 4 is referred to and it is determined whether or not it is a real-time check (S114). If it is not a real-time check, the contents of the reception buffer are assembled in order in the assembly buffer 143 in order to determine as one message (S115). This loading is repeated until one message is completed (S116). When the assembly is completed, the process proceeds to “Activation of content check routine” in step S117. When the operation mode is a real-time check, a content check routine is started (S117). The content check routine will be described later.

  When the process returns from the “content check routine”, it is determined from the return value whether predetermined information exists (S118). If the predetermined information is not included, the contents of the reception buffer 142 or the contents of the assembly buffer 143 are transmitted as they are to the line corresponding to the destination MAC address, and the reception buffer 142 or the assembly buffer 143 is cleared (S11A). ). If the predetermined information is included, a “packet handling routine” is activated (S119). The above operation is repeated for all lines (S11B).

  The operation of the “content check routine” will be described with reference to FIG. First, it is determined whether or not the operation mode is a real-time check mode (S121). In the case of a real-time check, the check target is the reception buffer 142 (S122). In the case of the post-assembly check, the check target is the assembly buffer 143 (S123). Predetermined information or information corresponding to the line and application is extracted from the predetermined information 146, and the check target buffer is searched for the acquired predetermined information (S124).

  It is determined whether or not there is predetermined information (S125). If it is found, “NG” is returned as a return value and the process is terminated (S126). If not found, the process is repeated until the contents of all the buffers are confirmed (S127), and the process returns to step S124. If all the buffers are searched and not found, “OK” is returned as a return value, and the process is terminated (S128).

[4. Operation when a packet containing predetermined information is received]
Next, the “packet handling routine” will be described with reference to FIG. First, it is determined whether the real-time check is performed (S131). In the case of real-time check, the check target is the reception buffer 142 (S132). If the check is a post-assembly check instead of a real-time check, the check target is set to the assembly buffer 143 (S133). It is determined whether or not it is set to process and transmit the content received at the destination (S134).

  In the case of processing transmission, the “processing transmission routine” is started (S135), and then the process proceeds to step S136. If it is not processing transmission, it is determined whether to discard the received content (S136). If it is set to be discarded, the contents of the reception buffer 142 or the assembly buffer 143 are discarded and the process proceeds to step S138. If not discarded, it is determined whether or not the setting is made to notify that the predetermined information has been received (S138). In the case of notification, a “predetermined information reception notification routine” is started (S139), and the process ends. If not notified, the process ends.

[5. Process to process and send the received information to the destination]
Next, a “processing / transmission routine” for processing and transmitting information to a destination will be described with reference to FIG. First, it is determined whether it is a real-time check (S141). In the case of checking after assembly rather than in real time, the process proceeds to step S151 in FIG. The operation flow of the post-assembly check will be described later. In the case of the real-time check, a message to be transmitted to the destination corresponding to each application is acquired (S142). The message to be transmitted to the destination is obtained from the file showing the processing message shown in FIG.

  When notifying the destination, processing is performed according to each application (S143). In the case of a POP application, a message “Receiving was canceled because an illegal file was found” is set in the body part of the mail (S144) and sent to the destination mail address (S145). In the case of an SMTP application, a message “You are about to send an illegal message” is set in the body of the mail (S146) and sent to the mail address of the sender (S147). In the case of an FTP application, a message “Since an illegal part was found in the file to be acquired and the file acquisition has been canceled” is set (S148), and sent to the terminal running FTP according to the FTP protocol (S149). In the case of an HTTP application, a message “Information acquisition has been stopped because fraud has been found is set” in accordance with the HTTP protocol (S14A), and is sent to a terminal that is trying to receive a file via HTTP ( S14B). Various other processes can be performed by adding and registering various other applications (S14C, S14D).

  An operation flow in the case of checking after assembly will be described with reference to FIG. First, a message corresponding to an application is acquired from the processing message file shown in FIG. 16 (S151), and then processing is branched for each application (S153). Since the packet is assembled, all information such as a message or a file exists in the assembly buffer 143, so that various processes can be performed as processing. In the case of the POP application, the processing method shown in FIG. 17 is obtained (S154). The processing method shown in FIG. 17 may be configured in a format linked from “processing and transmission” in the packet notification method for each application shown in FIG. In the present embodiment, four types of processing methods are described: a method of “sending all to destination”, a method of “adding a header indicating that all information has been transmitted and received predetermined information”, and “attachment” A method of “changing mailer that received MIME part of file so that it cannot be clicked” and a method of “sending all and adding header”.

  The contents of the mail are processed according to the acquired processing method (S155), and sent to the destination mail address (S156). In the case of the SMTP, FTP, HTTP application, and other applications, the same processing as the real-time check is performed in this embodiment (S157 to S15E are the same as S146 to S14D).

[6. Operation for notifying that a packet containing predetermined information has been received]
Next, an operation for notifying that a packet including predetermined information has been received will be described with reference to FIG. First, an IP address to be used for performing an information reception notification for notifying that a packet including predetermined information has been received is determined for each application and determined from “IP address used during communication” shown in FIG. (S181). The IP address to be used is the “self IP address” acquired by the fixed or DHCP specified by the user, the “destination IP address” specified by the transmission source, the “IP address of the transmission source”, and the user other than the above Is selected from the “specific IP address” specified by.

  Although not shown at the time of selection, it is possible to provide a flag in the IP address column and turn on the flag of the IP address to be used. In addition, it is assumed that the user can specify a plurality of IP addresses in the “specific IP address”.

  Next, a notification method for notifying that the predetermined information has been received is obtained from the file specifying the information reception notification method shown in FIG. 20 (S182). In the present embodiment, the following four notification methods are described. First of all, a method of “sending a predetermined matched information itself and a series of all received packets including the contents”, “notifying only the matched predetermined information itself and packets including the contents”. Method, “Encrypted and Transmit All Received Packets Containing the Matched Predetermined Information itself and its Contents” Method, “Encrypting Only the Predicted Predictive Information itself and the Packet Containing its Contents The method is transmitted.

  Next, a notification destination when predetermined information is received is acquired from the “information reception notifier list” shown in FIG. 20 (S183). In the present embodiment, as shown in FIG. 20, there are four destinations as registered notifiers, and the information notification method used for each notification is registered in the “information notification method”. For example, in the case of the administrator who is the registrant 1, the e-mail address, webmaster@aaa.bbb.ccc, is registered, and the notification method is “1” with the matched information itself and its contents. "Send a series of all received packets including" is selected.

  Next, using the IP address used in the determined notification, information is notified by the notification method acquired to the destination to be notified. In the present embodiment, the notification is made by e-mail, but it is also possible to make a call in cooperation with a telephone, for example, and notify by voice (S184). The above operation is performed for all notification destinations (S185).

  FIG. 22 shows a case where a function is mounted on a switch as a network device according to the present invention. The network device 1 according to the present embodiment is a switch, a lamp or alarm device 91 for notifying a person when predetermined information is found in a packet, a serial 92 for connecting a line 12, for example, a system console, a predetermined When the information is received, a dedicated notification dedicated line 17 specialized for notifying the contents is provided. The lamp 91, the serial 92, the notification dedicated line 17, and the line 12 are as described above.

  FIG. 23 shows a network device according to the present invention in which functions are implemented in devices located between networks. As in the case of the switch, it has a line 91, a serial 92, a notification dedicated line 17, and a line 12 connected to a lamp or an alarm device.

FIG. 24 shows a network device according to the present invention in which this function is implemented in a cable such as category 5 or 6 that connects network devices. In this case, when it is necessary to reduce the size of the installed memory, etc., store the minimum necessary execution file, pattern file, and information in a flash ROM, etc., and operate while always acquiring information from the network. Is also possible. In addition, acquisition of information from the network may be performed at a moment in which the operation is automatically performed, or may be performed automatically and periodically.
The first embodiment according to the present invention is configured and operates as described above.

  According to the present embodiment, a specific pattern desired to be excluded from a packet flowing on the network, including a packet including predetermined information, for example, a packet including a virus without affecting the network, or to be investigated from information flowing on the network. It is possible to obtain and investigate packet information including the above. In addition, when the registered information is identified from the packet, it is possible to activate a lamp or alarm device to notify the person. If the packet is an illegal packet such as a virus, the information is not known to the sender. Can be notified to the destination, or the registered destination such as the administrator can be notified.

  It is possible to deal with not only viruses but also DOS attacks that cause SYN floods and buffer overflows, SPAM, etc. as illegal packets. Traffic can be reduced or reduced. This network device has been stealthed and attacked without being known to the attacking party by operating as a honeypot against attacks by illegal packets such as the above. Can be provided to the target terminal. Furthermore, since the matched information can be stored in the network device as it is as described above, it can be analyzed later.

  Not only illegal packets but also information on the application level you want to investigate can be given and information on the application that matches the pattern etc. can be acquired, so you can acquire information on any application level that crosses the network Can be stored and investigated.

In addition, the network device can detect predetermined information without affecting the network regardless of which part of the network is connected. It is easy to manage without taking time and effort. Further, since it has the above characteristics, when it is made into a circuit (chip), it can be located anywhere in the network in FIG.
Further, by checking the packet after real time or after assembling, in the case of real time, it is possible to operate so as not to cause a delay in transmission / reception of information, and an accurate check can be performed in the check after assembling.

  Next, a second embodiment will be described. The second embodiment is different from the first embodiment in that the network device 1 has a function of identifying an application and storing a packet that matches the predetermined information 146 as it is in the match information storage data 148. is there.

  The network device 1 opens the communication log accumulated using a file sharing protocol such as SAMBA or the like, and allows matching information accumulation data 148 accumulated as matching information to be opened to a specific user for reference / modification. It is. When sharing files via the network, use your own IP. At this time, it can be referred from a terminal in the network.

  Information is stored in the match information storage data 148 in steps S13A and S13B of the flowchart shown in FIG. 29 showing the operation corresponding to FIG. 13 in the first embodiment. The routine of FIG. 29 is a routine that operates when the content registered in the predetermined information 146 matches the received packet or application information.

The difference from FIG. 13 which is the first embodiment is that in step S13A in the last part of the flowchart, whether or not to store log information or packets is determined based on registration data of a system (not shown). If it is determined and stored, the log information in step S13B or the received packet if the contents are checked with a plurality of packets, or the assembled application information if the check is performed after the packets are assembled. It accumulates in the match information accumulation data 148. At the time of data sharing, the matched information storage data 148 portion is released to the network as shared data. It is desirable to manage IDs and passwords when sharing.
The second embodiment is configured and operates as described above.

  According to the present invention, it is also possible for the network device 1 to acquire a log of all the mail and file sharing information including the acquired virus and information including a predetermined condition, and to store the file itself. Therefore, it becomes easy to analyze later. It is also possible to store all mail itself. In this case, you can easily carry your mail by providing portability.

  Further, the network device 1 is accessed by using a file sharing technology such as SAMBA from the terminal side or the administrator side to back up the file, retrieve the backed up file, or acquire information including a specific pattern acquired. It is also possible to conduct surveys such as taking statistics, and it is also possible to refer to and acquire files acquired using a USB port, serial port, or the like.

  Next, a third embodiment will be described. In the third embodiment, the network device 1 only identifies the application, and the application information check device 3 determines the application information to be transmitted and received, and the application information (data) is determined based on the determination result. It defines the actions to be performed on it. In the present embodiment, the external application information check device 3 checks the data communicated by the application. However, the network device 1 may have the function.

  In this embodiment, for example, an email or chat protocol is specified as an application, and the body of the mail, the attached information, the body of the chat, and the content of the transmission / reception information sent to the other party by the mail or chat are assembled into packets. The application information check device 3 notifies the network device 1 of “transmission impossible” if, for example, personal information is included in the received application information. The network device 1 performs an operation of stopping transmission.

  As the check information, text information such as the above personal information and information that is not information to be disclosed to the outside such as an in-house information database can be all targets including the database.

  The configuration of the application information check device 3 will be described with reference to FIG. FIG. 26 shows a block configuration diagram of the network apparatus 1 and the application information check apparatus 3 according to the third embodiment.

  In FIG. 26, the application information check device 3 is connected to the network device 1 via a LAN. The application information check device 3 includes a transmission / reception unit 32 that transmits / receives information to / from the network device 1 via the LAN, a central processing unit 33 that processes information received by the transmission / reception unit 32, and a memory for storing information. The unit 34 has a man-machine interface function, and includes an input unit 35 having a function of inputting information to the application information check device 3 and displaying information from the application information check device 3, and a display unit 36. Yes.

  The central processing unit 33 performs transmission / reception processing means (function) 331 for transmitting / receiving information to / from the transmitting / receiving unit 32, and inputs / outputs information between the central processing unit 13, the input unit 15, and the display unit 16. Input / output processing means (function) 332 and content check means (function) 333 for checking the contents of information received from the network device 1 are configured. The storage unit 34 further includes registration contents 341 for registering contents to be checked.

  The apparatus according to the third embodiment is configured as described above, and the operation thereof will be described below with reference to FIGS.

  Comparing FIG. 26 and FIG. 25, it can be seen that the application information check device 3 is added. Further, the network apparatus 1 is different in that the predetermined information 146 is not used in the present embodiment. In addition, the match information accumulation data 148 leaves only information that is deemed necessary by the determination from the application information check device 3. However, there may be a setting that leaves all depending on the setting.

The operation when the network apparatus 1 receives information will be described with reference to the flowchart of FIG. 27 differs from FIG. 11 in two places shown in the following (A) and (B).
(A) While the contents of the packet are checked in the network device 1 in step S117, in FIG. 27, when the application information is assembled and obtained in step S277, the information is sent to the application information check device 3. And wait for the decision.
(B) As a result, it is determined whether or not “predetermined information exists” in step S118. In step S278, it is determined whether or not to transmit as processing.

  These are the above two points. If the “send as is” process is not selected in the predetermined step S278, the operation shown in the flowchart of FIG. 12 is performed in the same manner as in FIG. 11 in step S119. In the present embodiment, the operation is the same as that in FIG. 12, but a different operation may be defined depending on the response from the external application information check device 3.

  In FIG. 27, it is described that in step S114, it is also possible to select to notify information in real time. However, when checking application level information, if real time property is not required, checking is not performed in real time. It is also possible to assemble the packet and obtain the application information and notify the obtained application information to the application information check device 3. Further, when real-time property is required, it is possible to notify the application information check device 3 one by one and check the packets one by one as shown in the flowchart.

Next, the operation of the application information check device 3 will be described. FIG. 28 shows a flowchart of operations performed by the application information check device 3. Since the “content check” described in the first embodiment is basically performed outside, FIG. 28 performs the same operation as FIG. The different parts are the following three points (C) to (E).
(C) In step S124 of FIG. 12, the part that compares the information registered in the predetermined information 146 in the network device 1 is registered in the application information check device 3 in step S284 of FIG. The part being compared with the registered content 341 is different.
(D) The difference is that “NG” is returned in step S126 of FIG. 12, and “transmission stop” is notified in step S286 of FIG.
(E) The difference is that “OK” is returned in step S128 of FIG. 13 and “transmission OK” is notified in step S228 of FIG.
Further, as the information in the network device 1, an operation when the “transmission stop” is received as data used in the system may be defined.
The third embodiment is configured and operates as described above.

  According to the present invention, by specifying an application in advance as information transmitted from the company and registering it in the network device 1, when matching information passes, all the information is transferred to an external application information check device. 3 and the application information check device 3 can filter transmission / reception information, so that it is possible to prevent leakage of important information in the company regardless of the form of the information. Is possible.

  Although details of CIFS have not been described, if the CIFS port is registered as a specific application, it is possible to block viruses, spyware, adware, etc. that exploit the file sharing function of Windows. Become. Similarly, in order to protect the network from new threats, it is possible to provide a firewall function that blocks applications not used in the network. Also, depending on the default value, by setting the default value appropriately, it is only necessary to register a specific application. For example, discarding or blocking information sent or received by that application needs to be set in detail. It is possible to operate automatically without any problem.

It can be used for information network devices.

It is a network block diagram in which the network apparatus by this invention is installed. It is a functional block diagram of the network apparatus which concerns on embodiment by this invention. It is a block diagram of the system data which the network apparatus by this invention has. It is a block diagram of the line corresponding | compatible data which the network apparatus by this invention has. It is a block diagram of the application corresponding | compatible data which the network apparatus by this invention has. It is a block diagram of the address information by this invention. It is a block diagram of an IP header. It is a block diagram of the transmission / reception data using Ethernet and TCP / IP. It is an operation | movement flowchart of the packet reception which concerns on embodiment by this invention. It is an operation | movement flowchart of the packet transmission which concerns on embodiment by this invention. It is an operation | movement flowchart of the packet content check routine which concerns on embodiment of this invention. It is an operation | movement flowchart of the content check routine which concerns on embodiment of this invention. It is an operation | movement flowchart of the packet handling routine by this invention. It is an operation | movement flowchart of the process transmission (real time check) by this invention. It is an operation | movement flowchart of the process transmission (check after an assembly) by this invention. 4 is a table of processing messages according to the present invention. It is a figure which shows the kind of POP processing transmission (check after assembly) method by this invention. It is an operation | movement flowchart of the predetermined | prescribed information reception routine by this invention. It is a figure which shows the information reception notifier list | wrist by this invention. It is a figure which shows the method of the information reception notification by this invention. It is a figure which shows the sequence at the time of the data registration by this invention. It is a figure at the time of mounting a function in a switch or a hub as a network device by the present invention. It is a figure at the time of mounting a function in the apparatus installed between networks as a network apparatus by this invention. It is a figure at the time of mounting a function in the cable which connects between apparatuses as a network apparatus by this invention. It is a functional block diagram of the network apparatus concerning the 2nd Embodiment of this invention. It is a functional block diagram of the network apparatus and application information check apparatus concerning the 3rd Embodiment of this invention. It is a flowchart which shows operation | movement of the packet content check routine concerning the 3rd Embodiment of this invention. It is a flowchart which shows the operation | movement of the application information check concerning the 3rd Embodiment of this invention. It is a flowchart which shows operation | movement of the packet handling routine concerning the 2nd Embodiment of this invention.

Explanation of symbols

1 Network Device 2 Router 3 Switch 4 Communication Network 5 PC (Personal Computer)
6 Hub 7 Information storage server 8 Network cable 9 Internal network 12 Line 121 Packet receiving unit 122 Packet transmitting unit 13, 33 Central processing unit 131 Packet transmission / reception processing unit 132, 332 Input / output processing unit 133 Data input / output unit 134 Application identification unit 135 Packet content check means 136 Packet processing means 137 Reception notification means 138 Buffer control means 14, 34 Storage unit 141 Transmission buffer 142 Reception buffer 143 Assembly buffer 144 MAC address information table 145 Application identification information file 146 Predetermined information 147 System / line Corresponding data 148 Match information accumulation data 15, 35 Input unit 16, 36 Display unit 17 Notification dedicated line 18 Lamp / alarm device 331 Transmission / reception processing means 333 Registered Content check means 341 Registered contents

Hereinafter, the best mode for carrying out the present invention will be described. FIG. 1 shows a connection configuration diagram in a network of a network apparatus 1 according to the first embodiment of the present invention. In FIG. 1, an internal network 9 is connected to an external network via a communication network 4 such as the Internet (registered trademark), and the external network stores various information related to the network device 1. The storage server 7 is installed in a state where it can be connected to the network device 1. In the internal network 9, there is a router 2 connected to the communication network 4, which controls transmission / reception of information between an internal device and a device connected to the external network, and an upper level switch 3 under the router 2. The network device 1 can be installed between the router 2 and the switch 3. In this case, the network device 1 monitors information between the router 2 and the switch 3, monitors communication between a terminal in the LAN and the outside, and cannot monitor information between the terminals in the LAN. It can also be installed as a switch 3. In this case, all packets flowing through the switch 3 can be monitored even if they are information within the LAN of the internal network 9.

Claims (16)

A device that is installed between devices that communicate via a network and that transparently relays data transmitted and received between the devices,
Packet receiving means for receiving packets addressed to another device from one device;
Application identification means for determining the application type of the received packet using a predetermined application identification method;
Based on the application type determined by the application identifying means, a series of data is formed based on a plurality of packet groups received by the packet receiving means, and the data meets a predetermined condition. When at least one packet in the plurality of packet groups is changed and transmitted to the other device as a transmission destination, and when the predetermined condition is not satisfied, the received plurality of packet groups are left as they are. A network device comprising: packet content checking means for transmitting to the other device as a transmission destination.   The packet content check means performs packet processing by at least one of a stream check process for checking a packet stream in real time and a post-assembly check process for checking after assembling the packet based on an application type of the packet. The network device according to claim 1, wherein the contents of the network device are checked. The packet receiving means stores the destination address of the received packet,
The packet content check means does not determine that the check by the stream check process satisfies a predetermined condition when the check is executed by both the stream check process and the post-assembly check process, but the post-assembly check 3. The network device according to claim 2, wherein if it is determined that a predetermined condition is satisfied in the check by processing, the destination address is notified that the predetermined condition is satisfied.   2. The network device according to claim 1, wherein the packet content checking unit notifies a predetermined destination address that the predetermined condition is met when it is determined that the predetermined condition is met. .   The packet content check means is configured to be able to select which one of the destination IP address of the received packet and its own IP address to use when notifying a predetermined specific destination address. The network apparatus according to claim 4, wherein the network apparatus is provided.   2. The network device according to claim 1, wherein at least one of the plurality of lines of the network device is connected to a network different from a network to which other lines are connected.   2. The network device according to claim 1, wherein the predetermined condition of the packet content check means is detection of a computer virus. In the case where the predetermined application type is a mail protocol and a computer virus is found by the packet content check means after assembling a packet,
The packet content checking means is configured to modify the MIME (Multipurpose Internet Mail Extensions) header of the received packet so that the attached file is unreadable, to delete all the attached files, and to receive an illegal packet. 8. A process for adding a new header to be indicated is executed, and at least one of the processes is executed to transmit the received packet to the destination address and to notify that a computer virus is detected at the predetermined destination address. The network device described in 1.   Means for determining whether or not a packet received by the packet receiving means corresponds to a predetermined application type; and a series formed based on the received packet group if corresponding to a predetermined application type The network apparatus according to claim 1, further comprising: means for storing the data.   The network apparatus according to claim 9, wherein the stored series of data is configured to be accessible from an internal network. A device that is installed between devices that communicate via a network and that transparently relays data transmitted and received between the devices,
Packet receiving means for receiving packets addressed to another device from one device;
Application identification means for determining the application type of the received packet using a predetermined application identification method;
Means for monitoring whether or not predetermined information is included in a packet received by the packet receiving means or a series of data formed based on the received packet group;
Means for storing a packet or a series of data including the predetermined information when the predetermined information is included, and executing a predetermined operation based on the application type. Network device.   12. The network device according to claim 11, wherein when the application type is a mail protocol, relaying mails having the same mail source address and mail destination address is prohibited as the predetermined operation. A method of transparently relaying data transmitted and received between devices connected via a network,
Receiving a packet addressed to another device from one device;
Determining an application type of a packet received using a predetermined application identification method;
A series of data is formed based on the plurality of received packet groups based on the determined application type, and when the data satisfies a predetermined condition, If at least one of the packets is changed and transmitted to the other device that is the destination, and the predetermined condition is not met, the received plurality of packets are directly addressed to the other device that is the destination Sending to
A data relay method comprising: A method for transparently relaying data transmitted and received between devices installed between devices communicating via a network,
Receiving a packet addressed to another device from one device;
Determining an application type of a packet received using a predetermined application identification method;
Monitoring whether or not predetermined information is included in the received packet or a series of data formed based on the received packet;
If the predetermined information is included, the packet includes a step of storing a packet or a series of data including the information and executing a predetermined operation based on the application type. Relay method. A program installed on devices communicating via a network and operating on a device that transparently relays data transmitted and received between the devices,
A process of receiving a packet addressed to another device from one device;
A process of determining the application type of a packet received using a predetermined application identification method;
Based on the determined application type, a series of data is formed based on the received plurality of packet groups, and when the data meets a predetermined condition, the plurality of packet groups If at least one of the packets is changed and transmitted to the other device that is the transmission destination and the predetermined condition is not met, the other device that is the transmission destination as it is the plurality of received packet groups Processing to send to,
A data relay program comprising: A program installed on devices communicating via a network and operating on a device that transparently relays data transmitted and received between the devices,
A process of receiving a packet addressed to another device from one device;
A process of determining the application type of a packet received using a predetermined application identification method;
A process of monitoring whether or not predetermined information is included in the received packet or a series of data formed based on the received packet;
A process for storing a packet or a series of data including the predetermined information when the predetermined information is included, and executing a predetermined operation based on the application type. Relay program.

Images