WO2005064486A1 - Network system and network control method - Google Patents
Network system and network control method
- Publication number
- WO2005064486A1 (PCT/JP2004/019414)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal
- security
- network
- switching unit
- authentication
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
Definitions
- The present invention provides a network system and a network control method that can bring a terminal with insufficient security measures into a state where its security measures are sufficient, through the network, and that also allow the security of each terminal to be managed remotely and centrally.
- A network system in which two or more networks are prepared and terminals are connected to different networks according to the attributes of each terminal.
- Such a network system is typically provided as a VLAN (Virtual Local Area Network) by a LAN switch (Layer 2 switch).
- A VLAN configures two or more virtual networks on one physical network, independently of the physical ports, based on the attributes (IP address, MAC address, ID, password, electronic authentication, etc.) of the terminals connected to the LAN switch.
- If virus detection software is installed on the firewall and virus detection and removal are performed at once for all data destined for the LAN, the load on the firewall increases and network performance tends to deteriorate. For this reason, instead of having the firewall perform virus detection all at once, it is common practice to install virus detection software on each individual terminal connected to the LAN and take virus countermeasures there.
- Virus detection software cannot operate effectively against new types of viruses unless its knowledge data, such as virus definition files and pattern files, is constantly updated.
- When virus detection software is installed on each terminal and virus countermeasures are taken per terminal, such virus detection data must be updated on each terminal.
- If even some of the many terminals fail to update such virus detection data, those terminals may become infected with a virus and transmit it to other terminals.
- Patent Document 1 discloses a system that provides a terminal with necessary security information (for example, virus information).
- Patent Document 1: Japanese Patent Application Laid-Open No. 2003-288321
- Managing the security of each terminal with such a management terminal has the merit that security management can be performed remotely and centrally. However, even if the management terminal recognizes that the security measures of a certain terminal are insufficient, the administrator must notify the user of that terminal, and the terminal side must disconnect itself from the network, so a quick response is not possible. This is a problem.
- A first object of the present invention is to provide a network system and a network control method that put terminals into a state of sufficient security measures, that can prevent the spread of viruses from terminals and attacks by hackers and the like, and that make security measures for such terminals easy.
- A second object of the present invention is to provide a network system capable of performing security management remotely and centrally and of responding promptly to damage caused by a virus or the like.
- The present invention provides a network system comprising: at least one local network; a security countermeasure network that is inaccessible from the local network and on which security measures can be taken; a switching unit to which a terminal can be connected and which makes the connected terminal able to access one of the at least one local network and the security countermeasure network; and a security countermeasure determination unit that determines the state of the security measures of the terminal connected to the switching unit. When the security countermeasure determination unit determines that the security measures of the connected terminal are sufficient, the switching unit makes the connected terminal able to access the local network; when it determines that the security measures of the connected terminal are not sufficient, the switching unit makes the connected terminal able to access the security countermeasure network.
- The security countermeasure network and the local network may each be configured as physically separate LANs, or may be formed as VLANs on one physical LAN.
- The security countermeasure network is a network that can supply virus detection data and patch files (for the OS and the like) to each terminal; it can access, via the Internet, an intranet or the like, a security countermeasure server that stores and provides such security countermeasure data as virus detection data and OS patch files.
- When the security countermeasure determination unit has determined that a terminal's security measures are insufficient and that terminal has been made able to access the security countermeasure network, it is preferable that, on receiving information that the terminal's security countermeasures have been completed, the unit re-determines the security countermeasure status of that terminal. In this way, even a terminal that could not access the local network can, after completing its security countermeasures, have its security countermeasure status re-evaluated and connect to the local network.
- The security countermeasure determination unit is preferably configured to determine the security countermeasure status based on security countermeasure status data transmitted from the terminal connected to the switching unit.
- The security countermeasure determination unit is preferably configured to determine the security state based on the attributes of the virus detection data installed on the terminal connected to the switching unit.
- The security countermeasure determination unit is also preferably configured to determine the security state based on the attributes of the patch files of various software installed on the terminal connected to the switching unit.
- The network system preferably further comprises an authentication unit that authenticates the terminal based on predetermined authentication information, and the switching unit is configured so that, when the authentication unit determines that the authentication information transmitted from the terminal is not the predetermined information, the terminal is refused connection to any of the at least one local network and the security countermeasure network. Refusing connection to any network when the authentication information is not the predetermined information further improves security.
- When the authentication unit determines that the authentication information transmitted from the terminal is the predetermined information, the security countermeasure determination unit may then determine the security countermeasure state of the terminal connected to the switching unit.
- The present invention also provides a network system comprising: at least two local networks; a security countermeasure network that is inaccessible from the local networks and on which security measures can be taken; a switching unit to which a terminal can be connected and which makes the connected terminal able to access one of the at least two local networks and the security countermeasure network; a security countermeasure determination unit that determines the state of the security measures of the terminal connected to the switching unit; and an authentication unit that authenticates the terminal based on predetermined authentication information. The security countermeasure determination unit determines the security state based at least on the attributes of the antivirus knowledge data installed on the terminal connected to the switching unit, and the switching unit determines which of the at least two local networks and the security countermeasure network the terminal connected to the switching unit may access, based on the determination result of the security countermeasure determination unit and the authentication result of the authentication unit. When the security countermeasure determination unit determines that the attribute of the antivirus data is not a predetermined attribute, the terminal connected to the switching unit is made able to access the security countermeasure network.
- In this way, when the security countermeasures of the terminal are insufficient, the terminal can access the security countermeasure network and take security measures; in other cases, the accessible network is determined based on the determination result of the security countermeasure determination unit and the authentication result of the authentication unit, so that, for example, the accessible network can be changed according to the authentication level and the security level.
- The switching unit is preferably configured so that, when the security countermeasure determination unit determines that the attribute of the antivirus data is a predetermined attribute, the terminal connected to the switching unit is made able to access one of the at least two local networks, and the local network to connect to is determined based on the authentication result of the authentication unit.
- The at least two local networks are preferably inaccessible to each other.
- The security countermeasure determination unit may further determine the security state based on the attributes of the patch files of various software installed on the terminal connected to the switching unit. In that case, the switching unit is preferably configured so that, when the security countermeasure determination unit determines that the attribute of the antivirus data is a predetermined attribute, the terminal connected to the switching unit is made able to access one of the at least two local networks, and the local network to be made accessible to the terminal is determined based on the attributes of the patch files of the various software.
- The security countermeasure determination unit is preferably configured so that, when the terminal connected to the switching unit is in a state of being able to access the security countermeasure network and information is received from the terminal that antivirus data of the predetermined attribute has been obtained, the state of the security measures of that terminal is re-determined.
- The security countermeasure network is preferably configured to be able to access a security countermeasure server capable of supplying data for security countermeasures.
- The security countermeasure determination unit is preferably configured to determine the security status based on security countermeasure status data transmitted from the terminal connected to the switching unit.
- The present invention also provides a network control method for connecting a terminal to one of at least one local network and a security countermeasure network that is inaccessible from the local network and on which security measures can be taken, the method comprising: a security measure determination step of determining the state of the security measures of the terminal; and a connection step in which, if the security measures of the terminal are determined to be sufficient in the security measure determination step, the terminal is made able to access the at least one local network.
- In the case where information indicating that the terminal's security measures have been completed is received after the terminal has been made able to access the security countermeasure network in the connection step, it is preferable to repeat the security measure determination step and the connection step.
- The method preferably further comprises an authentication step of authenticating the terminal based on predetermined authentication information and, when the authentication information transmitted by the terminal is determined not to be the predetermined information, refusing connection of the terminal to any of the at least one local network and the security countermeasure network.
- The security countermeasure determination step is preferably performed after the authentication step.
- The present invention also provides a network control method for connecting a terminal to one of at least two local networks and a security countermeasure network that is inaccessible from the local networks and on which security measures can be taken. In a security measure determination step, the security state of the terminal is determined and one of the local networks and the security countermeasure network is selected as the network the terminal may access; in a connection step, the terminal is put into that connection state. When it is determined in the security measure determination step that the attribute of the virus countermeasure data is not a predetermined attribute, the terminal is made able to access the security countermeasure network.
- The present invention also provides a network system comprising: at least one local network; a switching unit to which a terminal can be connected and which makes the connected terminal able to access one of the at least one local network; a management terminal capable of recognizing at least one of the security countermeasure status and the authentication information of a terminal connected to the switching unit; a terminal database that stores data relating to the connection source of the terminal connected to the switching unit in association with the authentication information of that terminal; and a management server connected to the switching unit and capable of retrieving the stored data relating to the connection source of a terminal from the terminal database based on the authentication information of the terminal. The management terminal is configured to be able to transmit to the management server a request to cut off the connection of one terminal together with the authentication information of that terminal; when the management server receives the request from the management terminal, it searches the terminal database for the data relating to the connection source of that terminal, and the switching unit cuts off the connection with that terminal based on the connection-source data retrieved by the management server.
- According to this network system, when the management terminal recognizes a terminal that is suspicious in its security, authentication information or the like, the connection of the terminal can be cut off by remote operation from the management terminal.
- The present invention also provides a network system comprising: at least one local network; a security countermeasure network that is inaccessible from the local network and on which security measures can be taken; a switching unit to which a terminal can be connected and which makes the connected terminal able to access one of the at least one local network and the security countermeasure network; a management terminal capable of recognizing at least one of the security countermeasure status and the authentication information of a terminal connected to the switching unit; a terminal database that stores data relating to the connection source of the terminal connected to the switching unit in association with the authentication information of that terminal; and a management server connected to the switching unit and capable of retrieving the data relating to the connection source of a terminal stored in the terminal database based on the authentication information of the terminal. The management terminal is configured to be able to transmit to the management server a request to change the access destination of one terminal, which has been made able to access the at least one local network, to the security countermeasure network, together with the authentication information of that terminal; when the management server receives the request from the management terminal, it searches the terminal database for the data relating to the connection source of that terminal, and the switching unit changes the access destination of that terminal to the security countermeasure network based on the connection-source data retrieved by the management server.
- In this way, the network to which the terminal is connected can be changed to the security countermeasure network by remote operation from the management terminal.
- The management terminal may also be configured to transmit to the management server a request to cut off the connection of the one terminal together with the authentication information of that terminal; the management server then searches the terminal database for the data relating to the connection source of that terminal, and the switching unit may cut off the connection with that terminal based on the connection-source data retrieved by the management server.
- The security countermeasure network is a network that can supply virus detection data and patch files (for the OS and the like) to each terminal, and can access a security countermeasure server that holds such virus detection data and patch files.
- The present invention also provides a network system comprising: at least two local networks; a switching unit to which a terminal can be connected and which makes the connected terminal able to access one of the at least two local networks; a management terminal; a terminal database that stores data relating to the connection source of the terminal connected to the switching unit in association with the authentication information of that terminal; and a management server connected to the switching unit and capable of retrieving the data relating to the connection source of a terminal stored in the terminal database based on the authentication information of the terminal. The management terminal is configured to be able to transmit to the management server a request to change the access destination of one terminal, which has been made able to access one of the at least two local networks, to another local network, together with the authentication information of that terminal; when the management server receives the request from the management terminal, it searches the terminal database for the data relating to the connection source of that terminal, and the switching unit changes the access destination of that terminal based on the connection-source data retrieved by the management server.
- In this way, the connection destination of the terminal can be changed to another local network by remote operation from the management terminal.
- The management terminal may also be configured to transmit to the management server a request to cut off the connection of the one terminal together with the authentication information of that terminal; when the management server receives the request from the management terminal, it searches the terminal database for the data relating to the connection source of that terminal, and the switching unit may cut off the connection with that terminal based on the connection-source data retrieved by the management server.
- The present invention also provides a network system comprising: at least one local network; a security countermeasure network that is inaccessible from the local network and on which security measures can be taken; a switching unit to which a terminal can be connected and which makes the connected terminal able to access one of the at least one local network and the security countermeasure network; a management terminal capable of recognizing at least one of the security countermeasure status and the authentication information of a terminal connected to the switching unit; a terminal database that stores data relating to the connection source of the terminal connected to the switching unit in association with the authentication information of that terminal; an authentication unit that authenticates the state of the security measures of the terminal connected to the switching unit; and a management server connected to the switching unit and capable of retrieving the data relating to the connection source of a terminal stored in the terminal database based on the authentication information of the terminal. The management terminal is configured to be able to transmit to the management server a request for re-authentication of one terminal connected to the switching unit together with the authentication information of that terminal; when the management server receives the re-authentication request from the management terminal, it searches the terminal database for the data relating to the connection source of that terminal, and the authentication unit re-authenticates the state of the security measures of that terminal based on the connection-source data retrieved by the management server. When the re-authentication by the authentication unit finds that the connected terminal has sufficient security measures, the switching unit makes the connected terminal able to access the at least one local network; when the re-authentication finds the security measures of the connected terminal to be insufficient, the switching unit makes the connected terminal able to access the security countermeasure network.
- According to this network system, when the management terminal recognizes a terminal whose security or authentication information is suspicious, the terminal can be re-authenticated by remote operation from the management terminal, and the terminal's connection can be continued, cut off, or switched to a different destination depending on the result of the re-authentication.
- The management terminal may also be configured to transmit to the management server a request to cut off the connection of the one terminal together with the authentication information of that terminal; when the management server receives the request from the management terminal, it searches the terminal database for the data relating to the connection source of that terminal, and the switching unit may cut off the connection with that terminal based on the connection-source data retrieved by the management server.
- When the authentication unit receives from the management terminal a request for re-authentication of a terminal connected to the switching unit, it preferably also re-authenticates the authentication information of that terminal, and the switching unit is preferably configured so that, if the re-authentication by the authentication unit finds the authentication information of the terminal not to be the predetermined information, the connection of the terminal to any of the at least one local network and the security countermeasure network is cut off.
- The switching unit may be configured so that, when the management server receives from the management terminal a request for re-authentication of a terminal connected to the switching unit, that terminal is made unable to access the network.
- The security countermeasure network is a network that can supply virus detection data and patch files (for the OS and the like) to each terminal, and can access, via the Internet or an intranet, a security countermeasure server capable of supplying data for security countermeasures.
- According to the network system of the present invention, even a terminal that does not have sufficient security measures can access the security countermeasure network, on which security measures can be taken. It is therefore possible to provide a network system and a network control method that can prevent the spread of a virus from a terminal and attacks by hackers and the like, and that make it easy to take security measures on such a terminal.
- Further, according to the network system of the present invention, it is possible to provide a network system that can perform security management remotely and centrally and can respond quickly to damage caused by a virus or the like.
- FIG. 1 is a conceptual diagram of a first embodiment of a network system according to the present invention.
- FIG. 2 is a flowchart showing an operation of the network system according to the first embodiment.
- FIG. 3 is a conceptual diagram of a second embodiment of the network system according to the present invention.
- FIG. 4 is an example of a table stored in the policy server 16 showing the correspondence between the type of terminal that outputs a connection request, the degree of its security measures, and the authentication level of its authentication information.
- FIG. 5 is a flowchart showing an operation of the network system according to the second embodiment.
- FIG. 6 is a flowchart showing another operation of the network system according to the first embodiment.
- FIG. 7 is a flowchart showing another operation of the network system according to the second embodiment.
- FIG. 8 is a conceptual diagram of a third embodiment of the network system according to the present invention.
- FIG. 9 is a flowchart showing an operation of the network system according to the third embodiment.
- FIG. 10 is a flowchart showing an operation of the network system according to the third embodiment.
- FIG. 11 is a flowchart showing an operation of the network system according to the third embodiment.
- The network system according to the first embodiment includes a network 10, LAN switches 12 (12-1, 12-2) to which terminals 11 (11-1 to 16) are connected, a data server 13, an authentication server 14, and a status diagnosis server 15.
- The authentication server 14 and the status diagnosis server 15 constitute a security countermeasure determination unit that determines the status of the security countermeasures on each terminal 11.
- The LAN switches 12-1 and 12-2 connect each terminal 11 to one of a plurality of types of LAN (VLANs) virtually formed in the network 10, based on a predetermined rule.
- VLAN-1 and Guest-VLAN are formed as the VLANs.
- VLAN-1 is the VLAN to which terminals 11 having sufficient security measures can be connected; the data server 13-1 is connected to it.
- Guest-VLAN is the VLAN to which terminals 11 with insufficient security measures are forcibly connected, as described later, and from which various security countermeasure servers 30 (31 to 33) can be reached via the Internet 20.
- The security countermeasure servers 31 to 33 are, for example, the WWW servers of the manufacturers of virus detection software and of OSs.
- A terminal 11 connected to VLAN-1 and a terminal 11 connected to Guest-VLAN cannot access each other.
- On each terminal 11, generally commercially available virus detection software is installed, together with software (status diagnosis software) that transmits to the authentication server 14, via the LAN switch 12, data on the terminal's security measures, including the update status of the virus detection data of the virus detection software and the download status of patch files for the OS, e-mail software, web browser software and the like.
- Security measures are determined to be inadequate when, for example, the virus detection data of the virus detection software is not up to date or the OS patch file is not up to date.
- The terminal 111 is a terminal that is not permitted to connect to the network 10.
- The authentication server 14 is, for example, a RADIUS (Remote Authentication Dial-In User Service) server, and recognizes the LAN switches 12, which support IEEE 802.1X, as RADIUS clients. Based on the security countermeasure status data transmitted from the terminal 11 or on predetermined authentication information, it authenticates the VLAN to which the terminal 11 is to be connected. The authentication server 14 has a determination unit 141, which determines the security countermeasure status and the like of each terminal 11 and decides the type of VLAN to which the terminal 11 is to be connected, and a signal transmitting/receiving unit 142, which receives the signals from each terminal 11 and transmits a control signal corresponding to the determination result. The determination by the determination unit 141 is EAP (PPP Extensible
- The status diagnosis server 15 diagnoses the security countermeasure status of each terminal 11 based on the security countermeasure status data transmitted from each terminal 11 via the authentication server 14, and returns the diagnosis result to the determination unit 141 of the authentication server 14. For example, it diagnoses whether the version of the transmitted virus detection data is the latest and whether the latest patch file has been downloaded.
- When the authentication server 14 receives, via the LAN switch 12, a request for connection to the network 10 output from a terminal 11 (S100), it requests the terminal 11 that output the connection request to send the authentication server 14 security countermeasure status data indicating the terminal's own security countermeasure status (S102). Next, when the authentication server 14 receives, via the LAN switch 12, the security countermeasure status data output by the terminal 11 in response to the request (S104), it transfers that data to the status diagnosis server 15 and requests a diagnosis of the security countermeasure status of the terminal 11 that output the connection request (S106).
- The status diagnosis server 15 executes the diagnosis of the security countermeasure status based on the request and transmits the result of the diagnosis to the authentication server 14 (S108).
- The determination unit 141 of the authentication server 14 determines, based on the diagnosis result, whether or not the terminal 11 that output the connection request has sufficient security measures (S110).
- When the determination unit 141 determines that the security measures are sufficient, the authentication server 14 requests predetermined authentication information (ID and password, MAC address, electronic certificate, etc.) from the terminal 11 that output the connection request (S112). Upon receiving, via the LAN switch 12, the predetermined authentication information output from the terminal in response to the request (S114), the authentication server 14 executes authentication for the terminal 11 that output the connection request (S116). If the authentication server 14 determines that the authentication information is inappropriate, it refuses the connection of the terminal 11 and blocks the terminal 11 from both VLAN-1 and the Guest-VLAN (S117). For example, when terminals are authenticated by MAC address, the MAC addresses of the authorized terminals 11-2 to 11-7 are held by the authentication server 14.
- A terminal 11 whose MAC address is registered is authenticated by transmitting its own MAC address to the authentication server 14 and can receive permission to connect to the network 10. On the other hand, the terminal 11-1, whose MAC address is not registered, is refused connection.
- The terminal 11-1 can also be authenticated by entering an ID/password, an electronic certificate, or the like, or can be permitted to connect by having its MAC address registered.
- When the authentication server 14 determines that the authentication information of the terminal 11 that output the connection request is appropriate, it outputs to the LAN switch 12 a control signal for connecting the terminal 11 to VLAN-1, and the terminal 11 is connected to VLAN-1 (S118).
- If the determination unit 141 determines in step 110 that the security measures are insufficient, the authentication server 14 outputs to the LAN switch 12 a control signal for connecting the terminal 11 to the Guest-VLAN. The terminal 11 is then connected to the Guest-VLAN and is notified of that connection (S120). A terminal 11 connected to the Guest-VLAN can access the various security countermeasure servers 31 to 33 via the Internet 20. As a result, the terminal 11 connected to the Guest-VLAN can download the necessary virus detection data, patch files, and the like, and carry out its security measures.
- In step 122, when a notification that the security measures have been completed is received from the terminal 11 that output the connection request, the process may be configured to proceed to step 112 without returning to step 102. Also, in step 122, if the security countermeasure status data is transmitted from the terminal 11 at the same time as the notification that the security measures have been completed, the process may be configured to return to step 106 rather than to step 102.
- The network 10 in the network system according to the second embodiment is configured to have a total of four VLANs: VLAN-2 and VLAN-3 in addition to the Guest-VLAN and VLAN-1.
- The terminal 11 that outputs the connection request is connected to one of these four VLANs based on the level of its security measures and the content of its authentication information (its authentication level).
- VLAN switching control based on the level of security measures and the contents of authentication information is executed by the authentication server 14 and the policy server 16 connected thereto.
- the policy server 16 stores the type of the terminal 11 that outputs the connection request, the degree of the security measure, and the authentication level of the input authentication information in association with each other.
- FIG. 4 shows an example of a correspondence table showing this correspondence.
- Authentication level A is the case in which the virus detection data is not up to date; in this case, all terminals are connected to the Guest-VLAN.
- Authentication level B is the case in which the virus detection data is up to date but the latest patch files, such as those for the OS, have not yet been downloaded. In this case, all terminals are permitted to connect to VLAN-1.
- Like the Guest-VLAN, VLAN-1 can reach the various security countermeasure servers 30 (31 to 33) via the Internet 20.
- authentication level C is when security measures are sufficient.
- In this case, the VLAN to which a terminal is connected differs depending on the content of the authentication information of each terminal. For example, a terminal 11-5 with a high authentication level, such as an administrator's terminal, can connect to VLAN-3, while the other terminals are assigned to VLAN-2 even in this case.
- the data server 13-2 connected to the VLAN-2 stores, for example, data that is relatively important but does not affect the operation of the network system according to the second embodiment.
- the data server 13-3 connected to the VLAN-3 stores, for example, data that affects the operation of the network system according to the second embodiment.
- Upon receiving, via the LAN switch 12, the security countermeasure status data indicating its own security countermeasure status output from the terminal 11 in response to the request (S204), the authentication server 14 transfers the received security countermeasure status data to the status diagnosis server 15 and requests a diagnosis of the security countermeasure status of the terminal 11 that output the connection request (S206). Based on the request, the status diagnosis server 15 executes a diagnosis of the security countermeasure status and transmits the result of the diagnosis to the authentication server 14 (S208).
- Based on the diagnosis result, the determination unit 141 of the authentication server 14 first determines whether the terminal 11 that output the connection request has updated the virus detection data of its virus detection software to the latest version (S210). When it determines that the virus detection data has been updated to the latest version, it then determines, again based on the diagnosis result, whether the latest patch files, such as those for the OS, have been downloaded to that terminal 11 as part of its security measures (S212).
- When the authentication server 14 determines in step 212 that the latest patch files, such as those for the OS, have been downloaded, it requests predetermined authentication information (ID and password, MAC address, electronic certificate, etc.) from the terminal 11 that output the connection request (S214). Upon receiving, via the LAN switch 12, the predetermined authentication information output from the terminal 11 in response to the request (S216), the authentication server 14 executes authentication for the terminal 11 that output the connection request (S218). If the authentication server 14 determines that the authentication information is inappropriate, it rejects the connection of the terminal 11 and blocks the terminal 11 from all of VLAN-1 to VLAN-3 and the Guest-VLAN (S220).
- When the authentication server 14 determines that the authentication information of the terminal 11 that output the connection request is appropriate, it transfers the authentication information received from that terminal 11 to the policy server 16. The policy server 16 identifies the corresponding VLAN (VLAN-2 or VLAN-3) by referring to the correspondence table shown in FIG. 4 and outputs that information to the determination unit 141 of the authentication server 14. The determination unit 141 determines the VLAN to which the terminal 11 that output the connection request is to be connected, and the signal transmitting/receiving unit 142 outputs to the LAN switch 12 a control signal for connecting the terminal to VLAN-2 or VLAN-3 according to this determination.
- If the determination unit 141 determines in step 212 that the latest patch files, such as those for the OS, have not been downloaded, the authentication server 14 requests predetermined authentication information (ID and password, MAC address, electronic certificate, etc.) from the terminal 11 that output the connection request (S226). Upon receiving, via the LAN switch 12, the predetermined authentication information output from the terminal 11 in response to the request (S228), the authentication server 14 executes authentication for the terminal 11 that output the connection request (S230). If the authentication server 14 determines that the authentication information is inappropriate, it rejects the connection of the terminal 11 and shuts the terminal 11 off from all of VLAN-1 to VLAN-3 and the Guest-VLAN (S220).
- the authentication server 14 determines that the authentication information of the terminal 11 outputting the connection request is appropriate, the authentication server 14 transfers the authentication information received from the terminal 11 outputting the connection request to the policy server 16.
- the policy server 16 identifies the corresponding VLAN (VLAN-1) with reference to the correspondence table shown in FIG. 4, and outputs the information to the determination unit 141 of the authentication server 14.
- the determining unit 141 determines the VLAN to which the terminal 11 that has output the connection request is to be connected, and the signal transmitting / receiving unit 142 outputs a control signal for connecting to the VLAN-1 according to this determination to the LAN switch 12.
- The terminal 11 is then connected to VLAN-1 and is notified that it has been connected to VLAN-1 (S232).
- The terminal 11 connected to VLAN-1 can access the various security countermeasure servers 31 to 33 via the Internet 20, so it can download the latest patch files and carry out its security measures.
- When the authentication server 14 receives, from the terminal 11 that output the connection request, a notification that the latest patch files have been downloaded (S234), it returns to step 202 and requests that terminal 11 to output security countermeasure status data indicating its own security countermeasure status to the authentication server 14.
- If no notification that the download of the latest patch files has been completed is received from the terminal 11 that output the connection request, that terminal 11 remains connected to VLAN-1.
- Alternatively, when that notification is received in step 234, the process may be configured to proceed to step 214 without returning to step 202.
- Also, in step 234, if the security countermeasure status data is transmitted from the terminal 11 at the same time as the notification that the latest patch files have been downloaded, the process may be configured to return to step 206 rather than to step 202.
- When the determination unit 141 determines in step 210 that the virus detection data is not the latest, the authentication server 14 transmits to the LAN switch 12 a control signal for connecting the terminal 11 to the Guest-VLAN. The terminal 11 is then connected to the Guest-VLAN and is notified of that connection (S236). A terminal 11 connected to the Guest-VLAN can access the various security countermeasure servers 31 to 33 via the Internet 20. Thus, the terminal 11 connected to the Guest-VLAN can download the latest virus detection data and carry out its security measures.
- When the authentication server 14 receives a notification that the terminal that output the connection request has updated the virus detection data to the latest version (S238), it returns to step 202 and requests that terminal to output the security countermeasure status data indicating its own security countermeasure status.
- In step 238, when a notification that the virus detection data has been updated to the latest version is received from the terminal 11 that output the connection request, the process may be configured to proceed to step 212 without returning to step 202. Also, in step 238, if the security countermeasure status data is transmitted from the terminal 11 that output the connection request at the same time as that notification, the process may be configured to skip step 202 and return to a later step instead.
- The configuration in which the authentication information of each terminal is authenticated after the security countermeasure status of each terminal has been determined is not limiting. The security countermeasure status of each terminal may be determined in a different order, or the authentication of the authentication information after the security countermeasure status has been judged may be omitted altogether. For example, in the flow of the first embodiment, steps 112 to 116 may be omitted, and if the answer in step 110 is yes, the terminal may be connected directly to VLAN-1. Likewise, in the flow of the second embodiment, steps 226 to 230 may be omitted, and if the answer in step 212 is no, the terminal may be connected directly to VLAN-1.
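The decision flow of steps 210 to 238 together with the FIG. 4 correspondence table, modelled as an added Python example. This is not code from the patent: the terminal types, MAC addresses, patch names, version strings, the reference data held by the diagnosis server and all function names are constructed assumptions, and the example also generalizes the single terminal 11-5 of the text into a type-based lookup.

```python
"""Posture-then-authenticate VLAN decision of the second embodiment (added example).

All names and sample values are constructed; nothing here is the patent's own code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Vlan(str, Enum):
    GUEST = "Guest-VLAN"   # virus data stale: reach remediation servers only
    VLAN1 = "VLAN-1"       # virus data current, patches missing
    VLAN2 = "VLAN-2"       # fully patched, ordinary user
    VLAN3 = "VLAN-3"       # fully patched, administrator


@dataclass(frozen=True)
class StatusData:
    """Security countermeasure status data as self-reported by the terminal (S204)."""
    virus_data_version: str
    installed_patches: frozenset


@dataclass(frozen=True)
class Diagnosis:
    """Result returned by the status diagnosis server (S208)."""
    virus_data_latest: bool
    patches_latest: bool


# Reference data held by the status diagnosis server 15 (constructed values).
LATEST_VIRUS_DATA_VERSION = "2004-12-24"
REQUIRED_PATCHES = frozenset({"OS-2004-11", "OS-2004-12"})

# MAC registry held by the authentication server 14: address -> terminal type.
# Constructed addresses; the unregistered terminal 11-1 is deliberately absent.
REGISTERED_TERMINALS = {
    "00:00:5e:00:53:02": "user",
    "00:00:5e:00:53:03": "user",
    "00:00:5e:00:53:05": "administrator",
}

# Policy server 16's correspondence table in the spirit of FIG. 4:
# (terminal type, authentication level) -> VLAN. Level A never reaches it.
POLICY_TABLE = {
    ("user", "B"): Vlan.VLAN1,
    ("administrator", "B"): Vlan.VLAN1,
    ("user", "C"): Vlan.VLAN2,
    ("administrator", "C"): Vlan.VLAN3,
}


def diagnose(status: StatusData) -> Diagnosis:
    """Status diagnosis server 15: compare the reported state with reference data (S206-S208)."""
    return Diagnosis(
        virus_data_latest=status.virus_data_version == LATEST_VIRUS_DATA_VERSION,
        patches_latest=REQUIRED_PATCHES <= status.installed_patches,
    )


def authenticate(mac: str) -> Optional[str]:
    """MAC-address authentication (S218/S230): returns the terminal type, or None."""
    return REGISTERED_TERMINALS.get(mac)


def authentication_level(diag: Diagnosis) -> str:
    """Map a diagnosis onto the levels A, B and C described for FIG. 4."""
    if not diag.virus_data_latest:
        return "A"
    return "C" if diag.patches_latest else "B"


def decide_vlan(status: StatusData, mac: str) -> Optional[Vlan]:
    """Determination unit 141. None means blocked from every VLAN (S220)."""
    level = authentication_level(diagnose(status))
    if level == "A":
        # S210 'no': straight to the Guest-VLAN so virus data can be fetched (S236).
        # No credential check happens on this path, which is why the Guest-VLAN
        # must be isolated from VLAN-1 to VLAN-3.
        return Vlan.GUEST
    terminal_type = authenticate(mac)        # S214-S218 or S226-S230
    if terminal_type is None:
        return None
    return POLICY_TABLE[(terminal_type, level)]   # policy server lookup


def remediate_and_retry(status: StatusData, mac: str) -> List[Optional[Vlan]]:
    """Trace of the remediation loop (S234/S238): after each Guest-VLAN or VLAN-1
    placement the terminal updates what that VLAN lets it fetch and re-requests."""
    trace = []
    while True:
        vlan = decide_vlan(status, mac)
        trace.append(vlan)
        if vlan is Vlan.GUEST:
            status = StatusData(LATEST_VIRUS_DATA_VERSION, status.installed_patches)
        elif vlan is Vlan.VLAN1:
            status = StatusData(status.virus_data_version,
                                status.installed_patches | REQUIRED_PATCHES)
        else:
            return trace
```

Note that the diagnosis only ever sees what the terminal's own agent reports, so the strength of the scheme rests on the isolation between the Guest-VLAN, VLAN-1 and the data VLANs rather than on the report itself; a terminal that is placed on the Guest-VLAN without any credential check can reach nothing but the remediation servers.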
- FIG. 8 is a conceptual diagram of the network system according to the third embodiment.
- The network system according to the third embodiment includes a network 40; LAN switches 44 (44-1, 44-2) having one or more connection ports to which terminals 42 (42-1 to 42-4) can be connected; a management terminal 46 capable of recognizing the security countermeasure status of each terminal 42 connected to the LAN switches 44; a management server 48 for controlling the LAN switches 44 and the like; a terminal database 50, connected to the LAN switches 44, which stores data on the connection source of each terminal 42, such as the LAN switch 44 and connection port to which it is connected, in association with the authentication information of that terminal 42; an authentication server 52 for authenticating the security countermeasure status and predetermined authentication information of the terminals 42 connected to the LAN switches 44; and a policy database 54, connected to the LAN switches 44, which stores information on the type of network to which each terminal 42 is connected.
- The LAN switches 44-1 and 44-2 connect each terminal 42 to one of a plurality of types of VLANs (Virtual Local Area Networks) virtually formed in the network 40, based on predetermined rules.
- VLAN-1, VLAN-2 and a Guest-VLAN are formed as the VLANs. VLAN-1 and VLAN-2 are VLANs to which terminals 42 with sufficient security measures can connect, and the data servers 56 and 57 are connected to them.
- The Guest-VLAN is the VLAN to which terminals 42 with insufficient security measures are connected, and from it the various security countermeasure servers 60 can be reached via the Internet 58.
- A security countermeasure server 60 is, for example, a WWW server of an anti-virus software vendor or of an OS vendor.
- The terminals 42 connected to VLAN-1, the terminals 42 connected to VLAN-2, and the terminals 42 connected to the Guest-VLAN are configured so that they cannot access one another.
- The management terminal 46 can recognize the security countermeasure status of each terminal 42 connected to the LAN switches 44, for example whether the virus detection data of its virus detection software has been updated to the latest version and whether the latest patch files for the OS, e-mail software, web browser software and so on are installed, in association with the authentication information of that terminal 42, such as its MAC address and user ID. That is, a network administrator using the management terminal 46 can recognize, from a location remote from the terminals, the security countermeasure status of each terminal 42 connected to the LAN switches 44 in association with the authentication information of that terminal 42.
- The management terminal 46 is configured to be able to send to the management server 48, in association with the authentication information of the terminal 42 concerned, a notification that the connection of a terminal 42 to the LAN switch 44 is to be cut off, a notification that the connection of a terminal 42 to VLAN-1 is to be changed to the Guest-VLAN, a notification that the connection of a terminal 42 to VLAN-1 is to be changed to VLAN-2, and a notification requesting re-authentication of a terminal 42.
- Each terminal 42 has generally available virus detection software installed, together with software that sends security countermeasure status data, including the update status of the virus detection data of that software and the download status of patch files for the OS, e-mail software, web browser software and the like, to the management server 48 via the LAN switch 44.
- The management server 48 is, for example, a RADIUS (Remote Authentication Dial-In User Service) server, and recognizes the IEEE 802.1X-capable LAN switch 44 as a RADIUS client.
- The management server 48 can access the terminal database 50 and, based on the terminal authentication information transmitted together with a notification from the management terminal 46, search for information on the LAN switch 44 and connection port to which that terminal is connected; it can then transmit the request from the management terminal 46, together with the connection port information, to that LAN switch 44. Further, the management server 48 can access the policy database 54 to search for the connection destination of a terminal 42 connected to the LAN switch 44, and stores the changed connection destination there when the connection destination is changed.
- The management server 48 can have the authentication server 52 authenticate the security countermeasure status of a terminal 42 and its predetermined authentication information, based on the security countermeasure status data or the predetermined authentication information transmitted from that terminal 42.
- The authentication in the authentication server 52 uses an authentication method such as EAP (PPP Extensible Authentication Protocol). That is, the authentication server 52 authenticates the security countermeasure status of each terminal 42 based on the security countermeasure status data transmitted from each terminal 42 via the management server 48, and returns the authentication result to the management server 48. For example, it authenticates whether the version of the transmitted virus detection data is the latest, whether the latest patch files have been downloaded, and the like.
- The management terminal 46 transmits to the management server 48 a notification that the connection of the terminal 42-1 is to be cut off, together with the authentication information of the terminal 42-1 (S500).
- The management server 48 accesses the terminal database 50 and, based on the authentication information of the terminal 42-1 received with the cut-off notification, searches for and obtains information on the LAN switch 44-1 and the connection port to which the terminal 42-1 is connected (S502).
- The management server 48 transmits the information on the connection port to which the terminal 42-1 is connected to the LAN switch 44-1, to which the terminal 42-1 is connected, so as to disconnect the terminal 42-1 (S504).
- The case in which the network administrator forcibly changes the connection destination of a terminal 42 connected to VLAN-1 to the Guest-VLAN will be described based on the flowchart shown in FIG.
- The management terminal 46 transmits to the management server 48 a notification that the connection of the terminal 42-2 is to be changed to the Guest-VLAN, together with the authentication information of the terminal 42-2 (S600).
- The management server 48 accesses the terminal database 50 and, based on the authentication information of the terminal 42-2 received with the change notification, searches for and obtains information on the LAN switch 44-1 and the connection port to which the terminal 42-2 is connected (S602).
- The management server 48 changes the connection destination of the terminal 42-2 stored in the policy database 54 to the Guest-VLAN and stores it (S604). Then, based on the information acquired from the terminal database 50, it transmits information on the change of the connection destination of the terminal 42-2 to the LAN switch 44-1, to which the terminal 42-2 is connected, so as to change the connection destination of the terminal 42-2 to the Guest-VLAN (S606).
- The management terminal 46 transmits to the management server 48 a notification requesting re-authentication of the terminal 42-3, together with the authentication information of the terminal 42-3 (S700).
- The management server 48 accesses the terminal database 50 and, based on the authentication information of the terminal 42-3 received together with the re-authentication notification, searches for and obtains information on the LAN switch 44-2 and the connection port to which the terminal 42-3 is connected (S702).
- The management server 48 transmits the information on the connection port to which the terminal 42-3 is connected to the LAN switch 44-2, to which the terminal 42-3 is connected, thereby temporarily interrupting the connection between the terminal 42-3 and the local network (S704). Next, the management server 48 requests the terminal 42-3, via the LAN switch 44-2 to which it is connected, to output security countermeasure status data indicating its own security countermeasure status to the management server 48 (S706). Next, upon receiving, via the LAN switch 44-2, the security countermeasure status data output from the terminal 42-3 in response to the request (S708), the management server 48 transfers the received security countermeasure status data to the authentication server 52 and requests authentication of the security countermeasure status of the terminal 42-3 (S710).
- the authentication server 52 authenticates the security countermeasure status based on the request, and transmits the authentication result to the management server 48 (S712).
- the management server 48 determines whether or not the security measures of the terminal 42-3 are sufficient based on the authentication result (S714).
- When it determines that the security measures are sufficient, the management server 48 requests predetermined authentication information (ID and password, MAC address, electronic certificate, etc.) from the terminal 42-3 (S716). Upon receiving, via the LAN switch 44-2, the predetermined authentication information output from the terminal 42-3 in response to the request (S718), the management server 48 executes authentication for the terminal 42-3 (S720). If the management server 48 determines that the authentication information is inappropriate, for example because the MAC address is not registered, it refuses the connection of the terminal 42-3 and cuts the terminal 42-3 off from both VLAN-1 and the Guest-VLAN (S722).
- When the management server 48 recognizes that the authentication information of the terminal 42-3 is appropriate, it outputs to the LAN switch 44-2 a control signal for connecting the terminal 42-3 to VLAN-1, and the terminal 42-3 is connected to VLAN-1 (S724).
- If the management server 48 determines in step 714 that the security measures are insufficient, it outputs to the LAN switch 44-2 a control signal for connecting the terminal 42-3 to the Guest-VLAN. The terminal 42-3 is then connected to the Guest-VLAN, the policy database 54 is notified that the connection destination of the terminal 42-3 has been changed to the Guest-VLAN and stores this, and the terminal 42-3 is notified of its connection to the Guest-VLAN (S726).
- The terminal 42-3 connected to the Guest-VLAN can access the various security countermeasure servers 60 via the Internet 58. As a result, it can download the necessary virus detection data, patch files, and the like, and carry out its security measures.
- Upon receiving from the terminal 42-3 a notification that the security measures have been completed (S728), the management server 48 returns to step 706 and requests the terminal 42-3 to output security countermeasure status data indicating its own security countermeasure status to the management server 48. On the other hand, if no notification that the security measures have been completed is received from the terminal 42-3, the terminal 42-3 remains connected to the Guest-VLAN. When the management server 48 receives from the management terminal 46 a notification that the connection of a terminal 42 to VLAN-1 is to be changed to VLAN-2, the connection destination is changed by the same steps as in the case of changing the connection from VLAN-1 to the Guest-VLAN.
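The management-side operations of steps 500 to 728 (forced disconnection, forced change of connection destination, and re-authentication), modelled as an added Python example. This is not the patent's own code: the class names, the MAC addresses used as authentication information, the switch and port values, the boolean shape of the status report and all method names are constructed assumptions, and the LAN switch is a stand-in that merely records the control messages it receives.

```python
"""Management server 48 with terminal database 50 and policy database 54 (added example).

Constructed model; none of these names or values come from the patent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LanSwitch:
    """Stand-in for a LAN switch 44-x: it records the control messages it receives."""
    name: str
    commands: List[Tuple[str, int, Optional[str]]] = field(default_factory=list)

    def disconnect(self, port: int) -> None:
        self.commands.append(("disconnect", port, None))

    def set_vlan(self, port: int, vlan: str) -> None:
        self.commands.append(("set_vlan", port, vlan))


@dataclass(frozen=True)
class StatusReport:
    """Security countermeasure status data as reported by the terminal's agent (S708)."""
    virus_data_latest: bool
    patches_latest: bool


class AuthenticationServer:
    """Authentication server 52: posture check (S710-S712) and credential check (S720)."""

    def __init__(self, registered_macs) -> None:
        self.registered_macs = set(registered_macs)

    def status_sufficient(self, report: StatusReport) -> bool:
        return report.virus_data_latest and report.patches_latest

    def credentials_valid(self, mac: str) -> bool:
        return mac in self.registered_macs


class ManagementServer:
    """Management server 48 acting on notifications from the management terminal 46."""

    def __init__(self, terminal_db: Dict[str, Tuple[str, int]], policy_db: Dict[str, Optional[str]],
                 switches: Dict[str, LanSwitch], auth_server: AuthenticationServer) -> None:
        self.terminal_db = terminal_db   # terminal database 50: mac -> (switch name, port)
        self.policy_db = policy_db       # policy database 54: mac -> current VLAN
        self.switches = switches
        self.auth = auth_server

    def _locate(self, mac: str) -> Tuple[LanSwitch, int]:
        """S502 / S602 / S702: resolve authentication info to switch and port."""
        switch_name, port = self.terminal_db[mac]
        return self.switches[switch_name], port

    def disconnect(self, mac: str) -> None:
        """Forced cut-off: S500-S504."""
        switch, port = self._locate(mac)
        switch.disconnect(port)

    def change_vlan(self, mac: str, vlan: str) -> None:
        """Forced change of connection destination: S600-S606."""
        switch, port = self._locate(mac)
        self.policy_db[mac] = vlan       # S604: record the new destination first
        switch.set_vlan(port, vlan)      # S606: then instruct the switch

    def reauthenticate(self, mac: str, report: StatusReport) -> Optional[str]:
        """Re-authentication: S700-S728. Returns the resulting VLAN, or None if blocked."""
        switch, port = self._locate(mac)
        switch.disconnect(port)                      # S704: temporary interruption
        # S706/S708: the report is requested from and supplied by the terminal.
        if not self.auth.status_sufficient(report):  # S714 'no'
            self.change_vlan(mac, "Guest-VLAN")      # S726: remediation network
            return "Guest-VLAN"
        if not self.auth.credentials_valid(mac):     # S720 fails
            self.policy_db[mac] = None               # S722: cut off from every VLAN
            return None
        self.change_vlan(mac, "VLAN-1")              # S724
        return "VLAN-1"


def build_sample_system() -> ManagementServer:
    """Constructed deployment: two switches, four terminals, three of them registered."""
    switches = {"44-1": LanSwitch("44-1"), "44-2": LanSwitch("44-2")}
    terminal_db = {
        "00:00:5e:00:53:01": ("44-1", 1),   # terminal 42-1
        "00:00:5e:00:53:02": ("44-1", 2),   # terminal 42-2
        "00:00:5e:00:53:03": ("44-2", 1),   # terminal 42-3
        "00:00:5e:00:53:04": ("44-2", 2),   # terminal 42-4, not registered for authentication
    }
    policy_db = {mac: "VLAN-1" for mac in terminal_db}
    auth = AuthenticationServer(list(terminal_db)[:3])
    return ManagementServer(terminal_db, policy_db, switches, auth)
```

The ordering inside `change_vlan` mirrors steps 604 and 606: the policy database is updated before the switch is told to move the port, so an administrator reading the database never sees a terminal recorded on a data VLAN that the switch has already moved to the Guest-VLAN.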
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2003435500A JP3739772B2 (ja) | 2003-12-26 | 2003-12-26 | Network system |
JP2003-435500 | 2003-12-26 | | |
JP2003-435499 | 2003-12-26 | | |
JP2003435499A JP2005197815A (ja) | 2003-12-26 | 2003-12-26 | Network system and network control method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005064486A1 true WO2005064486A1 (ja) | 2005-07-14 |
Family
ID=34742159
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2004/019414 WO2005064486A1 (ja) | Network system and network control method | 2003-12-26 | 2004-12-24 |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2005064486A1 (ja) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| 122 | Ep: pct application non-entry in european phase | |