WO2006049072A1 - Firewall inspection system and firewall information extraction system - Google Patents
- Publication number: WO2006049072A1 (PCT/JP2005/019765)
- Authority: WO, WIPO (PCT)
- Prior art keywords: firewall, policy, inspection, packet, unique
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Definitions
- the present invention relates to a firewall inspection system that inspects a firewall, and to a firewall information extraction system.
- the present invention can be used for a service for checking and correcting a firewall policy applied to a firewall.
- a firewall is a network device or software installed in a gateway or router that connects the Internet to the company network.
- the firewall inspects the packets flowing through the network and protects the company's network from unauthorized access by passing or blocking those packets. Packet inspection is performed based on the firewall policy.
- a firewall policy is a set of rules that define the conditions for allowing a packet to pass and the conditions for blocking it by packet attributes (source address and port, destination address and port, protocol type, etc.).
- An example of a rule is, for example, “Allow the passage of packets having a specific protocol to a specific port of the address of a public server on the company's network”.
- Patent Document 1 Japanese Patent Laid-Open No. 2001-337919
- Patent Document 2 Japanese Patent Laid-Open No. 2001-32338
- when the service provider directly performs a virtual attack on the inspection target of the client company, the detoxified attack method or the inspection method itself is disclosed to the client company, and the method may then leak from the client company to competitors.
- because the service provider does not know the client company's firewall policy and similar information, it cannot present the client company with concrete, practical measures for improving the situation even when the firewall allows more packets than necessary.
- an object of the present invention is to prevent a failure or load from occurring in the network system of the organization that receives an inspection service while the inspection service is provided. Another object is to realize prompt incident response and a reduction of inspection service costs. Another object is to increase the confidentiality of the inspection method of the inspection service provider. Another object is to provide a specific countermeasure for improving the situation when the firewall under inspection passes more packets than necessary.
- Means for solving the problem
- a firewall inspection system includes:
- policy extraction means for extracting from the firewall a firewall policy, which is a set of rules that define conditions for allowing or blocking packets; conversion means for converting the firewall policy extracted by the policy extraction means into a non-unique policy, that is, a firewall policy in a format that does not depend on the type of firewall;
- inspection knowledge storage means for storing inspection packets, which are packets used for attacks or packets obtained by removing the attack code from packets used for attacks; determination processing execution means for executing determination processing that determines whether a given packet is passed or blocked based on a non-unique policy;
- virtual firewall generation means for generating a virtual firewall, which is a program for causing the determination processing execution means to execute the determination processing, using the non-unique policy converted by the conversion means;
- inspection means that reads an inspection packet from the inspection knowledge storage means, causes the determination processing execution means to determine whether to pass or block the inspection packet according to the virtual firewall, and obtains the determination result and the rule that led to the determination result;
- inspection result generation means for generating an inspection result by adding predetermined information to those rules, among the rules included in the non-unique policy converted by the conversion means, that led to a determination result indicating that an inspection packet is allowed to pass;
- inverse conversion means for converting the non-unique policy included in the inspection result into a firewall policy in a format depending on the type of firewall, and result output means for outputting the firewall policy converted by the inverse conversion means together with the predetermined information.
- the policy extraction means, the conversion means, the inverse conversion means, and the result output means may constitute a firewall information extraction system for extracting the firewall policy from the firewall, and the inspection knowledge storage means, the determination processing execution means, the virtual firewall generation means, the inspection means, and the inspection result generation means may constitute an inspection system that performs the inspection related to the firewall. According to such a configuration, the owner of the inspection system can keep the specific inspection method secret from the owner of the firewall. In addition, since the inspection system uses non-unique policies, it is not necessary to send a firewall policy in a format that depends on the type of firewall to the inspection system. Thus, the owner of the firewall can keep the type and version of the firewall secret from the owner of the inspection system.
- the policy extraction means and the result output means may constitute a firewall information extraction system for extracting the firewall policy from the firewall, and the conversion means, the inspection knowledge storage means, the determination processing execution means, the virtual firewall generation means, the inspection means, and the inspection result generation means may constitute an inspection system that performs an inspection related to the firewall. According to such a configuration, the owner of the inspection system can keep the specific inspection method secret from the owner of the firewall.
- the determination processing execution means may be configured to determine whether or not to pass the inspection packet depending on whether the attribute information stored in the portion of the inspection packet other than the payload matches a rule in the non-unique policy. According to such a configuration, it is not necessary to make the attack code stored in the payload harmless. As a result, the man-hours required for the inspection service can be reduced, and prompt incident response can be achieved. In addition, the service cost can be reduced by the man-hours no longer needed for making attack code harmless, and the firewall inspection service can be provided at a low price.
- a firewall inspection system comprises:
- policy extraction means for extracting from the firewall a firewall policy, which is a set of rules that define the conditions for passing a packet or blocking the packet; conversion means for converting the firewall policy extracted by the policy extraction means into a non-unique policy, that is, a firewall policy in a format independent of the firewall type;
- inspection correction knowledge storage means for storing inspection packets, which are packets used for attacks or packets obtained by removing the attack code from packets used for attacks, together with correction policy information for correcting a rule that passes an inspection packet so that the inspection packet is blocked; determination processing execution means for executing determination processing that determines whether a given packet is passed or blocked based on a non-unique policy;
- virtual firewall generation means for generating a virtual firewall, which is a program for causing the determination processing execution means to execute the determination processing, using the non-unique policy converted by the conversion means;
- inspection means that reads an inspection packet from the inspection correction knowledge storage means, causes the determination processing execution means to determine whether to pass or block the inspection packet according to the virtual firewall, and obtains the determination result and the rule that led to the determination result;
- inspection result generation means for generating an inspection result by adding predetermined information to those rules, among the rules included in the non-unique policy converted by the conversion means, that led to a determination result indicating that an inspection packet is allowed to pass;
- correction means for correcting the non-unique policy, based on the correction policy information, so that the inspection packet is blocked; inverse conversion means for converting the corrected non-unique policy into a firewall policy in a format depending on the type of firewall; and result output means for outputting the firewall policy converted by the inverse conversion means may also be provided.
- the policy extraction means, the conversion means, the inverse conversion means, and the result output means may constitute a firewall information extraction system for extracting a firewall policy from the firewall, and the inspection correction knowledge storage means, the determination processing execution means, the virtual firewall generation means, the inspection means, the inspection result generation means, and the correction means may constitute an inspection system for inspecting the firewall.
- according to such a configuration, the owner of the inspection system can keep the specific inspection method secret from the owner of the firewall. In addition, since the inspection system uses non-unique policies for the inspection, it is not necessary to send a firewall policy in a format that depends on the type of firewall to the inspection system. Thus, the owner of the firewall can keep the type and version of the firewall secret from the owner of the inspection system.
- the policy extraction means and the result output means may constitute a firewall information extraction system for extracting a firewall policy from the firewall, and the conversion means, the inspection correction knowledge storage means, the determination processing execution means, the virtual firewall generation means, the inspection means, the inspection result generation means, the correction means, and the inverse conversion means may constitute an inspection system that performs an inspection related to the firewall. According to such a configuration, the owner of the inspection system can keep the specific inspection method secret from the owner of the firewall.
- policy application means for applying the firewall policy converted by the inverse conversion means to the firewall may be provided. According to such a configuration, the owner of the firewall does not have to apply the corrected firewall policy to the firewall himself or herself.
- non-unique policy storage means for storing the non-unique policy converted by the conversion means, and instruction input means for inputting an instruction to reapply the firewall policy to the firewall, may also be provided; when the instruction is input, the inverse conversion means converts the non-unique policy stored in the non-unique policy storage means into a firewall policy in a format depending on the type of firewall, and the policy application means applies the firewall policy converted by the inverse conversion means to the firewall. According to such a configuration, the firewall policy can easily be restored when it has been broken for some reason or when the type of firewall is changed. Since the firewall policy is easy to restore even when the type of firewall is changed, firewall devices and firewall software can be replaced freely.
- the determination processing execution means may be configured to determine whether or not to pass the inspection packet depending on whether the attribute information stored in the portion of the inspection packet other than the payload matches a rule in the non-unique policy. According to such a configuration, it is not necessary to make the attack code stored in the payload harmless. As a result, the time required for the inspection service can be reduced and prompt incident response is possible. In addition, the service cost can be reduced by the man-hours no longer needed for making attack code harmless, and the firewall inspection service can be provided at a low price.
- a firewall information extraction system is a firewall information extraction system that extracts a firewall policy, which is a set of rules that define conditions for allowing a packet to pass or conditions for blocking a packet, from the firewall.
- policy extraction means for extracting the firewall policy from the firewall, conversion means for converting the firewall policy extracted by the policy extraction means into a non-unique policy, that is, a firewall policy in a format independent of the firewall type, and
- a non-unique policy sending means that sends the non-unique policy converted by the transformation means to the inspection system that conducts the inspection related to the firewall, and makes the inspection system execute the inspection.
- a test result receiving means for receiving a test result in which predetermined information is added to a rule that allows a test packet to pass.
- inverse conversion means for converting the non-unique policy included in the inspection result into a firewall policy in a format depending on the type of firewall, and result output means for outputting the firewall policy converted by the inverse conversion means together with the predetermined information.
- a firewall information extraction system is a firewall information extraction system that extracts a firewall policy, which is a set of rules that define conditions for allowing a packet to pass or conditions for blocking a packet, from the firewall.
- policy extraction means for extracting the firewall policy from the firewall, conversion means for converting the firewall policy extracted by the policy extraction means into a non-unique policy, that is, a firewall policy in a format independent of the firewall type,
- non-unique policy sending means that sends the non-unique policy converted by the conversion means to an inspection system that performs inspections related to the firewall, and correction result receiving means that receives the corrected non-unique policy from the inspection system, and
- inverse conversion means for converting the corrected non-unique policy into a firewall policy in a format depending on the type of firewall, and result output means for outputting the firewall policy converted by the inverse conversion means.
- the configuration may include a policy application unit that applies the firewall policy converted by the reverse conversion unit to the firewall.
- the owner of the firewall himself / herself does not have to perform the work of applying the modified firewall policy to the firewall.
- non-unique policy storage means for storing the non-unique policy converted by the conversion means, and instruction input means for inputting an instruction to reapply the firewall policy to the firewall, may also be provided; when the instruction is input, the inverse conversion means converts the non-unique policy stored in the non-unique policy storage means into a firewall policy in a format depending on the type of firewall, and the policy application unit applies the firewall policy converted by the inverse conversion means to the firewall. According to such a configuration, the firewall policy can easily be restored when it has been broken for some reason or when the type of firewall is changed. Since the firewall policy is easy to restore even when the type of firewall is changed, firewall devices and firewall software can be replaced freely.
- a firewall inspection system is a firewall inspection system that receives data from a firewall information extraction system, which extracts a firewall policy from the firewall, and performs an inspection related to the firewall.
- a non-unique policy receiving means for receiving a non-unique policy that is a firewall policy in a format independent of the type of firewall from the firewall information extraction system;
- Inspection knowledge storage means for storing inspection packets which are packets used for attacks or packets obtained by removing attack codes from packets used for attacks;
- a determination processing execution means for executing a determination processing for determining whether to pass or block a given packet based on a non-unique policy
- Virtual firewall generation means for generating a virtual firewall, which is a program for causing the determination processing execution means to execute the determination processing, using the non-unique policy received by the non-unique policy receiving means;
- inspection means that reads an inspection packet from the inspection knowledge storage means, causes the determination processing execution means to determine whether to pass or block the inspection packet according to the virtual firewall, and obtains the determination result and the rule that led to the determination result;
- Test result generation means for generating a test result by adding predetermined information to a rule derived from a determination result indicating that a test packet is allowed to pass among the rules included in the non-unique policy received by the non-unique policy receiving means.
- Inspection result transmission means for transmitting the inspection result to the firewall information extraction system.
- a firewall inspection system is a firewall inspection system that receives data from a firewall information extraction system, which extracts a firewall policy from the firewall, and performs an inspection related to the firewall.
- policy receiving means for receiving a firewall policy from the firewall information extraction system; conversion means for converting the received firewall policy into a non-unique policy, that is, a firewall policy in a format independent of the firewall type;
- inspection knowledge storage means for storing inspection packets, which are packets used for attacks or packets obtained by removing the attack code from packets used for attacks; determination processing execution means for executing determination processing that determines whether a given packet is passed or blocked based on a non-unique policy;
- virtual firewall generation means for generating a virtual firewall, which is a program for causing the determination processing execution means to execute the determination processing, using the non-unique policy converted by the conversion means;
- inspection means that reads an inspection packet from the inspection knowledge storage means, causes the determination processing execution means to determine whether to pass or block the inspection packet according to the virtual firewall, and obtains the determination result and the rule that led to the determination result;
- inspection result generation means for generating an inspection result by adding predetermined information to those rules, among the rules included in the non-unique policy converted by the conversion means, that led to a determination result indicating that an inspection packet is allowed to pass;
- inverse conversion means for converting the non-unique policy included in the inspection result into a firewall policy in a format depending on the type of firewall, and result transmitting means for transmitting the firewall policy converted by the inverse conversion means, together with the predetermined information, to the firewall information extraction system.
- a firewall inspection system is a firewall inspection system that receives data from a firewall information extraction system, which extracts a firewall policy from the firewall, and performs an inspection related to the firewall.
- a non-unique policy receiving means for receiving a non-unique policy that is a firewall policy in a format independent of the type of firewall from the firewall information extraction system;
- inspection correction knowledge storage means for storing inspection packets, which are packets used for attacks or packets obtained by removing the attack code from packets used for attacks, together with correction policy information for correcting a rule that passes an inspection packet so that the inspection packet is blocked; determination processing execution means for executing determination processing that determines whether a given packet is passed or blocked based on a non-unique policy;
- Virtual firewall generation means for generating a virtual firewall, which is a program for causing the determination processing execution means to execute the determination processing, using the non-unique policy received by the non-unique policy receiving means;
- An inspection unit that reads the inspection packet from the inspection correction knowledge storage unit, causes the determination processing execution unit to determine whether to pass or block the inspection packet according to the virtual firewall, and obtains a determination result and a rule that has led to the determination result;
- Test result generation means for generating a test result by adding predetermined information to a rule derived from a determination result that the test packet is allowed to pass among the rules included in the non-unique policy received by the non-unique policy receiving means.
- a firewall inspection system is a firewall inspection system that receives data from a firewall information extraction system that extracts a firewall policy from the firewall, and performs inspection relating to the firewall.
- policy receiving means for receiving a firewall policy from the firewall information extraction system; conversion means for converting the received firewall policy into a non-unique policy, that is, a firewall policy in a format independent of the firewall type;
- inspection correction knowledge storage means for storing inspection packets, which are packets used for attacks or packets obtained by removing the attack code from packets used for attacks, together with correction policy information for correcting a rule that passes an inspection packet so that the inspection packet is blocked; determination processing execution means for executing determination processing that determines whether a given packet is passed or blocked based on a non-unique policy;
- virtual firewall generation means for generating a virtual firewall, which is a program for causing the determination processing execution means to execute the determination processing, using the non-unique policy converted by the conversion means;
- inspection means that reads an inspection packet from the inspection correction knowledge storage means, causes the determination processing execution means to determine whether to pass or block the inspection packet according to the virtual firewall, and obtains the determination result and the rule that led to the determination result;
- inspection result generation means for generating an inspection result by adding predetermined information to those rules, among the rules included in the non-unique policy converted by the conversion means, that led to a determination result indicating that an inspection packet is allowed to pass;
- correction means for correcting the non-unique policy, based on the correction policy information, so that the inspection packet is blocked, and inverse conversion means for converting the corrected non-unique policy into a firewall policy in a format depending on the type of firewall.
- the determination processing execution means may be configured to determine whether or not to pass the inspection packet depending on whether the attribute information stored in the portion of the inspection packet other than the payload matches a rule in the non-unique policy. According to such a configuration, it is not necessary to make the attack code stored in the payload harmless. As a result, the time required for the inspection service can be reduced, and prompt incident response is possible. In addition, the service cost can be reduced by the man-hours no longer needed for making attack code harmless, and the firewall inspection service can be provided at a low price.
- FIG. 1 is a block diagram showing a first embodiment of the present invention.
- FIG. 2 is a block diagram showing a configuration example of a client system and an inspection system in the first embodiment.
- FIG. 3 is an explanatory diagram showing a virtual FW.
- FIG. 4 is a flowchart showing the operation of the firewall inspection system in the first exemplary embodiment.
- FIG. 5 is a block diagram showing a modification of the first embodiment.
- FIG. 6 is a block diagram showing a configuration example of a client system and an inspection system in the second embodiment.
- FIG. 7 is a flowchart showing the operation of the firewall inspection system in the second exemplary embodiment.
- FIG. 8 is a block diagram showing a modification of the second embodiment.
- FIG. 9 is an explanatory diagram showing an example of a unique policy and a non-unique policy.
- FIG. 10 is an explanatory diagram showing an example of information stored in the policy storage means of the client system.
- FIG. 11 is an explanatory diagram showing an example of information stored in the policy storage means of the inspection system.
- FIG. 12 is an explanatory diagram showing an example of inspection knowledge stored in the inspection knowledge DB.
- FIG. 13 is a flowchart showing a process for determining whether or not to allow a packet to pass.
- FIG. 14 is an explanatory diagram showing an example of a non-unique policy included in the virtual FW.
- FIG. 15 is an explanatory diagram showing an example of the inspection result.
- FIG. 16 is an explanatory diagram showing an example of a unique policy converted from a non-unique policy.
- FIG. 17 is an explanatory diagram showing the situation where a virtual FW is created and checked for each client company.
- FIG. 18 is an explanatory diagram showing an example of the inspection correction knowledge stored in the inspection correction knowledge DB
- FIG. 19 is a flowchart showing non-unique policy correction processing.
- FIG. 20 is an explanatory diagram showing an example of the modification result of the non-unique policy.
- FIG. 21 is an explanatory diagram showing an example of a unique policy converted from the modification result of the non-unique policy.
- the firewall inspection system includes a firewall information extraction system (hereinafter referred to as a client system) 100 and an inspection system 200.
- the client system 100 and the inspection system 200 are connected via a communication network 400.
- a case where the communication network 400 is the Internet will be described as an example.
- the inspection system 200 receives a firewall policy from the client system 100 and performs an inspection based on the firewall policy. Then, the inspection result is transmitted to the client system 100.
- a person who receives a firewall inspection service (in the following description, referred to as a client company, but not limited to a company) has a client company network 10 that is a communication network of the client company itself.
- the client company also has a firewall 300 that connects the Internet 400 and the client company network 10.
- the client company purchases the client system 100 from a person who provides the inspection service (in the following description, it is referred to as a service providing company, but is not limited to the company), and connects to the client company network 10.
- Client system 100 is connected to a network segment accessible to firewall 300.
- the service providing company has a service providing company network 20 which is a communication network of the service providing company itself.
- the inspection system 200 is managed by a service provider and connected to the service provider network 20. Although not shown, the inspection system 200 is connected to the Internet 400 via a gateway, a router, or the like.
- the client company receives the inspection service for the firewall 300, and pays the service company for the service.
- FIG. 2 is a block diagram showing a configuration example of the client system 100 and the inspection system 200 in the first embodiment.
- the client system 100 and the inspection system 200 are shown as being directly connected to the Internet.
- the client system 100 is connected to the Internet 400 through a firewall.
- the inspection system 200 is connected to the Internet 400 via a gateway, a router, etc. (not shown).
- the client system 100 includes a policy extraction unit 110, a policy conversion rule storage unit 120, a policy storage unit 130, a communication unit 140, a policy reverse conversion unit 150, and a result output unit 160.
- the policy extraction unit 110 extracts setting information from the firewall 300.
- the setting information is information including a firewall policy, and the firewall policy is a set of rules that define the conditions for allowing and blocking a packet.
- the setting information includes the type of firewall 300 (product name, etc.) and version information in addition to the firewall policy.
- the firewall policy included in the configuration information is described in a format that depends on the type of firewall 300.
- the policy extraction unit 110 converts the firewall policy included in the extracted setting information into a firewall policy described in a format independent of the type of firewall according to the policy conversion rule.
- the policy conversion rule is a correspondence table between a firewall policy in a format that depends on the type of firewall (hereinafter referred to as a "unique policy") and a firewall policy in a format that does not depend on the type of firewall (hereinafter referred to as a "non-unique policy"); the policy conversion rule storage unit 120 stores such a correspondence table for each type and version of firewall.
- the policy extraction unit 110 stores in the policy storage unit 130 the non-unique policy after conversion, information on the type and version of the firewall 300, the time at which the setting information is extracted, and the like.
- the policy conversion rule storage unit 120 stores policy conversion rules in advance for each type of firewall.
- the policy storage unit 130 stores the non-unique policy converted by the policy extraction unit 110, the type and version information of the firewall, the time at which the setting information was extracted (the date and time of recording in the policy storage unit 130 may be used instead), and the like.
- the communication unit 140 reads the non-unique policy from the policy storage unit 130 and transmits it to the inspection system 200. At this time, the communication unit 140 adds a serial number to the non-unique policy every time a non-unique policy is transmitted, and the number is stored, for example, in the policy storage unit 130 in association with the type and version information of the firewall 300. In addition, the communication unit 140 receives from the inspection system 200 the result of the inspection of the firewall 300 performed using the non-unique policy. The inspection result is the non-unique policy in which, for each rule that allows a packet constituting an attack against the firewall to pass, the name of the attack has been added to that rule.
- the policy reverse conversion unit 150 converts a non-unique policy included in the verification result into a unique policy based on the policy conversion rule.
- the policy reverse conversion unit 150 leaves the name of the attack additionally described in the inspection result as it is.
- the number added by the communication unit 140 when transmitting the non-unique policy is left as it is.
- the policy reverse conversion unit 150 may identify the type and version information of the firewall based on the number, refer to the policy conversion rule corresponding to the type, and perform conversion into a specific policy.
- the policy reverse conversion unit 150 causes the result output unit 160 to output the unique policy to which the attack name is added.
- the result output unit 160 outputs the unique policy converted from the inspection result by the policy reverse conversion unit 150.
- the policy extraction unit 110 and the communication unit 140 are, for example, the client company network 10
- the inspection system 200 includes a communication unit 210, a policy storage unit 220, a virtual FW (firewall) creation unit 230, a virtual FW (firewall) storage unit 240, a FW (firewall) inspection unit 250, and an inspection knowledge DB (database) 260.
- the communication unit 210 receives a non-unique policy from the client system 100 and stores it in the policy storage unit 220. In addition, the communication unit 210 transmits the inspection result to the client system 100.
- Policy storage unit 220 stores the non-unique policy received by communication unit 210 from client system 100.
- the virtual FW creating unit 230 creates a virtual FW and stores it in the virtual FW storage unit 240.
- the virtual FW is a program that causes a CPU (not shown) included in the inspection system 200 to operate as a simulated firewall.
- the virtual FW is a program for emulating the operation of a firewall.
- emulating the operation of a firewall means determining whether a given packet is to be passed or blocked.
- the virtual FW storage unit 240 stores the created virtual FW.
- FIG. 3 is an explanatory diagram showing a virtual FW.
- the virtual FW creation unit 230 creates the virtual FW 500 by adding the non-unique policy 510 to the FW execution instruction 520 prepared in advance.
- the FW execution instruction 520 is a group of instructions for causing the CPU (not shown) of the inspection system 200 to execute an operation as a firewall.
- the FW execution instruction 520 is stored in advance in a storage device (not shown) included in the inspection system 200.
- when creating the virtual FW, the virtual FW creation unit 230 reads the FW execution instruction 520, reads the non-unique policy stored in the policy storage unit 220, and adds it to the FW execution instruction 520 as the non-unique policy 510 to generate the virtual FW 500.
- the virtual FW 500 is generated, for example, as a program execution file. It is also possible to include a non-unique policy in the virtual FW500 generated as a program execution file. Alternatively, the non-unique policy may be a separate file from the program execution file, and the data file of the non-unique policy may be associated with the program execution file.
- the inspection knowledge DB 260 stores at least one piece of data representing an attack itself or data representing the attributes of an attack.
- data representing the attack itself is the entire packet that constitutes an attack on a system.
- the data representing the attack itself contains attack codes that cause the system that received the packet to malfunction.
- the attack code is stored in the payload of the packet.
- the data representing the attributes of the attack is the data representing the attack itself with the attack code (the payload part) removed. Therefore, the inspection knowledge DB 260 may store data that includes the attack code (data representing the attack itself), or data that does not include the attack code (data representing the attributes of the attack).
- the inspection knowledge DB 260 may also store the name of the attack and supplementary items (for example, information on what kind of device is infected). The data representing the attack itself, or the data representing the attributes of the attack, together with the name of the attack, is collectively referred to as inspection knowledge. Supplementary items, if present, are also part of the inspection knowledge, but they are not required.
- an inspection packet is the entire packet that constitutes an attack on a system, or such a packet with the attack code removed.
- the inspection knowledge DB 260 stores one or more pieces of inspection knowledge. Inspection knowledge is created by the operators of the inspection system and the security experts of the service providing company. Inspection knowledge may also be purchased by the service providing company from security vendors or companies that manage incident information. The inspection knowledge is input to the inspection system 200 via, for example, an input device (not shown), and stored in the inspection knowledge DB 260 by the CPU (not shown).
- the FW inspection unit 250 activates the virtual FW 500 (see FIG. 3) stored in the virtual FW storage unit 240. The FW inspection unit 250 then reads an inspection packet (whose payload may or may not contain the attack code) from the inspection knowledge DB 260, and causes the CPU (not shown) operating according to the virtual FW 500 to determine whether the inspection packet is passed or blocked. The rule that led to the determination is also identified. The FW inspection unit 250 then adds the attack name of each inspection packet determined to be passed to the corresponding rule in the non-unique policy stored in the policy storage unit 220.
- the communication unit 210 is realized by, for example, an interface with the service providing company network 20 (see FIG. 1) and a CPU that operates according to a program.
- the virtual FW creation unit 230 and the FW inspection unit 250 are realized by, for example, a CPU that operates according to a program.
- the program may be stored in advance in a storage device (not shown) provided in the inspection system 200.
- the policy storage unit 220, the virtual FW storage unit 240, and the inspection knowledge DB 260 are realized by, for example, a storage device included in the inspection system 200.
- the service providing company sells the client system 100 to the client company.
- the client system 100 accesses the firewall 300 in the client company network 10 (see FIG. 1).
- FIG. 4 is a flowchart showing the operation of the firewall inspection system in the present embodiment.
- the policy extraction unit 110 of the client system 100 extracts the setting information of the firewall 300 (step 1001).
- the setting information may be extracted from the firewall 300 by executing a setting information acquisition command provided in the firewall 300, for example.
- the policy extraction unit 110 may extract the setting information from the firewall 300 periodically, for example.
- the client system 100 may include an input device (not shown) such as a keyboard and a mouse for inputting instructions from the operator, and the setting information may be extracted from the firewall 300 when an instruction to extract the setting information is input from the input device.
- the setting information extraction process may also be set in advance to start at a timing determined by the contract between the client company and the service providing company.
- the policy extraction unit 110 converts the unique policy included in the setting information into a non-unique policy and stores the non-unique policy in the policy storage unit 130 (step 1002).
- the policy extraction unit 110 reads from the policy conversion rule storage unit 120 the policy conversion rule corresponding to the type and version information of the firewall 300 included in the setting information. Then, according to the policy conversion rule, the policy extraction unit 110 converts the unique policy having a format depending on the firewall type into a non-unique policy having a format independent of the firewall type.
- the policy extraction unit 110 stores the non-unique policy in the policy storage unit 130 together with the date and time at which the setting information was extracted (the date and time of recording in the policy storage unit 130 may be used instead) and the type and version information of the firewall 300.
- the case where the type and version information of the firewall is included in the setting information is taken as an example, but the type and version information may not be included in the setting information.
- the client system 100 may receive the firewall type and version information in advance from an operator of the client company via an input device (not shown) such as a keyboard, and store the input information in a storage device (not shown). The type and version information stored in advance may then be read by the policy extraction unit 110 in step 1002 and stored in the policy storage unit 130 together with the non-unique policy.
- the type and version information can be acquired from the firewall 300 by executing the data acquisition command (firewall type and version information acquisition command) provided in the firewall 300.
- the communication unit 140 reads the non-unique policy from the policy storage unit 130, and transmits the non-unique policy to the inspection system 200 via the Internet 400 (step 1003).
- the communication unit 140 adds a serial number to the non-unique policy and transmits it.
- the communication unit 140 associates the number added to the non-unique policy with the type and version information of the firewall 300 and stores them, for example, in the policy storage unit 130. This number is used to identify the policy conversion rule to be referred to when the inspection result received later is converted into a unique policy.
- in step 1003, the communication unit 140 may first transmit an inspection request to the inspection system 200 and transmit the non-unique policy after receiving a response accepting the inspection request from the inspection system 200.
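As an added example (not code from the patent), the following Python sketch shows the client-side flow of steps 1002 and 1003 and the later reverse conversion: a unique policy in a constructed vendor syntax is converted into a vendor-neutral non-unique policy through a conversion rule keyed by firewall type and version, a serial number is recorded in place of that type and version, and the number alone is later used to convert an annotated inspection result back into the firewall's own format. The vendor syntaxes, conversion rule tables and setting information are constructed for illustration; real firewall syntaxes differ.

```python
"""Client-side policy conversion with a serial number standing in for the
firewall's identity (steps 1002, 1003 and the later reverse conversion).

Added example, not the patent's own code. The vendor rule syntaxes, the
conversion rule tables and the setting information below are constructed for
illustration; real firewall syntaxes differ.
"""
import itertools

# Constructed conversion rules keyed by (firewall type, version): the vendor's
# action keywords and the order of the fields in one vendor rule line.
CONVERSION_RULES = {
    ("vendor-a", "1.0"): {"actions": {"permit": "allow", "deny": "block"},
                          "fields": ("proto", "src", "dst", "dport")},
    ("vendor-b", "2.1"): {"actions": {"accept": "allow", "drop": "block"},
                          "fields": ("src", "dst", "proto", "dport")},
}


def to_non_unique(unique_lines, fw_type, version):
    """Unique policy (vendor text) -> non-unique policy (vendor-neutral dicts)."""
    conv = CONVERSION_RULES[(fw_type, version)]
    policy = []
    for line in unique_lines:
        action, *values = line.split()
        rule = {"action": conv["actions"][action]}
        rule.update(zip(conv["fields"], values))
        policy.append(rule)
    return policy


def to_unique(policy, fw_type, version):
    """Non-unique policy -> unique policy; attack names added by the inspection
    are kept as-is, here as a trailing comment on the vendor line."""
    conv = CONVERSION_RULES[(fw_type, version)]
    reverse_actions = {v: k for k, v in conv["actions"].items()}
    lines = []
    for rule in policy:
        parts = [reverse_actions[rule["action"]]] + [rule[f] for f in conv["fields"]]
        line = " ".join(parts)
        if rule.get("attacks"):
            line += "  # passes: " + ", ".join(rule["attacks"])
        lines.append(line)
    return lines


class ClientSystem:
    """Models the policy extraction unit, policy storage unit and communication
    unit of the client system: what leaves the client carries only a number."""

    def __init__(self):
        self._serial = itertools.count(1)
        # number -> (firewall type, version); kept locally, never transmitted
        self.policy_storage = {}

    def prepare_transmission(self, setting_info):
        policy = to_non_unique(setting_info["rules"],
                               setting_info["type"], setting_info["version"])
        number = next(self._serial)
        self.policy_storage[number] = (setting_info["type"], setting_info["version"])
        return {"number": number, "policy": policy}

    def reverse_convert(self, inspection_result):
        """Use the number in the result to pick the conversion rule, then convert
        the (annotated) non-unique policy back to the firewall's own format."""
        fw_type, version = self.policy_storage[inspection_result["number"]]
        return to_unique(inspection_result["policy"], fw_type, version)


# Constructed setting information as the policy extraction unit might obtain it.
SETTING_INFO = {
    "type": "vendor-a",
    "version": "1.0",
    "rules": ["permit tcp any 192.0.2.10 80", "deny ip any any any"],
}

if __name__ == "__main__":
    client = ClientSystem()
    message = client.prepare_transmission(SETTING_INFO)
    print("sent to inspection system:", message)
    # Constructed inspection result: the first rule was found to pass "attack-A".
    result = {"number": message["number"],
              "policy": [dict(message["policy"][0], attacks=["attack-A"]),
                         message["policy"][1]]}
    print("\n".join(client.reverse_convert(result)))
```

Because the non-unique form is vendor-neutral, the same policy can also be emitted in the other constructed vendor's syntax, which is what makes the later reapplication after a firewall model change possible.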
- the communication unit 210 of the inspection system 200 receives the non-unique policy transmitted by the communication unit 140 of the client system 100, and stores the non-unique policy in the policy storage unit 220 (step 1004).
- the virtual FW creation unit 230 reads the FW execution instruction 520 from, for example, a storage device (not shown) included in the inspection system 200, and reads the non-unique policy stored in the policy storage unit 220 in step 1004.
- the virtual FW creation unit 230 adds the read non-unique policy to the read FW execution instruction 520 to generate the virtual FW 500 (step 1005).
- the virtual FW 500 is generated as a program execution file including the FW execution instruction 520 and the non-unique policy 510 (the non-unique policy itself read from the policy storage unit 220).
- the virtual FW creation unit 230 stores the generated virtual FW 500 in the virtual FW storage unit 240.
- the FW inspection unit 250 activates the virtual FW 500 to inspect the firewall 300 of the client company (step 1006).
- the CPU (not shown) of the inspection system 200 that performs the firewall operation according to the virtual FW 500 and the CPU (not shown) that operates as the FW inspection unit 250 are the same CPU.
- the FW inspection unit 250 reads data representing the attack itself (the entire packet constituting an attack on a system) or data representing the attributes of the attack (the packet without the attack code) from the inspection knowledge DB 260. The CPU (not shown) operating according to the virtual FW 500 then determines whether or not the packet is passed.
- the CPU operating in accordance with the virtual FW 500 determines whether the firewall 300 passes or blocks the packet based on the non-unique policy 510 included in the virtual FW 500 and the attack attribute.
- the FW inspection unit 250 identifies, among the rules included in the non-unique policy stored in the policy storage unit 220, the rule that led to the determination that the packet is allowed to pass, and adds the attack name of the packet to that rule.
- the FW inspection unit 250 executes the above processing sequentially for each piece of data representing an attack itself or an attack attribute stored in the inspection knowledge DB 260.
- the result of adding the attack information (in this embodiment, the name of the attack) to the non-unique policy stored in step 1004 is the inspection result. The inspection result also includes the number added to the non-unique policy in step 1003.
- the FW inspection unit 250 sends the inspection result to the communication unit 210 of the inspection system 200.
- the communication unit 210 transmits the inspection result to the client system 100 via the Internet 400 (step 1007).
- the communication unit 140 of the client system 100 receives the inspection result from the communication unit 210 of the inspection system 200 and passes the inspection result to the policy reverse conversion unit 150.
- the communication unit 140 may instead store the inspection result in the policy storage unit 130, and the policy reverse conversion unit 150 may read the inspection result from the policy storage unit 130.
- the policy reverse conversion unit 150 identifies the firewall type and version information corresponding to the number included in the inspection result (the number added to the non-unique policy in step 1003) based on the information stored in step 1003.
- the policy conversion rule corresponding to the specified information is read from the policy conversion rule storage unit 120.
- the policy reverse conversion unit 150 refers to the policy conversion rule and converts the non-unique policy included in the inspection result into a unique policy having a format dependent on the firewall 300.
- the converted unique policy is output (for example, displayed) to the result output unit 160 together with the attack information added in step 1006 (step 1008).
- it is thus possible to present to the operator of the client company the rules, among those included in the firewall policy of the firewall 300, that allow an attack packet to pass.
- the policy extraction unit and the conversion unit correspond to the policy extraction unit 110.
- the inspection knowledge storage means corresponds to the inspection knowledge DB 260.
- the determination process execution means corresponds to the CPU (not shown) of the inspection system 200.
- the virtual firewall generation means corresponds to the virtual FW generation unit 230.
- the inspection means and the inspection result generation means correspond to the FW inspection unit 250.
- the reverse conversion means corresponds to the policy reverse conversion unit 150.
- the result output means corresponds to the result output unit 160.
- the non-unique policy transmitting unit and the inspection result receiving unit correspond to the communication unit 140 of the client system 100.
- the non-unique policy receiving unit and the inspection result transmitting unit correspond to the communication unit 210 of the inspection system 200.
- the client system's firewall 300 itself does not receive the inspection.
- the service provider's inspection system 200 creates a virtual FW 500 (see FIG. 3) using the firewall 300's non-unique policy.
- the inspection is performed by the virtual FW 500.
- therefore, there is no possibility that the firewall 300 is damaged by the inspection and the client company suffers damage such as business suspension or loss of business opportunities. Likewise, there is no risk that a high load is placed on the firewall 300 or the client company network 10 (see FIG. 1) and the client company suffers damage such as business stagnation or lost business opportunities.
- the CPU (not shown) of the inspection system 200 operating according to the virtual FW 500 determines whether the firewall 300 passes or blocks a packet based on the non-unique policy 510 included in the virtual FW 500 and the attributes of the attack. This determination can be performed even if the attack code is not included in the packet. Therefore, when a new attack is discovered, no man-hours are needed to create a harmless (neutralized) version of the attack for inspection. The service providing company can therefore respond quickly to incidents; in other words, when a new attack is discovered, an inspection service for that attack can be provided early. In addition, the service cost is reduced by the man-hours saved in neutralizing attacks, and the firewall inspection service can be offered to client companies at a low price.
- the data representing the attack itself or the attributes of the attack stored in the inspection knowledge DB 260 is used within the inspection system 200 and is not transmitted to the client system 100. Therefore, there is no risk that the data the service providing company itself uses for inspection leaks to competitors via the client company.
- the client system 100 transmits a non-unique policy instead of a unique policy. Furthermore, instead of the type and version information of the firewall 300, the client system 100 transmits a number that the client system 100 itself has associated with that information. Therefore, the inspection system 200 cannot identify the type and version of the firewall 300 used by the client company. A client company that wants to keep the type and version of its firewall 300 confidential can thus receive the inspection service without disclosing the type and version information of the firewall 300 to the service providing company.
- the virtual FW creation unit 230 may start creating the virtual FW (step 1005) when, after the end of step 1004, the operator of the service providing company instructs the start of virtual FW creation.
- similarly, the FW inspection unit 250 may start the inspection (step 1006) when, after the end of step 1005, the operator of the service providing company instructs the start of the inspection.
- the inspection system 200 includes an input device (not shown) such as a keyboard and a mouse for inputting an instruction from the operator.
- the operator of the service providing company may also perform steps 1005 and 1006 collectively by batch processing once a number of non-unique policies have accumulated in the policy storage unit 220.
- the operation may also be suspended after step 1004 and resumed from step 1005 after the update of the inspection knowledge DB 260 is completed.
- FIG. 5 shows a configuration example in which a unique policy (in a format dependent on the firewall type) and the type and version information of the firewall are transmitted to the inspection system 200.
- the client system 100 includes a policy extraction unit 110, a communication unit 140, and a result output unit 160.
- the result output unit 160 is the same as the result output unit 160 shown in FIG.
- the policy extraction unit 110 extracts setting information from the firewall 300, and sends the firewall policy (unique policy) included in the setting information and information on the type and version of the firewall 300 to the communication unit 140.
- the information on the type of firewall 300 may be input in advance by the operator of the client company.
- the type and version information may be extracted from the firewall 300.
- the communication unit 140 of the client system 100 transmits the unique policy and the type and version information of the firewall 300 sent from the policy extraction unit 110 to the inspection system 200 via the Internet 400.
- when the communication unit 140 receives an inspection result from the inspection system 200, the communication unit 140 causes the result output unit 160 to output (for example, display) the inspection result.
- the inspection system 200 includes a communication unit 210, a policy conversion rule storage unit 125, a unique policy storage unit 135, a policy conversion unit 155, a non-unique policy storage unit 225, a virtual FW creation unit 230, a virtual FW storage unit 240, a FW inspection unit 250, and an inspection knowledge DB 260.
- the policy conversion rule storage unit 125 stores policy conversion rules in the same manner as the policy conversion rule storage unit 120 in the configuration shown in FIG.
- the virtual FW creation unit 230, the virtual FW storage unit 240, the FW inspection unit 250, and the inspection knowledge DB 260 are the same as the virtual FW creation unit 230, the virtual FW storage unit 240, the FW inspection unit 250, and the inspection knowledge DB 260 in the configuration shown in FIG. 2.
- the non-unique policy storage unit 225 stores the non-unique policy in the same manner as the policy storage unit 220 of the inspection system 200 in the configuration shown in FIG. 2.
- the communication unit 210 of the inspection system 200 causes the unique policy storage unit 135 to store the unique policy and the type and version information of the firewall 300 received from the client system 100.
- the reception time of the unique policy may be stored in the unique policy storage unit 135.
- the communication unit 210 may add a number or the like for identifying each unique policy to the unique policy and store it in the unique policy storage unit 135.
- the unique policy storage unit 135 stores the unique policy and the type and version information of the firewall 300.
- the policy conversion unit 155 refers to the policy conversion rule and performs both the conversion from a unique policy to a non-unique policy and the conversion from a non-unique policy to a unique policy. After the communication unit 210 stores the unique policy in the unique policy storage unit 135, the policy conversion unit 155 reads from the policy conversion rule storage unit 125 the policy conversion rule corresponding to the firewall type and version stored together with the unique policy. Based on that policy conversion rule, it converts the unique policy stored in the unique policy storage unit 135 into a non-unique policy and stores it in the non-unique policy storage unit 225. The information added to identify each unique policy (a number or the like) is also added to the converted non-unique policy.
- the virtual FW creation unit 230 creates a virtual FW 500 (see FIG. 3) in the same manner as in step 1005, and the FW inspection unit 250 performs the same inspection as in step 1006. If it is determined during the inspection that an attack packet is allowed to pass, the FW inspection unit 250 adds the attack name of the packet to the rule, among the rules included in the non-unique policy stored in the non-unique policy storage unit 225, that led to the determination that the packet is allowed to pass.
- the policy conversion unit 155 identifies the type and version of the firewall from the information for identifying each unique policy that was added to the non-unique policy, and reads the policy conversion rule corresponding to that type and version. It then converts the non-unique policy stored in the non-unique policy storage unit 225 into a unique policy. If an attack name has been added to a rule in the non-unique policy, the attack name is left as it is during conversion.
- the communication unit 210 of the inspection system 200 transmits the unique policy converted from the non-unique policy to the client system 100 as the inspection result.
- the attack name is also added to the unique policy transmitted as the inspection result.
- when the communication unit 140 of the client system 100 receives the inspection result from the inspection system 200, the communication unit 140 causes the result output unit 160 to output the inspection result.
- the policy conversion rule storage unit 125, the unique policy storage unit 135, and the non-unique policy storage unit 225 are realized by, for example, a storage device (not shown) included in the inspection system 200.
- the policy conversion unit 155 is realized by a CPU that operates according to a program, for example.
- the policy extraction unit corresponds to the policy extraction unit 110.
- the conversion unit and the reverse conversion unit correspond to the policy conversion unit 155.
- the inspection knowledge storage means corresponds to the inspection knowledge DB 260.
- the determination processing execution means corresponds to the CPU (not shown) of the inspection system 200.
- the virtual firewall generation means corresponds to the virtual FW creation unit 230.
- the inspection means and the inspection result generation means correspond to the FW inspection unit 250.
- the result output means corresponds to the result output unit 160.
- the policy receiving unit and the result transmitting unit correspond to the communication unit 210 of the inspection system 200.
- the inspection system 200 may be combined with the client system 100 and installed in the client company network 10.
- in that case, in order to prevent the operation of the inspection system 200 from becoming known to the client company, the inspection system 200 may encrypt the various data when storing them in the policy storage unit 220, the virtual FW storage unit 240, and the inspection knowledge DB 260, and decrypt the data when using the data stored in the policy storage unit 220, the virtual FW storage unit 240, and the inspection knowledge DB 260.
- when inspection knowledge is added to the inspection knowledge DB 260, the addition is performed so that the inspection knowledge does not become known to the client company.
- for example, the inspection knowledge is transmitted from a terminal device (not shown) of the service providing company to the inspection system 200.
- when the communication unit 210 of the inspection system 200 receives the inspection knowledge, it adds the inspection knowledge to the inspection knowledge DB 260 in an encrypted state.
- FIG. 6 is a block diagram showing a configuration example of the client system (firewall information extraction system) 100 and the inspection system 200 in the present embodiment. Components and apparatuses similar to those shown in FIG. 2 are denoted by the same reference numerals as those in FIG. 2 and description thereof is omitted.
- the inspection system 200 includes an inspection correction knowledge DB 280 instead of the inspection knowledge DB 260 shown in FIG. 2, and includes an FW inspection correction unit 270 instead of the FW inspection unit 250 shown in FIG.
- Inspection Correction Knowledge DB 280 stores inspection correction knowledge.
- Inspection correction knowledge is data in which correction policy information for rules that pass inspection packets is added to the inspection knowledge.
- the correction policy information is described in the same format as a rule of the non-unique policy, but some of its elements are left unspecified.
- the correction policy information is described so that a rule that does not pass the inspection packet is obtained by filling its unspecified elements with the corresponding elements of the rule that passes the inspection packet.
- the inspection correction knowledge DB 280 is realized by, for example, a storage device included in the inspection system 200.
- the FW inspection correction unit 270 performs the same processing as the FW inspection unit 250 shown in FIG.
- the FW inspection correction unit 270 further creates a rule that does not pass the inspection packet, using the rule determined to pass the inspection packet and the correction policy information, and corrects the non-unique policy by adding that rule.
- the FW inspection correction unit 270 is realized by a CPU that operates according to a program, for example.
- the client system 100 includes a policy application unit 170 instead of the policy reverse conversion unit 150 shown in FIG.
- the policy application unit 170 converts the correction result (in this embodiment, the non-unique policy inspected and corrected by the FW inspection correction unit 270) into a unique policy and outputs the unique policy to the result output unit 160. This process is executed in the same manner as the process executed by the policy reverse conversion unit 150 shown in FIG. 2. Furthermore, the policy application unit 170 applies the unique policy converted from the correction result to the firewall 300.
- the communication unit 140 causes the policy storage unit 130 to store the correction result received from the inspection system 200.
- after the policy application unit 170 has applied the unique policy to the firewall 300 once, when an instruction to reapply the firewall policy is input by the operator, the policy application unit 170 reads the correction result from the policy storage unit 130 according to the instruction and executes again the conversion to a unique policy and the application of the unique policy to the firewall 300.
- the instruction to reapply the firewall policy is input via an input device (not shown) such as a keyboard or a mouse provided in the client system 100, for example.
- the policy application unit 170 may also convert the non-unique policy that the policy extraction unit 110 converted from the unique policy in the setting information (that is, the non-unique policy before correction) back into a unique policy and reapply it to the firewall 300.
- in that case, the communication unit 140 need not store the correction result received from the inspection system 200 in the policy storage unit 130.
- the policy application unit 170 is realized by a CPU that operates according to a program, for example.
- FIG. 7 is a flowchart showing the operation of the firewall inspection system in the present embodiment.
- the same processes as those shown in FIG. 4 are denoted by the same reference numerals as in FIG. 4.
- the non-unique policy stored in the policy storage unit 220 of the inspection system 200 is in a state where the attack name is added to the rule determined to pass the inspection packet.
- the FW inspection correction unit 270 corrects the non-unique policy in which the attack name is added to the rule (step 1006a).
- the FW inspection correction unit 270 extracts from the rules included in the non-unique policy each rule to which an attack name has been added (that is, each rule determined to pass an inspection packet). It then reads the correction policy information associated with that attack name from the inspection correction knowledge DB 280. Using the rule with the attack name added and the correction policy information, the FW inspection correction unit 270 creates a new rule that does not allow the inspection packet to pass. At this time, the new rule is created by filling the unspecified elements of the correction policy information, which is described in the same format as a rule of the non-unique policy, with the corresponding elements of the rule determined to pass the inspection packet. The FW inspection correction unit 270 inserts the newly created rule before the rule with the attack name added, and deletes the added attack name. As a result, the inspection packet is blocked based on the newly created rule.
- the inspection correction knowledge DB 280 may also store inspection correction knowledge whose correction policy information is “none”.
- that is, the correction policy information associated with an attack name may be “none”.
- in that case, no new rule is created from the rule to which the attack name is added.
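As an added example (not the patent's own code), the following Python sketch carries out the inspection of step 1006 and the correction of step 1006a on a constructed non-unique policy: inspection packets carrying only attack attributes are run through a first-match virtual firewall, the rule that passes each one is annotated with its attack name, and a blocking rule is then built from the correction policy information (unspecified elements filled from the passing rule) and inserted before it, while a “none” correction leaves the annotation in place. First-match evaluation with a default block, the field names, and all sample data are assumptions not fixed by the page.

```python
"""Virtual-firewall inspection (step 1006) and correction (step 1006a) over a
non-unique policy.

Added example, not the patent's own code. Assumed, since the page does not fix
them: first-match evaluation with default block, the rule field names, and the
sample policy, inspection knowledge and correction policy information, which
are constructed here. Inspection packets carry only attack attributes (header
fields), never attack code.
"""
import copy
import ipaddress

FIELDS = ("proto", "src", "dst", "dport")


def _field_matches(field, rule_value, packet_value):
    """'any' is a wildcard; src/dst rule values may be networks or single hosts."""
    if rule_value == "any":
        return True
    if field in ("src", "dst"):
        return ipaddress.ip_address(packet_value) in ipaddress.ip_network(rule_value)
    return str(rule_value) == str(packet_value)


def evaluate(policy, packet):
    """Return (decision, index of the deciding rule); unmatched packets are blocked."""
    for idx, rule in enumerate(policy):
        if all(_field_matches(f, rule[f], packet[f]) for f in FIELDS):
            return rule["action"], idx
    return "block", None


def inspect(policy, knowledge):
    """FW inspection unit: run each inspection packet through the virtual FW and
    add the attack name to the rule that let it pass. Returns an annotated copy."""
    policy = copy.deepcopy(policy)
    for item in knowledge:
        decision, idx = evaluate(policy, item["packet"])
        if decision == "allow":
            policy[idx].setdefault("attacks", []).append(item["name"])
    return policy


def build_blocking_rule(passing_rule, correction):
    """Fill the unspecified elements (None) of the correction policy information
    with the corresponding elements of the rule that passed the packet."""
    return {f: (passing_rule[f] if correction.get(f) is None else correction[f])
            for f in ("action",) + FIELDS}


def correct(annotated_policy, knowledge):
    """FW inspection correction unit: insert a blocking rule before each
    annotated rule and drop the attack name. Where the correction policy
    information is "none", no rule is created and the name stays."""
    corrections = {item["name"]: item["correction"] for item in knowledge}
    result = []
    for rule in annotated_policy:
        rule = copy.deepcopy(rule)
        unresolved = []
        for name in rule.pop("attacks", []):
            correction = corrections.get(name, "none")
            if correction == "none":
                unresolved.append(name)
            else:
                result.append(build_blocking_rule(rule, correction))
        if unresolved:
            rule["attacks"] = unresolved
        result.append(rule)
    return result


# Constructed non-unique policy (ordered) and inspection correction knowledge.
POLICY = [
    {"action": "allow", "proto": "tcp", "src": "any", "dst": "192.0.2.0/24", "dport": 80},
    {"action": "allow", "proto": "tcp", "src": "203.0.113.0/24", "dst": "192.0.2.10", "dport": "any"},
    {"action": "block", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
]
KNOWLEDGE = [
    {"name": "attack-A",  # passes rule 1; a narrower block rule is inserted before it
     "packet": {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 445},
     "correction": {"action": "block", "proto": "tcp", "src": None, "dst": None, "dport": 445}},
    {"name": "attack-B",  # passes rule 0, but no correction information exists
     "packet": {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.20", "dport": 80},
     "correction": "none"},
    {"name": "attack-C",  # already blocked by the final rule, so never annotated
     "packet": {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.20", "dport": 23},
     "correction": {"action": "block", "proto": None, "src": None, "dst": None, "dport": 23}},
]

if __name__ == "__main__":
    annotated = inspect(POLICY, KNOWLEDGE)
    for rule in correct(annotated, KNOWLEDGE):
        print(rule)
```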
- the FW inspection correction unit 270 sends the correction result (the non-unique policy inspected and corrected by the FW inspection correction unit 270) to the communication unit 210 of the inspection system 200.
- the communication unit 210 transmits the correction result to the client system 100 via the Internet 400 (step 1007). This operation is the same as the operation of Step 1007 in the first embodiment.
- the communication unit 140 of the client system 100 receives the correction result of the communication unit 210 of the detection system 200 and passes the correction result to the policy application unit 170. In addition, the communication unit 140 stores the received correction result in the policy storage unit 130.
- the policy application unit 170 may read the correction result from the policy storage unit 130.
- the policy application unit 170 reads the policy conversion rule from the policy conversion rule storage unit 120 as in the policy reverse conversion unit 150 shown in FIG. Then, the policy applying unit 170 refers to the policy conversion rule, and converts the non-unique policy included in the modification result into a unique policy having a format depending on the firewall 300. Further, the policy applying unit 170 causes the result output unit 160 to output (for example, display output) the unique policy (step 1008a).
- If the information on the attack name added in step 1006 is included in the correction result (step 1006a), the information on the attack name is also output.
- step 1008a the policy applying unit 170 applies the unique policy converted from the non-unique policy to the firewall 300. Since the non-unique policy was modified in step 1006a, the unique policy converted from that non-unique policy is different from the original unique policy. By applying this unique policy, the firewall policy of Firewall 300 will be changed. Specifically, it is changed so that the attack packet is not passed.
- the policy storage unit 130 of the client system 100 stores the modified non-unique policy.
- the client company can restore (re-apply) the firewall policy to the firewall 300 owned by the client company based on the non-unique policy stored in the policy storage unit 300 without receiving the inspection service by the inspection system 200 again. )It can be performed.
- the firewall policy is restored, for example, when the firewall policy is broken for some reason or when the model of the firewall 300 is changed.
- the policy application unit 170 reads the policy conversion rule, converts the non-unique policy into the unique policy in the same manner as in step 1008a, and reapplies that unique policy to the firewall 300.
- In the policy application unit 170, information on the type and version of the firewall 300 is input together with the instruction to reapply the firewall policy via an input device (not shown).
- the policy application unit 170 may read the policy conversion rule corresponding to the input type and version information of the firewall 300 and convert the non-unique policy into the unique policy using that policy conversion rule. If the model of the firewall 300 has not been changed, the type and version information of the firewall 300 need not be entered.
- the policy application unit 170 may specify the policy conversion rule in the same manner as the policy reverse conversion unit 150 shown in FIG. That is, since a number corresponding to the type and version of the firewall is added to the non-unique policy in advance in step 1003, the type and version of the firewall can be identified from the number added to the non-unique policy that is the modification result, and the policy conversion rule can be specified from them.
- the policy application unit 170 may also convert the non-unique policy stored in the policy storage unit 130 by the policy extraction unit 110 in step 1002 (the non-unique policy before modification) into the unique policy and apply it to the firewall 300.
- the policy application unit 170 reads the policy conversion rule corresponding to the type and version information.
- the policy application unit 170 converts the non-unique policy stored in the policy storage unit 130 in step 1002 into a unique policy using the policy conversion rule.
- the policy application unit 170 applies the unique policy to the firewall 300. In this case, the communication unit 140 of the client system 100 does not have to store the correction result received from the inspection system 200 in the policy storage unit 130.
- the policy extraction unit and the conversion unit correspond to the policy extraction unit 110.
- the inspection correction knowledge storage means corresponds to the inspection correction knowledge DB 280.
- the determination processing execution means corresponds to the CPU (not shown) of the inspection system 200.
- the virtual firewall generation means corresponds to the virtual FW generation unit 230.
- the inspection means, inspection result generation means, and correction means correspond to the FW inspection correction unit 270.
- the reverse conversion means corresponds to the policy reverse conversion unit 150.
- the result output means corresponds to the result output unit 160.
- the policy application means corresponds to the policy application unit 170.
- the non-unique policy storage means corresponds to the policy storage unit 130 of the client system.
- the instruction input means corresponds to an input device (not shown) included in the client system 100.
- the non-unique policy transmitting unit and the modification result receiving unit correspond to the communication unit 140 of the client system 100.
- the non-unique policy receiving unit and the correction result transmitting unit correspond to the communication unit 210 of the inspection system 200.
- the inspection system 200 receives the non-unique policy from the client system 100, and after the inspection by the virtual FW, the FW inspection correction unit 270 creates, from the rule determined to pass the inspection packet and the correction policy information, a new rule that does not pass the inspection packet. The non-unique policy to which that rule has been added is then transmitted to the client system 100.
- the policy application unit 170 of the client system 100 converts the non-unique policy into a unique policy and applies it to the firewall 300. Therefore, even if the firewall allows more packets than necessary, it can provide client companies with specific measures to improve the condition.
- the policy application unit 170 converts the non-unique policy stored in the policy storage unit 130 into a unique policy and applies the unique policy to the firewall 300. Therefore, the client company can easily restore the firewall policy when the firewall policy is broken for some reason or when the model of the firewall 300 is changed. Since the firewall policy is easy to restore even when the model of the firewall 300 is changed, the client company can freely replace the firewall device or firewall software.
- the communication unit 210, the policy conversion rule storage unit 125, the unique policy storage unit 135, the policy conversion unit 155, and the non-unique policy storage unit 225 included in the inspection system 200 are the same as the communication unit 210, the policy conversion rule storage unit 125, the unique policy storage unit 135, the policy conversion unit 155, and the non-unique policy storage unit 225 shown in FIG. 5 (modification of the first embodiment).
- the virtual FW creation unit 230, the virtual FW storage unit 240, the FW inspection / correction unit 270, and the inspection / correction knowledge DB 280 included in the inspection system 200 are the same as the virtual FW creation unit 230, the virtual FW storage unit 240, the FW inspection / correction unit 270, and the inspection / correction knowledge DB 280 shown in FIG. 6 (second embodiment).
- the policy extraction unit 110, the communication unit 140, and the result output unit 160 included in the client system 100 are the same as the policy extraction unit 110, the communication unit 140, and the result output unit 160 shown in FIG.
- the policy application unit 175 included in the client system 100 does not perform the conversion from the non-unique policy to the unique policy; otherwise it is the same as the policy application unit 170 shown in FIG.
- the policy application unit 175 sets the unique policy in the firewall 300.
- the firewall inspection system shown in FIG. 8 operates as follows.
- the policy extraction unit 110 extracts setting information from the firewall 300, and sends the firewall policy (unique policy) included in the setting information, and the type and version information of the firewall 300 to the communication unit 140.
- the communication unit 140 transmits the unique policy and the information on the type and version of the firewall 300 to the inspection system 200.
- the communication unit 210 of the inspection system 200 causes the unique policy storage unit 135 to store the unique policy and the information on the type and version of the firewall 300 received from the client system 100.
- the reception time of the unique policy may be stored in the unique policy storage unit 135.
- the communication unit 210 may add a number or the like for identifying each unique policy to the unique policy and store it in the unique policy storage unit 135.
- the policy conversion unit 155 reads, from the policy conversion rule storage unit 125, the policy conversion rule corresponding to the type and version of the firewall stored together with the unique policy. Based on that policy conversion rule, it converts the unique policy stored in the unique policy storage unit 135 into a non-unique policy and stores it in the non-unique policy storage unit 225. The information added to identify each unique policy (number, etc.) is also added to the non-unique policy after conversion.
- the virtual FW creation unit 230 creates the virtual FW 500, and the FW inspection / correction unit 270 performs the inspection in the same manner as in step 1006. Further, the FW inspection / correction unit 270 corrects the non-unique policy in the same manner as in step 1006a and stores the correction result in the non-unique policy storage unit 225.
- after the non-unique policy has been modified, the policy conversion unit 155 identifies the type and version of the firewall from the information for identifying each unique policy that was added to the non-unique policy, and reads the policy conversion rule corresponding to them. It then converts the non-unique policy stored in the non-unique policy storage unit 225 into a unique policy. If an attack name has been added to a rule included in the non-unique policy, the attack name is left as it is at the time of conversion.
- the communication unit 210 of the inspection system 200 transmits the unique policy converted from the non-unique policy to the client system 100 as a correction result. If an attack name is added to the rule included in the unique policy, the attack name is also sent with the unique policy.
- when the communication unit 140 of the client system 100 receives the correction result from the inspection system 200, it causes the result output unit 160 to output the correction result. In addition, the communication unit 140 passes the correction result to the policy application unit 175, and the policy application unit 175 applies the unique policy included in the correction result to the firewall 300.
- the communication unit 140 of the client system 100 transmits the instruction to the inspection system 200.
- the type and version information of the firewall 300 is also input, and the type and version information may also be sent.
- when the communication unit 210 of the inspection system 200 receives the instruction from the client system 100, the policy conversion unit 155 converts the modified non-unique policy into a unique policy. The communication unit 210 then transmits the unique policy to the client system 100.
- the communication unit 140 of the client system 100 receives the unique policy, it passes it to the policy application unit 175, and the policy application unit 175 reapplies the unique policy to the firewall 300.
- the communication unit 210 of the inspection system 200 receives from the client system 100 the instruction to reapply the firewall policy and the information on the type and version of the firewall 300.
- the policy conversion unit 155 receives the type and version information and reads the policy conversion rule corresponding to it.
- the policy conversion unit 155 converts the non-unique policy before modification stored in the non-unique policy storage unit 225 into a unique policy using the policy conversion rule.
- the communication unit 210 transmits the unique policy to the client system 100.
- the client system 100 that has received the unique policy resets the unique policy in the firewall 300 as described above.
- the FW inspection / correction unit 270 does not need to store the correction result in the non-unique policy storage unit 225.
- the policy extraction means corresponds to the policy extraction unit 110.
- the conversion unit and the reverse conversion unit correspond to the policy conversion unit 155.
- the inspection correction knowledge storage means corresponds to the inspection correction knowledge DB 280.
- the judgment processing execution means corresponds to the CPU (not shown) of the inspection system 200.
- the virtual firewall generation means corresponds to the virtual FW generation unit 230.
- the inspection means, inspection result generation means, and correction means correspond to the FW inspection correction unit 270.
- the result output means corresponds to the result output unit 160.
- the policy application means corresponds to the policy application unit 175.
- the non-unique policy storage means corresponds to the non-unique policy storage unit 225.
- the instruction input means corresponds to an input device (not shown) provided in the client system 100.
- the policy receiving unit and the corrected policy transmitting unit correspond to the communication unit 210 of the inspection system 200.
- the inspection system 200 may be combined with the client system 100 and installed in the client company network 10.
- various data are stored in the policy storage unit 220, the virtual FW storage unit 240, and the inspection correction knowledge DB 280.
- data is encrypted and stored.
- the data may be decrypted and processed. Further, when adding the correction knowledge to the inspection / correction knowledge DB 280, additional processing is performed so that the inspection / correction knowledge is not known to the client company.
- the inspection correction knowledge obtained from the terminal device (not shown) of the service providing company is transmitted to the inspection system 200.
- when the communication unit 210 of the inspection system 200 receives the inspection correction knowledge, it stores the inspection correction knowledge in the inspection correction knowledge DB 280 in an encrypted state.
- a specific example of the first embodiment is shown.
- a firewall inspection system including the client system 100 and the inspection system 200 shown in FIG. 2 will be described as an example.
- a service provider providing a firewall inspection service sells the client system 100 to a client company receiving the inspection service.
- the client company pays the service consideration to the service provider.
- the client company places the client system 100 in a network segment of the client company network 10 (see FIG. 1) from which the firewall 300 can be accessed.
- the policy extraction unit 110 of the client system 100 extracts setting information from the firewall 300 of the client company network 10 (step 1001 shown in FIG. 4).
- the policy extraction unit 110 periodically extracts setting information, for example.
- the setting information may be extracted when a setting information extraction instruction is input from an operator of the client company.
- the policy extraction unit 110 may be preset to start the setting information extraction process at a timing determined in the contract between the client company and the service provider, and may start the setting information extraction process at that timing.
- the policy extraction unit 110 converts the unique policy included in the setting information into a non-unique policy (step 1002 shown in FIG. 4).
- An example of a unique policy is shown in Fig. 9 (a), and an example of a non-unique policy converted from the unique policy shown in Fig. 9 (a) is shown in Fig. 9 (b).
- the iptables firewall policy (unique policy) illustrated in Fig. 9 (a) includes five rules.
- the rule on the top line (line 01) in Fig. 9 (a) is a rule called the default rule.
- a default rule is a rule that regulates the behavior of a firewall when a packet that is subject to judgment on whether or not to pass does not match a rule other than the default rule.
- the default rule shown in FIG. 9 (a) stipulates that all packets are to be dropped.
- “-p” is a symbol for designating a protocol such as tcp or udp, and the designated protocol is described after “-p”. If there is no “-p” and no protocol description following it, the packet protocol is not particularly limited.
- “-s” is a symbol for designating the source address, and the designated source address is described after “-s”.
- “-d” is a symbol for designating the destination address, and the designated destination address is described after “-d”.
- “-dport” is a symbol for designating the destination port number, and the designated destination port number is described after “-dport”. If there is no “-dport” and no destination port number following it, the destination port number is not particularly limited.
- “-j” is a symbol that specifies the action (whether to pass or block) for a packet that matches the protocol, source address, destination address, destination port number, and so on. In the case of passing, “accept” is described after “-j”; in the case of blocking, “drop” is described after “-j”.
- the rule on line 02 shown in Fig. 9 (a) does not limit the protocol, the source address is 0/0, that is, an arbitrary IP address space, and the destination address is 192.168.1.1. A packet whose destination port number is “53 (the port number to which the name resolution service is assigned)” is accepted.
- the rules on and after line 03 define conditions for allowing packets to pass.
- the policy extraction unit 110 reads, from the policy conversion rule storage unit 120, the policy conversion rule corresponding to the type and version information of the firewall 300. With reference to that policy conversion rule, the unique policy illustrated in FIG. 9 (a) is converted into the non-unique policy illustrated in FIG. 9 (b). Note that the type and version information of the firewall 300 is included in the setting information, for example.
- D2 indicates the end address of the destination address.
- DP1 indicates the start port number of the destination port number.
- DP2 indicates the end port number of the destination port number.
- P1 indicates the start number of the protocol, and “P2” indicates the end number of the protocol.
- the protocol number “1” represents TCP, and “2” represents UDP. Therefore, when P1 is “1” and P2 is “2”, TCP and UDP are indicated as protocols.
- A indicates the action for the packet, and either “allow” (pass) or “deny” (block) is described as “A”. In each rule shown in FIG. 9 (a), the source port number is not specified, so in the non-unique policy SP1 is set to “1” and SP2 to “65535”, that is, all port numbers are specified.
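As an added illustration of step 1002 (not code from the patent), the following Python converts an iptables policy of the kind described for FIG. 9 (a) into the non-unique format (SA1, SA2, SP1, SP2, DA1, DA2, DP1, DP2, P1, P2, A) described for FIG. 9 (b). The sample rules, the placement of the default rule at the end of the non-unique policy, and the treatment of an unspecified destination port as 1 to 65535 are assumptions modeled on the text; the figures themselves are not reproduced on the page.

```python
import shlex
from ipaddress import ip_network

PROTO = {"tcp": 1, "udp": 2}                 # protocol numbers of the non-unique format
ACTION = {"ACCEPT": "allow", "DROP": "deny"}
ANY_ADDR = ("0.0.0.0", "255.255.255.255")    # "0/0": an arbitrary address space
ANY_PORT = (1, 65535)                        # unspecified port: SP1 = 1, SP2 = 65535 as the text says
ANY_PROTO = (1, 2)                           # no "-p": TCP and UDP, i.e. P1 = 1, P2 = 2

def addr_range(spec: str):
    """'0/0', '192.168.1.1' or '192.168.1.0/24' -> (start address, end address)."""
    if spec == "0/0":
        return ANY_ADDR
    net = ip_network(spec, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def port_range(spec):
    """'53' or '1024:65535' -> (start port, end port); None -> any port (assumption)."""
    if spec is None:
        return ANY_PORT
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_opts(tokens):
    """Map each '-x' / '--xx' option to the value that follows it (None if none follows)."""
    opts, i = {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else None
        i += 2 if has_value else 1
    return opts

def convert_policy(unique_policy: str):
    """Step 1002 for iptables: each '-A' rule becomes
    (SA1, SA2, SP1, SP2, DA1, DA2, DP1, DP2, P1, P2, A), in order, and the '-P'
    default rule goes last because the non-unique policy is matched first-hit
    and the text places the default rule at the end (rule 510e)."""
    rules, default = [], None
    for line in unique_policy.strip().splitlines():
        tokens = shlex.split(line)
        if "-P" in tokens:                       # default rule, e.g. "-P INPUT DROP"
            k = tokens.index("-P")
            default = (*ANY_ADDR, *ANY_PORT, *ANY_ADDR, *ANY_PORT, *ANY_PROTO, ACTION[tokens[k + 2]])
            continue
        o = parse_opts(tokens)
        p = PROTO.get(o.get("-p"))               # None: protocol not limited
        rules.append((*addr_range(o.get("-s") or "0/0"), *port_range(o.get("--sport")),
                      *addr_range(o.get("-d") or "0/0"), *port_range(o.get("--dport")),
                      *((p, p) if p else ANY_PROTO), ACTION[o["-j"]]))
    if default is not None:
        rules.append(default)
    return rules

# Constructed sample in the spirit of FIG. 9 (a), which is not reproduced on the page.
# Line 02 carries no "-p" as the text describes; real iptables would require one with --dport.
SAMPLE_IPTABLES = """\
iptables -P INPUT DROP
iptables -A INPUT -s 0/0 -d 192.168.1.1 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 192.168.1.2 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.1.0/24 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -d 192.168.1.0/24 --dport 1434 -j ACCEPT
"""

if __name__ == "__main__":
    for rule in convert_policy(SAMPLE_IPTABLES):
        print(rule)
```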
- the policy extraction unit 110 stores the non-unique policy converted from the unique policy in the policy storage unit 130.
- FIG. 10 is an explanatory diagram showing an example of information stored in the policy storage unit 130 of the client system 100.
- the policy extraction unit 110 stores, together with the non-unique policy, the date and time when the non-unique policy was stored and the type and version of the firewall in the policy storage unit 130 as the supplementary information 131.
- the type of software is stored as the type of firewall, and specifically, the product name “iptables” is stored. Also, the version information “1.13.9” is stored.
- the communication unit 140 of the client system 100 reads the non-unique policy from the policy storage unit 130 and transmits it to the inspection system 200 (step 1003 shown in FIG. 4).
- the communication unit 140 transmits only the non-unique policy out of the non-unique policy and the supplementary information 131 stored in the policy storage unit 130.
- the communication unit 140 does not transmit the supplementary information 131 itself, but transmits the non-unique policy with a sequential number added each time a non-unique policy is transmitted. That number is then associated with the type and version information of the firewall 300 and stored in the policy storage unit 130, for example.
- the communication unit 140 also transmits an ID for identifying the client company (hereinafter referred to as a user ID) together with a non-unique policy.
- the user ID may be input in advance from an operator via an input device (not shown) such as a keyboard and stored in a storage device (not shown) included in the client system 100, for example.
- the communication unit 210 of the inspection system 200 receives the non-unique policy and the user ID from the client system 100, and stores the received non-unique policy and user ID in the policy storage unit 220 (step 1004 shown in FIG. 4).
- FIG. 11 is an explanatory diagram illustrating an example of information stored in the policy storage unit 220 of the inspection system 200.
- the policy storage unit 220 stores, as data 221, the user ID “NEC KL”, the non-unique policy, and the date and time information when the non-unique policy is stored.
- information received from a client company whose user ID is “AAA” is also stored as data 222.
- the virtual FW creation unit 230 of the inspection system 200 creates a virtual FW using the non-unique policy recorded in the policy storage unit 220 and stores it in the virtual FW storage unit 240 (step 1005 shown in FIG. 4).
- the virtual FW creation unit 230 creates one virtual FW for each non-unique policy.
- the virtual FW creation unit 230 creates a separate virtual FW for each non-unique policy.
- the virtual FW is created by attaching a non-unique policy 510 (see Fig. 3) to the FW execution command 520 (see Fig. 3).
- the FW execution instruction 520 part is common to each virtual FW. Since the inspection service is provided to multiple client companies, the non-unique policy of one client company is managed using the user ID or the like so that it does not leak to other client companies. The details of the operation for each client company will be described later.
- the FW inspection unit 250 activates the virtual FW 500 (see Fig. 3) and inspects the firewall 300 of the client company (step 1006 shown in Fig. 4).
- FIG. 12 is an explanatory diagram showing an example of verification knowledge stored in the verification knowledge DB 260.
- Each of the inspection knowledge 261 and 262 illustrated in FIG. 12 includes information of “attack ID”, “description”, “packet”, and “supplement”.
- “Attack ID” is an ID for uniquely identifying inspection knowledge.
- “Description” indicates the name of the attack.
- “Packet” is a verification packet.
- “Supplement” is a supplementary matter indicating a device or the like infected by an attack.
- the inspection knowledge need not include the “attack ID” or the “supplement”; the essence of the inspection knowledge is data representing the attack itself or data representing the attributes of the attack (that is, the inspection packet).
- the packet included in the inspection knowledge is described in the same format as the rules included in the non-unique policy, that is, in the format (SA1, SA2, SP1, SP2, DA1, DA2, DP1, DP2, P1, P2, C).
- the meaning of the elements other than the last “C” is the same as the elements of the rules included in the non-unique policy.
- “C” corresponds to the payload of the inspection packet (specifically, the attack code).
- as “C”, “*” representing an arbitrary value may be described.
- an attack code may also be described as “C”.
- where “*” is written instead of the attack code itself, the attack code is not limited.
- as SA1 (start address of the source address), SA2 (end address of the source address), DA1 (start address of the destination address) and DA2 (end address of the destination address), “*” representing an arbitrary address is described.
- the part other than "C" in the inspection packet is a part representing the attribute (attack attribute) of the inspection packet.
- FIG. 13 is a flowchart showing the process by which the CPU (not shown) of the inspection system 200, operating according to the virtual FW 500, determines whether or not to allow a packet to pass.
- the FW inspection unit 250 reads the inspection packet from the inspection knowledge DB 260.
- the FW inspection unit 250 passes the inspection packet to the CPU (not shown) operating according to the virtual FW 500.
- the CPU receives the inspection packet (step 1051).
- for example, the FW inspection unit 250 writes the inspection packet to a RAM (not shown), and the CPU reads the inspection packet from it.
- the CPU extracts the attributes of the inspection packet (the part other than “C”, which corresponds to the payload) (step 1052). That is, the part of the inspection packet indicating the source address range, the source port number range, the destination address range, the destination port number range, and the protocol range is extracted. Then, the CPU extracts one rule from the non-unique policy 510 (see FIG. 3) included in the virtual FW 500 (step 1053). The CPU extracts one rule each time it moves to step 1053, taking the rules of the non-unique policy 510 sequentially from the first rule; therefore, the first rule is taken when step 1053 is reached for the first time. After step 1053, the CPU determines whether the rule has been successfully extracted (step 1054). If it has failed (no rule was extracted), the process of determining whether to allow the packet to pass ends.
- the CPU determines whether or not the attributes of the inspection packet extracted in step 1052 match the rule extracted in step 1053 (step 1055). If they do not match, the process returns to step 1053 and the operation from step 1053 onward is repeated. If the attributes of the inspection packet match the extracted rule, the CPU extracts the action (the last element “A” of the rule of the non-unique policy) from the rule (step 1056). Then, the CPU determines whether or not the action is “allow” (step 1057). When the action is “allow”, the CPU determines that the inspection packet is passed by the extracted rule, and passes that result together with the rule that derived it (that is, the rule that matched the attributes of the inspection packet) to the FW inspection unit 250 (step 1058).
- In step 1058, the determination process for one inspection packet is completed.
- the FW inspection unit 250 sequentially extracts the inspection knowledge from the inspection knowledge DB 260 and passes the inspection packet included in the inspection knowledge to the CPU operating according to the virtual FW 500. It then receives from the CPU operating according to the virtual FW 500 a result indicating that the inspection packet was passed or that it was blocked, together with the rule that led to that result.
- when the FW inspection unit 250 receives the result that the inspection packet was passed and the rule that led to that result, it adds the name of the attack corresponding to the inspection packet (for example, “Code Red” shown in FIG.) to that rule in the non-unique policy stored in the policy storage unit 220.
- A specific example of creating an inspection result by adding an attack name to a non-unique policy is shown below with reference to FIG. 14.
- the non-unique policy 510 illustrated in FIG. 14 is included in the virtual FW 500 created in Step 1005.
- the non-unique policy 510 shown in FIG. 14 includes five rules 510a to 510e.
- the FW inspection unit 250 sequentially extracts inspection knowledge from the inspection knowledge DB 260.
- the FW inspection unit 250 passes the inspection packet included in the inspection knowledge 261 to the CPU operating according to the virtual FW500.
- the CPU reads the inspection packet (step 1051) and extracts the attribute of the inspection packet (step 1052).
- the CPU extracts, as the attributes of the inspection packet, the source address range (SA1 and SA2), the source port number range (SP1 and SP2), the destination address range (DA1 and DA2), the destination port number range (DP1 and DP2), and the protocol range (P1 and P2).
- the CPU extracts one rule from the non-unique policy 510 included in the virtual FW (step 1053).
- the first rule 510a (see FIG. 14) is taken out.
- in the next step 1054 it is determined that the rule has been successfully extracted, and it is then determined whether or not the attributes of the inspection packet match the extracted rule 510a (step 1055).
- the attributes of the rule are the source address range (SA1 and SA2), the source port number range (SP1 and SP2), the destination address range (DA1 and DA2), the destination port number range (DP1 and DP2), and the protocol range (P1 and P2).
- the judgment is made based on whether or not each attribute of the inspection packet falls within the corresponding range of the rule attributes. If the attributes of the inspection packet fall within each range of the rule attributes, they are determined to match; if not, they are determined not to match. The CPU treats an attribute described as “*” as falling within an arbitrary range. Comparing the attributes of the inspection packet of the inspection knowledge 261 (see FIG. 12) with the attributes of rule 510a (see FIG. 14), the source address range, source port number range, and destination address range of the inspection packet are within the ranges described in rule 510a.
- the protocol specified in the inspection packet is “1 (represents TCP)”, and the protocol specified in the rule 510a is “1” and “2 (represents UDP)”. Therefore, the protocol is also within the range described in Rule 510a.
- the destination port number range designated by the inspection packet is “80 to 80”, whereas the destination port number range designated by rule 510a is “53 to 53”. Therefore, the destination port number range specified in the inspection packet is not within the range specified by rule 510a, and it is determined that the inspection packet of the inspection knowledge 261 and rule 510a do not match, so the process returns to step 1053.
- the rules are taken out one by one in order, and the processing after step 1053 is repeated.
- step 1053 when the third rule 510c shown in FIG. 14 is extracted in step 1053, it is determined that the attribute of the inspection packet matches the rule 510c. Then, the process shifts to step 1056, and the action of CPUi NOR NONORE 510c is taken out (step 1056). Since the action of the normal 510c is “allow” (see FIG. 14), it is determined as “Yes” in the determination process in Step 1057, and the process proceeds to Step 1058. That is, the CPU passes the information indicating that the inspection packet passed from the FW inspection unit 250 is passed by the rule 510c to the FW inspection unit 250.
- the attribute of the validation packet of validation knowledge in DB 260 always matches the default rule (the last rule in the non-unique policy, rule 510e in the example shown in FIG. 14). Therefore, the result of passing or blocking is obtained for all the detection packets passed from the FW inspection unit 250. In the flowchart shown in FIG. 13, if “No” is determined in step 104, the process is terminated without outputting the result of passing or blocking. It is impossible to detect that there is no Occurs when (abnormal).
- the FW inspection unit 250 When the FW inspection unit 250 obtains the determination result of passing or blocking and the information of the rule that led to the determination result, it reads the non-unique policy from the policy storage unit 220. Then, the FW inspection unit 250 adds the name of the attack corresponding to the inspection packet to the rule derived from the determination result that the inspection packet is allowed to pass among the rules included in the non-unique policy. In this example, the inspection result is obtained by adding the name of the attack to the non-unique policy.
- FIG. 15 shows an example of the inspection result. As already described, the third rule passes the inspection packet of the inspection knowledge 261 (see FIG. 12), and the fourth rule passes the inspection packet of the inspection knowledge 262. Therefore, as shown in FIG. 15, the FW inspection unit 250 adds the attack name “Code Red” contained in the inspection knowledge 261 to the third rule, and adds the attack name “SQL Slammer” contained in the inspection knowledge 262 to the fourth rule. In this example the attack name is added together with the character string “Alert”.
- The inspection result shown in FIG. 15 thus indicates that the third rule passes the attack (Code Red) of the inspection knowledge 261 and that the fourth rule passes the attack (SQL Slammer) of the inspection knowledge 262.
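The first-match evaluation of steps 1053 to 1058 and the annotation of the inspection result described above, as an added example in Python that is not part of the patent. The 11-element rule layout, the attack names and the step numbers are taken from the page; the sample policy, the packet attributes, the function names and the protocol encoding (1 for TCP, 2 for UDP, chosen so that the UDP-based SQL Slammer packet carries protocol 2 as in the page's correction policy) are assumptions of this example.

```python
# Added example: first-match evaluation of a non-unique policy and annotation
# of the rules that pass inspection packets. Rule layout, attack names and
# step numbers follow the page; the sample policy, the packet attributes and
# the protocol encoding (1 = TCP, 2 = UDP) are constructed for this example.
import ipaddress

# Rule: (SA1, SA2, SP1, SP2, DA1, DA2, DP1, DP2, P1, P2, A); each pair is an
# inclusive range and A is "allow" or "deny".
ACTION = 10


def ip(addr: str) -> int:
    """Convert dotted-quad text to an integer so address ranges compare numerically."""
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule, packet) -> bool:
    """True when every attribute of the packet lies inside the rule's ranges.
    packet = (src_addr, src_port, dst_addr, dst_port, proto)."""
    sa1, sa2, sp1, sp2, da1, da2, dp1, dp2, p1, p2, _ = rule
    src, sport, dst, dport, proto = packet
    return (ip(sa1) <= ip(src) <= ip(sa2) and sp1 <= sport <= sp2
            and ip(da1) <= ip(dst) <= ip(da2) and dp1 <= dport <= dp2
            and p1 <= proto <= p2)


def evaluate(policy, packet):
    """Steps 1053-1058: take the rules out in order; the first match decides.
    Returns (rule index, action), or None when nothing matched, which can
    only happen if the policy lacks a catch-all default rule (abnormal)."""
    for index, rule in enumerate(policy):
        if rule_matches(rule, packet):
            return index, rule[ACTION]
    return None


def inspect(policy, knowledge):
    """Behaviour of the FW inspection unit 250: run every inspection packet
    through the policy and attach the attack name to each rule that passes it.
    Returns a list of (rule, [attack names]) in policy order."""
    alerts = {}
    for entry in knowledge:
        result = evaluate(policy, entry["packet"])
        if result is None:
            raise ValueError("no rule matched; the default rule is missing")
        index, action = result
        if action == "allow":
            alerts.setdefault(index, []).append(entry["attack"])
    return [(rule, alerts.get(i, [])) for i, rule in enumerate(policy)]


ANY = ("0.0.0.0", "255.255.255.255")

# Constructed non-unique policy; the last rule is the catch-all default.
POLICY = [
    (*ANY, 1, 65535, "192.168.1.1", "192.168.1.1", 53, 53, 2, 2, "allow"),    # DNS server
    (*ANY, 1, 65535, "192.168.1.1", "192.168.1.1", 25, 25, 1, 1, "allow"),    # mail server
    (*ANY, 1, 65535, "192.168.1.2", "192.168.1.2", 80, 80, 1, 1, "allow"),    # web server
    (*ANY, 1, 65535, "192.168.1.4", "192.168.1.4", 1, 65535, 1, 2, "allow"),  # host, any port
    (*ANY, 1, 65535, *ANY, 1, 65535, 1, 2, "deny"),                            # default rule
]

# Constructed inspection knowledge: attack name plus a packet whose attributes
# resemble the attack (HTTP for Code Red, UDP/1434 for SQL Slammer).
KNOWLEDGE = [
    {"attack": "Code Red", "packet": ("10.0.0.1", 1234, "192.168.1.2", 80, 1)},
    {"attack": "SQL Slammer", "packet": ("10.0.0.2", 1434, "192.168.1.4", 1434, 2)},
]

if __name__ == "__main__":
    # Print the inspection result in the style of FIG. 15: one rule per line,
    # annotated with "Alert" and the attack names it passes.
    for line, (rule, attacks) in enumerate(inspect(POLICY, KNOWLEDGE), start=1):
        alert = "  Alert: " + ", ".join(attacks) if attacks else ""
        print(f"{line:02d} {rule}{alert}")
```

Running the block prints the five rules; lines 03 and 04 carry the Code Red and SQL Slammer alerts, matching the outcome the page describes for FIG. 15. Passing an empty policy to `evaluate` returns `None`, which is the "no default rule" case the flowchart of FIG. 13 ends on without a result.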
- the FW inspection unit 250 sends the inspection result to the communication unit 210.
- The communication unit 210 of the inspection system 200 then transmits the inspection result to the client system 100.
- the communication unit 140 of the client system 100 receives the inspection result sent from the inspection system 200 and sends the inspection result to the policy reverse conversion unit 150.
- Here the communication unit 140 sends the inspection result directly to the policy reverse conversion unit 150. Alternatively, the communication unit 140 may store the inspection result in the policy storage unit 130, and the policy reverse conversion unit 150 may read the inspection result from the policy storage unit 130.
- Although not shown in FIG. 15, the number added by the communication unit 140 of the client system 100 when the non-unique policy was transmitted remains appended to the inspection result as it is.
- The policy reverse conversion unit 150 identifies the type and version of the firewall 300 from this number and reads the policy conversion rule corresponding to that type and version from the policy conversion rule storage unit 120.
- the policy reverse conversion unit 150 converts a non-unique policy included in the inspection result received from the inspection system 200 into a unique policy based on the conversion rule.
- The name of the attack included in the inspection result is left unchanged, so a unique policy with the attack name added to the rule is obtained, as shown in FIG. 16.
- The policy reverse conversion unit 150 causes the result output unit 160 to output (for example, display) the unique policy in which the attack name is added to the rule (step 1008 shown in FIG. 4). As a result, the client company can be shown which rules pass which attacks.
- the user of the client system 100 of the client company modifies the firewall policy of the firewall 300 with reference to the output result.
- In the above description, the non-unique policy exchanged between the communication unit 140 of the client system 100 and the communication unit 210 of the inspection system 200 is assumed to be transmitted and received in plain text over the Internet 400.
- the communication unit 140 of the client system 100 may encrypt and transmit the non-unique policy, and the non-unique policy received by the communication unit 210 of the inspection system 200 may be decrypted.
- the communication unit 210 of the inspection system 200 may encrypt and transmit the inspection result, and the inspection result received by the communication unit 140 of the client system 100 may be decrypted.
- FIG. 17 is an explanatory diagram showing a situation where a virtual FW is created for each client company and inspection is performed.
- the communication unit 210 of the inspection system 200 receives a verification request from the client system 100 and sends a response indicating that the verification request is received to the client system 100.
- the non-unique policy and user ID are received from the client system 100.
- the user ID does not have to be received at the same time as the non-unique policy.
- the client system 100 may be authenticated, a user ID may be received at the time of authentication, and then a non-unique policy may be received.
- The communication unit 210 associates the received non-unique policy with the user ID and stores them in the policy storage unit 220, for example as the data 221 illustrated in FIG. 17.
- the virtual FW creation unit 230 reads the non-unique policy and the user ID from the policy storage unit 220, and creates the virtual FW 500 using the non-unique policy. At this time, the user ID is used as the file name of the virtual FW500. For example, a virtual FW 500 with a file name “NEC Kushi vf” is created and stored in the virtual FW storage unit 240.
- the FW inspection unit 250 activates the virtual FW500 with the file name “NEC Ksh vf” and performs the inspection.
- the firewall of the client company having the user ID “NEC KL” is inspected.
- In this example the user ID is used as the file name of the virtual FW 500, but the user ID need not be used as the file name.
- Next, a specific example of the second embodiment shown in FIG. 6 is described.
- a firewall inspection system including the client system 100 and the inspection system 200 shown in FIG. 6 will be described as an example. Since the operation until the FW inspection correction unit 270 executes the inspection (the operation from Step 1001 to Step 1006 shown in FIG. 7) is the same as that in the first specific example, the description is omitted.
- FIG. 18 is an explanatory diagram showing an example of the inspection correction knowledge stored in the inspection correction knowledge DB 280.
- Each of the verification correction knowledge 281 and 282 illustrated in FIG. 18 includes information of “attack ID”, “description”, “packet”, “correction policy”, and “supplement”, respectively.
- “Attack ID”, “Description”, “Packet”, and “Supplement” are the same information as the information included in the inspection knowledge (see FIG. 12) shown in the first specific example.
- “Correction policy” is correction policy information for a rule that allows a verification packet to pass.
- The inspection correction knowledge may contain “None” as the correction policy (see the inspection correction knowledge 281 shown in FIG. 18).
- Correction policy information other than “None” is described in the same format as a rule of the non-unique policy shown in the first specific example, that is, in the format (SA1, SA2, SP1, SP2, DA1, DA2, DP1, DP2, P1, P2, A). The meaning of each element from SA1 to A is as explained in the first specific example. In a correction policy used to create a new rule that blocks the inspection packet passed by an existing rule, “deny” is described as A (the action). Some elements of the correction policy information are described as “*”, meaning they are not specifically identified.
- FIG. 19 is a flowchart showing the non-unique policy correction processing (step 1006a).
- the correction process for the non-unique policy included in the verification result will be described, taking as an example the case where the verification result shown in FIG. 15 is obtained by the verification in step 1006.
- The FW inspection correction unit 270 first extracts, from the inspection result of step 1006, one rule determined to pass an attack (an inspection packet) (step 1071). For example, the FW inspection correction unit 270 may extract a rule to which an attack name has been added. Here, the rule on line 03 shown in FIG. 15 is taken out.
- the FW inspection correction unit 270 determines whether or not the rule has been successfully extracted (step 1072). If all the rules determined to pass the attack have been extracted and there are no rules to be extracted, it is determined that the rule extraction has failed, and the process is terminated.
- In step 1073, the FW inspection correction unit 270 reads from the inspection correction knowledge DB 280 the correction policy information corresponding to the attack name added to the rule determined to pass the attack (step 1073). Since the attack name “Code Red” is added to the rule on line 03 shown in FIG. 15, the correction policy information corresponding to this attack name (the correction policy information included in the inspection correction knowledge 281 shown in FIG. 18) is read.
- The FW inspection correction unit 270 then determines whether the read correction policy information is “None” (step 1074). If the correction policy information is not “None”, the process moves to step 1075. If the correction policy information is “None”, the process returns to step 1071 and the operations from step 1071 are repeated. In this example, since the correction policy information contained in the inspection correction knowledge 281 is “None”, the process returns to step 1071. The processing from step 1075 onward is described later.
- The FW inspection correction unit 270 next takes out the rule on line 04 shown in FIG. 15. Since the rule has been extracted successfully (Yes in step 1072), the FW inspection correction unit 270 reads the correction policy information corresponding to “SQL Slammer”, the attack name added to the rule on line 04 (step 1073). Here the correction policy information included in the inspection correction knowledge 282 shown in FIG. 18 is read. Since this correction policy information is not “None”, the process proceeds to step 1075.
- In step 1075, the FW inspection correction unit 270 replaces the elements that are not specifically specified in the correction policy (the elements described as “*”) with the corresponding elements of the rule extracted in step 1071.
- In this example, the correction policy information included in the inspection correction knowledge 282 is (*, *, 1025, 65535, *, *, 1434, 1434, 2, 2, deny); that is, SA1 (start of the source address range), SA2 (end of the source address range), DA1 (start of the destination address range) and DA2 (end of the destination address range) are not specified.
- The FW inspection correction unit 270 therefore takes SA1, SA2, DA1 and DA2 from the rule on line 04 shown in FIG. 15, (0.0.0.0, 255.255.255.255, 1, 65535, 192.168.1.4, 192.168.1.4, 1, 65535, 1, 2, allow), and replaces the unspecified elements with SA1 (0.0.0.0), SA2 (255.255.255.255), DA1 (192.168.1.4) and DA2 (192.168.1.4).
- The resulting correction policy information is (0.0.0.0, 255.255.255.255, 1025, 65535, 192.168.1.4, 192.168.1.4, 1434, 1434, 2, 2, deny).
- The FW inspection correction unit 270 then inserts the correction policy information whose unspecified elements have been replaced by the rule's elements as a new rule immediately before the rule extracted in step 1071 (step 1076). At the same time, the FW inspection correction unit 270 deletes the attack name information that had been added to the rule extracted in step 1071.
- FIG. 20 is an explanatory diagram showing an example of the modification result of the non-unique policy.
- Line 05 of the correction result of the non-unique policy shown in FIG. 20 is the same rule as line 04 of the inspection result shown in FIG. 15.
- Line 04 of the correction result of the non-unique policy shown in FIG. 20 is the new rule generated from the rule determined to pass the attack and the correction policy information.
- Because the new rule on line 04 shown in FIG. 20 is referenced before the rule on line 05 that was determined to pass the attack, the attack packet is now blocked by the rule on line 04.
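The correction processing of steps 1071 to 1076, as an added Python example that is not part of the patent. The “*” wildcard convention, the rule on line 04 of FIG. 15 and the correction policy of the inspection correction knowledge are taken from the page; the list representation of the inspection result, the other rules and the function names are assumptions of this example. Unlike the page, which walks through one extracted rule at a time, the function processes every annotated rule of the inspection result in one pass and also handles a rule that carries several attack names.

```python
# Added example: correction of rules that pass an attack (steps 1071-1076).
# The wildcard convention and the FIG. 15 / FIG. 18 values follow the page;
# the inspection-result representation and the other rules are constructed.

WILDCARD = "*"


def fill_wildcards(correction_policy, rule):
    """Step 1075: replace every "*" element of the correction policy with the
    element at the same position in the rule that passed the attack."""
    if len(correction_policy) != len(rule):
        raise ValueError("correction policy and rule must both have 11 elements")
    return tuple(r if c == WILDCARD else c
                 for c, r in zip(correction_policy, rule))


def correct_policy(inspection_result, correction_knowledge):
    """Steps 1071-1076 over the whole inspection result.
    inspection_result: list of (rule, [attack names]) in policy order.
    correction_knowledge: {attack name: correction policy tuple or None}.
    A blocking rule is inserted immediately before each rule that passes an
    attack with a known correction, and that attack name is removed from the
    rule (step 1076). Attacks whose correction is None keep their annotation
    so the operator can still see which rule passes them (step 1074)."""
    corrected = []
    for rule, attacks in inspection_result:
        remaining = []
        for attack in attacks:
            correction = correction_knowledge.get(attack)
            if correction is None:
                remaining.append(attack)
            else:
                corrected.append((fill_wildcards(correction, rule), []))
        corrected.append((rule, remaining))
    return corrected


ANY = ("0.0.0.0", "255.255.255.255")

# Constructed inspection result in the shape of FIG. 15: line 04 is the rule
# quoted on the page; the other rules are filled in for the example.
INSPECTION_RESULT = [
    ((*ANY, 1, 65535, "192.168.1.1", "192.168.1.1", 53, 53, 2, 2, "allow"), []),
    ((*ANY, 1, 65535, "192.168.1.1", "192.168.1.1", 25, 25, 1, 1, "allow"), []),
    ((*ANY, 1, 65535, "192.168.1.2", "192.168.1.2", 80, 80, 1, 1, "allow"), ["Code Red"]),
    ((*ANY, 1, 65535, "192.168.1.4", "192.168.1.4", 1, 65535, 1, 2, "allow"), ["SQL Slammer"]),
    ((*ANY, 1, 65535, *ANY, 1, 65535, 1, 2, "deny"), []),
]

# Inspection correction knowledge as described for FIG. 18: no correction
# policy for Code Red, a wildcarded deny rule for SQL Slammer.
CORRECTION_KNOWLEDGE = {
    "Code Red": None,
    "SQL Slammer": ("*", "*", 1025, 65535, "*", "*", 1434, 1434, 2, 2, "deny"),
}

if __name__ == "__main__":
    # Print the correction result in the style of FIG. 20.
    for line, (rule, attacks) in enumerate(
            correct_policy(INSPECTION_RESULT, CORRECTION_KNOWLEDGE), start=1):
        alert = "  Alert: " + ", ".join(attacks) if attacks else ""
        print(f"{line:02d} {rule}{alert}")
```

The output has six lines: the new deny rule for UDP/1434 to 192.168.1.4 appears on line 04, the original allow rule follows on line 05 with its alert removed, and the Code Red alert on line 03 stays, exactly as the page describes for FIG. 20 and FIG. 21.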
- The FW inspection correction unit 270 sends the corrected non-unique policy (the correction result) to the communication unit 210.
- the communication unit 210 of the inspection system 200 transmits the correction result sent from the FW inspection / correction unit 270 to the client system 100 (step 1007 shown in FIG. 7).
- the communication unit 140 of the client system 100 receives the correction result sent from the inspection system 200, and sends the correction result to the policy application unit 170. In addition, the communication unit 140 stores the received correction result in the policy storage unit 130. The policy application unit 170 may read the correction result from the policy storage unit 130.
- The number added by the communication unit 140 of the client system 100 when the non-unique policy was transmitted (step 1003) remains appended to the correction result as it is.
- The policy application unit 170 identifies the type and version of the firewall 300 from this number and reads the policy conversion rule corresponding to that type and version from the policy conversion rule storage unit 120. Based on the conversion rule, the policy application unit 170 converts the non-unique policy included in the correction result received from the inspection system 200 into a unique policy. At this time, any attack name added in the correction result is left as it is. The result is the unique policy converted from the correction result of the non-unique policy; an example is shown in FIG. 21.
- the policy application unit 170 causes the result output unit 160 to output (for example, display output) the unique policy converted from the modification result of the non-unique policy.
- The policy application unit 170 applies the unique policy to the firewall 300 (step 1008a shown in FIG. 7).
- As a result, the firewall policy of the firewall 300 is changed so that it no longer passes the attack packet.
- When the correction policy information stored in the inspection correction knowledge DB 280 is “None”, the attack name is displayed together with the rule, as shown on line 04 of FIG. 21, so it is possible to present to the client company which rule passes which attack.
- The policy application unit 170 may first output the unique policy, prompt the operator of the client company to decide whether or not to apply the unique policy to the firewall, and apply the unique policy to the firewall 300 only when an instruction to do so is entered through an input device (not shown).
- In the above description, the non-unique policy and the correction result exchanged between the communication unit 140 of the client system 100 and the communication unit 210 of the inspection system 200 are assumed to be transmitted and received in plain text over the Internet 400.
- the communication unit 140 of the client system 100 may encrypt and transmit the non-unique policy, and the non-unique policy received by the communication unit 210 of the inspection system 200 may be decrypted.
- the configuration may be such that the communication unit 210 of the inspection system 200 encrypts and transmits the correction result, and the communication unit 140 of the client system 100 decrypts the correction result. With such a configuration, it is possible to improve the confidentiality of non-unique policies and correction results to be transmitted and received.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006543239A JPWO2006049072A1 (ja) | 2004-11-04 | 2005-10-27 | ファイアウォール検査システムおよびファイアウォール情報抽出システム |
US11/666,861 US20070266431A1 (en) | 2004-11-04 | 2005-10-27 | Firewall Inspecting System and Firewall Information Extraction System |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004-320788 | 2004-11-04 | ||
JP2004320788 | 2004-11-04 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006049072A1 true WO2006049072A1 (ja) | 2006-05-11 |
Family
ID=36319084
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/019765 WO2006049072A1 (ja) | 2004-11-04 | 2005-10-27 | ファイアウォール検査システムおよびファイアウォール情報抽出システム |
Country Status (3)
Country | Link |
---|---|
US (1) | US20070266431A1 (ja) |
JP (1) | JPWO2006049072A1 (ja) |
WO (1) | WO2006049072A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107122241A (zh) * | 2016-02-25 | 2017-09-01 | 深圳市知穹科技有限公司 | 基于cpu和gpu的数据库防火墙系统和其的控制方法 |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7634584B2 (en) | 2005-04-27 | 2009-12-15 | Solarflare Communications, Inc. | Packet validation in virtual network interface architecture |
JP5072314B2 (ja) * | 2006-10-20 | 2012-11-14 | キヤノン株式会社 | 文書管理システム、文書管理方法、文書管理プログラム、記憶媒体 |
US8261317B2 (en) * | 2008-03-27 | 2012-09-04 | Juniper Networks, Inc. | Moving security for virtual machines |
US11140178B1 (en) * | 2009-11-23 | 2021-10-05 | F5 Networks, Inc. | Methods and system for client side analysis of responses for server purposes |
US9531670B2 (en) | 2009-11-30 | 2016-12-27 | Iwebgate Technology Limited | System and method for network virtualization and security using computer systems and software |
US20110131648A1 (en) * | 2009-11-30 | 2011-06-02 | Iwebgate Technology Limited | Method and System for Digital Communication Security Using Computer Systems |
US10742604B2 (en) | 2013-04-08 | 2020-08-11 | Xilinx, Inc. | Locked down network interface |
US9667596B2 (en) | 2014-06-04 | 2017-05-30 | Bank Of America Corporation | Firewall policy comparison |
US9391955B2 (en) * | 2014-06-04 | 2016-07-12 | Bank Of America Corporation | Firewall policy converter |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000216780A (ja) * | 1998-05-19 | 2000-08-04 | Hitachi Ltd | ネットワ―ク管理システム |
JP2001237895A (ja) * | 2000-01-18 | 2001-08-31 | Lucent Technol Inc | ネットワークゲートウェイの解析方法及び装置 |
JP2002328896A (ja) * | 2001-04-27 | 2002-11-15 | Nippon Telegr & Teleph Corp <Ntt> | 不正アクセス対処ルール自動設定装置 |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7143438B1 (en) * | 1997-09-12 | 2006-11-28 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with multiple domain support |
US6141749A (en) * | 1997-09-12 | 2000-10-31 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with stateful packet filtering |
US6154775A (en) * | 1997-09-12 | 2000-11-28 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with dynamic rule processing with the ability to dynamically alter the operations of rules |
US7143151B1 (en) * | 1998-05-19 | 2006-11-28 | Hitachi, Ltd. | Network management system for generating setup information for a plurality of devices based on common meta-level information |
US6226372B1 (en) * | 1998-12-11 | 2001-05-01 | Securelogix Corporation | Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities |
CA2296989C (en) * | 1999-01-29 | 2005-10-25 | Lucent Technologies Inc. | A method and apparatus for managing a firewall |
US7150037B2 (en) * | 2001-03-21 | 2006-12-12 | Intelliden, Inc. | Network configuration manager |
US7159125B2 (en) * | 2001-08-14 | 2007-01-02 | Endforce, Inc. | Policy engine for modular generation of policy for a flat, per-device database |
ATE273591T1 (de) * | 2001-12-18 | 2004-08-15 | Stonesoft Corp | Prüfung der konfiguration einer firewall |
US20040039940A1 (en) * | 2002-08-23 | 2004-02-26 | Koninklijke Philips Electronics N.V. | Hardware-based packet filtering accelerator |
US20060041936A1 (en) * | 2004-08-19 | 2006-02-23 | International Business Machines Corporation | Method and apparatus for graphical presentation of firewall security policy |
2005
- 2005-10-27 JP JP2006543239A patent/JPWO2006049072A1/ja active Pending
- 2005-10-27 WO PCT/JP2005/019765 patent/WO2006049072A1/ja active Application Filing
- 2005-10-27 US US11/666,861 patent/US20070266431A1/en not_active Abandoned
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107122241A (zh) * | 2016-02-25 | 2017-09-01 | 深圳市知穹科技有限公司 | 基于cpu和gpu的数据库防火墙系统和其的控制方法 |
CN107122241B (zh) * | 2016-02-25 | 2019-11-19 | 深圳市知穹科技有限公司 | 基于cpu和gpu的数据库防火墙系统和其的控制方法 |
Also Published As
Publication number | Publication date |
---|---|
JPWO2006049072A1 (ja) | 2008-05-29 |
US20070266431A1 (en) | 2007-11-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2006049072A1 (ja) | ファイアウォール検査システムおよびファイアウォール情報抽出システム | |
CA2966408C (en) | A system and method for network intrusion detection of covert channels based on off-line network traffic | |
US7343599B2 (en) | Network-based patching machine | |
US7490149B2 (en) | Security management apparatus, security management system, security management method, and security management program | |
US20020069366A1 (en) | Tunnel mechanis for providing selective external access to firewall protected devices | |
CN106031118A (zh) | 云服务安全中介和代理 | |
CN102546576A (zh) | 一种网页挂马检测和防护方法、系统及相应代码提取方法 | |
Zhang et al. | Frameup: an incriminatory attack on Storj: a peer to peer blockchain enabled distributed storage system | |
JP2002533792A (ja) | 信頼された内部ネットワ−クの作動を保護方法およびシステム | |
CN107979581A (zh) | 僵尸特征的检测方法和装置 | |
JP7040992B2 (ja) | 脆弱性情報生成装置および脆弱性評価装置 | |
JP2022509121A (ja) | セキュア通信方法およびそのシステム | |
US20060294595A1 (en) | Component selector | |
CN108737338A (zh) | 一种认证方法及系统 | |
Detering et al. | On the (in-) security of javascript object signing and encryption | |
Tracy et al. | Guidelines on Securing Public Web Servers Web Servers | |
CN107342963A (zh) | 一种虚拟机安全控制方法、系统及网络设备 | |
Gupta et al. | Handbook of research on information security and assurance | |
TWI667587B (zh) | 資訊安全防護方法 | |
KR102042086B1 (ko) | 암호화 통신 프로토콜 제어 모듈 | |
CN109688108A (zh) | 一种防御文件上传漏洞的安全机制及其实施方法 | |
Mitseva et al. | Challenges and Pitfalls in Generating Representative ICS Datasets in Cyber Security Research | |
Kloiber et al. | Test-beds and guidelines for securing IoT products and for | |
CN108366040A (zh) | 一种可编程防火墙的逻辑代码检测方法、装置及电子设备 | |
Richter et al. | Conception and Implementation of Professional Laboratory Exercises in the field of ICS/SCADA Security-Part I: Fundamentals |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| DPEN | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101) | |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2006543239. Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 11666861. Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWP | Wipo information: published in national office | Ref document number: 11666861. Country of ref document: US |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 05799364. Country of ref document: EP. Kind code of ref document: A1 |