1. Field of the Invention
The present invention generally relates to a network apparatus, a communication control method, and a computer readable recording medium having a computer program for causing the network apparatus to execute the communication control method.
2. Description of the Related Art
A firewall is configured to block unauthorized access while permitting authorized communications, and is generally located at a boundary between a corporate internal local area network (LAN) such as a corporate network and an external network such as the Internet so that unauthorized external accesses to the corporate network are blocked. In addition, internal accesses within the corporate network may also be blocked based on a corporate security policy to provide a certain level of security within the corporate network. Such security is normally provided within the corporate network to block internal unauthorized accesses.
Currently, the following problems may arise in the corporate network. For example, a member of corporate staff who has authorized access to the corporate network may unintentionally connect his or her authorized PC, infected with a virus or a worm, to the corporate network. Although the PC is authorized to connect to the corporate network, its low security level lets it adversely affect the security of the entire corporate network as a source of infection. Such infection may originate from a connected PC on which no firewall is installed, a connected PC on which a firewall is installed but the latest update program has not been applied, or a connected PC that is not managed by an administrator (e.g., a PC brought in by an outsider).
Recently, a concept of network access protection (NAP) has become gradually acknowledged. The NAP is a protocol that implements a quarantine network technique. The NAP is a new platform that inspects a PC and requires the PC to be in compliance with a predetermined requirement before computer devices (PCs) are allowed to have access to the corporate network or allowed to communicate over the corporate network.
For example, all the PCs attempting to have access to the corporate network are connected to a special network region called an inspection network or the like where security levels of the PCs are inspected. The inspection network is logically separated from the corporate network. In the inspection network, whether the security level of the PC is compliant with the corporate security policy is determined. Specifically, the following contents are checked as the corporate security policy: 1) whether the PC has a personal firewall (software), 2) whether the latest pattern file is applied to the firewall, 3) whether the PC has prohibited software applications (installed), 4) whether the latest modified OS program (i.e., patch) is applied. If the PC clears all the above inspection tests, the PC is allowed to switch the connection to the corporate network.
However, if the PC does not clear all of the inspection tests, the PC is supplied with appropriate security measures, such as the application of the latest modified OS program or updating of the latest pattern file, based on the inspection result of the PC. Thereafter, whether the security level of the PC is compliant with the corporate security policy is determined again. If the security level is compliant with the corporate security policy, the PC is then finally authorized to have access to the corporate network.
Note that NAP may force the network to be compliant with the corporate security policy while restricting the communications of the PC. However, the quarantine network has no rigorous definition, so various methods may be used to implement it. For example, Japanese Patent Application Publication No. 2008-154012 discloses NAP mechanisms applied to the quarantine network. The NAP includes mechanisms such as 802.1x, a Security Architecture for Internet Protocol (i.e., IPsec), a Virtual Private Network (VPN), and a Dynamic Host Configuration Protocol (DHCP). With the application of these mechanisms, the quarantine network may be implemented. Methods for implementing the quarantine network include a method for switching based on the personal firewall installed in each client, a method for changing the IP addresses assigned to the PCs by a DHCP server, and a method for switching the connection destinations of the PCs by a gateway.
This specification focuses on the mechanisms employed by NAP and examines a method of implementing a NAP-DHCP based quarantine network. That is, a method for changing the IP address assigned to a PC by the DHCP server based on the inspection result of the PC is examined. In this method, the NAP DHCP operations are as follows.
1) When the PC is connected to the quarantine network, the PC sends an IP address acquisition request to a NAP-enabled DHCP server. Note that the IP address acquisition request packet includes information used to determine whether the PC is a secure PC based on NAP. The information used to determine whether the PC is the secure PC includes information indicating whether the personal firewall is installed in the PC in question, information indicating whether the pattern file for detecting viruses is the latest version, and the like.
2) The NAP-enabled DHCP server receives the IP address acquisition packet and examines the security of the PC (e.g., whether the firewall is installed) based on the received IP address acquisition packet. If the PC security is verified, complete and effective address information (e.g., address, subnet mask, gateway, DNS, etc.) is assigned to the PC to thereby allow the PC to be connected to the corporate network.
3) On the other hand, if the PC security is not verified, the NAP-enabled DHCP server forcefully assigns restricted address information to the PC. Note that the assigned (restricted) address information differs from the address information assigned to the PC having no security problem. That is, the assigned restricted address information includes a restricted IP address and a subnet mask that will not allow the PC to be connected to the corporate network.
In the NAP DHCP operations, as described in the 3) above, if the PC has a security problem, the restricted address information is assigned to the PC so that the PC is unable to be logically connected to a protected non-restricted area of the corporate network. That is, the PC having the security problem is connected to the restricted area whereas the PC having no security problem is connected to the non-restricted area of the corporate network.
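As an added illustration (not code from the patent or any NAP implementation), the following Python models the NAP-enabled DHCP decision in steps 1) to 3) above: the client's health statement is checked against the four policy items listed earlier, a full or restricted lease is issued, and a reachability check shows why the restricted subnet mask and missing gateway keep the PC out of the non-restricted area. The address ranges, field names and lease layout are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption, not from the patent text):
# non-restricted area is 10.0.0.0/16, restricted area is 192.168.200.0/24.
NON_RESTRICTED = ipaddress.ip_network("10.0.0.0/16")
RESTRICTED = ipaddress.ip_network("192.168.200.0/24")

# The four policy items the related-art section lists (field names assumed).
POLICY_CHECKS = ("firewall_installed", "pattern_file_latest",
                 "no_prohibited_software", "os_patch_latest")


@dataclass
class Lease:
    address: str
    netmask: str
    gateway: Optional[str]   # None: no route off the local subnet
    dns: Optional[str]


def failed_checks(statement: dict) -> list:
    """Return the policy items the client's health statement does not satisfy."""
    return [c for c in POLICY_CHECKS if not statement.get(c, False)]


def assign_lease(statement: dict, host_index: int) -> Lease:
    """Step 2)/3): full address information if compliant, restricted otherwise."""
    if failed_checks(statement):
        addr = RESTRICTED[10 + host_index]
        # Restricted lease: address and mask only, no gateway and no DNS.
        return Lease(str(addr), str(RESTRICTED.netmask), None, None)
    addr = NON_RESTRICTED[10 + host_index]
    return Lease(str(addr), str(NON_RESTRICTED.netmask),
                 str(NON_RESTRICTED[1]), str(NON_RESTRICTED[2]))


def can_reach(lease: Lease, target: str) -> bool:
    """Same subnet is on-link; anything else needs a gateway the lease provides."""
    local = ipaddress.ip_interface(f"{lease.address}/{lease.netmask}").network
    if ipaddress.ip_address(target) in local:
        return True
    return lease.gateway is not None
```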
In the above-described network environment, the PCs within the restricted area do not have access to the non-restricted area of the corporate network. However, this situation may change when multicast is performed between the restricted and non-restricted areas of the corporate network.
Multicast is communication carried out by designating a specific group of PCs based on the class D address range (224.0.0.0 through 239.255.255.255), that is, the multicast address range. Multicast addresses are used as destination addresses only, and unicast addresses are used as the sender's addresses.
Recently, PCs often include a protocol for searching using multicast packets. Such a protocol is typically represented by “Bonjour” (Registered Trademark). If the PCs having no security problem within the non-restricted area search for or announce apparatuses or services via multicast communication, the PCs having the security problem within the restricted area may receive the multicast packets. That is, by referring to the sender's address contained in a multicast packet, the IP addresses of the PCs having no security problem within the non-restricted area may be exposed (disclosed).
Thus, if the IP addresses assigned to the non-restricted area are exposed in the NAP-DHCP based quarantine network, the constructed NAP-DHCP based quarantine network may be practically invalid. That is, if the DHCP-assigned addresses of the PCs within the restricted area are changed to IP addresses from the non-restricted area, those PCs will reside within the non-restricted area and will be capable of logically accessing it.
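The exposure described above can be recognised at the packet level: a datagram whose destination is class D but whose source is a non-restricted unicast address reveals that address to any restricted-area receiver. The Python below is an added example, not the mechanism the patent claims, showing how a boundary apparatus could parse an IPv4 header, detect that case, and decide not to forward such packets toward the restricted area. The address plan and the hand-built test header are constructed assumptions.

```python
import ipaddress
import struct

# Constructed address plan (assumption, not from the patent text).
NON_RESTRICTED = ipaddress.ip_network("10.0.0.0/16")
# Class D range from the text: 224.0.0.0 through 239.255.255.255.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def parse_ipv4_header(packet: bytes) -> dict:
    """Minimal IPv4 header parse: version, protocol, source and destination."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _length, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"version": ver_ihl >> 4, "protocol": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


def leaks_non_restricted_source(packet: bytes) -> bool:
    """True if delivering this packet into the restricted area would disclose
    a non-restricted unicast sender address through a multicast destination."""
    hdr = parse_ipv4_header(packet)
    if hdr["version"] != 4:
        return False
    src = ipaddress.ip_address(hdr["src"])
    dst = ipaddress.ip_address(hdr["dst"])
    return dst in MULTICAST and src in NON_RESTRICTED


def forward_to_restricted_area(packet: bytes) -> bool:
    """Boundary decision: drop multicast carrying a non-restricted source;
    every other packet is left to the normal forwarding rules."""
    return not leaks_non_restricted_source(packet)


def build_ipv4_header(src: str, dst: str, proto: int = 17) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero) for test input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
```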
Accordingly, embodiments of the present invention may provide a network apparatus, a communication control method and a computer readable recording medium having a computer program for causing the network apparatus to execute the communication control method that may solve one or more of the problems discussed above.