In today's enterprise networks, firewalls are installed at the boundary between the enterprise network and the Internet to prevent unauthorized access and external attacks. However, now that viruses increasingly bypass the firewall by way of portable terminals, incoming e-mail and the Web, maintaining security is becoming more and more difficult.
To deal with this trend, a concept referred to as a quarantine network has been proposed. When the quarantine network performs network access authentication of a client, it screens the client's security status, and accommodates virus-infected clients or unauthorized clients which do not have asset management software installed, in a segment (quarantine segment) isolated from normal clients (“Unauthorized personal computers are controlled by quarantine network,” Nikkei Windows (registered trademark) Pro, November, 2004, pp. 78-89). To implement this concept, two methods, the IEEE802.1x method and the DHCP method, have so far been used.
The IEEE802.1x method is a method which, when a client requests connection permission from a layer-2 network device using IEEE802.1x, performs authentication based on the client's security status. A typical example is NAC (Network Admission Control) (“Network Admission Control”, http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdcont—0900aecd800fdd66.pdf) of the Cisco Co.
In general, in IEEE802.1x, login authentication is performed by sending a user name and password from the client to an authentication server. In a quarantine network using the IEEE802.1x method, information about the client itself, such as the version of its anti-virus software, is additionally sent from the client to the authentication server, and the authentication server decides whether to admit the client based on the security status this information describes.
The DHCP method is a method which performs authentication based on the client's security status by using either a temporary IP address or an official IP address as the DHCP address assigned to the client by the network. A typical example is Vital QIP of NEC Corp.
Once a client is connected to the network, a DHCP server first distributes a temporary IP address to the client. When the client performs web access using the temporary IP address, a quarantine server detects the web access and returns a quarantine script to the client which performed it. The quarantine script is configured so that the result of checking the client's security status is reported to the quarantine server. If the report shows that the client is secure, the quarantine server which received it instructs the DHCP server to recover the temporary IP address assigned to the client and to assign an official IP address instead. Conversely, if the client is determined not to be secure, the temporary IP address remains assigned. By restricting the communication range of the temporary IP address through the filter setup of a router or a switch, a client can be isolated to a different network according to its security status.
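The DHCP-method sequence above, as an added simulation that is not the cited product's code: the DHCP server hands out a temporary address, the quarantine server applies a policy to the script's report and instructs the DHCP server to promote or keep the lease, and the router filter confines temporary addresses to the quarantine server. The address ranges, policy threshold and report field names are assumptions.

```python
"""Simulation of a DHCP-method quarantine network (constructed example)."""
import ipaddress

QUARANTINE_NET = ipaddress.ip_network("10.0.99.0/24")  # assumed temporary range
OFFICIAL_NET = ipaddress.ip_network("10.0.1.0/24")     # assumed official range
QUARANTINE_SERVER = ipaddress.ip_address("10.0.99.1")  # assumed server address
MIN_AV_VERSION = (5, 2)                                # assumed policy threshold


class DhcpServer:
    """Assigns temporary addresses first; official ones only when instructed."""

    def __init__(self):
        self.leases = {}  # client MAC -> currently assigned IPv4Address
        self._temp = QUARANTINE_NET.hosts()
        self._official = OFFICIAL_NET.hosts()
        next(self._temp)  # skip the quarantine server's own address

    def lease_temporary(self, mac):
        self.leases[mac] = next(self._temp)
        return self.leases[mac]

    def promote(self, mac):
        """Recover the temporary address and assign an official one."""
        self.leases[mac] = next(self._official)
        return self.leases[mac]


def is_secure(report):
    """Policy the quarantine server applies to the script's report.
    Missing fields fail closed: an incomplete report is treated as insecure."""
    return (report.get("asset_mgmt_installed") is True
            and tuple(report.get("av_version", (0, 0))) >= MIN_AV_VERSION
            and report.get("virus_detected", True) is False)


def router_allows(src, dst):
    """Router/switch filter: temporary addresses reach only the quarantine server."""
    if src in QUARANTINE_NET:
        return dst == QUARANTINE_SERVER
    return True


def quarantine_server(dhcp, mac, report):
    """Receive the report and instruct the DHCP server; return the resulting lease."""
    if is_secure(report):
        return dhcp.promote(mac)
    return dhcp.leases[mac]  # not secure: temporary address stays assigned
```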