1. Field of the Invention
The present invention relates to a quarantine device, a quarantine system, and a quarantine method used to quarantine terminals connected to a network, as well as to a computer-readable recording medium that stores a software program used to implement the above.
2. Background Art
In recent years, in order to address the increased number of infections with worms, viruses, etc. through networks, businesses have been actively deploying quarantine systems (for example, see JP 2008-54204A). Quarantine systems maintain network security by isolating from the work network those terminals that do not meet requirements pre-defined by security policies, such as terminals with out-of-date OS patches or out-of-date definition files for anti-virus software.
A Layer 2 Switch having VLAN (Virtual LAN) capability (hereinafter referred to as a VLAN-aware Layer 2 Switch) is commonly used in this type of quarantine system in order to provide finer and more precise control over the network. The Layer 2 Switch controls the network at the data link layer, which lies below the layer used for Internet Protocol-based communications.
In particular, in a quarantine system, a VLAN-aware Layer 2 Switch is provided in advance with a VLAN used for work purposes and a VLAN used for isolation purposes. Additionally, a quarantine server, which forms part of the quarantine system, associates terminals connected to the Layer 2 Switch with either one of the VLANs depending on the security policies of the terminals.
This means that when a terminal is connected to any of the ports of the Layer 2 Switch, the quarantine server detects the connection of the terminal to the port through SNMP (Simple Network Management Protocol). The quarantine server then checks whether an agent program has been installed on the terminal, performs security policy checks, and so on.
After that, the quarantine server attaches only safe terminals that meet the security policy requirements to the work VLAN and authorizes their connection to the work network. The quarantine server uses the isolation VLAN to isolate terminals that do not meet the security policy requirements. Terminals belonging to the isolation VLAN can communicate only with the quarantine server.
Furthermore, terminals having no agent program deployed on them and terminals that do not meet the security policy requirements are subjected to processing intended to satisfy those requirements, such as agent program installation, after which the quarantine server connects them to the work VLAN. As a result, the security of the network is protected.
In addition, in the above-described quarantine system, a separate VLAN can be configured for each port of the Layer 2 Switch, in which case the isolation and recovery of terminals can be realized on a per-port basis. Furthermore, an isolation VLAN can be allocated to each terminal, in which case quarantine can be established for each individual terminal.
Incidentally, the above-described quarantine system presupposes that a single terminal or information appliance is connected directly to each port of the Layer 2 Switch. In practice, however, there are situations in which, for example, a hub having no VLAN capability (hereinafter referred to as a VLAN-unaware hub) is connected to a port of the Layer 2 Switch and multiple terminals are in turn connected to this VLAN-unaware hub.
In such a case, all the terminals under the VLAN-unaware hub belong to the same VLAN. Therefore, if, for example, a terminal that meets the security policy requirements is the first terminal connected to the VLAN-unaware hub, the port to which the VLAN-unaware hub is connected ends up being assigned to the work VLAN by the quarantine server.
Then, when a second terminal is connected to the VLAN-unaware hub, that terminal ends up being connected to the work network regardless of whether an agent program has been deployed on it, and even if the security policy requirements are not met. The problem with the above-described quarantine system is therefore that when multiple terminals are connected to a port of the Layer 2 Switch through a VLAN-unaware hub, those terminals cannot be individually isolated from, and recovered back into, the work network.
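The following simulation is an added example and is not code from the patent or from any product it describes. It models the per-port quarantine described in the background (a quarantine server reacts to a port link-up, checks the terminal that caused it, and moves the whole port to the work VLAN or the isolation VLAN) and then reproduces the VLAN-unaware-hub case. The VLAN numbers, terminal names and the `on_port_link_up` hook standing in for the SNMP notification are constructed for the example; the assumption that a second device behind the hub does not change the switch port's link state, and therefore is never inspected, is labelled in the code.

```python
"""Simulation of per-port VLAN quarantine and the VLAN-unaware hub gap.

Added example (not from the patent). VLAN ids, terminal names and the
link-up hook are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WORK_VLAN = 100        # constructed VLAN id for the work network
ISOLATION_VLAN = 999   # constructed VLAN id for the isolation network


@dataclass
class Terminal:
    name: str
    agent_installed: bool
    policy_ok: bool      # e.g. OS patches and AV definitions up to date

    def is_safe(self) -> bool:
        """A terminal is admitted to the work VLAN only if it runs the agent
        and passes the security policy checks."""
        return self.agent_installed and self.policy_ok


@dataclass
class Port:
    number: int
    vlan: Optional[int] = None
    # Every device reachable through this port: one terminal when connected
    # directly, several when a VLAN-unaware hub sits in between.
    terminals: List[Terminal] = field(default_factory=list)


class VlanAwareL2Switch:
    """VLAN membership is a property of the port, never of one terminal."""

    def __init__(self, port_count: int) -> None:
        self.ports: Dict[int, Port] = {n: Port(n) for n in range(1, port_count + 1)}

    def set_port_vlan(self, port_no: int, vlan: int) -> None:
        self.ports[port_no].vlan = vlan


class QuarantineServer:
    def __init__(self, switch: VlanAwareL2Switch) -> None:
        self.switch = switch

    def on_port_link_up(self, port_no: int, terminal: Terminal) -> int:
        """Hypothetical stand-in for the SNMP link-up notification: the
        server inspects the terminal that brought the port up and assigns
        the port to the work VLAN or the isolation VLAN accordingly."""
        vlan = WORK_VLAN if terminal.is_safe() else ISOLATION_VLAN
        self.switch.set_port_vlan(port_no, vlan)
        return vlan


def connect(switch: VlanAwareL2Switch, server: QuarantineServer,
            port_no: int, terminal: Terminal) -> None:
    """Plug a terminal into a port (or into a hub hanging off that port).

    Assumption of this model: only the first device on a port brings the
    switch port's link up. A later device plugged into a hub behind the
    port does not change the port's link state, so the quarantine server
    is never notified about it and it inherits the port's VLAN.
    """
    port = switch.ports[port_no]
    first_on_port = not port.terminals
    port.terminals.append(terminal)
    if first_on_port:
        server.on_port_link_up(port_no, terminal)


def build_scenario() -> VlanAwareL2Switch:
    """Two directly connected terminals plus a hub with two terminals."""
    switch = VlanAwareL2Switch(port_count=3)
    server = QuarantineServer(switch)

    # Ports 1 and 2: one terminal each, directly connected. Per-port
    # quarantine here equals per-terminal quarantine.
    connect(switch, server, 1, Terminal("pc-a", agent_installed=True, policy_ok=True))
    connect(switch, server, 2, Terminal("pc-b", agent_installed=False, policy_ok=False))

    # Port 3: a VLAN-unaware hub. The compliant terminal arrives first, so
    # the port is moved to the work VLAN; the non-compliant one arrives
    # later and shares that port.
    connect(switch, server, 3, Terminal("pc-c", agent_installed=True, policy_ok=True))
    connect(switch, server, 3, Terminal("pc-d", agent_installed=False, policy_ok=False))
    return switch


def vlan_assignments(switch: VlanAwareL2Switch) -> Dict[str, Optional[int]]:
    """The VLAN each terminal actually lands on (its port's VLAN)."""
    return {t.name: port.vlan for port in switch.ports.values() for t in port.terminals}


def policy_gaps(switch: VlanAwareL2Switch) -> List[str]:
    """Defender's check: terminals that fail the policy yet sit on the work VLAN."""
    return [t.name for port in switch.ports.values() for t in port.terminals
            if port.vlan == WORK_VLAN and not t.is_safe()]


if __name__ == "__main__":
    sw = build_scenario()
    for name, vlan in vlan_assignments(sw).items():
        print(f"{name}: VLAN {vlan}")
    print("non-compliant terminals on the work VLAN:", policy_gaps(sw))
```

Running the script shows `pc-b` correctly isolated on its own port while `pc-d`, which fails the same checks, ends up on the work VLAN because it shares port 3 with `pc-c`. The `policy_gaps` function is the kind of reconciliation a quarantine server can run against its own inventory to detect this condition after the fact, even though per-port VLAN assignment alone cannot prevent it.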