1. Field of the Invention
The present invention relates to a Virtual Private Network (VPN) and, more particularly, to a method and apparatus for detecting a node on an external network which is performing VPN communication with a node on an internal network.
2. Description of the Related Art
Techniques for connecting the networks of bases (sites) in remote places include one called Virtual Private Network (VPN).
Layer 3 VPN (L3VPN) is a technique of constructing a virtual network on a real network by performing “encapsulation”, i.e., storing an IP packet inside another IP packet carried on the real network. This technique is sometimes called IP-VPN, Internet VPN, or the like. However, L3VPN, which transfers IP packets upon encapsulation, cannot handle any packets that use protocols other than IP, and demands special consideration in handling broadcast and multicast communication.
The forms of connecting bases in remote places also include a technique called Layer 2 Virtual Private Network (L2VPN). In general, bases in remote places belong to different networks. According to this technique, however, Layer 2 frames (e.g., Ethernet® frames) are encapsulated on an upper layer and transferred between the remote places, thereby making the system look like one virtual Layer 2 network. This technique makes it easier to unify policies and the like, reduces the load on the administrator, and allows a user to belong to the same network regardless of his/her location.
In some cases, a business or governmental organization limits external access through VPN for the prevention of information leakage. There is available an apparatus for detecting VPN communication passing through a firewall (see, e.g., “One Point Wall”, Net Agent Co., Ltd) to identify or restrict a host which is externally accessing an internal network through VPN.
This is a firewall apparatus which is characterized by monitoring the packet pattern of a communication passing through the apparatus and determining that a VPN connection exists if the pattern of the communication matches that of a known VPN protocol.
If the internal network is externally accessed through VPN, the VPN communication always passes through a relay apparatus such as a router which connects to the outside. If, therefore, the VPN communication uses a known VPN protocol, monitoring a passing packet makes it possible to determine whether the packet is a VPN communication packet.
However, since most VPN communications are encrypted, it is difficult to detect VPN communication only by observing a passing packet.
The above firewall apparatus described in “One Point Wall”, which is designed to detect a VPN communication packet by monitoring a communication packet pattern, can detect a communication that uses a known VPN protocol as VPN communication, even if the communication is encrypted, provided that the communication packet pattern coincides with a known pattern.
It is, however, impossible to detect a VPN communication packet pattern unless the firewall apparatus already knows the pattern. For this reason, the firewall apparatus cannot detect any VPN communication packet for VPN communication based on protocols which the apparatus does not know, e.g., a newly developed VPN protocol or a modified VPN protocol.
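The limitation described above, as an added illustration that is not the patent's or the “One Point Wall” product's own code: a minimal pattern-based detector that classifies constructed packet header summaries against an assumed signature list of well-known VPN protocols (standard IP protocol numbers and ports), so that encrypted IPsec traffic is still recognized from its headers while a tunnel on an unknown or modified protocol passes unrecognized.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """Constructed summary of one packet seen at the relay apparatus."""
    src: str
    dst: str
    ip_proto: int                # IP protocol number (6=TCP, 17=UDP, 47=GRE, 50=ESP)
    dport: Optional[int] = None  # transport destination port, if the protocol has one
    payload: bytes = b""         # opaque (possibly encrypted) payload

# Assumed signature table: header patterns of well-known VPN protocols.
# The payload is never inspected, which is why encryption does not defeat it.
KNOWN_VPN_SIGNATURES: Dict[str, Callable[[Packet], bool]] = {
    "IPsec ESP":       lambda p: p.ip_proto == 50,
    "IPsec AH":        lambda p: p.ip_proto == 51,
    "IKE / NAT-T":     lambda p: p.ip_proto == 17 and p.dport in (500, 4500),
    "GRE (PPTP data)": lambda p: p.ip_proto == 47,
    "PPTP control":    lambda p: p.ip_proto == 6 and p.dport == 1723,
    "L2TP":            lambda p: p.ip_proto == 17 and p.dport == 1701,
}

def classify(p: Packet) -> Optional[str]:
    """Name of the known VPN protocol whose pattern the packet matches, else None."""
    for name, matches in KNOWN_VPN_SIGNATURES.items():
        if matches(p):
            return name
    return None

def detect_vpn_packets(packets: List[Packet]) -> List[Tuple[Packet, Optional[str]]]:
    """Classify every passing packet; None marks traffic the apparatus cannot judge."""
    return [(p, classify(p)) for p in packets]

# Constructed sample traffic from an internal node to external nodes.
SAMPLE = [
    Packet("192.168.1.10", "203.0.113.5", 50, None, b"\x9f\x41\x00\x02"),   # ESP, encrypted
    Packet("192.168.1.10", "203.0.113.5", 17, 4500, b"\x00\x00\x00\x00"),   # IKE over NAT-T
    Packet("192.168.1.10", "203.0.113.9", 17, 17001, b"\xc8\x02\x00\x40"),  # L2TP on a modified port
    Packet("192.168.1.10", "203.0.113.9", 17, 39111, b"\x04\x00\x7a\x1c"),  # unknown tunnel protocol
]

if __name__ == "__main__":
    for pkt, verdict in detect_vpn_packets(SAMPLE):
        print(f"{pkt.src} -> {pkt.dst} proto={pkt.ip_proto} dport={pkt.dport}: {verdict}")
```

The last two packets are VPN traffic in this constructed scenario, yet both come back as None, which is exactly the gap the text attributes to pattern-based detection.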
The widespread use of computers and improvements in high-speed always-on networks have allowed users to casually use VPN. On the other hand, there are requirements for inhibiting any devices other than those in a house from connecting to a device installed in the house for the sake of copyright protection.
There has been proposed a technique of using RTT (Round Trip Time) in the standardization of DTCP (Digital Transmission Content Protection)/IP to detect whether a given communication partner (node) is accessing through VPN. However, the above situation cannot be handled by this technique alone.
In addition, the above firewall apparatus described in “One Point Wall”, which is designed to detect a VPN communication packet, can detect a VPN communication packet that uses a known VPN protocol by monitoring passing communications. Even if the apparatus can detect a VPN communication packet, however, it cannot detect the node which connects through VPN.
As described above, the conventional apparatus cannot easily detect a node on an external network which is performing VPN communication with a node on an internal network.
Another problem is that this apparatus cannot easily detect which of the communication packets transmitted/received between a node on an internal network and a node on an external network are used for VPN communication, regardless of whether the VPN protocol is known.