The present invention relates to a technology for detecting a state in which a terminal that has not obtained connection authorization is connected to the network through a terminal, such as a PC, that has obtained proper authentication, by causing a network address translation device to operate on that authenticated terminal.
Commonly, a computer not having obtained authorization is prevented from being connected to a network (e.g., intranet) of a corporation and the like in order to prevent information leakage and proliferation of computer viruses. For this purpose, at authentication switches, and at wireless access points, after terminals are authenticated in accordance with IEEE 802.1x or the like, the authenticated terminals are discriminated by use of MAC addresses (media access control addresses) thereof, or by use of the MAC addresses and IP addresses (Internet protocol addresses) thereof in combination. The same discrimination is performed in each product and system, which makes it possible to detect unauthorized connected terminals. As described above, a technique for discriminating terminals by use of MAC addresses and IP addresses thereof is commonly used.
On the other hand, there is a technique for connecting an unauthorized terminal to a network in the following manner. Specifically, a plurality of LAN (local area network) cards are installed in an authorized terminal having obtained connection authorization, and then the NAT (network address translation) and NAPT (network address port translation) on the authorized terminal are caused to be active. As a result, the unauthorized terminal is connected to the network via the NAT or NAPT of the authorized terminal. An employee of a corporation may use such a connection without malice in order to connect a PC (personal computer) or the like, which is used by the employee at home, to a network of the corporation. In this case, the PC may be connected without antivirus software installed therein. In the worst case, the PC may be connected in a state of being infected by a computer virus. Such a terminal not having obtained connection authorization should not be permitted to connect to the network.
However, it is difficult to detect this PC because the PC is connected to the network via the NAT/NAPT of the authorized terminal, and thereby a MAC address and an IP address of packets sent from the PC not having obtained connection authorization are replaced by those of the authorized terminal. For this reason, even when there is a dubious access or operation to or in the intranet, it is difficult for a network administrator to find the source of such an access or operation.
In “Detecting NAT Devices using sFlow (URL: http://www.sflow.org/detectNAT/)” (Non-patent Document 1), information passed through a switch is collected in an analysis server by use of the sFlow protocol (RFC 3176) in order to find out the above-mentioned terminals each operating a NAT/NAPT. The analysis server checks TTL (time-to-live) values of IP headers, and thus identifies the terminals each operating the NAT/NAPT. In “NATDet—NAT Detection Tool (URL: http://elceef.itsec.pl/natdet/)” (Non-patent Document 2), although details of the technology are not explained, it appears that a terminal operating a NAT is identified by using the TTL values, timestamp values of TCP (transmission control protocol) headers or the like of network data passed through a network.
In each of Non-patent Documents 1 and 2, the rate of NAT/NAPT detection is not very high because the detection is performed merely by monitoring packets. Moreover, these technologies cannot be considered highly reliable in detecting a NAT/NAPT for at least the following reason. Although the initial TTL values are set to 128 for a Microsoft Windows OS (operating system) (Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries), and to 64 for a Linux OS (Linux is a registered trademark of Linus Torvalds in the United States and/or other countries), a user can easily change each of these values by editing a registry entry or a configuration file of the OS.
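As an added example that is not part of the patent text or of the tools cited, the following Python script applies the TTL check of Non-patent Document 1 to constructed sFlow-style packet samples: it infers each packet's initial TTL from the common OS defaults and flags a source MAC/IP pair whose samples imply more than one originating host. The record layout, field names and sample values are assumptions; a host that changes its initial TTL, as the text notes, will not be distinguished by this check.

```python
# Added example: TTL-based NAT/NAPT inference over constructed sFlow-style samples.
# Not the patent's own implementation; record layout and values are assumptions.
from collections import defaultdict

# Common initial TTLs (Windows 128, Linux 64, some network gear 255). A user can
# change these via the registry or a sysctl, which is the weakness the text notes.
INITIAL_TTLS = (64, 128, 255)

# Constructed packet samples as an analysis server might receive them from sFlow:
# (source MAC, source IP, observed IP TTL). The pair 00:11:22:33:44:55 / 10.0.0.5
# mixes a Windows-style TTL (128 - 1) with a Linux-style one (64 - 1).
SAMPLES = [
    ("00:11:22:33:44:55", "10.0.0.5", 127),
    ("00:11:22:33:44:55", "10.0.0.5", 63),
    ("00:11:22:33:44:55", "10.0.0.5", 127),
    ("00:aa:bb:cc:dd:ee", "10.0.0.7", 63),
    ("00:aa:bb:cc:dd:ee", "10.0.0.7", 63),
]


def infer_initial_ttl(ttl):
    """Map an observed TTL to the smallest common initial value not below it."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    return None  # IPv4 TTL cannot exceed 255; treat anything else as unknown


def detect_nat_candidates(samples):
    """Return {(mac, ip): set of (initial_ttl, hop_count)} for sources whose
    samples imply more than one originating host behind the same address."""
    seen = defaultdict(set)
    for mac, ip, ttl in samples:
        init = infer_initial_ttl(ttl)
        if init is None:
            continue
        seen[(mac, ip)].add((init, init - ttl))
    # One host on a switch port should show a single (initial TTL, hop count)
    # profile. Several profiles behind one MAC/IP (different OS defaults, or the
    # extra decrement a NAT device applies) suggest a NAT/NAPT in front of them.
    return {src: profiles for src, profiles in seen.items() if len(profiles) > 1}


if __name__ == "__main__":
    for (mac, ip), profiles in detect_nat_candidates(SAMPLES).items():
        print(f"possible NAT/NAPT at {mac} / {ip}: profiles {sorted(profiles)}")
```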
It is necessary to detect, with high accuracy, a terminal operating a network address translation device, such as a NAT or NAPT, and to cause the terminal not to function as the network address translation device.