When an internal network of an enterprise, a university, a home, etc. is connected to a network that can be accessed from an indefinite number of terminals, such as the Internet, the internal network must be protected against attack from the external network. Thus, hitherto a firewall has been installed between the internal network and the external network.
The firewall generally is made up of an unauthorized access detection unit and a packet filtering unit. If an attack is made from the external network or a sign of unauthorized access is observed between the internal network and the external network, the unauthorized access detection unit notifies the network manager, etc., of the fact.
The packet filtering unit is a unit for allowing only packets used in necessary communications conducted between the internal network and the external network to pass through and blocking other packets.
(Technique of Unauthorized Access Detection Unit)
The unauthorized access detection unit detects an attack made by an attacker or unauthorized access by monitoring the packet flow sequence. The attack or unauthorized access detection techniques are roughly classified into the following two:
(1) Detecting the monitored packet sequence showing a sign of unauthorized access.
(2) Detecting the monitored packet sequence deviating from normal access.
The latter is a technique expected to raise the accuracy of unauthorized access detection because it can detect any operation other than normal access. However, in an environment in which various communications are conducted, it is difficult to stipulate what normal access is and to provide a database of it.
Thus, the former method is often operated with its targets limited. For example, a method of detecting a port scan, in which packets are sent from the external network to a plurality of ports of a specific internal terminal to examine whether a service is active on each port, as a sign of unauthorized access has been operated. However, this method requires that the sign of unauthorized access be registered in the unauthorized access detection system for each unauthorized access technique; therefore, the method has the weak point that a new attack method is hard to detect.
The following arts are proposed as those belonging to the latter:
(2A) An unauthorized access shutoff system including a communication relay control section for receiving communication data from an external network and transferring the communication data to a server only if the communication data is normal; a normal access information storage section for storing one or more types of conditions of communication data contributing to providing the service intended by the server as feature information of normal communication data; and a normal access determination section for reading the feature information from the normal access information storage section, comparing the feature information with the communication data received by the communication relay control section, and determining that only the communication data satisfying all of the feature information is normal (refer to patent document 1).
(2B) A method of determining the access type in a communication network, including the steps of defining protocol specifications and/or access policy for accepting external access made through a communication network as normal access for each target communication system or communication system group, capturing transmission information addressed to the communication system or the communication system group from among pieces of transmission information distributed through the communication network, and determining that transmission information not meeting the protocol specifications or the access policy from among the captured pieces of transmission information is transmission information having a probability of unauthorized access (refer to patent document 2).
(System of Packet Filtering Unit)
The packet filtering unit allows a packet communicated between an internal network and an external network to pass through if the packet conforms to predetermined rules, and does not allow the packet to pass through if it does not conform to the predetermined rules. The rules are rules representing descriptions such as “permitting access from a specific host,” “permitting http (HyperText Transfer Protocol) access from the internal network to the external network,” or “permitting ftp (File Transfer Protocol) access to a specific port from the external network to the internal network if ftp is started from the internal network to the external network.” The packet filtering unit allows only packets conforming to the rules to pass through and blocks other packets, thereby defending the system against attack and unauthorized access from the external network to the internal network.
IP address units and pair units of IP addresses and port numbers are mainly used as the packet passage control units of the packet filtering unit.
Control in the IP address units can be realized as a rule of allowing all packets transferred between a specific terminal on the external network and a specific terminal on the internal network to pass through. Specifically, letting the IP address of a personal computer connected to the external network using dialup or hot spot be 202.123.12.1 and the IP address of an electronic mail server on the internal network be 202.32.21.1, the rule of permitting a packet communicated from the personal computer to the electronic mail server can be described as “Allow 202.123.12.1 202.32.21.1.” In the rule, Allow represents permitting packet passage, 202.123.12.1 represents the source IP address, and 202.32.21.1 represents the destination IP address. The packet filtering unit allows all packets conforming to the rule to pass through. Such control of allowing or not allowing the packet specified by the pair of the source IP address and the destination IP address is called control in IP address units.
Control in pair units of IP addresses and port numbers can be realized as a rule of allowing data transmitted from a specific port of a specific terminal on the external network to pass through to a specific port where an application of a specific terminal stands by on the internal network. For example, let the IP address of an IP telephone terminal on the external network be 202.123.12.2, the port number of the port where an audio data transmission application is started in the terminal be 12345, the IP address of an IP telephone terminal on the internal network be 202.32.21.2, and the port number of the port where an audio data reception application is started in the terminal be 23456. In this case, the rule of permitting the audio data to pass through can be described as “Allow 202.123.12.2 12345 202.32.21.2 23456.” In the rule, Allow represents permitting packet passage and 202.123.12.2, 12345, 202.32.21.2, and 23456 represent the source IP address, the source port number, the destination IP address, and the destination port number respectively. The packet filtering unit allows all packets conforming to the rule to pass through. Such control of allowing or not allowing the packet specified by the pair of the source IP address and the source port number and the pair of the destination IP address and the destination port number is called control in pair units of IP addresses and port numbers.
To make an attack from an external network on an internal network, a technique of first capturing a specific terminal and then attacking a terminal on the internal network from the captured terminal is often used. In this case, if the packet filtering unit performs control in IP address units, all services (applications) on the terminal on the internal network become accessible from the captured terminal; this is undesirable. If, on the other hand, control in pair units of IP addresses and port numbers is performed, the attack range can be narrowed; this is more desirable.
However, the pair of the source IP address and the source port number and the pair of the destination IP address and the destination port number are not determined between the terminals until communications are established. Thus, a unit positioned midway in the network, like the packet filtering unit, cannot easily acquire the IP address and port number pair information.
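The following is an added example, not code from the patent or from any product, of a toy packet filter that evaluates rules written in the page's two notations: "Allow src dst" (control in IP address units) and "Allow src sport dst dport" (control in pair units of IP addresses and port numbers). The addresses and port numbers are the page's sample values; the packets, the probe port list and the source port 40000 are constructed. The `reachable_ports` check makes the attack-range point of the paragraph above concrete: under the IP-address-unit rule every destination port on the internal terminal is reachable from the permitted external address, while under the pair-unit rule only the one negotiated port is.

```python
"""Toy packet filter illustrating the two packet passage control units described
in the text. Added example for this page; not the patent's or any product's code.
Addresses and ports come from the page's examples; packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None = any port (control in IP address units)
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Compare parsed addresses rather than raw strings.
        if ip_address(pkt.src_ip) != ip_address(self.src_ip):
            return False
        if ip_address(pkt.dst_ip) != ip_address(self.dst_ip):
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse a rule written in the page's "Allow ..." notation."""
    parts = text.split()
    if len(parts) == 3 and parts[0] == "Allow":      # Allow src dst
        return Rule(parts[1], parts[2])
    if len(parts) == 5 and parts[0] == "Allow":      # Allow src sport dst dport
        return Rule(parts[1], parts[3], int(parts[2]), int(parts[4]))
    raise ValueError(f"unsupported rule: {text!r}")


def filter_packet(rules: List[Rule], pkt: Packet) -> bool:
    """Default deny: a packet passes only if at least one rule permits it."""
    return any(rule.matches(pkt) for rule in rules)


def reachable_ports(rules: List[Rule], src_ip: str, src_port: int,
                    dst_ip: str, probe_ports: List[int]) -> List[int]:
    """Rule audit: which of probe_ports on dst_ip does src_ip:src_port reach?"""
    return [p for p in probe_ports
            if filter_packet(rules, Packet(src_ip, src_port, dst_ip, p))]


# IP-address-unit rule from the page: PC 202.123.12.1 -> mail server 202.32.21.1
IP_UNIT_RULES = [parse_rule("Allow 202.123.12.1 202.32.21.1")]
# IP/port-pair rule from the page: IP phone 202.123.12.2:12345 -> 202.32.21.2:23456
PAIR_UNIT_RULES = [parse_rule("Allow 202.123.12.2 12345 202.32.21.2 23456")]

if __name__ == "__main__":
    services = [25, 80, 110, 143]            # constructed list of service ports
    print("IP address units  :",
          reachable_ports(IP_UNIT_RULES, "202.123.12.1", 40000, "202.32.21.1", services))
    print("IP/port pair units:",
          reachable_ports(PAIR_UNIT_RULES, "202.123.12.2", 12345, "202.32.21.2", services + [23456]))
```

Note that both rule kinds are directional: the IP-address-unit rule permits packets from 202.123.12.1 to 202.32.21.1 but not the reverse 5-tuple, which is why a firewall needs the return-direction rule as well when the protocol requires it.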
To solve such a problem, a method of using a server for relaying call control to establish communications and acquiring the information is known (for example, refer to patent documents 3 and 4). The call control proxy server will be discussed below:
(Call Control Proxy Server)
Communication control based on SIP (Session Initiation Protocol) is available as call control for establishing communications between specific terminals. SIP defines the format and the sequence of the control messages used to negotiate the IP address, the port number, the codec type, the band, etc., used for distributing media between two or more terminals in order to establish communications. In SIP operation, there is a method of installing a call control proxy server that relays all call control sequences transmitted and received by the terminals belonging to a specific organization.
FIG. 21 shows a call control sequence (INVITE sequence) in which an internal terminal installed in an internal network and an external terminal installed in an external network establish communications using a call control proxy server. INVITE, TRYING, RINGING, OK, and ACK, which label the control messages in the figure, are control messages defined in SIP. As the control messages are exchanged between the terminals, the IP address, the port number, the media type, the codec, the band, etc., used in the communications to be established are negotiated, and communications are established between the terminals.
For example, to establish audio communications in the sequence of FIG. 21, the following information, which determines the source IP address and the source port number or the destination IP address and the destination port number, is contained in a control message:
m=audio 49170 RTP/AVP 0
c=IN IP4 224.2.17.12
This description format is standardized by the IETF (Internet Engineering Task Force), an Internet protocol standardization organization, as SDP (Session Description Protocol). The m= line carries media information: audio indicates the media type, 49170 the port number, and RTP/AVP 0 the transport and payload format. The c= line carries connection information: IN indicates the Internet, IP4 indicates IPv4, and 224.2.17.12 is the IP address used for the connection.
In FIG. 21, when the call control proxy server receives ACK, it knows the source IP address, the destination IP address, and the destination port number.
The call control proxy server can use the acquired set of the source IP address, the destination IP address, and the destination port number to control the packet filtering unit. This method is called a packet filtering unit control method using a call control proxy server. This method, however, cannot be used in the mobile IP environment described just below:
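As an added example (not the patent's code), the following parses the SDP bodies carried in a SIP offer (INVITE) and answer (200 OK) and derives, in the page's "Allow src sport dst dport" notation, the rules a call control proxy server could hand to the packet filtering unit once it sees the ACK. The two SDP bodies are constructed; they reuse the page's IP telephone addresses 202.123.12.2:12345 and 202.32.21.2:23456, and the rejected video line (answered with port 0) and the session-level 0.0.0.0 address overridden by a media-level c= line are included to show the cases a parser must handle.

```python
"""Derive packet-filter rules from the SDP exchanged in a SIP INVITE / 200 OK.
Added example for this page; not the patent's or any product's code.
The SDP bodies below are constructed using the page's IP telephone addresses."""
from typing import Dict, List, Optional


def parse_sdp_media(sdp: str) -> List[Dict]:
    """Return one record per m= line with the connection address that applies to it.
    A media-level c= line overrides the session-level c= line (RFC 4566)."""
    session_addr: Optional[str] = None
    media: List[Dict] = []
    current: Optional[Dict] = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue                         # blank or malformed line
        key, value = line[0], line[2:]
        if key == "c":
            fields = value.split()           # c=<nettype> <addrtype> <connection-address>
            if len(fields) < 3:
                continue
            if current is None:
                session_addr = fields[2]     # session-level address
            else:
                current["addr"] = fields[2]  # media-level address
        elif key == "m":
            fields = value.split()           # m=<media> <port>[/<count>] <proto> <fmt> ...
            if len(fields) < 3:
                continue
            current = {
                "media": fields[0],
                "port": int(fields[1].split("/")[0]),
                "proto": fields[2],
                "addr": None,
            }
            media.append(current)
    for m in media:
        if m["addr"] is None:
            m["addr"] = session_addr
    return media


def rules_from_offer_answer(offer_sdp: str, answer_sdp: str) -> List[str]:
    """Pair each offered media line with the answer's line in the same position
    (an SDP answer mirrors the offer's m= order) and emit one rule per direction.
    A line answered with port 0 was rejected, so no rule is opened for it."""
    rules: List[str] = []
    for offer, answer in zip(parse_sdp_media(offer_sdp), parse_sdp_media(answer_sdp)):
        if offer["media"] != answer["media"]:
            raise ValueError("answer media order does not mirror the offer")
        if offer["port"] == 0 or answer["port"] == 0:
            continue
        if offer["addr"] is None or answer["addr"] is None:
            continue
        rules.append(f"Allow {offer['addr']} {offer['port']} {answer['addr']} {answer['port']}")
        rules.append(f"Allow {answer['addr']} {answer['port']} {offer['addr']} {offer['port']}")
    return rules


# Constructed SDP offer (external IP telephone) and answer (internal IP telephone).
OFFER_SDP = """v=0
o=ext 2890844526 2890844526 IN IP4 202.123.12.2
s=call
c=IN IP4 202.123.12.2
t=0 0
m=audio 12345 RTP/AVP 0
m=video 51372 RTP/AVP 31
"""

ANSWER_SDP = """v=0
o=int 2890844527 2890844527 IN IP4 202.32.21.2
s=call
c=IN IP4 0.0.0.0
t=0 0
m=audio 23456 RTP/AVP 0
c=IN IP4 202.32.21.2
m=video 0 RTP/AVP 31
"""

if __name__ == "__main__":
    for rule in rules_from_offer_answer(OFFER_SDP, ANSWER_SDP):
        print(rule)
```

The first rule produced is exactly the page's "Allow 202.123.12.2 12345 202.32.21.2 23456"; the second is its reverse, since RTP audio flows in both directions. Because the proxy relays every call control message, it can install these rules at ACK time and remove them when it relays the BYE, which is the point of the method described above.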
(Mobile IP Environment)
Mobile IP is a technology that allows already established communications to continue without interruption when the IP address changes because the terminal moves or is disconnected from a network and reconnected. Mobile IP is standardized by the IETF, and the details of the protocol are defined in RFC3775 (IPv6) and RFC3344 (IPv4).
FIG. 22 describes the operation of mobile IP. The configuration in FIG. 22 includes a mobile terminal (also called MN (Mobile Node)) 201, a home agent (HA) 202, which is a server that performs mobility management, a home network 205 to which the home agent 202 is connected, an external terminal (also called CN (Correspondent Node)) 203, an external network 204, a specific network (network to move to) 206 connected to the external network, a firewall 207 provided with a packet filtering unit, etc., and routers 208 and 209.
An IP address on the home network 205, for example 2001:300:c01::2/64, is given to the mobile terminal 201 and is called the home address. The mobile terminal 201 establishes communications with the external terminal 203 while connected to the home network 205. It is assumed that the mobile terminal 201 moves to the specific network (network to move to) 206 while the communications are established. Let the IP address given to the mobile terminal 201 when it moves to the specific network (network to move to) 206 be, for example, 2001:300:c01:beef::2/64. This address is called the care address of the mobile terminal 201. To continue the communications established between the mobile terminal 201 and the external terminal 203, a packet transmitted from the external terminal 203 to the address 2001:300:c01::2 (home address=old care address) needs to be retransmitted to the new care address. In mobile IP, when the mobile terminal 201 moves and acquires a new care address, it sends a notification of the IP address correspondence to the home agent 202 and the external terminal 203. This notification of the IP address correspondence, namely “change of the care address of the mobile terminal 201 from 2001:300:c01::2 to 2001:300:c01:beef::2,” is called a BU (Binding Update) message.
If the external terminal 203 is not compatible with the mobile IP, the packet addressed to the mobile terminal 201 is transmitted to the home address. The packet transmitted to the home address is delivered via the external network 204 to the home network 205. The packet delivered to the home network 205 is received once by the home agent 202. The home agent 202 distributes the once received packet to the care address of the mobile terminal 201, thereby delivering the packet to the mobile terminal 201. A packet from the mobile terminal 201 to the external terminal 203 is delivered in the opposite order (mobile terminal 201 to home agent 202 to external terminal 203).
If the external terminal 203 is compatible with the mobile IP, the packet addressed to the mobile terminal 201 is distributed directly to the care address. Thus, the packet delivered to the mobile terminal 201 is delivered to a specific application. This means that communications established by the mobile terminal 201 with the external terminal 203 before move can be conducted continuously even after the mobile terminal 201 moves.
However, in a situation in which mobile IP is operated, the IP address (care address) of the mobile terminal 201 changes. Thus, the rule set in the packet filtering unit before the mobile terminal 201 moves cannot be applied after it moves; this is a problem.
Hitherto, to solve this problem, a method of controlling the packet filtering unit using the information contained in the BU message sent from the mobile terminal 201 to the home agent 202 when the mobile terminal 201 moves has been available (refer to patent document 5).
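The following added example (not the patent's or any product's code) shows the rule-maintenance step that the problem above calls for: when a Binding Update reports that the care address of the mobile terminal changed, every packet-filter rule written in the page's "Allow ..." notation that still names the old care address is rewritten to the new one. The mobile terminal's addresses are the page's (home address 2001:300:c01::2, new care address 2001:300:c01:beef::2); the external terminal's address 2001:db8::10, the port numbers and the binding lifetime are constructed. A BU with lifetime 0 (the mobile terminal returning home) is handled as the inverse rewrite.

```python
"""Rewrite "Allow ..." packet-filter rules when a Mobile IPv6 Binding Update
changes a mobile terminal's care address. Added example for this page; not the
patent's or any product's code. External-terminal address and ports are constructed."""
from dataclasses import dataclass
from ipaddress import IPv6Address, ip_address
from typing import List, Tuple


@dataclass(frozen=True)
class BindingUpdate:
    home_address: str
    old_care_address: str
    new_care_address: str
    lifetime: int          # seconds; 0 means the binding is being removed (RFC 3775)


def _ipv6(text: str) -> IPv6Address:
    addr = ip_address(text)
    if not isinstance(addr, IPv6Address):
        raise ValueError(f"expected an IPv6 address, got {text!r}")
    return addr


def rewrite_rules_on_bu(rules: List[str], bu: BindingUpdate) -> Tuple[List[str], int]:
    """Return (updated rules, number of rules rewritten). Every address field equal to
    the old care address is replaced; with lifetime 0 the terminal has returned home,
    so the home address is used as the replacement."""
    old = _ipv6(bu.old_care_address)
    _ipv6(bu.home_address)
    replacement = bu.home_address if bu.lifetime == 0 else bu.new_care_address
    _ipv6(replacement)                       # validate before touching any rule
    updated: List[str] = []
    rewritten = 0
    for rule in rules:
        parts = rule.split()
        if not parts or parts[0] != "Allow":
            raise ValueError(f"unsupported rule: {rule!r}")
        fields: List[str] = [parts[0]]
        changed = False
        for field in parts[1:]:
            try:
                addr = ip_address(field)
            except ValueError:               # port numbers are not addresses; keep as-is
                fields.append(field)
                continue
            if addr == old:
                fields.append(replacement)
                changed = True
            else:
                fields.append(field)
        updated.append(" ".join(fields))
        if changed:
            rewritten += 1
    return updated, rewritten


# Rules installed while terminal 201 was at home (home address = old care address).
RULES_BEFORE_MOVE = [
    "Allow 2001:db8::10 12345 2001:300:c01::2 23456",   # external terminal -> mobile terminal
    "Allow 2001:300:c01::2 23456 2001:db8::10 12345",   # mobile terminal -> external terminal
    "Allow 2001:db8::20 2001:db8::30",                  # unrelated rule; must be left alone
]

# Constructed BU for the move described on the page.
BU_AFTER_MOVE = BindingUpdate(
    home_address="2001:300:c01::2",
    old_care_address="2001:300:c01::2",
    new_care_address="2001:300:c01:beef::2",
    lifetime=3600,
)

if __name__ == "__main__":
    new_rules, count = rewrite_rules_on_bu(RULES_BEFORE_MOVE, BU_AFTER_MOVE)
    print(f"{count} rule(s) rewritten")
    for rule in new_rules:
        print(rule)
```

A rewrite like this is only as trustworthy as the BU that triggers it; RFC 3775 requires the BU sent to the home agent to be protected with IPsec, so a filter controller should act on BUs only after the home agent has accepted them, not on anything that merely looks like a BU on the wire.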
FIG. 23 describes the configuration of the system in the related art. The configuration in FIG. 23 includes a first mobile terminal 301, a second mobile terminal 302, a home agent 303, a firewall management host 304, a packet filtering unit 305, an external network (Internet) 306, an ISP (Internet service provider) 307, and an authentication server 308 of the ISP 307.
Here, a situation in which the first mobile terminal 301 is brought into the external network and a connection is made from the first mobile terminal 301 to the second mobile terminal 302 is assumed. The first mobile terminal 301 is connected to the external network via a specific ISP 307 by dialup, etc. At this time, the authentication server 308 of the ISP 307 sends user information to the first mobile terminal 301, which then sends the user information to the firewall management host 304. If the user information is valid, the firewall management host 304 changes the setting of the packet filtering unit 305 on the firewall so as to make communications between the first mobile terminal 301 and the home agent 303 possible. As this operation sequence is executed, it becomes possible for the first mobile terminal 301 to communicate with the second mobile terminal 302 via the home agent 303. That is, dynamic control of the packet filtering unit 305 is realized in a situation in which mobile IP is operated.
Patent document 1: JP-A-2004-38557
Patent document 2: JP-A-2001-313640
Patent document 3: JP-A-2003-229893
Patent document 4: JP-A-2003-229915
Patent document 5: JP-A-10-70576