JP2000354034A - Business: hacker monitoring chamber - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a business: hacker monitoring chamber which can prevent infiltrations and attacks from the outside, only by being installed at the entrance of a LAN(local area network) and can detect the attacks without being recognized of existence by only connecting the chamber to the connector of an HUB, etc., in the LAN. SOLUTION: A stand-alone sensor inspects all passing packets, and when the sensor detects infiltration, generates an alarm to a director and forcibly disconnect a session. Upon detecting the infiltration, a sensor with router produces an alarm, forcibly disconnects the session, and dynamically rewrites the filtering of its router. In addition, the sensor with router will not accept access from attacking addresses thereafter. A sensor with firewall has a strong filtering function using a firewall. Since interfaces do not set any IP address, the existence of the sensors themselves is not seen at all from the outside.

Description

DETAILED DESCRIPTION OF THE INVENTION

BACKGROUND OF THE INVENTION Connected to the Internet,
When using or providing services on various networks provided through a network, unintentional attacks by external attackers are problematic. Alternatively, an attack that attempts to use computer data or programs in an unfriendly manner in a group of computers connected via a network, whether or not they are connected to the outside, is a problem. These attacks are crackin '
g) is often collectively referred to, but defending them is an important and urgent requirement for the effective use of the network now and in the future. The present invention provides a mechanism for that.

2. Description of the Related Art To date, ciphers or firewalls have been standard and common means for preventing attackers. The former is characterized in that data can be prevented from being altered or eavesdropped during communication. Also,
The latter is characterized by protecting a certain area of the network from the outside. Here, the latter case will be considered in particular. First, a firewall is a component or a group of components installed between a protected network and the Internet or other networks to restrict access therebetween. When it is installed, all data from inside and outside pass through the firewall, so it is possible to control only data determined by the security policy to pass. The firewall itself needs immunity to prevent data from passing through on its own, and it can centrally manage security decisions,
Thorough security policy, effective collection of user history,
It is possible to limit the threat from the network. In general, firewalls cannot be defended by attacks from the inside, attacks by communications that do not pass through the inside, attacks unknown to date, and intrusion of viruses. This is because a firewall is characterized by trying to protect the inside from the outside by restricting communication between the outside and the inside according to a preset policy. In this regard, two problems can be pointed out regarding attack defense. First, when protecting,
The content and scope of the restrictions in the setting policy are determined based on the services to be provided or used, but the determination requires considerable knowledge and understanding of communication technology. To do that. In particular, it is necessary to recognize and understand the communication hierarchy, the selected procedure, the technical content to be used, and the types of attacks that can be performed on all of them. Taking all these into consideration in advance and deciding the setting policy and creating its contents is a highly difficult technology, no matter how many products and systems are provided, and it is roughly the level of a general engineer. In the range of products prepared in advance, complete correspondence is impossible. Therefore, in many cases, a firewall as a product or a supply system can be fully used only by a person skilled in network technology, and further continuous work is required. Another problem is that the gate system has a fixed configuration, so rather than detecting and preventing an attack, the part that may have a small chance to prevent the attack from sacrifice its usefulness. Also have a tendency to close first. This is because, even though the communication system is used, the malicious communication (or attack) that may occur in the future must be assumed and dealt with rather than the communication itself.
These are, in part, for each individual case, the internal network (hereinafter LAN: local area net).
This is because the business requirements required by the “work” are different, and a thorough analysis of them from the viewpoint of an attack is required. Therefore, as a practical system,
Emphasis was placed on the inconvenience of using services only in the remaining area after considering the danger of external attacks, rather than being useful for effective use of the network. It is the limit for possible services. Since the attack cannot be detected, there is a fundamental problem in closing all places that can be attacked rather than preventing the attack. Also, as another point,
The attacker's cracking techniques are constantly evolving, and foreseeing them all can be extremely difficult in some cases. Therefore, once again in the prior art,
It can be pointed out that there is a practical contradiction that a network such as a LAN cannot be sufficiently utilized without a great effort of a highly skilled engineer. Further, apart from the above-mentioned issues, it is a weak point of the conventional technology that there is no way to resist an attack set in the LAN. Of course, LA
Although the means of reconstructing the entire system with the inside of N being a pseudo-outside is still being taken, this has only postponed the problem, and it goes without saying that another solution as shown below is desired. Is the thing.

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and can be prevented from intruding or attacking from the outside only by installing it at the entrance of a LAN.
The purpose is to detect an attack simply by connecting to a connector such as a HUB inside N without knowing its existence.

Means for Solving the Problems The means we have prepared to solve the above problems are as follows. A monitoring system that can detect external attacks or intrusions by monitoring IP packets that accumulate over time at the entrance of a network system in an organization connected to an external public network such as the Internet. When an intrusion or attack is detected, it is a defense system that can dynamically change the communication permission criteria and block the intrusion or attack. However, by further applying this, a monitoring system characterized by detecting an attack or intrusion from the inside by monitoring IP packets that accumulate over time in a network system within an organization. Things were also possible. In that case, it is necessary to be able to collect data while ignoring addresses that are physically determined as hardware such as Ethernet (registered trademark) -card. It has also gained a kind of stealth without showing it on the network. This is extremely effective as a defense system, and establishes the superiority of the defender over the attacker, saying, "I do not know its existence and I will not respond to it." I have. Further, in the former defense system, a function is established by dynamically changing the reference of the communication block in a normal firewall. This is because when an intrusion or an attack is detected, the source or destination address of the attack is identified and the communication permission criteria of the conventional firewall packet filter are dynamically changed. It supports building a defense system that is characterized by blocking intrusions or attacks. In all of these cases, an updatable database is provided, so that a new pattern can be handled. This is because in the so-called Internet world, crackers or malicious hackers
New attack methods are constantly being devised, but being able to keep up with these new attack methods is extremely effective. Also, as a competitive advantage of the product, unlike this conventional security system, this system is easy to use because it can secure security by simply inserting it. Let's look at the specific construction methods of these technologies below. (See Figure 1) First, a firewall installed at the entrance of the network and a Sensor installed to monitor traffic
And a management director. Senso
When r detects an intrusion, the firewall automatically removes the intruder's access according to Director's instructions. The other consists of a Sensor installed at a critical point in the network to monitor traffic, and a Director, a central management console. When the Sensor detects an intrusion, it automatically eliminates intruder access. The method of listening to the IP packet does not detect its existence outside. Sensor is
Capture all passing packets. They are sorted and stored for source and destination addresses, and inspected using a database of over 200 attack methods. When the Sensor inspection system detects an intrusion, Director sends an alarm and automatically removes intruder access. This technique has the following three features. The synchronization check function constantly checks the packet profile of the visitor and the trend / trend on the communication path with confirmation software, and accumulates dangerous information. Dynamic heari tailored to visitor authentication
ng manages related information, services, and support information for individual visitors. One of the functions of the global cell profiler is that it can decode the duplication of a plurality of packets. The director also manages links between pages, user authentication, and server loopholes.

DESCRIPTION OF THE PREFERRED EMBODIMENTS There are the following three ways of configuring this system. (1) Standalone Sensor (Real-time intrusion detection and TCP session disconnection) Standalone Sensor is a packet Snif
It is connected to the network as "fer" and inspects all passing packets. Directo when intrusion is detected
r is notified of an alarm, and a session is forcibly disconnected by transmitting a reset packet. (T
(2) Sensor with router (reconfiguration of real-time intrusion detection and filtering) Like the Standalone Sensor, all packets that pass through the network and are passed as a packet Sniffer are inspected. Dir when detecting intrusion
In addition to notifying the alarm to the ector and sending a reset packet, the session is forcibly disconnected, and the filtering of the router is dynamically rewritten so that access from the attacked source address is not accepted anymore. (3) Sensor with Firewall (Packet Filtering Firewall and Reconfiguration of Real-Time Intrusion Detection and Filtering) A firewall cryptographic router has a very powerful filtering function and functions as a packet filtering firewall. The passing packet is transferred to the Sensor by the "copy_to" function of the firewall. The Sensor inspects the forwarded packet and, when it detects an intrusion, Dir
notification of an alarm to the
The filtering of the wall is dynamically rewritten so that access from the source address of the attack is not accepted at all. Regarding the stealth configuration of this system,
Add StandaloneSensor and S
The “wither router” has two Ethernet interfaces by default, and one can be set for reading a packet as a sniffer and the other for communication with a director and a router. For the interface set as Sniffer, do not set the IP address and
Since all packets can be picked up in the indiscriminate mode ignoring the MAC address of the Ethernet, by combining with a firewall as shown in the figure, the existence of the Sensor itself cannot be seen from the outside at all. As a result, it is possible to prevent the Sensor from being invaded or attacked from the outside, or to be aware of monitoring. It should be noted that such a configuration is not adopted,
Sniffer and Direct with just one interface
It is also possible to share the communication with the ctor or the router.

When the effects of the above system are compared with the prior art, there are the following issues. First, regarding an example of a network system connected to a public network such as the Internet, five classifications are possible in view of the purpose of use. For education of universities and schools, research and development of companies and government agencies,
For business processing of companies, etc., for general electronic commerce services such as electronic malls and homepages, and for general network connection services such as providers. In this context, it is not necessary to close and protect the external network so much, but it cannot be said that it is highly secure. However, in the cases of and, a connection with the outside is requested while the inside has information that cannot be disclosed to the outside. Usually, security requirements take precedence,
We have to adopt a policy of allowing outside access in the remaining area. In the case of (1), since the purpose is to provide the service to the outside, it is released to the outside to a certain extent, but it is necessary to separately protect a portion having privacy, such as payment data regarding purchase. In these real world systems, for different security requirements, if the system of the present invention is applied, respectively, higher security, connection flexibility, or improvement in speed / service will be achieved. can get. This is different from the conventional method of suspending the communication function of that part in anticipation of the possibility of an attack that may occur in advance, such as encryption or firewall, which is the conventional security, and in the present invention, In order to detect and identify them at the point where the attack was actually made and to prevent them while leaving them open, there is no need to restrict communication in advance, or the burden can be reduced. is there.
This can be viewed as sufficiently contributing to the sound development of a networked society. In addition, as a result of working on the actual construction and operation of the above system, we were surprised at the number of restrictions required to assume the possibility of an attack in a specific situation. Alleviated.
For example, when trying to access (a kind of) an electronic mall from the above system, it is almost impossible to settle the purchase from experience, but if this can reduce the load of communication restriction, Should be possible. Services provided by financial institutions on networks have similar problems. In short, anti-hacker measures to date have been very slow in terms of ease of use and security strength, and are easier to use and have improved security levels for future Internet business development. The supply of a mechanism to make it happen is indispensable, and it was necessary to answer it. Also, if we talk about industrial utility,
The necessity of this system and the estimated value of the user class are as follows. As of the end of 1997, the number of Web sites registered with the Japan Internet Association was less than 10,000, and all of them are likely to be used. Also, jp-
According to a report by cert (an organization related to the Ministry of International Trade and Industry), there are about 150 intrusion cases per month (1,800 cases per year) in Japan alone, and it is estimated that an average of about 20% are victims. There is no doubt that everywhere that is connected to the Internet, and not others, needs technology to prevent it.
In other words, in comparison with the prior art, it can be said that prevention of unauthorized access from the outside is an "active" approach of monitoring and repelling the unauthorized access.
Responding to access through the network is usually U
In UNIX, it is a service process called a daemon, but the standard daemon in the system is usually silent and does not leave detailed logs. There is not much that can restrict access by IP address. The famous "TCP Wrapper"
By replacing inetd (super daemon), which is the main program of the daemon, by using the package, it is possible to obtain access logs, restrict access, and perform booby traps for all daemons started via inetd. The booby trap is a function for executing a registered command (for example, applying a finger to an access source) when an access is made under a certain condition, and may be useful for tracing an intrusion attempt. However, it cannot be said that a system that generally identifies and repels attacks as in the present invention and that can be automatically updated is far from being available. As a precautionary note, here is a summary of conventional firewall technologies and comparisons. The basics of firewall technology include packet filtering and application gateway. By checking the communication packet of each layer, communication of an unacceptable address or service type is prohibited. And there is an application program for adding exceptions to it. In addition, there is also a method of intermediating only secure communications with a robust and reduced functionality relay machine. All are well-known methods, but they need to be used in an appropriate combination. For example, in the Internet TCP / IP protocol, rules and u
In the convention of the ix era, a port number as shown in the figure is assigned to each type of service. For example, if you look at a homepage, the number is 80, and for mail, it is 25. However, since this differs between the sender and the receiver and can sometimes be redefined at the time of communication, it presents complex aspects in implementation and needs to be well constrained by firewall technology. Although it is slightly different from the restriction, the address of the internal system needs to be kept secret, and a technique such as address translation is used for that purpose. The service that must be handled by the firewall and the port number for that are roughly the port number Description 20 File Transfer Protocol, data 21 File Transfer Protocol, Control 23 Telenet 25 Wide Web 110 Post Office Protocol-ver. 3 119 Network News Transfer Protocol 123 Network Time Protocol 194 Internet Relay Chat Protocol. For these, whether or not passage is possible is set. Specific element technologies for configuring the firewall include target Hardware Address, Address Resolution Protocol ICMP (Route Control Protocol), DNS (Domain Name System) IP address, TCP connection, re-connection, re-connection, re-connection, re-connection, re-connection, re-connection, re-connection, re-connection, re-communication, re-communication, re-communication, re-connection, re-communication , Virtual Private Network Dynamic Packet Filtering Application Level Gateway, Circuit Level Gateway Transport Proxy Server ec. And so on. These firewall-related technologies include route control, address translation, transparent proxy, service-added TCP connections, and user accounts. From a different perspective, this means that if a truly sophisticated attack is performed, the problem is only time, and today's common security equipment cannot completely eliminate intrusions from outside. It simply increases the time required for intrusion. In the absence of any security measures, the intrusion can take minutes to hours. If a general security device (firewall, authentication, etc.) is installed, the time required for intrusion increases from several days to several months. However, if they cannot be found in the meantime, the intrusion will succeed. It can also be said that the system of the present invention deprives hackers of time by detecting and eliminating intrusions in real time. From an additional standpoint, it is true that the prior art does not protect against insider threats. The FBI reports that 80% of computer crimes are internal crimes. If you ignore the areas with the greatest risk, the measures are not perfect. Most of the important corporate data resides on the internal LAN, and most current security devices are ineffective against insider threats. The system of the present invention can be installed not only at the connection points with the outside but also at important points of the internal network without affecting the network configuration and performance at all. In any case, it goes without saying that all of these firewall technologies are different from the present invention. The method of "setting security policy" that is often performed is described. Of course, security and ease of use tend to conflict. Security Policy “Policy on Organizational Security Approach” “Purpose” Build, operate, and raise awareness in an effective security environment (1) Needs analysis Determine basic stance (2) Risk analysis Identify assets, identify threats Identification (3) Setting of access rights Users, types of rights, holders of setting authority (4) Selection of measures Organizational measures, institutional measures, technical measures (5) Clarification of responsibilities Rights of managers and users (6) Establishment of operation policy Daily operation / management, penalties, emergency response (7) Documentation stance, scope, rules and reasons, execution authority and responsibilities Security environment construction procedures Policy development-> Policy implementation- > Security Audit-
> Operation Note that the “security policy” here is a mixture of “what to protect”, “from what” and “how”, but the level of satisfaction depends on management decisions. The damage is 0 or 1, and it is true that the effect tends to be unknown if no damage is encountered. As in the present invention, without depending on the formulation of a security policy,
It is also important that an effective and lean security environment can be built, and that operations and recognition can be shared. In particular, what is commonly said is that, in the balance of security, convenience, and cost in consideration of education and maintenance costs, 100% security is not possible and the investment cost does not exceed the estimated damage. Is one guideline. " This content should also be revised.
By the way, in most cases, there is no way to evaluate how effective these security systems are. Further, a general security device does not have a function of notifying the effect in real time, and analyzing an audit log is a very time-consuming operation requiring specialized knowledge. This system can not only notify in real time, but also easily output an analysis report such as the attack source address, the address that was attacked, the attack method, and the time. And even in the event of an attack, it works effectively to reduce recovery costs. Most security products do not help reduce the cost of recovery in the event of a breach. The longer an attacker's hacker has been active,
Recovery time and costs will increase. Also, most security products do not have a way to keep an accurate record of what happened on the network. The system reduces hackers' time on the network, total damage, and recovery costs by detecting and eliminating intrusions in real time. In addition, by acquiring session data as logs, it is possible to accurately understand what activities have been performed on the network. Network management costs have already been mentioned where engineers need it. Most security products are not designed with manageability and ease of use as their primary goals. Current security products are products that are very burdensome for administrators. Companies must call on vendor experts each time they make configuration changes to their security products. Most security products have a significant impact on network performance and usability, but this system does not. It also compares with existing "security audit tools". There are several well-known audit tools for comprehensive security checks. COPS (Computed Oracleland)
Password System is an internal audit, and the external audit tool is ISS (Internet Sec).
urity Scanner) or SATAN (Secu)
rity Administrator Tool f
or Analyzing Networks). These can be used to check externally for various known security holes that can be attacked over the network. SATA
It is well known that N itself is in the form of a report itself. Needless to say, it is desirable to check not only once but also periodically. In the United States and Europe, there are organizations called NCSA, and there is a service that performs such operational checks and affixes safety certification seals. However, these tools can be exploited by crackers and do not by themselves have the ability to stop attacks. The present invention is equivalent to the above-mentioned audit being regularly and continuously performed. On the other hand, when we review these businesses in their entirety, it is clear that they are joint projects centered on networks. In situations where most businesses now seem to be connected to the Internet,
The credibility of the network security with which you are collaborating is also an important concern, and cannot be ignored in terms of the social responsibilities that you must take. Even if you think in a real case, I got it from an important customer,
It is not morally permissible that important products or samples may have been stolen. Even more, if the reason is forgetting to lock or fail to close, it will be useless even if it is a amateur. Things like ordinary common sense, such as distinguishing our competitors, connecting the internal network to the outside, etc.
I want everyone to be protected. In this situation, the system works effectively to identify attacks. Since it is impossible to connect all the joint operators with a dedicated line because of the cost, it is not a joint business without a network, but a network cooperative business that makes it possible to use the Internet freely and safely. It is effective as a network between the joint enterprises that is assumed to be effective, to be able to loosely connect the joint enterprises, and to be able to cope with the change. The information provision destination on the Internet for reference is added. The url is as follows. Fire-wall Tool Kit; http: //
/ Www. tis. com / prodserv / fwt
k / readme. html ISF; www. agent. co. jp / isf / Real Secure; http: // iss. ne
t / Network Flight Recorder; h
http: // www. nfr. net / NetRanger; http: // www. cisc
o. com / warp / public / 146 / feb
ruary98 / 12. http: // www. nfr. net / Omni-Guard ITA (Intrusion
Alert); http: // www. axis. c
om / product / ita / ita. htmEnt
erprise Security (Resource
e) Manager; http: // www. axes
nt. com / product / esm / esm. ht
m NetRecon; http: // www. axen
t. com / netrecon /

[Brief description of the drawings]

FIG. 1 is an overall configuration of an Internet security system to which an embodiment of the present invention is applied.

FIG. 2 is an overall configuration of an Internet security system to which another embodiment of the present invention is applied.

 ──────────────────────────────────────────────────続 き Continuing on the front page F term (reference) 5B017 AA01 BA07 BB02 CA15 CA16 5B089 GA31 HA10 JB16 KA17 KC60 MC02 5K030 GA15 HA08 HB16 HC01 JA10 KA01 KA02 LC13 LD19 MA04 MC08 5K033 AA08 BA04 DA06 DB12 DB14 DB20 EC03 CC07 EA06 CC CC08 JJ12 JJ25 LL03 LL09

Claims (7)

[Claims] 1. At the entrance of a network system in an organization connected to an external public network such as the Internet, an external attack or intrusion is detected by monitoring temporally accumulated IP packets. A surveillance system that is unique to doing 2. In a network system in an organization,
By monitoring IP packets that accumulate in time,
A surveillance system characterized by detecting internal attacks or intrusions. 3. A communication packet that is not addressed to itself can be collected as data, ignoring an address determined in hardware, such as Ethernet-card, so that its presence can be shown on a network. The monitoring system according to claim 1, wherein the presence of the monitoring system is not detected at all outside of the monitoring system. 4. A monitoring system according to claim 1, wherein the monitoring system has an updatable database so that it can cope with a new pattern. . 5. The surveillance system according to claim 1 or / and claim 2 and / or claim 3 and / or claim 4, wherein when an intrusion or an attack is detected, the monitoring of the Internet or the like is performed. Located at the entrance to an internal network system connected to an external public network,
A defense system characterized by dynamically changing the standard of communication permission in a device that filters IP packets and blocking its intrusion or attack. 6. The method according to claim 1, characterized in that it is easy to use by simply inserting it so that security can be ensured. A monitoring and / or defense system according to claim 4 or / and claim 5. 7. The communication network according to claim 1, wherein all communication packets not addressed to the communication packet can be collected ignoring the physical address of the communication network in the communication network. A monitoring and / or defense system according to claim 3 and / or claim 4 and / or claim 5 and / or claim 6.