JP2011205451A - Unauthorized terminal interruption system, and unauthorized terminal interruption apparatus used therefor - Google Patents

Abstract

An object of the present invention is to provide an unauthorized terminal blocking system or the like that can easily register a specific communication device.
An unauthorized terminal blocker 2 includes a storage unit 23 that stores a table 23a in which an IP address and a MAC address are associated with each other, and an intercepted ARP request packet includes a MAC address that is not registered in the table 23a. Then, the communication of the communication device with the MAC address is blocked. When acquiring the group ID included in the ARP request packet, the unauthorized terminal blocker 2 registers the IP address and the MAC address of the communication device included in the ARP request packet in the identifier table.
[Selection] Figure 2

Description

  The present invention relates to an unauthorized terminal blocking device for blocking communication of an unauthorized terminal illegally connected to a communication line and an unauthorized terminal blocking device used therefor.

  Conventionally, a technique described in Patent Document 1 below is known as a technique for blocking unauthorized communication. This patent document 1 describes an unauthorized terminal blocking device that detects unauthorized terminals connected to a LAN network in a communication system that performs IP (Internet Protocol) communication on a LAN (Local Area Network) network.

  For example, as shown in FIG. 18, the unauthorized terminal blocking device 110 blocks communication of the unauthorized terminal when the unauthorized terminal 120 is connected to the LAN network to which the communication devices 100A and 100B are connected. Legitimate communication devices 100A and 100B and unauthorized terminal 120 have LAN I / Fs 101 and 111 as shown in FIGS. 19 and 20, and can be connected to a LAN network. These LAN I / Fs 101 and 111 are assigned unique MAC (Media Access Control address) addresses. In this LAN network, in order to perform IP communication by the IP communication unit 102 and the processing unit 103, it is necessary to exchange the MAC address with the communication partner by using ARP (Address Resolution Protocol) (RFC (Request For Comments) 826).

  The unauthorized terminal blocker 110 obtains a transmission source address from the intercepted ARP request packet and collates it with address information (MAC address, IP address) registered in advance. This ARP request packet is as shown in FIG. 21, for example. This ARP request packet is transmitted when the unauthorized terminal 120 impersonates the communication device 100B and acquires the MAC address (a) of the communication device 100A. As a result of the collation, the unauthorized terminal blocking device 110 determines whether or not the transmission source of the ARP request packet is the unauthorized terminal 120. When the unauthorized terminal blocking device 110 determines the presence of the unauthorized terminal 120, the unauthorized terminal blocking device 110 blocks the communication of the unauthorized terminal 120 by transmitting a packet that interferes with the communication of the unauthorized terminal 120.

JP 2007-266931 A

  However, in the conventional technique, the address information registered in the unauthorized terminal blocking device 110 is configured by information (MAC address, IP address) included in the ARP packet. Usually, these MAC addresses and IP addresses are assigned to the communication devices 100A and 100B. For this reason, even when it is desired to permit communication in units of groups such as models and product groups, the unauthorized terminal blocker 110 has to register a MAC address and an IP address individually for each corresponding device.

  Therefore, the present invention has been proposed in view of the above-described circumstances, and an object thereof is to provide an unauthorized terminal blocking system capable of easily registering a specific communication device and an unauthorized terminal blocking device used therefor. To do.

  An unauthorized terminal blocking system according to a first invention that solves the above-described problem includes at least an authorized first communication device, an authorized second communication device that performs communication in response to a request of the first communication device, and an unauthorized A terminal blocking device is connected via a communication line, and the unauthorized terminal blocking device stores a communication means for transmitting and receiving packets via the communication line, and an identifier table in which at least a communication identifier and a physical identifier are associated with each other. And when the physical identifier that is not registered in the identifier table is present in the physical identifier request packet intercepted by the communication means with reference to the identifier table, the communication of the communication device with the physical identifier is blocked. And a blocking processing means for performing blocking processing, wherein the first communication device uses a physical identifier of the second communication device to communicate with the second communication device. The physical identifier request packet to be transmitted includes a group identifier for handling a plurality of devices as a group, and the unauthorized terminal blocker acquires the group identifier included in the physical identifier request packet. The communication identifier and physical identifier of the first communication device included in the physical identifier request packet are registered in the identifier table.

  An unauthorized terminal blocking system according to a first invention, wherein the first communication device authenticates the first communication device in addition to the group identifier in the physical identifier request packet. The authentication value includes a secret key, a physical identifier, or a value obtained by converting the group identifier.

  An unauthorized terminal blocking system according to a first invention, wherein the first communication device authenticates the first communication device in addition to the group identifier in the physical identifier request packet. The authentication value includes a value obtained by encrypting a physical identifier or the group identifier with a private key in a public key cryptosystem.

  The unauthorized terminal blocking system according to the second or third invention, wherein the first communication device includes the communication identifier as a calculation target for obtaining the authentication value. Features.

  The unauthorized terminal blocking system according to any one of the first to fourth inventions, wherein the unauthorized terminal blocking device receives a physical identifier request packet including the group identifier, The communication identifier and physical identifier of the first communication device included in the physical identifier request packet are temporarily registered in the identifier table.

  An unauthorized terminal blocking system according to a fourth invention, wherein the unauthorized terminal blocking device is configured to store a communication identifier and a physical identifier of the first communication device temporarily registered in the identifier table. In addition, it is characterized in that it is officially registered in the identifier table on the basis of an input corresponding to the operation of the administrator of the unauthorized terminal blocking system.

  A fraudulent terminal blocking apparatus according to a seventh invention for solving the above-mentioned problem is that a first communication device and a second communication device that performs communication in response to a request from the first communication device are connected via a communication line. A communication unit that transmits and receives packets via the communication line; a storage unit that stores an identifier table in which a communication identifier and a physical identifier are associated with each other; a physical unit that is intercepted by the communication unit with reference to the identifier table; When a physical identifier that is not registered in the identifier table exists in the identifier request packet, the identifier request packet includes a blocking processing unit that performs a blocking process to block communication of the communication device with the physical identifier, and the communication unit includes the first communication unit. When the physical identifier request packet including a group identifier for handling a plurality of devices transmitted from a communication device as a group is received, the storage means And registers the communication identifier and physical identifier of the first communication device included in the physical identifier request packet identifier table.

  According to the present invention, a device group can be easily registered by setting a group identifier for a specific communication device.

It is a block diagram showing an example of 1 composition of an unauthorized terminal interception system shown as a 1st embodiment of the present invention. It is a block diagram which shows the example of 1 structure of the communication apparatus in the unauthorized terminal interruption | blocking system shown as 1st Embodiment of this invention. It is a block diagram which shows the example of 1 structure of the unauthorized terminal blocker in the unauthorized terminal block system shown as 1st Embodiment of this invention. It is a figure which shows an example of the ARP request packet transmitted in the unauthorized terminal block system shown as 1st Embodiment of this invention. It is a flowchart which shows the process sequence when an unauthorized terminal block device receives an ARP request packet in the unauthorized terminal block system shown as 1st Embodiment of this invention. It is a block diagram which shows the example of 1 structure of the communication apparatus in the unauthorized terminal interruption | blocking system shown as 1st Embodiment of this invention. It is a block diagram which shows the example of 1 structure of the communication apparatus in the unauthorized terminal block | disconnection system shown as 2nd Embodiment of this invention. It is a block diagram which shows the example of 1 structure of the unauthorized terminal blocker in the unauthorized terminal block system shown as 2nd Embodiment of this invention. It is a figure which shows an example of the ARP request packet transmitted in the unauthorized terminal block system shown as 2nd Embodiment of this invention. It is a flowchart which shows the process sequence when an unauthorized terminal block device receives an ARP request packet in the unauthorized terminal block system shown as 2nd Embodiment of this invention. It is a block diagram which shows the other structural example of the unauthorized terminal blocker in the unauthorized terminal block system shown as 2nd Embodiment of this invention. It is a figure which shows another example of the ARP request packet transmitted in the unauthorized terminal block | disconnection system shown as 2nd Embodiment of this invention. It is a block diagram which shows the example of 1 structure of the communication apparatus in the unauthorized terminal block | disconnection system shown as 2nd Embodiment of this invention. It is a figure which shows another example of the ARP request packet transmitted in the unauthorized terminal block | disconnection system shown as 2nd Embodiment of this invention. It is a block diagram which shows the example of 1 structure of the unauthorized terminal block | disconnection system shown as 3rd Embodiment of this invention. It is a block diagram which shows the other structural example of the unauthorized terminal blocker in the unauthorized terminal block system shown as 3rd Embodiment of this invention. It is a flowchart which shows the process sequence when an unauthorized terminal block device receives an ARP request packet in the unauthorized terminal block system shown as 3rd Embodiment of this invention. It is a communication system figure explaining background art. It is a block diagram which shows an example of the communication apparatus in background art. It is a block diagram which shows an example of the unauthorized terminal blocker in background art. It is a figure which shows an example of the ARP request packet transmitted in background art.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

[First Embodiment]
The unauthorized terminal blocking system shown as the first embodiment of the present invention is configured, for example, as shown in FIG. In this unauthorized terminal blocking system, a plurality of communication devices 1A and 1B and an unauthorized terminal blocking device 2 are connected to a communication network NT composed of a communication line such as a LAN. In this unauthorized terminal blocking system, the communication devices 1A and 1B are devices that are legally connected. The unauthorized terminal blocking device 2 blocks communication of the unauthorized terminal 3 when the unauthorized terminal 3 is connected and a packet is transmitted to the communication network NT to which the communication devices 1A and 1B are connected.

  In the communication apparatus 1A, “A” is set as the IP address (communication identifier), and “a” is set as the MAC address (physical identifier). In the communication device 1B, “B” is set as the IP address, and “b” is set as the MAC address. Further, “M” is set as the same group ID (group identifier) in the communication apparatuses 1A and 1B. This group ID is an identifier for handling a plurality of devices as a group of groups. The group ID is assigned to, for example, an arbitrary group set by an administrator such as a department using the communication devices 1A and 1B, or a device of a specific type and a product group.

  The unauthorized terminal 3 has “X” set as the IP address and “x” set as the MAC address. The group ID is not given to the unauthorized terminal 3. The unauthorized terminal 3 includes a communication device connected by a malicious third party who wants to communicate illegally with the communication devices 1A and 1B, and communication that transmits unauthorized data to other devices infected by viruses such as worms. Examples thereof include an apparatus.

  The communication devices 1A and 1B include a LAN I / F 11, an IP communication unit 12, and a processing unit 13, as shown in FIG. A group ID 14a is assigned to each of the communication devices 1A and 1B. The group ID 14a is set by an administrator of the unauthorized terminal blocking system or set at the time of manufacture, and is stored in a memory or a hard disk device.

  In such communication apparatuses 1A and 1B, the processing unit 13 generates application data and the like, and the IP communication unit 12 performs processing for adding an IP header and a data link layer header, and the packet is transmitted via the LAN I / F 11. Send and receive.

  When the communication devices 1A and 1B start communication with other communication devices, the communication devices 1A and 1B broadcast an ARP request packet (physical identifier request packet) requesting acquisition of the IP address of the communication partner on the communication network NT. At this time, the communication devices 1A and 1B use the IP communication unit 12 to copy and store the group ID 14a in the padding area of the ARP request packet.

  Such an ARP request packet is, for example, as shown in FIG. FIG. 4 shows an ARP request packet when the communication device 1A wants to acquire the MAC address of the communication device 1B. That is, when the communication device 1A is the first communication device, the communication device 1B is the second communication device that performs communication in response to a request from the first communication device.

  The broadcast address is stored in the destination MAC address of the ARP request field in the Ethernet (registered trademark) protocol, and the MAC address of the communication device 1A is stored in the source MAC address field. In the ARP protocol, the source MAC address field is the MAC address (a) of the communication device 1A, the source IP address is the IP address (A) of the communication device 1A, the destination MAC address field is "0", and the destination IP address field Stores the IP address (B) of the communication device 1B. A group ID field is provided in a padding area in the Ethernet (registered trademark) protocol, and the group ID (M) of the communication device 1A is stored in the group ID field.

  The communication devices 1A and 1B receive the ARP request packet through the LAN I / F 11. At this time, when the destination IP address of the ARP request packet is its own IP address, the LAN I / F 11 returns an ARP response packet including its own MAC address to the transmission source of the ARP request packet.

  The communication devices 1A and 1B receive the ARP response packet from the communication partner via the LAN I / F 11. As a result, the LAN I / F 11 can obtain the MAC address of the communication partner stored in the ARP response packet.

  The unauthorized terminal blocking device 2 includes a LAN I / F 21, a processing unit 22, a storage unit 23, and a setting I / F 24.

  The storage unit 23 stores an address table (identifier table) 23a that stores a set of IP addresses and MAC addresses of the communication apparatuses 1A and 1B that are legally connected to the communication network NT. In the address table 23a, a set of an IP address and a MAC address is registered at any time when the LAN I / F 11 intercepts a packet transmitted / received in the communication network NT.

  Further, the storage unit 23 stores a group ID corresponding to the IP address and the MAC address in the address table 23a. The address table 23a stores a plurality of group IDs including the group ID (M) of the communication devices 1A and 1B. This address table 23a is constructed by registering the group ID supplied via the setting I / F 24 according to the PC operation or the like of the administrator of the unauthorized terminal blocking system. In the address table 23a, an IP address and a MAC address corresponding to the group ID can be registered for each of the communication devices 1A and 1B by intercepting the ARP packet flowing in the communication network NT.

  The LAN I / F 21 intercepts an ARP request packet flowing in the communication network NT. This ARP request packet is supplied to the processing unit 22.

  The processing unit 22 acquires the group ID from the padding area of the ARP request packet supplied via the LAN I / F 21. This group ID is stored in the group ID field of the padding area in the Ethernet (registered trademark) protocol as shown in FIG. When acquiring the group ID included in the ARP request packet, the processing unit 22 registers the IP address and MAC address of the communication devices 1A and 1B included in the ARP request packet in the address table 23a. Thereby, the memory | storage part 23 can memorize | store the address table 23a with which the MAC address, IP address, and group ID of communication apparatus 1A, 1B were matched.

  When the transmission source MAC address of the ARP request packet intercepted by the LAN I / F 21 is a MAC address that is not registered in the address table 23a, the processing unit 22 performs a blocking process that blocks communication of the communication device having the MAC address. (Blocking processing means). Further, as illustrated in FIG. 5, when the group ID included in the padding area of the ARP request packet is not registered in the address table 23 a (Step S <b> 11), the processing unit 22 determines the ARP request packet. The communication of the transmission source is cut off (step S12).

  The process in which the unauthorized terminal blocking device 2 blocks the transmission of the transmission source only needs to be able to block communication from the unauthorized terminal 3 to the communication devices 1A and 1B by a known method. The process of blocking the communication of the unauthorized terminal 3 can be realized by ARPSpoof, for example. For example, when the unauthorized terminal blocking device 2 receives an ARP packet in which the unauthorized terminal 3 inquires about the MAC address from the IP address, it responds with a fake MAC address regardless of the IP address included in the packet. Thereby, it is possible to prevent the unauthorized terminal 3 from acquiring a correct MAC address, and it is possible to block communication using IP. In response to an ARP inquiry from the unauthorized terminal 3, the MAC address of another communication device such as a server that manages the unauthorized terminal 3 is used as an ARP response. Thus, the communication destination of the unauthorized terminal 3 can be guided to the other communication device.

  As described above, according to the unauthorized terminal blocking system shown as the first embodiment, by setting a group ID to a specific communication device group, the device group can be easily registered. Then, the unauthorized terminal blocker 2 can block communication with reference to the group ID. Therefore, even if the unauthorized terminal 3 is connected to the communication network NT and transmits the ARP request packet by spoofing the IP addresses of the communication apparatuses 1A and 1B, the unauthorized terminal blocking device 2 can block communication based on the group ID. .

  Further, according to this unauthorized terminal blocking system, specific communication devices can be registered together by group ID, so there is no need to register in the unauthorized terminal blocking device 2 for each communication device belonging to the group. The burden can be reduced.

  Furthermore, according to this unauthorized terminal blocking system, by using a non-use area called a padding area of an ARP packet, a group unit such as a model or a product group by a group ID is generated without causing a change in communication procedure or an increase in traffic. You can allow communication.

  As shown in FIG. 6, the communication apparatuses 1 </ b> A and 1 </ b> B include a setting I / F 15, and the group ID 14 a may be set according to a signal from a PC or the like connected to the setting I / F 15. As described above, by enabling the group ID 14a of the communication devices 1A and 1B to be set via the setting I / F 15, the communication devices 1A and 1B can be grouped more flexibly to reduce the burden on the administrator.

[Second Embodiment]
Next, an unauthorized terminal blocking system according to the second embodiment will be described. In addition, about the part similar to the above-mentioned 1st Embodiment, the detailed description is abbreviate | omitted by attaching | subjecting the same code | symbol.

  The unauthorized terminal blocking system shown as the second embodiment includes other values in the ARP request packet as authentication values for authenticating the communication devices 1A and 1B in addition to the group ID.

  As shown in FIG. 7, an authentication value 14b is set in the communication devices 1A and 1B in such an unauthorized terminal blocking system in addition to the group ID 14a. Similarly to the group ID 14a, the authentication value 14b is set and stored at the time of PC operation or manufacturing by the administrator. This authentication value 14b is read by the IP communication unit 12 in the same manner as the group ID 14a. As shown in FIG. 9, the IP communication unit 12 includes an authentication value 14b in addition to the group ID 14a in the padding area of the ARP request packet. Note that the communication devices 1A and 1B combine the secret key, the MAC address, and the group ID, and use, for example, a value converted by a predetermined hash function such as MD4 and MD5 as the authentication value of the communication devices 1A and 1B. .

  As shown in FIG. 8, the unauthorized terminal blocking device 2 stores a secret key 23b as an authentication value for authenticating the communication devices 1A and 1B in the address table 23a. The secret key 23b is set via the setting I / F 24 and registered in the address table 23a of the storage unit 23, like the group ID. The unauthorized terminal blocking device 2 registers the same value as the secret key 23b used by the communication devices 1A and 1B.

  When the transmission source MAC address of the ARP request packet intercepted by the LAN I / F 21 is a MAC address that is not registered in the address table 23a, the processing unit 22 performs a blocking process that blocks communication of the communication device having the MAC address. (Blocking processing means). As shown in FIG. 10, when the group ID included in the padding area of the ARP request packet is not registered in the address table 23a (step S11), the processing unit 22 The communication of the transmission source is cut off (step S12). On the other hand, when the group ID is registered in the address table 23a, the processing unit 22 determines whether the authentication value included in the ARP request packet is a correct authentication value registered in the address table 23a ( Step S21). At this time, the processing unit 22 calculates an authentication value using the secret key 23b, group ID, and MAC address registered in advance in the storage unit 23, and compares the calculated value with the received authentication value. When the received authentication value is a correct authentication value, communication of the transmission source of the ARP request packet is permitted. On the other hand, if the authentication value is not correct, communication of the transmission source of the ARP request packet is blocked (step S12).

  According to such an unauthorized terminal blocking system, since the authentication value is included in the ARP request packet in addition to the group ID, if the authentication value is not correct, the communication of the unauthorized terminal 3 can be blocked and security can be improved. it can. That is, even if the fraudulent terminal 3 intercepts the group ID and the authentication value included in the ARP request packet and transmits the ARP request using them, the communication devices 1A and 1B can be spoofed by the communication devices 1A and 1B. Since the MAC address is different from that, the unauthorized terminal blocking device 2 can determine that the authentication value is not correct and block communication of the unauthorized terminal 3. Therefore, this unauthorized terminal blocking system can further improve security.

  In the second embodiment, the communication devices 1A and 1B combine the MAC address and the group ID as authentication values for authenticating the communication devices 1A and 1B, and encrypt the hashed value with a private key in the public key cryptosystem. It is also possible to include converted values. On the other hand, as shown in FIG. 11, the unauthorized terminal blocking device 2 stores the public key 23c of the communication devices 1A and 1B that can decrypt the authentication value encrypted with the private key of the communication devices 1A and 1B. .

  In such an unauthorized terminal blocking system, the processing unit 22 of the communication devices 1A and 1B encrypts a value obtained by hashing a group ID and a value including the group ID and the MAC address with a private key of a public key cryptosystem. An ARP request packet including the value in the padding area is transmitted.

  The processing unit 22 acquires a group ID and an authentication value from the padding area of the ARP request packet. The processing unit 22 determines whether the group ID is registered in advance in the address table 23a. Further, the processing unit 22 obtains a value obtained by decrypting the received authentication value with the public key 23c. Then, it is determined whether or not the decrypted value is the same as the hashed value of the registered group ID and MAC address. When the group ID is registered in advance in the address table 23a and the decrypted value is the same as the hashed value of the registered group ID and the MAC address, the processing unit 22 Is determined to be valid. Otherwise, the processing unit 22 determines that the transmission source of the ARP request packet is the unauthorized terminal 3 and blocks communication of the unauthorized terminal 3.

  As described above, even in this unauthorized terminal blocking system, since the authentication value is included in the ARP request packet in addition to the group ID, the communication of the unauthorized terminal 3 can be blocked if the authentication value is different. Can be improved. Further, according to this unauthorized terminal blocking system, it is possible to improve security as compared with the case where the above-described secret key 23b is used as an authentication value. That is, when the secret key 23b is leaked from the unauthorized terminal blocking device 2 or the like, the authentication value can be camouflaged with the secret key 23b and the group ID and MAC address of the ARP request packet. However, according to this unauthorized terminal blocking system, even if the public key 23c of the communication devices 1A and 1B leaks from the unauthorized terminal blocking device 2 or the like, if the private key of the communication devices 1A and 1B does not leak, the unauthorized terminal 3 An authentication value cannot be generated. Therefore, this unauthorized terminal blocking system can further improve security.

  Furthermore, in the unauthorized terminal blocking system shown as the second embodiment, the communication devices 1A and 1B may include an IP address as a calculation target for obtaining an authentication value. In this unauthorized terminal blocking system, the communication devices 1A and 1B have a secret key 14c set in addition to the group ID 14a as shown in FIG.

  For example, as shown in FIG. 14, the communication apparatuses 1A and 1B combine the secret key 14c, the MAC address, the IP address, and the group ID 14a with the authentication value field, and create an ARP request packet that stores the hashed value. Further, the communication devices 1A and 1B may include a value obtained by hashing a value including an IP address with a private key of a public key cryptosystem in the authentication value field.

  The processing unit 22 acquires a group ID and an authentication value from the padding area of the ARP request packet. The processing unit 22 determines whether the group ID is registered in advance in the address table 23a. Further, the processing unit 22 determines whether or not the received authentication value matches the authentication value obtained by calculating the value including the IP address by the same method as the communication devices 1A and 1B. When the group ID is registered in advance in the address table 23a and the received authentication value is the same as the value calculated from the value including the registered IP address, the processing unit 22 transmits the ARP request packet. It is determined that the original is valid. Otherwise, the processing unit 22 determines that the transmission source of the ARP request packet is the unauthorized terminal 3 and blocks communication of the unauthorized terminal 3.

  As described above, since this unauthorized terminal blocking system includes an authentication value in addition to the group ID in the ARP request packet, if the authentication value is different, communication of the unauthorized terminal 3 can be blocked, and security is improved. be able to. Here, when an ARP request packet is transmitted from another network using the MAC address acquired by the unauthorized terminal 3, it is easily disguised. However, in this unauthorized terminal blocking system, even if the unauthorized terminal 3 transmits an ARP request packet from another network, since the IP address is different between the communication network NT and the other network, the authentication value intercepted by the communication network NT is It will not match. Therefore, this unauthorized terminal blocking system can further improve security.

[Third Embodiment]
Next, an unauthorized terminal blocking system according to the third embodiment will be described. Note that parts similar to those in the above-described embodiment are denoted by the same reference numerals, and detailed description thereof is omitted.

  The unauthorized terminal blocking system shown as the third embodiment temporarily stores the IP address and MAC address of the communication devices 1A and 1B included in the ARP request packet including the group ID in the address table 23a of the unauthorized terminal blocking device 2. sign up. Then, the unauthorized terminal blocking device 2 officially sets the IP address and MAC address of the communication devices 1A and 1B temporarily registered in the address table 23a according to the PC operation of the administrator of the unauthorized terminal blocking system. Are registered in the address table 23a.

  In this unauthorized terminal blocking system, for example, as shown in FIG. 15, an unauthorized terminal 3 ′ who wiretapped the group ID (M) of the communication apparatuses 1 </ b> A and 1 </ b> B is connected to the communication network NT. In this case, if the unauthorized terminal 3 ′ stores the group ID (M) in the padding area of the ARP request packet, the unauthorized terminal 3 ′ is not determined to be unauthorized and may acquire the MAC addresses of the communication apparatuses 1 </ b> A and 1 </ b> B. On the other hand, even if the group ID is registered in the address table 23a of the unauthorized terminal blocking device 2, the unauthorized terminal blocking system temporarily registers temporarily in the address table 23a.

  For this purpose, as shown in FIG. 16, the unauthorized terminal blocker 2 stores a temporary registration table in which the MAC address 23d temporarily registered in the address table 23a is associated with the status 23e in the storage unit 23. ing. The status 23e is one of “approval” for which registration is officially permitted by the administrator, “hold” for which registration is not yet permitted by the administrator, and “blocking” for which registration is rejected by the administrator. This status 23e is set to “approval” or “approval” or “approval” or “approval” by supplying an “approval” or “blocking” command for each MAC address through the setting I / F 24 by an administrator's PC operation or the like. Switched to “block”.

  The unauthorized terminal blocking device 2 includes a notification I / F 25. When the source MAC address of the ARP request packet is not registered in the address table 23a, the fact is notified to the administrator via the notification I / F 25. The notification I / F 25 is notified by a screen display or the like that, for example, an administrator's operation PC is connected and an ARP request packet is transmitted from a terminal having an unregistered MAC address.

  The unauthorized terminal blocking device 2 in such an unauthorized terminal blocking system performs the process shown in FIG. 17 when receiving the ARP packet.

  First, the processing unit 22 extracts a group ID and a MAC address included in an ARP request packet intercepted from the communication network NT. Next, in step S <b> 11, the processing unit 22 determines whether the received group ID is registered in the address table 23 a of the storage unit 23. If the received group ID is not registered, the transmission source of the ARP request packet is determined as the unauthorized terminal 3 in step S12, and communication is blocked. On the other hand, if the received group ID is registered, the process proceeds to step S31.

  In step S31, the processing unit 22 determines whether or not the transmission source MAC address of the ARP request packet is registered in the address table 23a. If the source MAC address of the ARP request packet is not registered in the address table 23a, in step S34, the processing unit 22 connects a terminal whose MAC address is not registered to the communication network NT via the notification I / F 25. Notify that it has been done. Further, in step S35, the processing unit 22 stores the MAC address 23d to temporarily register in the storage unit 23, and stores a “pending” status 23e corresponding to the MAC address 23d. Update the temporary registration table.

  If the source MAC address of the ARP request packet is registered in the address table 23a, the processing unit 22 determines whether or not the status 23e is “blocked” in step S32. If the status 23e is “blocked”, the processing unit 22 blocks the communication of the unauthorized terminal 3 in step S33 because the transmission source of the ARP request packet is the unauthorized terminal 3. On the other hand, when the status 23e is not “blocking”, the processing unit 22 performs processing according to a preset policy.

  As described above, according to the unauthorized terminal blocking system shown as the third embodiment, when the group ID is registered in the address table 23a and the MAC address is not registered in the address table 23a, temporary registration is performed. And Therefore, according to this unauthorized terminal blocking system, it is possible to avoid automatically registering in the address table 23a and permitting communication if the group ID is registered.

  In addition, in the case where this unauthorized terminal blocking system is temporarily registered in the address table 23a, it can be formally registered according to the subsequent PC operation of the administrator. Therefore, according to this unauthorized terminal blocking system, it is possible to entrust the administrator to determine whether or not the communication device newly connected to the communication network NT is the unauthorized terminal 3, thereby further improving security.

  The above-described embodiment is an example of the present invention. For this reason, the present invention is not limited to the above-described embodiment, and various modifications can be made depending on the design and the like as long as the technical idea according to the present invention is not deviated from this embodiment. Of course, it is possible to change.

1A, 1B Communication device 2 Unauthorized terminal blocking device 3 Unauthorized terminal 11 LAN I / F
12 IP communication unit 13 Processing unit 14a Group ID
14b Authentication value 14c Private key 21 LAN I / F
22 processing unit 23 storage unit 23a address table 23b private key 23c public key 23d MAC address 23e status

Claims (7)

At least a legitimate first communication device, a legitimate second communication device that performs communication in response to a request from the first communication device, and an unauthorized terminal blocking device are connected via a communication line,
The unauthorized terminal blocking device is
Communication means for transmitting and receiving packets via the communication line;
Storage means for storing an identifier table in which at least a communication identifier and a physical identifier are associated;
Referring to the identifier table, when a physical identifier not registered in the identifier table exists in the physical identifier request packet intercepted by the communication means, a blocking process is performed to block communication of the communication device with the physical identifier. A shut-off processing means,
The first communication device includes a group identifier for handling a plurality of devices as a group in the physical identifier request packet for requesting a physical identifier of the second communication device to communicate with the second communication device. Including
When the unauthorized terminal blocking device acquires the group identifier included in the physical identifier request packet, the unauthorized terminal blocker registers the communication identifier and physical identifier of the first communication device included in the physical identifier request packet in the identifier table. An illegal terminal blocking system characterized by this.   In addition to the group identifier, the first communication device includes a secret key, a physical identifier, or a value obtained by converting the group identifier as an authentication value for authenticating the first communication device in the physical identifier request packet. The unauthorized terminal blocking system according to claim 1.   In addition to the group identifier, the first communication device uses the physical identifier or the group identifier as a authentication value for authenticating the first communication device by a private key in the public key cryptosystem. The unauthorized terminal blocking system according to claim 1, further comprising an encrypted value.   4. The unauthorized terminal blocking system according to claim 2, wherein the first communication device includes the communication identifier as a calculation target for obtaining the authentication value. 5.   When receiving the physical identifier request packet including the group identifier, the unauthorized terminal blocker temporarily stores the communication identifier and physical identifier of the first communication device included in the physical identifier request packet in the identifier table. The unauthorized terminal blocking system according to any one of claims 1 to 4, wherein the unauthorized terminal blocking system is registered.   The unauthorized terminal blocking device officially sets the communication identifier and physical identifier of the first communication device temporarily registered in the identifier table based on an input according to an operation of the administrator of the unauthorized terminal blocking system. The unauthorized terminal blocking system according to claim 4, wherein the unauthorized terminal blocking system is registered in the identifier table. A first communication device and a second communication device that communicates in response to a request from the first communication device are connected via a communication line,
Communication means for transmitting and receiving packets via the communication line;
Storage means for storing an identifier table in which communication identifiers and physical identifiers are associated;
Referring to the identifier table, when a physical identifier not registered in the identifier table exists in the physical identifier request packet intercepted by the communication means, a blocking process is performed to block communication of the communication device with the physical identifier. A shut-off processing means,
When the communication unit receives the physical identifier request packet including a group identifier for handling a plurality of devices transmitted from the first communication device as a group, the storage unit receives the physical identifier request packet. A communication terminal and a physical identifier of the first communication device included in the device are registered in an identifier table.

Images