Device for protection against illegal communications and network system thereof

Information

  • Patent Application
  • 20070201474
  • Publication Number
    20070201474
  • Date Filed
    January 25, 2007
  • Date Published
    August 30, 2007
Abstract
A communication device, an illegal communication protection device, and a network system for providing protection from illegal communications. The communication device, connected to a network, receives packets sent and received over networks and transmits them based on the packet destination; it includes a control unit and a storage unit holding a routing table of destination information. When a received packet is a connection request, the control unit stores that packet's transmit source address together with the line number on which it was received in the routing table; when a received packet is not a connection request, the control unit looks up the routing table, acquires the line number linked to an address matching the packet's destination address, and sends the packet via that line.
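As an added illustration (not code from the patent or its assignee), the following Python model implements the forwarding rule the abstract describes: a TCP connection request (taken here to be a SYN without ACK, an assumption) records its source address and the line it arrived on in the TCP routing table, and every other packet of that connection is sent out on the line recorded for its destination, so the reply to a request leaves on the line the request came in on rather than on whatever path the ordinary destination table would choose. Non-TCP traffic, traffic outside the prefixes marked in the routing-type register (modelled here as a prefix list, an assumption), and destinations with no learned entry fall back to the normal table. The class and field names, the addresses and the line numbers are constructed for the example.

```python
"""Added example, not the patent's code: the forwarding rule of the abstract and
claims 1 to 3. Table formats and the fallback for unknown addresses are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    syn: bool = False
    ack: bool = False


class CommunicationDevice:
    def __init__(self, normal_routes: Dict[str, int], tcp_routed: List[str]):
        # Second table (claim 3): destination prefix -> line, longest prefix wins.
        self.normal = sorted(((ipaddress.ip_network(n), line) for n, line in normal_routes.items()),
                             key=lambda e: e[0].prefixlen, reverse=True)
        # Routing type register (assumed form): prefixes whose TCP traffic, in either
        # direction, is forwarded with the learned table instead of the normal one.
        self.tcp_routed = [ipaddress.ip_network(n) for n in tcp_routed]
        # First table (claim 3): source address of a connection request -> line it arrived on.
        self.tcp_table: Dict[str, int] = {}

    def normal_lookup(self, dst: str) -> Optional[int]:
        addr = ipaddress.ip_address(dst)
        return next((line for net, line in self.normal if addr in net), None)

    def uses_tcp_table(self, pkt: Packet) -> bool:
        ends = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
        return pkt.proto == "tcp" and any(a in net for a in ends for net in self.tcp_routed)

    def forward(self, pkt: Packet, in_line: int) -> Optional[int]:
        """Return the line number the packet is sent out on (None if unroutable)."""
        if not self.uses_tcp_table(pkt):
            return self.normal_lookup(pkt.dst)
        if pkt.syn and not pkt.ack:
            # Connection request: remember which line the requester is reachable on.
            # The request itself still travels towards its destination by the normal
            # table (the claims do not say how the SYN is routed; assumption).
            self.tcp_table[pkt.src] = in_line
            return self.normal_lookup(pkt.dst)
        # Everything else in the connection goes back out on the learned line, so the
        # reply cannot take a path that skips the device that saw the request.
        line = self.tcp_table.get(pkt.dst)
        return line if line is not None else self.normal_lookup(pkt.dst)
```

In the scenario the test below exercises, the normal table would return traffic for 10.0.0.0/8 on line 2, but because the request from 10.0.0.5 arrived on line 1 the SYN-ACK and all later packets of that connection are sent on line 1. The learned table in this model never expires entries; a real device would age them, as claim 4 does for session entries in the protection device.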
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a drawing for describing the network system of the embodiment of this invention;
FIG. 2 is a sequence diagram showing the operation of the network system of the embodiment of this invention;
FIG. 3 is a sequence diagram for communications among the illegal communication protection device, the communication device, and the host in the embodiment of this invention;
FIG. 4 is a sequence diagram showing the operation of the network system of the embodiment of this invention;
FIG. 5 is a block diagram showing the structure of the communication device of the embodiment of this invention;
FIG. 6 is a block diagram showing the structure of the communication device of the embodiment of this invention;
FIG. 7 is a drawing for describing the packet data of the embodiment of this invention;
FIG. 8A is a drawing showing one example of the routing type register table of the embodiment of this invention;
FIG. 8B is a drawing showing one example of the normal register table of the embodiment of this invention;
FIG. 8C is a drawing showing one example of the TCP routing table of the embodiment of this invention;
FIG. 9 is a flow chart of the processing in the routing unit of the embodiment of this invention;
FIG. 10 is a block diagram showing the structure of the illegal communication protection device of the embodiment of this invention;
FIG. 11 is a block diagram showing the structure of the illegal communication protection device of the embodiment of this invention;
FIG. 12A is a drawing showing an example of the SIP-DIP table of the embodiment of this invention;
FIG. 12B is a drawing showing an example of the time table of the embodiment of this invention;
FIG. 12C is a drawing showing an example of the limit time table of the embodiment of this invention;
FIG. 12D is a drawing showing an example of the SEQ No. table of the embodiment of this invention;
FIG. 12E is a drawing showing an example of the state table of the embodiment of this invention;
FIG. 12F is a drawing showing an example of the differential SEQ table of the embodiment of this invention;
FIG. 13 is a flow chart showing the operation of the SIP-DIP renewal unit in the embodiment of this invention;
FIG. 14 is a flow chart of the time update unit of the embodiment of this invention;
FIG. 15 is a flow chart of the limit time update unit of the embodiment of this invention;
FIG. 16 is a flow chart showing the operation of the SEQ. No. update unit of the embodiment of this invention;
FIG. 17 is a flow chart showing the operation of the state update unit of the embodiment of this invention;
FIG. 18 is a flow chart showing the operation of the differential SEQ update unit of the embodiment of this invention;
FIG. 19 is a flow chart showing the operation of the SEQ No. converter unit of the embodiment of this invention;
FIG. 20 is a flow chart showing the operation of the ACK No. converter unit of the embodiment of this invention;
FIG. 21 is a flow chart showing the operation of the packet update unit of the embodiment of this invention;
FIG. 22 is a sequence diagram for rejecting illegal communication by the illegal communication protection device of the embodiment of the related art;
FIG. 23 is a drawing showing the case when there was a failure in protecting normal (legal) communications of the related art; and
FIG. 24 is a sequence diagram showing the case when there was a failure in protecting normal (legal) communications of the related art.

Claims
  • 1. A communication device connected to a network, for receiving packets sent over a network, and transmitting packets based on the packet destination, comprising: a control unit; and a storage unit containing at least one routing table for storing information concerning the packet destination; wherein, when the received packet is a request for connecting to the packet destination, the control unit stores in the routing table a transmit source address of the packet associated with an identified line where the packet was received, and when the received packet is not a connection request, the control unit checks the routing table, acquires a line associated with a destination address matching the destination address of the packet, and sends the packet via the acquired line.
  • 2. A communication device according to claim 1, wherein the control unit includes: a type detector unit for identifying a type of protocol of the packet, and an attachment information detector unit for identifying a type of flag attached to the packet, and wherein when the type detector unit identifies the protocol of the received packet as a TCP protocol, and the attachment information detector unit identifies the flag attached to the packet as SYN, then the control unit stores in the routing table the transmit source address of the packet associated with the line where the packet was received, and when the type detector unit identifies the protocol of the received packet as a TCP protocol, and the attachment information detector unit identifies the flag attached to the packet as other than SYN, the control unit checks the routing table, acquires a line associated with a destination address matching the destination address of the packet, and sends the packet via the acquired line.
  • 3. A communication device according to claim 2, wherein the storage unit includes: a first routing table for TCP protocol, and a second routing table for protocols other than TCP, and wherein when the packet is sent, the storage unit stores routing type register information that contains information for setting whether to use either the first routing table or the second routing table; and wherein the control unit contains a routing discriminator unit for checking the routing type register information, and deciding the routing table used to transfer the received packet, and wherein when the routing discriminator unit decides that the routing table used in transferring the received packet is the first routing table, and the attachment information detector unit identifies the flag attached to the packet as SYN, then the control unit stores in the routing table the transmit source address of the packet associated with the line where the packet was received, and when the routing discriminator unit identifies the routing table used for transferring the received packet as the first routing table, and the attachment information detector unit identifies the flag attached to the packet as not SYN, then the control unit acquires the line associated with the destination address matching the destination address of the packet from the first routing table, and sends the packet via the acquired line, and when the routing discriminator unit identifies the routing table used for the received packet as the second routing table, or the protocol of the received packet is not TCP protocol, then the control unit acquires the line linking the destination address of the packet with the matching packet address from the second routing table, and sends the packet via the acquired line.
  • 4. An illegal communication protection device connected to a network for receiving packets exchanged over the networks, transmitting ones of the packets based on the packet destination, and restricting the transmission of the packet when the packet is illegal, including: a control unit; and a storage unit, wherein the storage unit contains: a connection request source IP address of the packet, a connection request destination IP address of the packet, and session information for recording an arrival time that the packet arrived associated with a limit time showing a period to limit rewriting of information relating to the packet, and when the difference between current time and the arrival time recorded in the session information has exceeded the limit time recorded in the session table, the control unit permits the rewriting of information relating to the packet.
  • 5. An illegal communication protection device according to claim 4, wherein the limit time is changed based on at least one selected from the group consisting of the connection request source IP address of the packet, the connection request destination IP address of the packet, and the difference between the current time and the arrival time recorded in the session information.
  • 6. An illegal communication protection device according to claim 4, wherein, when a first packet sent from the connection request source IP address to the connection request destination IP address is received whose protocol is a TCP protocol, and whose flag attached to the first packet is SYN, the control unit respectively changes the connection request source IP address of the first packet to the connection request destination IP address, and changes the connection request destination IP address of the first packet to the connection request source IP address; and changes the flag to SYN-ACK, and generates a second packet attached with a transmit sequence number generated from a random value, and sends the second packet to the connection request source IP address, and when a third packet sent from the connection request source IP address to the connection request destination IP address is received whose protocol is a TCP protocol, and whose attached flag is ACK, and whose attached receive sequence number is a value where a 1 is added to the transmit sequence number, then the control unit decides that communication between the connection request destination IP address and the connection request source IP address is legal, and changes the third packet flag to SYN, and subtracts a 1 from the transmit sequence number, and generates a fourth packet with a 0 in the receive sequence number, and sends the fourth packet to the connection request destination IP address, and when a fifth packet sent from the connection request destination IP address to the connection request source IP address is received whose protocol is a TCP protocol, and whose attached flag is SYN-ACK, then the control unit respectively changes the connection request source IP address of the fifth packet to the connection request destination IP address, and changes the connection request destination IP address of the fifth packet to the connection request source IP address; changes the flag to ACK, respectively changes the transmit sequence number to the receive sequence number, and the receive sequence number to the transmit sequence number, and also generates a sixth packet with a 1 added to the receive sequence number, and by sending the sixth packet to the connection request destination IP address, allows communication between the connection request destination IP address and the connection request source IP address.
  • 7. An illegal communication protection device according to claim 6, wherein the limit time recorded in the session table is changed when the third packet or the fifth packet is received.
  • 8. An illegal communication protection device according to claim 6, wherein, the control unit allows sending and receiving packets between the connection request source IP address and the connection request destination IP address after deciding to pass the packet, and when a seventh packet sent from the connection request source IP address to the connection request destination IP address is received, a TCP checksum is recalculated after subtracting a difference between the transmit sequence number attached to the fifth packet and the transmit sequence number attached to the second packet, from the receive sequence number attached to the seventh packet, and when an eighth packet sent from the connection request destination IP address to the connection request source IP address is received, the TCP checksum is recalculated after adding a difference between the transmit sequence number of the second packet and the transmit sequence number of the fifth packet, to the transmit sequence number of the eighth packet, and before making a packet pass decision, the packets sent and received between the connection request source IP address and the connection request destination IP address are discarded, or are accumulated in a buffer.
  • 9. A network system connected to one or multiple communication devices for receiving packets sent and received along a network, and for sending packets based on the destination address of the packet, and which is connected to a single or multiple illegal communication protection devices for receiving packets sent and received along a network, sending packets based on the destination address of the packet, and restricting transmission of a packet when that packet is illegal, comprising: a first control unit; a first storage unit for storing a routing table containing information on the destination of the packet; wherein when the received packet is a connection request, the first control unit associates a packet transmit source address with a received line for the packet and stores it in the routing table, and when the received packet is not a connection request, the first control unit checks the routing table, acquires a line associating the destination address of the packet with the matching destination address, and sends the packet via the acquired line; the illegal communication protection device including a second control unit, and a second storage unit; wherein the second storage unit includes a connection request source IP address of the packet, a connection request destination IP address of the packet, session information for recording an arrival time that the packet arrived associated with a limit time showing a period to limit rewriting of information relating to the packet, and the second control unit permits rewriting of the packet when the difference between the arrival time recorded in the session table and current time has exceeded the limit time.
  • 10. A secure router, comprising: at least two input lines; at least two output lines; a sequence generator; and at least one state table; wherein the secure router routes legal communications, via the two input lines and the two output lines, between at least one user, and at least one of a host and a second router; wherein legal communications comprise those communications that are properly incremented and sent or received on a proper one of the two output or two input lines without ever having bypassed the secure router, starting from a random initialization by the sequence generator, and that are in a legal state for no more than an allowable time limit in accordance with the at least one state table.
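The handshake of claims 6 to 8, together with the session limit times of claims 4 and 7, as an added worked example in Python (not the patent's own code): the device completes the three-way handshake with the client on the server's behalf using its own random initial sequence number, forwards nothing to the server until the client's ACK carries that number plus one, then opens the real connection to the server and, because the server chose a different initial sequence number, corrects the acknowledgement number of every client packet and the sequence number of every server packet by the difference before recomputing the TCP checksum. State names, limit times, the packet layout, the checksum input, and the rule that a live session entry ignores a fresh SYN are assumptions made for the example; the addresses and sequence numbers are constructed.

```python
"""Added example, not the patent's code: the SYN-proxy connection check of claims 4 to 8 with sequence-number translation. Layout and timings are assumed."""
import ipaddress
import random
import struct
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

MOD = 1 << 32
SYN, ACK, SYN_ACK = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"SYN", "ACK"})


@dataclass
class Packet:
    src: str
    dst: str
    flags: frozenset
    seq: int              # transmit sequence number
    ack: int              # receive (acknowledgement) sequence number
    payload: bytes = b""
    checksum: int = field(init=False, default=0)

    def __post_init__(self):
        self.checksum = tcp_checksum(self)   # every built or rewritten packet is re-checksummed


def tcp_checksum(p: Packet) -> int:
    """RFC 1071 ones'-complement sum over a pseudo-header and this model's fields (assumed layout)."""
    flag_bits = ("SYN" in p.flags) << 1 | ("ACK" in p.flags)
    data = (ipaddress.ip_address(p.src).packed + ipaddress.ip_address(p.dst).packed
            + struct.pack("!IIB", p.seq, p.ack, flag_bits) + p.payload)
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Session:
    state: str            # SYN_SENT_TO_CLIENT -> SYN_SENT_TO_SERVER -> ESTABLISHED
    proxy_isn: int        # seq of the second packet (our SYN-ACK to the client)
    arrival: float        # arrival time of the connection request
    limit: float          # seconds before this entry may be rewritten (claim 4)
    server_isn: int = 0   # seq of the fifth packet (the server's SYN-ACK)
    pending: List[Packet] = field(default_factory=list)  # client data held until the pass decision

    @property
    def delta(self) -> int:
        """Transmit sequence number of the second packet minus that of the fifth."""
        return (self.proxy_isn - self.server_isn) % MOD


class ProtectionDevice:
    # Limit time per state; it is changed when the third and fifth packets arrive (claim 7).
    LIMITS = {"SYN_SENT_TO_CLIENT": 3.0, "SYN_SENT_TO_SERVER": 10.0, "ESTABLISHED": 300.0}

    def __init__(self, seed=None):
        self.rng = random.Random(seed)   # ISN source; seeded only to make tests repeatable
        self.sessions: Dict[Tuple[str, str], Session] = {}   # (client, server) -> Session

    def receive(self, p: Packet, now: float) -> List[Packet]:
        """Handle one packet; returns the packets the device emits in response."""
        key = next((k for k in ((p.src, p.dst), (p.dst, p.src)) if k in self.sessions), None)
        s = self.sessions.get(key)
        if p.flags == SYN:
            if s is None or now - s.arrival > s.limit:
                # Claim 4: an existing entry is rewritten only after its limit time has passed.
                self.sessions.pop(key, None)
                s = Session("SYN_SENT_TO_CLIENT", self.rng.randrange(MOD), now,
                            self.LIMITS["SYN_SENT_TO_CLIENT"])
                self.sessions[(p.src, p.dst)] = s
            elif s.state != "SYN_SENT_TO_CLIENT" or p.src != key[0]:
                return []                  # live entry and not a repeat of the request
            # Second packet: SYN-ACK with our random ISN, addresses swapped.
            return [Packet(p.dst, p.src, SYN_ACK, s.proxy_isn, (p.seq + 1) % MOD)]
        if s is None:
            return []                      # no connection request seen: drop
        client, server = key
        if s.state == "SYN_SENT_TO_CLIENT":
            if p.src == client and p.flags == ACK and p.ack == (s.proxy_isn + 1) % MOD:
                # Third packet checks out: judged legal. Fourth packet replays it to the server as a SYN.
                s.state, s.limit = "SYN_SENT_TO_SERVER", self.LIMITS["SYN_SENT_TO_SERVER"]
                return [Packet(client, server, SYN, (p.seq - 1) % MOD, 0)]
            return []                      # discarded before the pass decision
        if s.state == "SYN_SENT_TO_SERVER":
            if p.src == server and p.flags == SYN_ACK:
                # Fifth packet: record the server ISN; sixth packet completes its handshake.
                s.server_isn = p.seq
                s.state, s.limit = "ESTABLISHED", self.LIMITS["ESTABLISHED"]
                out = [Packet(client, server, ACK, p.ack, (p.seq + 1) % MOD)]
                out += [self._translate(q, s, client) for q in s.pending]
                s.pending.clear()
                return out
            if p.src == client:
                s.pending.append(p)        # buffered until the server answers
            return []
        return [self._translate(p, s, client)]

    @staticmethod
    def _translate(p: Packet, s: Session, client: str) -> Packet:
        """Claim 8: shift the field that refers to the server's sequence space (client: ack; server: seq)."""
        if p.src == client:
            return replace(p, ack=(p.ack - s.delta) % MOD)
        return replace(p, seq=(p.seq + s.delta) % MOD)
```

Read the two "difference" clauses of claim 8 as the same quantity, the second packet's transmit sequence number minus the fifth packet's: subtracting it from the client's acknowledgement number and adding it to the server's sequence number are the two directions of one translation, and that is what the block does. A SYN from a spoofed source never produces the third packet, so the server sees nothing for it; the entry simply waits out its limit time and is then overwritten.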
Priority Claims (1)
Number: 2006-052181; Date: Feb 2006; Country: JP; Kind: national