Terminal apparatus security management apparatus and method

Information

  • Patent Application
  • Publication Number
    20080072308
  • Date Filed
    December 28, 2006
  • Date Published
    March 20, 2008
Abstract
A security management apparatus temporarily holds a session establishment request from a terminal apparatus 3 and then determines permission or refusal of the session establishment request based on terminal management information. If permission is determined, the apparatus determines whether or not the security state of the source terminal apparatus is the latest one based on security management information. If it is determined not to be the latest one, the apparatus sends out a session establishment request in which the terminal apparatus and a security information management apparatus are set as the source and the destination, respectively. After that, when update of the security of the terminal apparatus is notified, the held session establishment request from the terminal apparatus is sent out. On the other hand, if the security state is determined to be the latest one, the held session establishment request from the terminal apparatus is sent out without an update.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a diagram showing an example of configuration in an embodiment of the present invention;



FIG. 2 is a diagram showing an example of configuration of update information;



FIG. 3 is a diagram showing an example of configuration of security management information;



FIG. 4 is a diagram showing an example of configuration of terminal management information; and



FIGS. 5 and 6 are diagrams for illustrating a process flow of the present invention.





DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS


FIG. 1 shows an example of configuration in an embodiment of the present invention.


A terminal apparatus security determination apparatus (hereinafter referred to as “a security determination server”) 1 is a computer comprising a CPU and a memory, which determines the security state of a terminal apparatus 3 in response to receiving a session establishment request from the terminal apparatus 3. The security determination server 1 can be embodied as a network router or as a device arranged in a proxy server.


The security of the terminal apparatus 3 is maintained by a security program that performs virus cleaning processing, by the definition information used by the security program, and the like. The security state is represented by the version number of the security program or of the definition information.


A security information management apparatus (hereinafter referred to as “a security management server”) 5 is provided with a security information storage section 51 for storing update information about security of the terminal apparatus 3 and a download completion notification section 53 for notifying completion of download to the security determination server 1 when the update information is downloaded to the terminal apparatus 3.


The update information is program data for upgrading the security program used by the terminal apparatus 3, update data for the definition information used by the security program, and the like.



FIG. 2 shows an example of the configuration of the update information stored in the security information storage section 51. The security information storage section 51 stores information identifying the security program used by the terminal apparatus 3, for example a program name and a version number, together with the update data, for example data for updating the definition information or upgrade data for the security program.


The security determination server 1 is provided with a session processing section 10, a security management information storage section 11, a terminal management information storage section 12, a session-request temporary-storage section 13, a terminal management section 14, a security determination section 15 and a security management information update section 16.


The session processing section 10 transmits a session establishment request packet of the terminal apparatus 3 and is provided with a session request holding section 101 and a session request switching section 103.


The session request holding section 101 stores a session establishment request packet received from the terminal apparatus 3 in the session-request temporary-storage section 13.


The session request switching section 103 switches the session establishment request packet to be transmitted, based on the result of security determination by the security determination section 15.


The session request switching section 103 holds address information about the security management server 5. If the security state of the terminal apparatus 3 is not the latest one, for example, if the version number of the definition information for the security program is not the latest one, an update information acquisition session establishment request packet, in which the address information about the terminal apparatus 3 and the address information about the security management server 5 are set as the source and the destination, is created and transmitted. Alternatively, if the version number of the definition information for security program of the terminal apparatus 3 is the latest one, then the session establishment request packet held in the session-request temporary-storage section 13 is transmitted.


If the result of determination by the terminal management section 14 (described later) is refusal of a session establishment request, the session request switching section 103 likewise creates and transmits an update information acquisition session establishment request packet. Furthermore, after having transmitted an update information acquisition session establishment request packet, if the session request switching section 103 receives from the security management server 5 a notification that download of the update information to the terminal apparatus 3 is complete, or receives from the terminal apparatus 3 a notification that installation of the update information is complete, it transmits the session establishment request packet held in the session-request temporary-storage section 13.


The security management information storage section 11 stores security management information used to manage security information used by the terminal apparatus 3.



FIG. 3 shows an example of the configuration of the security management information. The latest version number of the definition information for the security program used by the terminal apparatus 3 is recorded in the security management information.


The terminal management information storage section 12 stores terminal management information.



FIGS. 4A and 4B show examples of the configuration of the terminal management information. As shown in FIG. 4A, the address of the terminal apparatus 3 and whether or not processing of a session establishment request packet is possible (permission or refusal of the packet) are set for each terminal apparatus 3, in the terminal management information. Permission or refusal of a session establishment request packet is set by the administrator of the security determination server 1.


Alternatively, as shown in FIG. 4B, the address of the terminal apparatus 3 and the time when a session establishment packet is transmitted last are recorded for each terminal apparatus 3 in the terminal management information.


The session-request temporary-storage section 13 stores a session establishment request packet which has been received from the terminal apparatus 3 and in which address information about a session establishment request destination apparatus 7 is set as the destination.


The terminal management section 14 determines permission or refusal of processing of a session establishment request packet held in the session-request temporary-storage section 13 based on the terminal management information.


The terminal management section 14 determines permission or refusal of the received session establishment request packet in accordance with the setting for the terminal apparatus 3 which has originated the session establishment request packet stored in the session-request temporary-storage section 13, if the terminal management information shown in FIG. 4A is stored.


Furthermore, if the terminal management information shown in FIG. 4B is stored, the terminal management section 14 acquires the time of receiving the session establishment request packet stored in the session-request temporary-storage section 13. If the receiving time is within a predetermined period after the last transmission time recorded in the terminal management information, then “permission” of the received session establishment request packet is determined.


The security determination section 15 acquires the security state of the terminal apparatus 3 which has originated the session establishment request packet stored in the session-request temporary-storage section 13 and determines whether or not the security state of the terminal apparatus 3 is the latest one based on the security management information.


The security state of the terminal apparatus 3 is notified with the use of a program version number information management function 31 provided for the terminal apparatus 3.


If the terminal management section 14 determines “permission”, the security determination section 15 acquires the current version number of the definition information for the security program as the security state of the terminal apparatus 3 which has originated the session establishment request packet stored in the session-request temporary-storage section 13. The security determination section 15 then determines, based on the security management information, whether or not that current version number is the latest one, and hands the determination result to the session request switching section 103 of the session processing section 10.


The security management information update section 16 acquires the latest version number of the definition information for the security program, as information indicating the latest state of the security information to be used by the terminal apparatus 3, from the security management server 5 and updates the security management information stored in the security management information storage section 11.


Description will be made on the process flow in the embodiment of the present invention with the use of FIGS. 5 and 6.


The processing at steps S1 to S9 will be described with the use of FIG. 5.


Step S1: The terminal apparatus 3 transmits a session establishment request packet in which the address of a session establishment request destination apparatus 7 is set as the destination.


Step S2: The session processing section 10 of the security determination server 1 stores the source address (the address of the terminal apparatus 3) and the destination address (the address of the session establishment request destination apparatus 7) in the received session establishment request packet, into the session-request temporary-storage section 13.


Step S3: The session processing section 10 notifies the address of the terminal apparatus 3 to the terminal management section 14 and inquires about permission/refusal of the session establishment request packet.


Step S4: The terminal management section 14 determines permission or refusal of the session establishment request packet with the use of the terminal management information stored in the terminal management information storage section 12. Here, it is assumed that the terminal management information shown in FIG. 4B is stored. The terminal management section 14 regards the current time as the time of receiving the session establishment request packet. If this receiving time is after a lapse of a predetermined time after the time of the last transmission stored in the terminal management information, or if the transmission time is not recorded in the terminal management information (S4: YES), then “refusal” is returned to the session processing section 10.


Step S5: When receiving “refusal”, the session processing section 10 generates and transmits an update information acquisition session establishment request packet in which the address of the terminal apparatus 3 and the address of the security management server 5 are set as the source and the destination.


Step S6: The security management server 5 receives the update information acquisition session establishment request packet, and a session with the terminal apparatus 3 is established. Then, the terminal apparatus 3 downloads the latest update data of definition information for the security program, which is stored in the security information storage section 51.


Step S7: When the terminal apparatus 3 completes download of the latest update data, the download completion notification section 53 of the security management server 5 transmits a download completion notification to the security determination server 1.


Step S8: The terminal apparatus 3 performs update of the definition information for the security program using the downloaded update data and transmits an update completion notification to the security determination server 1. The update completion notification may be notification of the version number of the definition information for the security program by the program version number information management function 31.


Step S9: The session processing section 10 receives either the download completion notification or the update completion notification, or both of them. Then, a session establishment request packet in which the address of the terminal apparatus 3 and the address of the session establishment request destination apparatus 7 are set as the source and the destination is transmitted, based on the source and destination addresses stored in the session-request temporary-storage section 13.


The processing at steps S11 to S17 will be described with the use of FIG. 6. The content of the processing at steps S1 to S4 shown in FIG. 6 is the same as the content of the processing at the steps denoted by the same reference numerals shown in FIG. 5.


At the processing at step S4, if the session establishment request packet receiving time (current time) is within the predetermined time after the time of the last transmission stored in the terminal management information (S4: NO), then the terminal management section 14 returns “permission” to the session processing section 10.


Step S11: When receiving “permission”, the session processing section 10 requests the security determination section 15 to perform determination processing.


Step S12: The security determination section 15 acquires the version number of the definition information for the security program by the program version number information management function 31 of the terminal apparatus 3. Then, it is determined whether or not the current version number is the latest one based on the security management information.


Step S13: If the security determination section 15 determines that the current version number is not the latest one (determination result: NG), then an update information acquisition session establishment request packet in which the address of the terminal apparatus 3 and the address of the security management server 5 are set as the source and the destination is generated and transmitted.


Step S14: The security management server 5 receives the update information acquisition session establishment request packet, and a session with the terminal apparatus 3 is established. The terminal apparatus 3 downloads the latest update data in the security information storage section 51.


Step S15: The download completion notification section 53 of the security management server 5 transmits, to the security determination server 1, a notification that download of the update data to the terminal apparatus 3 is complete.


Step S16: The terminal apparatus 3 transmits a security program update completion notification to the security determination server 1.


Step S17: If the security determination section 15 determines that the current version number of the security program of the terminal apparatus 3 is the latest one (determination result: OK), then the session processing section 10 transmits a session establishment request packet in which the address of the terminal apparatus 3 and the address of the session establishment request destination apparatus 7 are set as the source and the destination based on the source and destination addresses stored in the session-request temporary-storage section 13.


If permission/refusal of a session establishment request packet is set for each terminal apparatus 3 as terminal management information, as shown in FIG. 4A, and it is successively determined by the security determination section 15 that the version number of the definition information for the security program of the terminal apparatus 3 is not the latest one a predetermined number of times, then “refusal” is set by the terminal management section 14 for processing of a session establishment request packet of the terminal apparatus 3, in the terminal management information. In this case, the session processing section 10 refuses the session establishment request packet processing.


On the other hand, when the result of the determination by the security determination section 15 indicates that the version number of the security program of the terminal apparatus 3 is the latest one, the terminal management section 14 updates the setting for session establishment request packet processing in the terminal management information to be “permission”.
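The gatekeeping sequence of steps S1 to S17, together with the successive-NG handling just described, can be exercised end to end in the following Python model. It is an added example written for this page, not code from the patent or its applicant; the addresses, the period of 3600 seconds, the NG threshold, and the treatment of a version number carried in an update completion notification (step S8) as an OK determination that clears the refusal flag are assumptions. As in the patent, the terminal's reported version number and the completion notifications are taken at face value: nothing in the description authenticates them, so a terminal that misreports its version, or a host that spoofs a download completion notification, passes the check.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed addresses: the patent names the apparatuses but gives no addresses.
TERMINAL = "192.0.2.3"          # terminal apparatus 3
DESTINATION = "192.0.2.7"       # session establishment request destination apparatus 7
SECURITY_SERVER = "192.0.2.5"   # security management server 5


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "session" (towards apparatus 7) or "update_acquisition" (towards server 5)


class SecurityDeterminationServer:
    """Hypothetical model of security determination server 1 (not the patent's code)."""

    def __init__(self, latest_version: int, period: float, max_ng: int = 3) -> None:
        self.latest_version = latest_version    # security management information, FIG. 3
        self.period = period                    # predetermined period of the FIG. 4B check
        self.max_ng = max_ng                    # successive NG results before refusal is set
        self.last_tx: dict[str, float] = {}     # FIG. 4B: address -> last transmission time
        self.refused: set[str] = set()          # FIG. 4A: addresses whose flag is "refusal"
        self.ng_count: dict[str, int] = {}      # successive NG results per address
        self.held: dict[str, Packet] = {}       # session-request temporary-storage section 13
        self.awaiting_update: set[str] = set()  # terminals sent to server 5, release pending

    # terminal management section 14 (FIG. 4A flag and FIG. 4B time window)
    def _terminal_permits(self, src: str, now: float) -> bool:
        if src in self.refused:
            return False
        last = self.last_tx.get(src)
        return last is not None and now - last <= self.period

    # session request switching section 103
    def _redirect_to_update(self, src: str) -> Packet:
        self.awaiting_update.add(src)
        return Packet(src, SECURITY_SERVER, "update_acquisition")

    def _release_held(self, src: str, now: float) -> Packet:
        pkt = self.held.pop(src)
        self.last_tx[src] = now  # claim 6: record the time the request was transmitted
        return pkt

    def receive_session_request(self, pkt: Packet, now: float, reported_version: int) -> Packet:
        """Steps S1-S5 and S11-S17: returns the packet the server transmits next."""
        self.held[pkt.src] = pkt                          # S2: hold the request
        if not self._terminal_permits(pkt.src, now):      # S4: refusal
            return self._redirect_to_update(pkt.src)      # S5: force an update first
        if reported_version != self.latest_version:       # S12: version check -> NG
            n = self.ng_count.get(pkt.src, 0) + 1
            self.ng_count[pkt.src] = n
            if n >= self.max_ng:                          # successive NG: set refusal
                self.refused.add(pkt.src)
            return self._redirect_to_update(pkt.src)      # S13
        self.ng_count[pkt.src] = 0                        # OK: flag back to permission
        return self._release_held(pkt.src, now)           # S17

    def receive_completion_notification(
        self, src: str, now: float, reported_version: Optional[int] = None
    ) -> Optional[Packet]:
        """S7/S8 -> S9 (or S15/S16 -> S17): a download or update completion notification
        releases the held request; unexpected or duplicate notifications are ignored."""
        if src not in self.awaiting_update:
            return None
        self.awaiting_update.discard(src)
        # Assumption: a version number notified per S8 that matches the latest one counts
        # as an OK determination, which restores "permission" as in the FIG. 4A variant.
        if reported_version == self.latest_version:
            self.refused.discard(src)
            self.ng_count[src] = 0
        return self._release_held(src, now)


if __name__ == "__main__":
    server = SecurityDeterminationServer(latest_version=5, period=3600.0)
    req = Packet(TERMINAL, DESTINATION, "session")
    print(server.receive_session_request(req, now=0.0, reported_version=5))    # no last time: to server 5
    print(server.receive_completion_notification(TERMINAL, now=10.0))          # held request released
    print(server.receive_session_request(req, now=100.0, reported_version=5))  # within period, OK
```

The first request from a terminal is always sent to the security management server 5 because no transmission time is recorded (step S4, YES), exactly as the description states; only after a completion notification does the held request to apparatus 7 leave the server.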


As described above, if, when a session establishment request packet is received from the terminal apparatus 3, the terminal management section 14 determines that a predetermined time or more has elapsed since the last session establishment request was transmitted (or that no transmission time is recorded), then a session request packet in which the address of the security management server 5 is set as the destination is transmitted by the session processing section 10 without making any determination on security information. Therefore, the terminal apparatus 3 cannot be connected to the session establishment request destination apparatus 7 to which it originally desires to connect unless it first connects to the security management server 5, acquires the update information held there, and updates its security with that update information. When the security determination server 1 is notified that the security of the terminal apparatus 3 has been updated, connection with the session establishment request destination apparatus 7 requested by the terminal apparatus 3 is enabled.


The present invention has been described using an embodiment thereof. It goes without saying that various variations of the present invention are possible within the range of its spirit. For example, transmission history information about session establishment requests received from the terminal apparatus 3 and processed may be used as the terminal management information to be stored in the terminal management information storage section 12. The terminal management section 14 may determine permission/refusal of processing of a session establishment request based on intervals among multiple transmission times, based on this transmission history information.

Claims
  • 1. A security management apparatus for a terminal apparatus, the security management apparatus comprising, in order to manage the security state of a terminal apparatus connected to a network: a security management information storage section for storing security management information indicating the latest state of the security of a terminal apparatus; a session request holding section for holding a session establishment request received from a terminal apparatus in a session-request temporary-storage section; a security determination section for acquiring the security state of the terminal apparatus which has originated the session establishment request held in the session-request temporary-storage section and determining whether or not the security state of the terminal apparatus is the latest one based on the security management information; and a session request switching section for holding destination information about a security information management apparatus holding update information about the security of the terminal apparatus, creating and transmitting an update information acquisition session establishment request, in which the terminal apparatus and the destination information are set as the source and the destination respectively, if the security state of the terminal apparatus is not the latest one, and transmitting the session establishment request held in the session-request temporary-storage section if the security state of the terminal apparatus is the latest one.
  • 2. The security management apparatus for a terminal apparatus according to claim 1, wherein when the update information acquisition session establishment request is transmitted, and a notification to the effect that the security of the terminal apparatus has been updated is received, the session request switching section transmits the session establishment request held in the session-request temporary-storage section.
  • 3. The security management apparatus for a terminal apparatus according to claim 1, the security management apparatus comprising: a terminal management information storage section for storing terminal management information in which permission/refusal of a session establishment request is set for each of the terminal apparatuses; and a terminal management section for determining permission/refusal of a session establishment request held in the session-request temporary-storage section, based on the terminal management information; wherein if the result of determination by the terminal management section is permission, the security determination section acquires the security state of the terminal apparatus which has originated the session establishment request held in the session-request temporary-storage section and determines whether or not the security state of the terminal apparatus is the latest one based on the security management information; and if the result of determination by the terminal management section is refusal, the session request switching section creates and transmits an update information acquisition session establishment request in which the terminal apparatus and the destination information are set as the source and the destination, respectively.
  • 4. The security management apparatus for a terminal apparatus according to claim 3, wherein the session request switching section stores the result of determination by the terminal management section, and, if the result of determination on the terminal apparatus is refusal successively multiple times, refuses transmission of a session establishment request by the terminal apparatus.
  • 5. The security management apparatus for a terminal apparatus according to claim 1, the security management apparatus comprising: a terminal management information storage section for storing the terminal management information in which the time of transmitting a session establishment request is stored for each of the terminal apparatuses; and a terminal management section for, when a session establishment request is held in the session-request temporary-storage section, acquiring the time of receiving the session establishment request, and determining permission of the received session establishment request if the receiving time is within a predetermined period after the last transmission time stored in the terminal management information; wherein if the result of determination by the terminal management section is permission, the security determination section acquires the security state of the terminal apparatus which has originated the session establishment request held in the session-request temporary-storage section and determines whether or not the security state of the terminal apparatus is the latest one based on the security management information.
  • 6. The security management apparatus for a terminal apparatus according to claim 5, wherein if a session establishment request is transmitted by the session request switching section, the terminal management section records the time of transmitting the session establishment request in the terminal management information.
  • 7. The security management apparatus for a terminal apparatus according to claim 1, the security management apparatus comprising a security management information update section for acquiring input information indicating the latest state of the security of the terminal apparatus and updating the security management information stored in the security management information storage section.
  • 8. A terminal apparatus security management method in which a security management apparatus manages the security state of a terminal apparatus connected to a network, the method comprising: holding a session establishment request received from a terminal apparatus in a session-request temporary-storage section; acquiring the security state of the terminal apparatus which has originated the session establishment request held in the session-request temporary-storage section, and determining whether or not the security state of the source terminal apparatus is the latest one, with reference to a security management information storage section in which security management information indicating the latest state of the security of terminal apparatuses is stored; and, by holding destination information about a security information management apparatus holding update information about the security of the terminal apparatus, creating and transmitting an update information acquisition session establishment request in which the terminal apparatus and the destination information are set as the source and the destination if the security state of the source terminal apparatus is not the latest one, and transmitting the session establishment request held in the session-request temporary-storage section if the security state of the source terminal apparatus is the latest one.
  • 9. The security management method for a terminal apparatus according to claim 8, the method comprising: when the update information acquisition session establishment request is transmitted, and a notification to the effect that the security of the source terminal apparatus has been updated is received, transmitting the session establishment request held in the session-request temporary-storage section.
  • 10. The security management method for a terminal apparatus according to claim 8, the method comprising: by having stored terminal management information in which permission/refusal of a session establishment request is set for each of the terminal apparatuses, in a terminal management information storage section, determining permission/refusal of the session establishment request held in the session-request temporary-storage section based on the terminal management information; if the result of determination about permission/refusal of the session establishment request is permission, acquiring the security state of the terminal apparatus which has originated the session establishment request held in the session-request temporary-storage section and determining whether or not the security state of the source terminal apparatus is the latest one based on the security management information; and, if the result of determination about permission/refusal of the session establishment request is refusal, creating and transmitting an update information acquisition session establishment request in which the source terminal apparatus and the destination information are set as the source and the destination.
  • 11. The security management method for a terminal apparatus according to claim 10, the method comprising: holding the result of determination about permission/refusal of the session establishment request; and if the result of determination about the source terminal apparatus is refusal successively multiple times, refusing transmission of a session establishment request by the terminal apparatus.
  • 12. The security management method for a terminal apparatus according to claim 8, wherein the security management apparatus comprises a terminal management information storage section for storing the terminal management information in which the time of transmitting a session establishment request is stored for each of the terminal apparatuses; and the method comprises: when a session establishment request is held in the session-request temporary-storage section, acquiring the time of receiving the session establishment request, and determining permission of the received session establishment request if the receiving time is within a predetermined period after the last transmission time stored in the terminal management information; and if the result of determination about the received session establishment request is permission, acquiring the security state of the terminal apparatus which has originated the session establishment request held in the session-request temporary-storage section and determining whether or not the security state of the source terminal apparatus is the latest one based on the security management information.
  • 13. The security management method for a terminal apparatus according to claim 12, the method comprising: if a session establishment request is transmitted by the session request switching section, recording the time of transmitting the session establishment request in the terminal management information.
  • 14. The security management method for a terminal apparatus according to claim 8, the method comprising: acquiring input information indicating the latest state of the security of the terminal apparatus and updating the security management information stored in the security management information storage section.
Priority Claims (1)
Number Date Country Kind
2006-224975 Aug 2006 JP national