
Firewall control device, method and firewall device

Patent number
US10097515B2
Publication date
2018-10-09
Applicant
FUJITSU LIMITED (JP, Kawasaki)
Inventor
Dai Suzuki
IPC classification
H04L29/06; G06F9/455
Technical field
fw, fwc, fws, entry, in, discarded, discarding, packets, address, packet
Region: Kawasaki-shi, Kanagawa

Abstract

A firewall control device controls a plurality of firewall devices provided between a core network and a plurality of sub-networks, respectively. The firewall control device is configured to receive, from the plurality of firewall devices, data amount information indicating the amount of data discarded in each of the firewall devices and node information indicating the transmission source node of the discarded data; to identify, based on the data amount information and the node information, a data flow that includes the discarded data, is transmitted from the information processing device indicated by the node information, and whose total amount of discarded data (summed over the firewall devices) exceeds a threshold value; and to set, in a first firewall device which is included in the plurality of firewall devices and which is coupled to that information processing device, a first discarding flow entry defining the discarding of data of the identified data flow.

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application is based upon and claims the benefit of priority of the prior Japanese Patent Application No. 2015-189657, filed on Sep. 28, 2015, the entire contents of which are incorporated herein by reference.

FIELD

The technology described in the present specification relates to a firewall control device, a method and a firewall device.

BACKGROUND

In order to control whether traffic flowing through a network is passed or blocked, a firewall (FW) is in some cases provided at a coupling point between networks.

The FW is in some cases provided in a sub-network, for example at a company office, that is coupled to a wide area network (which may be called a "core network"). The FW passes only the desired traffic from the core network into the sub-network and discards all other traffic, thereby enhancing the security of the sub-network. Note that "traffic" may also be called a "data flow" or simply a "flow". Documents of the related art include Japanese Laid-open Patent Publication No. 2015-91106, Japanese Laid-open Patent Publication No. 2014-236461, Japanese National Publication of International Patent Application No. 2008-508805, Japanese Laid-open Patent Publication No. 2006-254137, and Japanese Laid-open Patent Publication No. 2014-230157.

SUMMARY

權(quán)利要求

1
What is claimed is:1. A firewall control device configured to control a plurality of firewall devices provided between a core network and a plurality of sub-networks respectively, the plurality of firewall devices being configured to discard received data based on discarding flow entries defining discarding of data, the firewall control device comprising:a memory; anda processor coupled to the memory and configured to:receive, from the plurality of firewall devices, data amount information indicating an amount of the data discarded in the plurality of firewall devices, based on the discarding flow entries, respectively and node information indicating a transmission source node of the discarded data,identify, based on the data amount information and the node information, data flows including the discarded data which are transmitted from an information processing device indicated by the node information as a single source device of the data flows and of which total sum of the amount of the data discarded at the plurality of firewall devices respectively exceeds a threshold value, andset, in a first firewall device which is included in the plurality of firewall devices and which is provided between the core network and the information processing device, a first discarding flow entry defining discarding of data of the identified data flows.2. The firewall control device according to claim 1, whereinthe memory is configured to store therein the discarding flow entries set in the plurality of firewall devices, andthe processor is further configured to:modify the node information of a second discarding flow entry to the node information of the identified first data flow when the second discarding flow entry specifying a processing method contradictory to a data processing method specified in the first discarding flow entry is stored in the memory, andset the modified second discarding flow entry in the first firewall device.3. 
The firewall control device according to claim 2, wherein the node information further indicates a transmission destination node of the discarded data.4. The firewall control device according to claim 3, wherein the processor is further configured to:determine a number of the discarding flow entries for the first data flow in which the total amount of the discarded data for each combination of the transmission source node and the transmission destination node exceeds the threshold value,determine a number of the discarding flow entries for a second data flow in which the total amount of the discarded data for each of the transmission source node exceeds the threshold value,select a data flow having a smaller number of the discarding flow entries, from the first data flow and the second data flow,generate a discarding flow entry specifying discarding of data of the selected data flow, andset, as the first discarding flow entry, the generated discarding flow entry in the first firewall device.5. The firewall control device according to claim 1, wherein the processor is further configured to:generate an entry setting request message including information of the first discarding flow entry, andtransmit the entry setting request message to the first firewall device.6. 
A method using a control device configured to control a plurality of firewall devices provided between a core network and a plurality of sub-networks respectively, the plurality of firewall devices being configured to discard received data based on discarding flow entries defining discarding of data, the method comprising:receiving, by the control device, from the plurality of firewall devices, data amount information indicating an amount of the data discarded in the plurality of firewall devices, based on the discarding flow entries, respectively and node information indicating a transmission source node of the discarded data;identifying, by the control device, based on the data amount information and the node information, data flows including the discarded data which are transmitted from an information processing device indicated by the node information as a single source device of the data flows and of which total sum of the amount of the data discarded at the plurality of firewall devices respectively exceeds a threshold value; andsetting, by the control device, in a first firewall device which is included in the plurality of firewall devices and which is provided between the core network and the information processing device, a first discarding flow entry defining discarding of data of the identified data flows.7. The method according to claim 6 further comprising:storing, by the control device, the discarding flow entries set in the plurality of firewall devices;modifying, by the control device, the node information of a second discarding flow entry to the node information of the identified first data flow when the second discarding flow entry specifying a processing method contradictory to a data processing method specified in the first discarding flow entry is stored in the memory; andsetting, by the control device, the modified second discarding flow entry in the first firewall device.8. 
The method according to claim 7, wherein the node information further indicates a transmission destination node of the discarded data.9. The method according to claim 8 further comprising:determining, by the control device, a number of the discarding flow entries for the first data flow in which the total amount of the discarded data for each combination of the transmission source node and the transmission destination node exceeds the threshold value;determining, by the control device, a number of the discarding flow entries for a second data flow in which the total amount of the discarded data for each of the transmission source node exceeds the threshold value;selecting, by the control device, a data flow having a smaller number of the discarding flow entries, from the first data flow and the second data flow;generating, by the control device, a discarding flow entry specifying discarding of data of the selected data flow; andsetting, by the control device, as the first discarding flow entry, the generated discarding flow entry in the first firewall device.10. The method according to claim 6 further comprising:generating, by the control device, an entry setting request message including information of the first discarding flow entry; andtransmitting, by the control device, the entry setting request message to the first firewall device.
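The following is an added worked example, not Fujitsu's code or anything from the patent itself, that models the control logic described in the abstract and in claims 1, 3 and 4: each firewall reports how much data its existing discard entries dropped, keyed by source node (and destination node, per claim 3); the controller sums those reports across all firewalls and, for every source whose total exceeds the threshold, pushes a discard entry to the firewall sitting between the core network and that source, so the data is dropped before it crosses the core rather than separately at each victim firewall. Claim 4's choice between per-source and per-(source, destination) entries is implemented as "push the smaller set". The topology in SUBNETS, the report format, the "*" wildcard, the report values and the tie-break rule are all assumptions made for the example.

```python
"""Toy firewall control device (FWC): aggregate discard reports from many
FWs and push a discard entry back to the FW nearest the offending source.
Added example; topology, report format and tie-break are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


# Assumed topology: FW id -> hosts in the sub-network it protects.  Each host
# is behind exactly one controlled FW; hosts on the core network are behind none.
SUBNETS = {
    "fw1": {"10.1.0.5", "10.1.0.6"},
    "fw2": {"10.2.0.7"},
    "fw3": {"10.3.0.8"},
}


@dataclass(frozen=True)
class DiscardReport:
    """One FW's report: data amount information plus node information."""
    fw: str       # reporting FW
    src: str      # transmission source node of the discarded data
    dst: str      # transmission destination node (claim 3)
    nbytes: int   # bytes discarded by that FW's existing discard entries


@dataclass(frozen=True)
class DiscardEntry:
    """A discarding flow entry to set in `fw`; dst "*" matches any destination."""
    fw: str
    src: str
    dst: str


def source_firewall(src):
    """The FW between the core network and `src` (claim 1's 'first firewall
    device'), or None when no controlled FW is upstream of `src`."""
    for fw, hosts in SUBNETS.items():
        if src in hosts:
            return fw
    return None


def aggregate(reports):
    """Total discarded bytes per source node and per (src, dst) pair,
    summed over every reporting FW."""
    per_src = defaultdict(int)
    per_pair = defaultdict(int)
    for r in reports:
        per_src[r.src] += r.nbytes
        per_pair[(r.src, r.dst)] += r.nbytes
    return per_src, per_pair


def candidate_entries(reports, threshold):
    """Claim 4's two candidate sets: one coarse entry per over-threshold
    source, and one fine entry per over-threshold (src, dst) pair.  Sources
    with no upstream controlled FW cannot be pushed back and are skipped."""
    per_src, per_pair = aggregate(reports)
    coarse, fine = [], []
    for src, total in sorted(per_src.items()):
        fw = source_firewall(src)
        if total > threshold and fw is not None:
            coarse.append(DiscardEntry(fw, src, "*"))
    for (src, dst), total in sorted(per_pair.items()):
        fw = source_firewall(src)
        if total > threshold and fw is not None:
            fine.append(DiscardEntry(fw, src, dst))
    return coarse, fine


def plan(reports, threshold):
    """Select the smaller candidate set (claim 4).  Assumed tie-break: the
    coarse set, which never matches less traffic than the fine one."""
    coarse, fine = candidate_entries(reports, threshold)
    return fine if len(fine) < len(coarse) else coarse


# Constructed reports.  10.1.0.5 is dropped at two victim FWs, each below the
# threshold alone but above it in total; 198.51.100.9 is on the core network,
# so no controlled FW is upstream of it.
REPORTS = [
    DiscardReport("fw2", "10.1.0.5", "10.2.0.7", 600),
    DiscardReport("fw3", "10.1.0.5", "10.3.0.8", 500),
    DiscardReport("fw3", "10.2.0.7", "10.3.0.8", 1200),
    DiscardReport("fw1", "10.3.0.8", "10.1.0.6", 100),
    DiscardReport("fw1", "198.51.100.9", "10.1.0.5", 5000),
]

if __name__ == "__main__":
    coarse, fine = candidate_entries(REPORTS, 1000)
    print("per-source entries:", coarse)
    print("per-pair entries:  ", fine)
    print("pushed (claim 4):  ", plan(REPORTS, 1000))
```

With the constructed reports and a threshold of 1000, the per-source set holds two entries (10.1.0.5 at fw1, 10.2.0.7 at fw2) and the per-pair set one, so claim 4's rule pushes only the pair entry and leaves 10.1.0.5, whose drops are spread over two destinations, unblocked; the per-source set costs one more entry but covers it. Two caveats a practitioner would check before deploying such a controller: the source node in the reports is a field the sender controls, so discarded packets with a spoofed source can cause the controller to push an entry that blocks a legitimate host, and a source with no controlled firewall upstream of it (198.51.100.9 here) cannot be pushed back at all, which the example handles by skipping it.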