CN100470518C - Address conversion method, access control method, and device using these methods - Google Patents


Info

Publication number
CN100470518C
Authority
CN
China
Prior art keywords
address
access control
address mapping
rule
world wide
Legal status
Expired - Fee Related
Application number
CNB200580000330XA
Other languages
Chinese (zh)
Other versions
CN1774705A
Inventor
松浦克智
Current Assignee
Nippon Telegraph and Telephone Corp
Original Assignee
Nippon Telegraph and Telephone Corp
Events
Application filed by Nippon Telegraph and Telephone Corp
Publication of CN1774705A
Application granted
Publication of CN100470518C
Expired - Fee Related (current legal status)

Abstract

Conventional address translation techniques cannot allow multiple terminal devices to be accessed using the same port number, because they can associate one port number with only one device when the terminals do not support encapsulation. According to the present invention, access from a global network to a private network is restricted in accordance with an access control rule established for each device or network sending a packet. Furthermore, address translation is performed in accordance with address translation rules established on a per-sending-device basis, providing communication between the global network and the private network. When a connection request is received from the global network and authentication of the request succeeds, an access control rule is established on a per-sending-device or per-sending-network basis and recorded. After the communication ends, the added access control rule and address translation rule are deleted.

Description

Address conversion method, access control method, and device using these methods
Technical field
The present invention relates to address translation technology and access control technology (firewall technology) used so that a terminal on a private network, which has no address on the global network, can communicate over that global network.
Background technology
Address translation technology (NAT, Network Address Translation) is known. It is placed between a global network and a private network, for example between a wide-area network (WAN) such as the Internet and a local area network (LAN) such as Ethernet (registered trademark). It converts the destination address of packets arriving from terminal devices on the WAN from a global IP address to a private address in the LAN, and converts the source address of packets sent from terminal devices in the LAN towards the WAN from a private address to a global IP address, so that several terminal devices that possess only private LAN addresses can share one global IP address to access the WAN. In addition, to protect resources in the LAN, there is access control technology (firewall technology) that inspects the destination and source of packets from the WAN according to a configured security policy and passes only permitted packets into the LAN. Relay devices that have both an address translation function and an access control function, address conversion devices that have only an address translation function, and firewall devices that have only an access control function are known.
In existing address translation technology, there is a technique that assigns access from the Internet to terminal devices according to the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port number, so that terminal devices in the LAN can be accessed from the Internet (see, for example, Patent Document 1). However, because such an address conversion device uses the TCP or UDP port number to assign Internet access to terminal devices, only one terminal device can correspond to one port number, and multiple terminal devices cannot be accessed with the same port number. For example, multiple servers cannot be published on the default port of http (HyperText Transport Protocol), port 80. Furthermore, for communication that is neither TCP nor UDP and has no port number (for example IPsec (Security Architecture for Internet Protocol) or ICMP (Internet Control Message Protocol)), multiple terminal devices cannot be published at all; because IPsec packets can be directed to only one terminal device, IPsec cannot be used by multiple terminal devices at the same time. The same holds when the communication is initiated from the LAN towards the Internet, so it is difficult to use IPsec from terminal devices in the LAN. To address this, there is also a technique that encapsulates IPsec packets in UDP packets for transport (see, for example, Patent Document 2). However, with address translation that relies on such encapsulation, both sides of the IPsec communication must support encapsulating packets in UDP, and communication with a terminal that does not support encapsulation is not possible.
On the other hand, in access control technology, there is also a technique that allows the security policy set in a firewall device to be changed from the Internet, provided the user's access has been verified through authentication (see, for example, Patent Document 3). The technique of Patent Document 3 is described with reference to Fig. 1. When a user of a user terminal 220 connected to the Internet (WAN) 200 wants to change an access control rule in the access control list 900a of a firewall device 900, the user terminal 220 sends an authentication request to an authentication server 390 connected to the LAN 300. The port number of the authentication server 390 is recorded in the access control list 900a as a condition under which any packet is passed. The authentication request contains the user's ID (identification information) and the user's signature data, together with the access content to be performed, such as the terminal's own IP address or port number and the IP address or port number of the access target.
The authentication server 390 verifies the received authentication request and, if verification succeeds, requests the firewall device 900 to set the access content contained in the request into the access control list 900a. Thus, for example, if the request concerns access from the user terminal 220 to a web server 310 connected to the LAN 300, the user can access the web server 310 from the user terminal 220 and, for example, download content. Then, once a specified period has elapsed, or when the access exceeds the specified period, the access permission that was set in the access control list 900a from outside the firewall device is reverted.
Patent Document 1: Japanese Unexamined Patent Application Publication No. 2002-185517
Patent Document 2: Japanese Unexamined Patent Application Publication No. 2002-232450
Patent Document 3: Japanese Unexamined Patent Application Publication No. 2003-132020
In existing address translation technology, between terminals that do not support encapsulation, only one terminal device can correspond to one port number, so multiple terminal devices cannot be accessed with the same port number.
In existing access control technology, the security policy can be changed dynamically, which is convenient. However, the user device that made the authentication request, or a device impersonating it, can still gain access after the communication that was the original purpose of the access has ended (for example, after a content download from the web server in the LAN has finished), because the permission remains until the specified period has elapsed, and this may allow unauthorized access. In this respect, security cannot be guaranteed.
Summary of the invention
Regarding address translation technology, the object of the present invention is to provide an address translation technique that, even between terminals that do not support encapsulation, can publish multiple servers with the same port number and can carry out multiple communications even with protocols that have no port number. Regarding access control technology, its object is to provide an access control technique that can guarantee security even when the security policy, that is, the pass conditions, is changed dynamically.
In the present invention, a database section records an access control rule decided for each source device or source network on the global-network side, and an address translation rule decided for each source device. When a packet is received from the global-network side, access from the global network to the private network is restricted according to an access control rule that includes source information. In addition, the destination address is converted according to an address translation rule that includes source information, and the information from the global-network side is sent to the private-network side. When a packet is received from the private-network side, the source address is converted according to an address translation rule that includes source information, and the information from the private-network side is sent to the global-network side.
For an access request from the global-network side, when an access control rule and an address translation rule between the destination and the source of the desired communication are to be added to or deleted from the database section, authentication is performed. If authentication succeeds, an access control rule is decided for each source device or each source network, an address translation rule is decided for each source device, and both are recorded in the database section. When the communication ends, the added access control rule and address translation rule are deleted from the database section.
For an access request from the private-network side, when the database section holds no access control rule and address translation rule between the destination and the source of the desired communication, an access control rule and an address translation rule are decided for each source and recorded in the database section. When the communication ends, the added access control rule and address translation rule are deleted from the database section.
For the authentication described above, there is a method in which it is performed by an authentication processing section inside the relay device, and a method in which an authentication server is placed on the global network and only that authentication server may request the relay device to add access control rules (that is, to set pass conditions in the firewall device).
The method described above may also be applied only to address translation rules, giving an address translation method, or only to access control rules, giving a firewall method. Furthermore, for the firewall technique, when a secure session is established, the communication conditions of that session are notified to the requesting source over that secure session.
According to the present invention, different access control rules and address translation rules can be used for packets with different source addresses. Therefore, multiple servers in the private network can be published with the same port number, and multiple terminals in the private network can communicate simultaneously using a protocol that has no port number.
When a packet is received from a terminal in the private network and no access control rule and address translation rule are registered for that packet, an access control rule and an address translation rule for that packet are added. Thus, the access control rules and address translation rules for communication initiated from a terminal in the private network are registered automatically, and communication is possible without registering access control rules and address translation rules in advance.
Regarding access control technology, the pass conditions of the firewall device can be changed dynamically from outside the firewall device, so that packets from the corresponding user terminal can pass through the firewall device. When the secure session is cut off, the permission (access control rule) is cancelled. Therefore, unauthorized packets sent after the session is cut off cannot pass through the firewall. In addition, when the communication conditions of the established session are notified to the requesting source, the requesting source can monitor for unauthorized communication.
Furthermore, when changes to the firewall device settings or to the address translation rules are accepted only from a specified authentication server, access control or address translation can be changed while port scans from the global network that probe for the existence of devices or servers are prevented.
Description of drawings
Fig. 1 shows the system configuration used to explain a conventional firewall device.
Fig. 2 shows an example of the functional structure of the relay device of embodiment 1.
Fig. 3 shows the initial state of the access control list in embodiment 1.
Fig. 4 shows the initial state of the address mapping table in embodiment 1.
Fig. 5 shows the processing flow of embodiment 1.
Fig. 6 shows the access control list after an access control rule has been added in embodiment 1.
Fig. 7 shows the address mapping table after an address translation rule has been added in embodiment 1.
Fig. 8 shows the structure of a first relay device and a second relay device that can communicate via the Internet, together with the LANs and terminals connected to them.
Fig. 9 shows the processing flow of embodiment 2.
Figure 10 shows the access control list added to the first relay device in embodiment 2.
Figure 11 shows the address mapping table added to the first relay device in embodiment 2.
Figure 12 shows the access control list added to the second relay device in embodiment 2.
Figure 13 shows the address mapping table added to the second relay device in embodiment 2.
Figure 14 shows an example of the functional structure of the relay device of embodiment 3 when an authentication server on the WAN is used.
Figure 15 shows the initial state of the access control list of embodiment 3.
Figure 16 shows the initial state of the address mapping table of embodiment 3.
Figure 17 shows the structure of the authentication server and terminal on the Internet and the terminal or server on the LAN in embodiment 3.
Figure 18 shows the processing flow of embodiment 3.
Figure 19 shows the access control rule that the authentication server of embodiment 3 requests to be added.
Figure 20 shows the address translation rule that the authentication server of embodiment 3 requests to be added.
Figure 21 shows the access control list of embodiment 3 after the access control rule has been added.
Figure 22 shows the address mapping table of embodiment 3 after the address translation rule has been added.
Figure 23 shows an example of the functional structure of the address conversion device of embodiment 4.
Figure 24 shows the initial state of the address mapping table of embodiment 4.
Figure 25 shows the address mapping table of embodiment 4 after a rule has been added.
Figure 26 shows the processing flow of the address conversion device of embodiment 4 before communication starts.
Figure 27 shows the processing flow of the address conversion device of embodiment 4 after communication starts.
Figure 28 shows an example of the functional structure of a firewall device.
Figure 29 shows the processing flow of the firewall device.
Figure 30 shows the initial state of the access control list (pass condition table) of embodiment 5.
Figure 31 shows the access control list (pass condition table) of embodiment 5 after an access control rule (pass condition) has been added.
Figure 32 shows the access control list (pass condition table) of embodiment 6 after an access control rule (pass condition) has been added.
Figure 33 shows the access control list (pass condition table) of embodiment 7 after an access control rule (pass condition) has been added.
Figure 34 shows the processing flow of the firewall device of embodiment 8.
Embodiment
Embodiments of the invention are described below with reference to the accompanying drawings. The same structural elements in the figures are given the same reference labels, and repeated description is omitted.
[embodiment 1]
Fig. 2 shows an example of the functional structure of the relay device 10 of embodiment 1.
In Fig. 2, the relay device 10 of this embodiment comprises: a WAN interface section 11, which sends and receives packets to and from a wide-area network (WAN) 200 such as the Internet; a LAN interface section 12, which sends and receives packets to and from a LAN 300; an access control section 13, which analyzes the packets received by the WAN interface section 11 and the LAN interface section 12 and performs access control; an address translation section 14, which analyzes the packets that the access control section 13 has permitted to pass and performs address translation between the LAN and the WAN side; and a database section 16, which stores the data used for access control, the data used for address translation, and the data used for authentication.
The relay device 10 has an access control function (firewall function). Based on the access control list recorded in the database section 16, shown in Fig. 3, the access control section 13 decides whether a packet received by the WAN interface section 11 is sent to the LAN side via the LAN interface section 12.
In Fig. 3, the 'source IP address' column gives the source IP address of a packet received by the WAN interface section 11; the 'protocol, source port number' column gives the protocol name of such a packet and, when that protocol uses port numbers, its source port number; the 'destination IP address' column gives the destination IP address of the packet; the 'protocol, destination port number' column gives the protocol name and, when that protocol uses port numbers, the destination port number; and the 'action' column gives the action applied to the packet when its source and destination values match each value in that row.
The protocol names used in the 'protocol, source port number' and 'protocol, destination port number' columns may be predefined protocol names or the protocol names that correspond to port numbers.
For example, the first row of Fig. 3 indicates that, regardless of source IP address and port number, a packet whose destination IP address is '111.111.111.2' and whose protocol name is 'http (HyperText Transport Protocol, for example TCP (Transmission Control Protocol) port 80)' is sent to the LAN side (pass: accept).
Similarly, the second row of Fig. 3 indicates that a packet with source IP address '123.123.123.1', destination IP address '111.111.111.2' and protocol name 'SSH (Secure Shell, for example TCP port 22)' is sent to the LAN side, and the third row indicates that all other packets are discarded (discard: drop).
The access control section 13 checks the table from the top row to see whether the received packet matches a row; if it matches, the specified action is performed and processing of that packet ends. That is, in the table of Fig. 3, the conditions set in higher rows take precedence.
The relay device 10 records the address mapping table shown in Fig. 4 in the database section 16. Based on this address mapping table, the address translation section 14 converts the destination IP address of packets that were received by the WAN interface section 11 and accepted by the access control section 13 into IP addresses inside the LAN, and sends them to the LAN side via the LAN interface section 12.
It also converts the source IP address of packets received by the LAN interface section 12 into the IP address of the WAN (global address) and outputs them to the access control section 13. The access control section 13 sends permitted packets to the WAN side via the WAN interface section 11.
In Fig. 4, the 'source IP address' column gives the source IP address of a packet received by the WAN interface section 11; the 'destination IP address' column gives its destination IP address; the 'protocol, destination port number' column gives its protocol name and, when that protocol uses port numbers, its destination port number; the 'private IP address' column gives the private LAN address that is set as the packet's destination IP address when the packet's source and destination values match each value in that row; and the 'protocol and port number' column gives the port number that is set as the packet's destination port number when they match. The value 'any' means that the address may be anything.
For example, the first row of Fig. 4 indicates that, regardless of source IP address, a packet with destination IP address '111.111.111.2' and destination port number 'TCP80 (http)' is sent to the LAN side with its destination IP address rewritten to '192.168.100.5' and its destination port number left unchanged.
The second row of Fig. 4 indicates that a packet with source IP address '123.123.123.1', destination IP address '111.111.111.2' and destination port number 'TCP22 (SSH)' is sent to the LAN side with its destination IP address rewritten to '192.168.100.5' and its destination port number left unchanged.
With such settings, access from the WAN side to a particular port, or access using a protocol that has no ports, can be distributed to terminals in the LAN.
Here, the address translation section 14 searches the address mapping table of Fig. 4 from the top row; if the received packet matches a row, the specified action is performed and processing of that packet ends. That is, in the address mapping table of Fig. 4, the conditions set in higher rows take precedence.
Fig. 4 shows the initial state of the address mapping table (the state in which no terminal is communicating). In response to a communication request from a terminal in the LAN or a request from a terminal on the WAN side, the relay device 10 adds access control rules to the access control list of Fig. 3 and address translation rules to the address mapping table of Fig. 4.
This is described in detail with Fig. 5. When the access control section 13 receives, via the WAN interface section 11, an https (HyperText Transfer Protocol Security) access request packet addressed to the device's own global address (step S1), it establishes an SSL (Secure Socket Layer) session with the source terminal (step S2). If the session is established normally, the IP address of the source terminal obtained when establishing the session is stored (step S3). Then, for user authentication, an html file for entering the user's identification information and password is encrypted and sent to the requesting terminal via the WAN interface section 11 (step S4).
The access control section 13 receives the encrypted user identification information and password from the requesting terminal (step S5). It then decrypts them, sends the user identification information and password to the authentication processing section 15, and requests user authentication.
On receiving the user identification information and password, the authentication processing section 15 searches the user information stored in the database section 16 for a user whose identification information matches the received identification information. If a matching user is found, the stored password of that user is compared with the received password (step S6). If the passwords match, the authentication processing section 15 sends 'authentication normal' to the access control section 13. If no matching user is found, or the passwords do not match, it sends 'authentication abnormal' to the access control section 13 (step S7).
When the access control section 13 receives 'authentication normal' from the authentication processing section 15, it encrypts an html file for entering the private address inside the LAN of the server to be accessed, the protocol, the port number and so on, and sends it to the requesting terminal via the WAN interface section 11 (step S9).
The access control section 13 receives the encrypted private address, protocol and port number from the requesting terminal (step S10). It then decrypts them and adds to the access control list in the database section 16 an access control rule whose 'source IP address' is the stored source IP address of the https access request packet and whose 'protocol, destination port number' is the received protocol and port number (step S11). The access control section 13 also sends the source IP address of the https access request packet, the received private address, the protocol and the port number to the address translation section 14 and requests the addition of an address translation rule. On receiving this request, the address translation section 14 adds to the address mapping table in the database section 16 an address translation rule whose 'source IP address' is the source IP address of the https access request packet, whose 'private IP address' is the received private address, and whose 'protocol, destination port number' is the received protocol and port number (step S12).
For example, when, according to an https access request packet from a terminal with source IP address '111.222.234.123', the destination IP address of packets with destination IP address '111.111.111.2' and destination port number 'TCP22' is to be rewritten to the private IP address '192.168.100.4', an access control rule for the terminal that made the https access is added at the top of the table of Fig. 3, as shown in Fig. 6. Likewise, as shown in Fig. 7, an address translation rule for the terminal that made the https access is added at the top of the table of Fig. 4.
As a result, packets with source IP address '111.222.234.123', destination IP address '111.111.111.2' and destination port number 'TCP22' pass the access control section 13, and the address translation section 14 rewrites their destination IP address to 192.168.100.4 and sends them to the LAN. Packets with other source IP addresses and destination port number 'TCP22' are discarded by the access control section 13.
The access control section 13 then encrypts and sends to the terminal an html file stating that authentication was normal and the address translation has been set, and showing the private address, protocol, port number and so on of the translation destination inside the LAN (step S13). A program that makes the terminal access the relay device 10 at a predetermined fixed interval is embedded in this html file.
The terminal decodes and displays the html file it received, so the user can confirm the address translation information that was set. In addition, through the program embedded in the html file, the terminal starts sending a signal to the relay device 10 at regular intervals.
In this way, the access control rule and the address translation rule are set, and communication with the terminal in the LAN is carried out. When the user ends the communication, the user selects the end-communication button on the screen displayed from the html file received from the relay device 10, closes the browser displaying the html file, or shuts down the terminal displaying the html file (power off, disconnection, and so on).
When the access control section 13 of the relay device 10 receives the communication-end packet, or detects that the browser has been closed or the terminal shut down because no signal has arrived from the terminal for a fixed time (step S14), it returns the rewritten table shown in Fig. 6 to the initial state shown in Fig. 3, and sends the source IP address, destination IP address and protocol to the address translation section 14 to notify it that the communication has ended (step S15). On receiving the end-of-communication notice, the address translation section 14 returns the rewritten table shown in Fig. 7 to the initial state shown in Fig. 4 (step S16).
As described above, in this embodiment, access control rules and address translation rules that use the source IP address are set in the access control list and the address mapping table. Therefore, even when the destination port number is the same, each server can be assigned according to the source IP address, and even for a protocol without port numbers, communication with each terminal can be carried out according to the source IP address.
In this embodiment, the addition of address translation rules and access control rules is accepted through https access, but http, SIP (Session Initiation Protocol), SSH, telnet and the like may also be used.
[embodiment 2]
When the relay device 10 shown in embodiment 1 receives the first packet of IPsec communication from a terminal in the LAN (Local Area Network), an address translation rule consisting of the destination IP address and the source IP address (the private-side address becomes the source) is added to the address translation table, so that a plurality of terminals in the LAN can each carry out IPsec communication. Figure 8 shows the structure of a first relay device 10a and a second relay device 10b that can communicate via the Internet, together with the LANs and terminals connected to them. Below, using Figure 9, IPsec communication between a terminal in LAN300 and a terminal in LAN400 is described.
First, terminal 410a sends an https access request packet to the first relay device 10a so that the address translation rule needed for IPsec communication with terminal 310a in LAN300 is added to the address translation table of the first relay device 10a.
When the first relay device 10a receives the https access request packet, it establishes an SSL session with the sending terminal (step S21) and authenticates the user (step S22). If the user is authenticated, it sends the requesting terminal 410a an HTML file for entering the private address, protocol, port number and so on of the server inside the LAN to be accessed. A program that causes the terminal to access the relay device 10a at predetermined intervals is embedded in this HTML file.
Terminal 410a displays the received HTML file (step S23) and has the user enter the access destination information. In this case the private IP address 192.168.100.2 of the terminal 310a to be connected to is entered, and IPsec is entered as the protocol. Terminal 410a sends the entered private address and protocol to the first relay device 10a.
When the first relay device 10a receives the private address and protocol, it adds the access control rule shown in Figure 10, with the source IP address of the https access request packet recorded in the database unit 16 (the IP address 111.222.234.123 of the second relay device 10b) as 'source IP address', IPsec as 'protocol, source port number', the device's own global address 211.250.250.100 as 'destination IP address', and IPsec as 'protocol, destination port number'. It also adds the address translation rule shown in Figure 11, with the source IP address of the https access request packet as 'source IP address', the device's own global address 211.250.250.100 as 'destination IP address', IPsec as 'protocol, destination port number', and 192.168.100.2 as 'private IP address' (step S24).
When terminal 410a sends its first IPsec packet through the second relay device 10b, the address translation unit 14 of the second relay device 10b checks whether an address translation rule for this IPsec communication is registered in the address translation table. Specifically, it searches for an address translation rule whose source IP address matches the destination IP address of the packet and whose private IP address matches the source IP address of the packet (step S26).
If an address translation rule matching these conditions exists, the source IP address of the packet is rewritten to the destination IP address of that rule (step S27), and the rewritten packet is sent out via the access control unit 13.
If no address translation rule matches these conditions, the address translation rule shown in Figure 12 is added, with the destination IP address of the packet as 'source IP address', the device's own IP address (111.222.234.123 in this case) as 'destination IP address', IPsec as 'protocol, destination port number', and the source IP address of the packet (192.168.20.2 in this case) as 'private IP address'. In addition, the address translation unit 14 requests the access control unit 13 to add an access control rule that permits IPsec packets with source IP address 211.250.250.100 and destination IP address 111.222.234.123 to pass. The access control unit 13 adds the access control rule shown in Figure 13.
When the addition of the access control rule by the access control unit 13 is complete, the address translation unit 14 rewrites the source IP address of the received packet to the device's own global IP address (111.222.234.123 in this case) and sends the rewritten packet out via the access control unit 13. Thereafter, communication by IPsec is carried out between terminal 310a and terminal 410a.
When the IPsec communication ends, the user of terminal 410a selects the end-of-communication button on the screen of the HTML file received from the first relay device 10a, closes the window displaying the HTML file, or shuts down the terminal displaying the HTML file (step S30).
When the access control unit 13 of the first relay device 10a detects that the browser was closed or the terminal shut down, either from reception of the end-of-communication packet or from the absence of the signal from terminal 410a for a certain time (step S31), it deletes the access control rule shown in Figure 10. It also notifies the address translation unit 14 of the end of the communication with source IP address 111.222.234.123, destination IP address 211.250.250.100 and protocol IPsec. On receiving the end-of-communication notification, the address translation unit 14 deletes the address translation rule shown in Figure 11 (step S32).
Likewise, when the access control unit 13 of the second relay device 10b detects that the browser was closed or the terminal shut down, either from reception of the end-of-communication packet or from the absence of the signal from terminal 410a for a certain time (step S33), it deletes the access control rule shown in Figure 13. It also notifies the address translation unit 14 of the end of the communication with source IP address 211.250.250.100, destination IP address 111.222.234.123 and protocol IPsec. On receiving the end-of-communication notification, the address translation unit 14 deletes the address translation rule shown in Figure 12 (step S34).
As described above, in this embodiment the access control rule and the address translation rule that use the source IP address are set in the access control table and the address translation table respectively. Therefore, even when the destination port number is the same, packets can be assigned to different servers by source IP address, and even with a protocol that has no port number, communication with each terminal can be carried out by source IP address.
In addition, even when no address translation rule is registered for the destination IP address and source IP address of an IPsec packet received from the LAN side, an address translation rule for IPsec communication initiated by a terminal in the LAN is registered automatically, so IPsec communication can be carried out without registering an address translation rule in advance.
In this embodiment the address translation rule and access control rule are added on the basis of the first packet of IPsec communication, but they may also be added on the basis of the first packet of IKE (Internet Key Exchange) or the like.
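As an added illustration, not code from the patent, the following Python models the address translation unit and access control unit of the second relay device 10b in steps S26, S27, S33 and S34: the lookup of a LAN-originated IPsec packet against the table, automatic registration of the Figure 12 and Figure 13 rules when nothing matches, source rewriting to the device's global address, and deletion at the end of communication. The addresses are those of the description; the placement of added rules above a drop-all row and the constructed peer address 198.51.100.7 are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = 'any'


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str  # 'ipsec' carries no port number


@dataclass(frozen=True)
class MappingRule:
    """One row of the address translation table (Figure 12 layout)."""
    src_ip: str      # remote global address
    dst_ip: str      # this device's global address
    proto: str
    private_ip: str  # terminal inside the LAN


@dataclass(frozen=True)
class AccessRule:
    """One row of the access control table (Figure 13 layout)."""
    src_ip: str
    dst_ip: str
    proto: str
    action: str  # 'accept' or 'drop'


def _match(rule_value: str, packet_value: str) -> bool:
    return rule_value == ANY or rule_value == packet_value


class IPsecRelay:
    """Address translation unit 14 and access control unit 13 of relay device 10b."""

    def __init__(self, global_ip: str) -> None:
        self.global_ip = global_ip
        self.mapping_table: List[MappingRule] = []
        # Assumption: initially nothing from the WAN is permitted (a drop-all row
        # like the last row of Figure 15); added rules go above it because the
        # table is matched from the top row down.
        self.access_table: List[AccessRule] = [AccessRule(ANY, ANY, ANY, 'drop')]

    def _find_rule_for_lan_packet(self, pkt: Packet) -> Optional[MappingRule]:
        # Step S26: rule whose source IP equals the packet's destination IP and
        # whose private IP equals the packet's source IP.
        for rule in self.mapping_table:
            if (rule.src_ip == pkt.dst_ip and rule.private_ip == pkt.src_ip
                    and rule.proto == pkt.proto):
                return rule
        return None

    def handle_lan_packet(self, pkt: Packet) -> Packet:
        rule = self._find_rule_for_lan_packet(pkt)
        if rule is None:
            # Figure 12: register the translation from the first packet.
            rule = MappingRule(pkt.dst_ip, self.global_ip, pkt.proto, pkt.src_ip)
            self.mapping_table.insert(0, rule)
            # Figure 13: permit the remote peer's IPsec packets back in.
            self.access_table.insert(
                0, AccessRule(pkt.dst_ip, self.global_ip, pkt.proto, 'accept'))
        # Step S27: rewrite the source to the rule's destination (our global IP).
        return Packet(rule.dst_ip, pkt.dst_ip, pkt.proto)

    def _access_action(self, pkt: Packet) -> str:
        # First matching row from the top decides.
        for rule in self.access_table:
            if (_match(rule.src_ip, pkt.src_ip) and _match(rule.dst_ip, pkt.dst_ip)
                    and _match(rule.proto, pkt.proto)):
                return rule.action
        return 'drop'

    def handle_wan_packet(self, pkt: Packet) -> Optional[Packet]:
        """Returns the packet forwarded into the LAN, or None if discarded."""
        if self._access_action(pkt) != 'accept':
            return None
        for rule in self.mapping_table:
            if (rule.src_ip == pkt.src_ip and rule.dst_ip == pkt.dst_ip
                    and rule.proto == pkt.proto):
                return Packet(pkt.src_ip, rule.private_ip, pkt.proto)
        return None  # assumption: accepted but untranslatable packets are discarded

    def end_communication(self, remote_ip: str, proto: str = 'ipsec') -> None:
        # Steps S33 and S34: remove both rules for this peer.
        self.access_table = [r for r in self.access_table if not (
            r.src_ip == remote_ip and r.dst_ip == self.global_ip and r.proto == proto)]
        self.mapping_table = [r for r in self.mapping_table if not (
            r.src_ip == remote_ip and r.dst_ip == self.global_ip and r.proto == proto)]
```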
[embodiment 3]
In embodiments 1 and 2, authentication of the terminal on the WAN side is performed by the authentication processing unit 15 in the relay device 10, but authentication may also be performed by an authentication server on the WAN, with the access control rule and address translation rule added and deleted according to requests from that authentication server. In this way the device can be used while the accessible protocols and port numbers remain hidden from the WAN.
Figure 14 shows an example functional structure of the relay device when an authentication server on the WAN is used. The relay device 20 of Figure 14 comprises: a WAN interface unit 11, which connects to a wide area network (WAN) such as the Internet and sends and receives packets to and from the WAN; a LAN interface unit 12, which sends and receives packets to and from the LAN; an access control unit 23, which analyzes the packets received by the WAN interface unit 11 and the LAN interface unit 12 and performs access control; an address translation unit 24, which translates the addresses of packets passing between the LAN and the WAN side; and a database unit 26, which stores the data used for access control and the data used for address translation. On the WAN there is an authentication server 100, which authenticates terminals on the WAN side and requests the relay device 20 to add access control rules and the like. The authentication server 100 comprises: an interface unit 101, which communicates with terminals on the WAN side and with the relay device 20; a control unit 102, which controls the authentication server 100; an authentication processing unit 105, which performs authentication processing; and a database unit 106, which records authentication information and information on communications in progress.
The relay device 20 has a firewall function. Specifically, the access control unit 23 decides, based on the access control table shown in Figure 15 and recorded in the database unit 26, whether to forward a packet received from the WAN side into the LAN.
In Figure 15, the 'source IP address' column indicates the source IP address of a packet received by the WAN interface unit 11; the 'source port number' column indicates the source port number of the packet received by the WAN interface unit 11; the 'destination IP address' column indicates the destination IP address of the packet received by the WAN interface unit 11; the 'protocol, destination port number' column indicates the protocol name of the packet received by the WAN interface unit 11 and, when the protocol uses port numbers, its destination port number; and the 'action' column indicates the action taken on the packet when the source and destination of the packet received by the WAN interface unit 11 match each value in that row.
The protocol name used in the 'protocol, destination port number' column may be a name that corresponds to a predefined protocol name and port number.
For example, the first row of Figure 15 indicates that, regardless of source IP address and port number, a packet whose destination IP address is '123.123.123.123' and whose protocol name is 'https (HyperText Transport Protocol Security, for example TCP443)' is forwarded to the LAN side (accept).
Similarly, the second row of Figure 15 indicates that a packet whose source IP address is '211.250.250.100', destination IP address is '123.123.123.123' and protocol name is 'SSH (Secure Shell, for example TCP22)' is forwarded to the LAN side, and the third row indicates that all packets are discarded (drop).
The access control unit 23 checks whether the received packet matches this table starting from the top row; when a match is found it performs the specified action and processing of that packet ends. That is, in the table of Figure 15, the conditions set in higher rows are processed with priority.
The relay device 20 records the address translation table shown in Figure 16 in the database unit 26. Based on this table, the address translation unit 24 translates the destination IP address of a packet received from the WAN side into an IP address inside the LAN and forwards the packet into the LAN, and translates the source IP address of a packet received from the LAN side into a WAN IP address (global address) and forwards the packet to the WAN side.
In Figure 16, the 'source IP address' column indicates the source IP address of a packet received by the WAN interface unit 11; the 'destination IP address' column indicates the destination IP address of the packet received by the WAN interface unit 11; the 'protocol, destination port number' column indicates the protocol name of the packet received by the WAN interface unit 11 and, when the protocol uses port numbers, its destination port number; the 'private IP address' column indicates the private address in the LAN that is set as the destination IP address of the packet when the source and destination of the packet received by the WAN interface unit 11 match each value in that row; and the 'protocol and port number' column indicates the port number that is set as the destination port number of the packet when the source and destination of the packet received by the WAN interface unit 11 match each value in that row.
For example, the first row of Figure 16 indicates that, regardless of source IP address, a packet whose destination IP address is '123.123.123.123' and destination port number is 'TCP443 (https)' has its destination IP address rewritten to '192.168.100.5' and is forwarded to the LAN side with its destination port number unchanged.
Similarly, the second row of Figure 16 indicates that a packet whose source IP address is '211.250.250.100', destination IP address is '123.123.123.123' and destination port number is 'TCP22 (SSH)' has its destination IP address rewritten to '192.168.100.5' and is forwarded to the LAN side with its destination port number unchanged.
With such settings, access from the WAN side to a particular port, or access using a protocol that has no port, can be distributed to terminals in the LAN.
The address translation unit 24 likewise checks whether the received packet matches this table starting from the top row; when a match is found it performs the specified action and processing of that packet ends. That is, in the table of Figure 16, the conditions set in higher rows are processed with priority.
The state shown in Figure 16 is the initial state (no terminal is in communication). Address translation rules are added in response to communication requests from terminals in the LAN, or to requests from the server on the WAN side described later, and the addresses of packets from the LAN to the WAN side and from the WAN side into the LAN are translated according to the table of Figure 16 and forwarded.
Figure 17 shows the structure of the authentication server and a terminal on the Internet together with the terminals and servers on the LAN. The relay device 20 is connected to LAN300, to which terminals 310a, 310b and servers 311a, 311b are connected. The relay device 20 can add access control rules to the access control table of Figure 15 and address translation rules to the address translation table of Figure 16 only in response to requests from the authentication server 100 on the Internet 200.
The authentication server 100 records in its database unit 106 the authentication information used to authenticate the users who may access the relay device 20, and access information for each user such as the address of the relay device 20 the user is permitted to access and the access control rule and address translation rule to be added. When a request arrives from a terminal on the Internet 200, the authentication server 100 authenticates the user based on the authentication information recorded in the database unit 106, and if authentication succeeds, requests the relay device to add the access control rule and address translation rule.
For example, the case where terminal 220a on the Internet 200 communicates with server 311a is described using Figure 18. The user operating terminal 220a connects to the authentication server 100 on the Internet 200 and is authenticated. This authentication may range from simple authentication by identification information (ID) and password to more advanced authentication performed by software functions using password or biometric information. The information used for this authentication is preferably encrypted, to prevent it from leaking on the Internet.
When the authentication server 100 receives an authentication request, it stores the address of the terminal 220a that requested authentication as the source address (step S41), and authenticates the user based on the authentication information (step S42).
If the user is authenticated (step S43), the authentication server 100 requests the relay device 20 to add an access control rule and an address translation rule with the stored address of terminal 220a as the source address. For example, when only http access from terminal 220a to server 311a is to be permitted, the authentication server 100 requests the addition of the access control rule shown in Figure 19, which permits http access with the address of terminal 220a (111.222.234.123) as the source, and of the address translation rule shown in Figure 20, which changes the destination of http packets sent from the address of terminal 220a (111.222.234.123) to the address of server 311a (192.168.100.4).
When the access control unit 23 of the relay device 20 receives the request to add the access control rule and the request to add the address translation rule from the authentication server 100, it adds the received access control rule to the access control table in the database unit 26, and requests the address translation unit 24 to add the address translation rule received from the authentication server 100. On receiving the addition request from the access control unit 23, the address translation unit 24 adds the received address translation rule to the address translation table in the database unit 26 (step S44). For example, when http access from terminal 220a to server 311a is permitted, the access control rule of Figure 19 is added to the access control table of Figure 15, giving the access control table shown in Figure 21, and the address translation rule of Figure 20 is added to the address translation table of Figure 16, giving the address translation table shown in Figure 22.
When the addition of the access control rule and address translation rule is complete, the access control unit 23 returns an addition-complete response to the authentication server 100.
When the authentication server 100 receives the addition-complete response from the relay device 20, it associates the stored address of terminal 220a, the address of the relay device 20, and the added access control rule and address translation rule, and stores them as information on a communication in progress (step S45). It also sends terminal 220a access information indicating that access is now possible and the names of the permitted services (for example a network camera; an IP address and port number may also be used).
Terminal 220a displays the received information (step S46), notifying the user that access is possible and of the access information.
In this way, http access from terminal 220a is assigned to server 311a, and http access from other terminals is denied. The user, knowing that access is possible, begins communicating with the terminal or server in LAN300.
When the user communicating with a terminal or server in LAN300 finishes, the user enters end-of-communication information at terminal 220a (step S51), and the authentication server 100 is notified of the end of communication.
When the authentication server 100 receives the end-of-communication notification, it searches the information on communications in progress for an address matching the source address of the notification (step S52). If matching information exists (step S53), it requests the relay device 20 to delete the associated access control rule and address translation rule.
When the access control unit 23 of the relay device 20 receives the request to delete the access control rule and address translation rule, it deletes the received access control rule from the access control table in the database unit 26, and requests the address translation unit 24 to delete the address translation rule received from the authentication server 100. On receiving the deletion request from the access control unit 23, the address translation unit 24 deletes the corresponding address translation rule from the address translation table in the database unit 26 (step S54).
In this way, the end-of-communication notification from the user returns the access control table of the relay device 20 to the state of Figure 15 and the address translation table to the state of Figure 16. Unauthorized access exploiting the added access control rule and address translation rule can therefore be prevented.
Further, the relay device 20 need only accept requests to add or delete access control rules and address translation rules from the authentication server 100, so the access control rules and address translation rules can be changed without the ports having to be detected by port scanning.
Furthermore, because authentication is performed by the authentication server 100, it is easy to move from ID-and-password authentication to more advanced authentication.
In addition, the access control rule and address translation rule are deleted according to the end-of-communication notification from terminal 220a, but communication may also be judged to have ended, and the access control rule and address translation rule deleted, when no packet has been sent or received for more than a certain time, or when a certain time has elapsed since communication began.
The authentication server 100 may also have an http server function so that authentication, display of access information and end-of-communication notification can be performed on a web page. A SIP (Session Initiation Protocol) server may also be used as the authentication server 100.
In addition, by setting the access control rule to pass all access, the device can operate as an address translation device.
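As an added illustration of embodiments 1 and 3, not code from the patent, the following Python models the access control table of Figure 15 and the address translation table of Figure 16 with top-down first-match lookup, the addition of the per-source rules of Figures 19 and 20 in step S44, and their deletion in step S54. The http destination port TCP80, the placement of added rules at the top of each table (required so that they precede the drop-all row), and the constructed outside address 198.51.100.7 are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

ANY = 'any'
PortSpec = Union[int, str]  # a port number, None for port-less protocols, or ANY


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # 'tcp', or a port-less protocol such as 'ipsec'
    dst_port: Optional[int] = None  # None when the protocol has no port number


@dataclass(frozen=True)
class AccessRule:
    """One row of the access control table (Figure 15)."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: PortSpec
    action: str  # 'accept' or 'drop'


@dataclass(frozen=True)
class MappingRule:
    """One row of the address translation table (Figure 16)."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: PortSpec
    private_ip: str
    private_port: PortSpec  # ANY keeps the destination port number unchanged


def _match(rule_value, packet_value) -> bool:
    return rule_value == ANY or rule_value == packet_value


def _row_matches(rule, pkt: Packet) -> bool:
    return (_match(rule.src_ip, pkt.src_ip) and _match(rule.dst_ip, pkt.dst_ip)
            and _match(rule.proto, pkt.proto) and _match(rule.dst_port, pkt.dst_port))


class Relay:
    """Access control unit 23 and address translation unit 24 of relay device 20."""

    PUBLIC_IP = '123.123.123.123'

    def __init__(self) -> None:
        # Figure 15 initial state: https to the public address from anyone,
        # SSH only from 211.250.250.100, everything else dropped.
        self.access_table: List[AccessRule] = [
            AccessRule(ANY, self.PUBLIC_IP, 'tcp', 443, 'accept'),
            AccessRule('211.250.250.100', self.PUBLIC_IP, 'tcp', 22, 'accept'),
            AccessRule(ANY, ANY, ANY, ANY, 'drop'),
        ]
        # Figure 16 initial state.
        self.mapping_table: List[MappingRule] = [
            MappingRule(ANY, self.PUBLIC_IP, 'tcp', 443, '192.168.100.5', ANY),
            MappingRule('211.250.250.100', self.PUBLIC_IP, 'tcp', 22, '192.168.100.5', ANY),
        ]

    def access_action(self, pkt: Packet) -> str:
        # The first row matched from the top decides; later rows are never consulted.
        for rule in self.access_table:
            if _row_matches(rule, pkt):
                return rule.action
        return 'drop'  # assumption: a packet matching no row is dropped

    def translate_from_wan(self, pkt: Packet) -> Optional[Packet]:
        for rule in self.mapping_table:
            if _row_matches(rule, pkt):
                port = pkt.dst_port if rule.private_port == ANY else rule.private_port
                return Packet(pkt.src_ip, rule.private_ip, pkt.proto, port)
        return None  # assumption: no translation row means the packet is not forwarded

    def handle_wan_packet(self, pkt: Packet) -> Optional[Packet]:
        """Access control first, then address translation; None means discarded."""
        if self.access_action(pkt) != 'accept':
            return None
        return self.translate_from_wan(pkt)

    def grant(self, src_ip: str, proto: str, dst_port: PortSpec, private_ip: str) -> None:
        # Step S44: rules requested by the authentication server, inserted at the
        # top so they take priority over the existing rows and the drop-all row.
        self.access_table.insert(0, AccessRule(src_ip, self.PUBLIC_IP, proto, dst_port, 'accept'))
        self.mapping_table.insert(
            0, MappingRule(src_ip, self.PUBLIC_IP, proto, dst_port, private_ip, ANY))

    def revoke(self, src_ip: str, proto: str, dst_port: PortSpec, private_ip: str) -> None:
        # Step S54: remove exactly the rules that were granted.
        access = AccessRule(src_ip, self.PUBLIC_IP, proto, dst_port, 'accept')
        mapping = MappingRule(src_ip, self.PUBLIC_IP, proto, dst_port, private_ip, ANY)
        self.access_table = [r for r in self.access_table if r != access]
        self.mapping_table = [r for r in self.mapping_table if r != mapping]
```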
[embodiment 4]
From embodiment 1 to 3, use address control technology and address mapping technology to represent the functional structure and the treatment scheme of relay.In the present embodiment, only use the address mapping technology to represent address conversion device and treatment scheme.The functional structure example of Figure 23 presentation address converting means.Address conversion device 30 comprises: wan interface portion 11, LAN interface portion 12, database part 33, address mapping portion 34, authentication processing portion 35.
Database part 33 stores the data that are used for address mapping that comprise address mapping table, is used for the data of authenticated etc.
One example of Figure 24 presentation address map table.In addition, Figure 25 represents that address mapping table to Figure 24 has appended an example that comprises the address mapping table after the address mapping rule of the first IP of transmission described later address as source IP address.
In Figure 24, Figure 25, the row of ' source IP address ', (wherein, the situation of ' any ' is that the address can arbitrarily in the transmission unit IP address of the grouping that expression is received by wan interface portion 11.)。The row of ' IP address, destination ', expression is by the take over party IP address of the grouping of wan interface portion 11 receptions.The row of ' agreement, destination port numbers ', agreement and take over party's port numbers of the grouping that expression is received by wan interface portion 11.Each of the transmission unit of the grouping that the row of ' implicit IP address ', expression are received by wan interface portion 11 and take over party and this row is worth when consistent, to the specific address in the LAN of the take over party IP address setting of this grouping.The row of ' agreement and port numbers ' are illustrated in each value of the transmission unit of the grouping that is received by wan interface portion 11 and take over party and this row when consistent, to the port numbers of take over party's port numbers setting of this grouping.Address mapping portion 34 carries out the appending and deleting of the address mapping rule of address mapping table, and carries out the address mapping of the grouping that received by wan interface portion 11 and LAN interface portion 12 simultaneously based on this address mapping table.
Promptly, address mapping portion 34 is for the grouping that is received by wan interface portion 11, according to sending first IP address and take over party IP address, with reference to described address mapping table, with take over party IP address mapping is IP address (implicit IP address) in the LAN, and sends to the LAN side via LAN interface portion 12.
For example, first row at Figure 24, with to send first IP address irrelevant, take over party IP address is rewritten as ' 192.168.100.5 ', take over party port numbers constant be sent to LAN side for the grouping of ' TCP443 (https) ' with take over party IP address for ' 123.123.123.123 ' and take over party's port numbers.
Equally, second row at Figure 24, with to send first IP address irrelevant, take over party IP address is rewritten as ' 192.168.100.5 ', take over party port numbers constant be sent to LAN side for the grouping of ' TCP22 (SSH) ' with take over party IP address for ' 123.123.123.123 ' and take over party's port numbers.
In addition, address mapping portion 34 is for the grouping that is received by LAN interface portion 12, the take over party IP address of grouping is changed and reads to be source IP address, retrieval and the transmission unit identical implicit IP address in IP address that divides into groups in address mapping table, and the transmission that will divide into groups unit IP address mapping is the global ip address in the WAN, sends to the WAN side via wan interface portion 11.
In address mapping portion 34, according to the content of the grouping that receives from top row beginning with reference to described address mapping table, if consistent then carry out the action of appointment, processing end corresponding with this grouping.That is, in the address mapping table of Figure 24, Figure 25, the condition of setting in the top row becomes the condition of more preferably being handled.
Authentication processing portion 35 carries out user's authentication processing according to the request of address transformation component 34.
Figure 26, Figure 27 are the process flow diagrams of the treatment scheme of presentation address converting means, below explain the action of this address converting means in view of the above.
Address mapping portion 34 receives request of access to the http of the address of installing self (communication begin request) (step S61) from the end device 220 of WAN side via wan interface portion 11, with the IP address storage (step S62) of the transmission unit IP address of request of access grouping, send the required user's of the authentication that is used to import the user the identifying information and HTML (the Hyper Text Markup Language) file (step S63) of password via the end device 220 of 11 pairs of request of access units of wan interface portion as the end device that sends unit.
When address mapping portion 34 receives user's identifying information and password (step S64) from the end device 220 of request of access unit, the user's that receives identifying information and password is sent to authentication processing portion 35, and request user's authentication (step S65).
When authentication processing portion 35 received user's identifying information and password, retrieval had the user of the identifying information consistent with the customer identification information that receives in the user's who accumulates from database part 33 the information.If find consistent user, then this user's that will store password compares with the password that receives, if consistent, then address transformation component portion 34 is sent authentication normal (step S66).Under the situation of not finding consistent user or under the inconsistent situation of password, it is unusual that address transformation component 34 is sent authentication.At this moment, require the user to import user's identifying information or password once more, under the also inconsistent situation of number of times that has repeated regulation, unusually also can as authentication.
When the address translation unit 34 receives an authentication-normal result from the authentication processing unit 35, it sends to the requesting terminal device 220, via the WAN interface unit 11, an HTML file for entering the private address, protocol, port number and so on of the server inside the LAN that is to be accessed (step S67).
When the private address, protocol, port number and so on are received from the requesting terminal device 220 (step S68), the address translation unit 34 adds an address translation rule to the address translation table in the database unit 33 (step S69), taking the source IP address of the recorded HTTP access request packet as the source IP address, the received protocol and port number as the protocol and destination port number, and the received private address as the private IP address.
For example, if the source IP address of the HTTP access request packet is '111.222.234.123', and a packet whose destination IP address is '123.123.123.123' and whose destination port number is 'TCP22' is to have its destination IP address rewritten to the private IP address '192.168.100.4', then, as shown in Figure 25, an address translation rule for the terminal that accessed via HTTP is added at the top of the table of Figure 24.
As a result, a packet whose source IP address is '111.222.234.123' and whose destination port number is 'TCP22' has its destination IP address rewritten to '192.168.100.4' and is sent to the LAN, whereas a packet from any other source IP address with destination port number 'TCP22' has its destination IP address rewritten to '198.168.100.5' and is sent to the LAN.
The address translation unit 34 then sends the requesting terminal device 220 an HTML file showing that authentication succeeded, that the address translation rule has been set, and the private address, protocol and port number of the translation destination inside the LAN (step S70). In addition, a program is embedded in the HTML file that makes the terminal access the relay device 10a at predetermined intervals.
The requesting terminal device 220 displays the received HTML file, so the user can confirm the address translation that has been set. The program embedded in the HTML file then makes the requesting terminal device 220 perform HTTP communication with the address translation device 30 automatically at regular intervals.
After the address translation rule has been set, when the address translation unit 34 receives a packet from the WAN interface unit 11 (steps S72, S74), it looks up the address translation table using the packet's source IP address and destination IP address (step S75), translates the destination IP address to an IP address inside the LAN (private IP address) (step S76), and sends the packet to the LAN via the LAN interface unit 12.
Likewise, when the address translation unit 34 receives a packet from the LAN interface unit 12 (steps S72, S74), it looks up the address translation table using the packet's private IP address (step S77). The address translation unit 34 then translates the packet's source IP address from the private IP address to the global IP address on the WAN (step S78) and sends the packet to the WAN via the WAN interface unit 11.
In this way communication with the server (terminal device) in the LAN is carried out. When the user of the terminal device 220 ends the communication, the user selects the end-of-communication button on the screen of the HTML file received from the address translation device 30, which sends an end-of-communication packet, or simply closes that screen.
When the address translation unit 34 of the address translation device 30 detects that the HTML screen of the requesting terminal device 220 has been closed (step S71), or receives the end-of-communication packet (step S73), it deletes the added rule from the rewritten address translation table (step S79), as shown in Figure 25, so that the table returns to the original state of Figure 24.
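The per-sender address translation table described above, as an added Python illustration that is not code from the patent: rows are searched from the top, a rule for the authenticated sender is inserted above the default row at step S69 and removed again at step S79. The table contents are constructed to follow the example of Figures 24 and 25; the private address of the default row is an assumption.

```python
from dataclasses import dataclass

# Constructed illustration of the address translation table of embodiment 4;
# not code from the patent. One row maps (source IP, protocol/port, global
# destination) to a private LAN address. A source of "any" matches every sender.
@dataclass(frozen=True)
class MappingRule:
    src_ip: str       # source IP of the WAN-side terminal, or "any"
    proto_port: str   # protocol and destination port, e.g. "TCP22"
    global_ip: str    # destination IP as seen on the WAN
    private_ip: str   # destination IP inside the LAN


class AddressMappingTable:
    """Rows are searched from the top; the first matching row is applied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def add_rule_on_top(self, rule):
        # step S69: a rule for the authenticated sender goes above the defaults
        self.rules.insert(0, rule)

    def remove_rule(self, rule):
        # step S79: when the session ends the added rule is deleted again
        self.rules.remove(rule)

    def to_lan(self, src_ip, proto_port, dst_ip):
        # steps S75/S76: WAN -> LAN, rewrite the destination to the private
        # address. Returns None when no rule matches (packet not forwarded).
        for r in self.rules:
            if (r.src_ip in ("any", src_ip) and r.proto_port == proto_port
                    and r.global_ip == dst_ip):
                return r.private_ip
        return None

    def to_wan(self, private_src_ip, proto_port, dst_ip):
        # steps S77/S78: LAN -> WAN, rewrite the private source back to the
        # global address, using the rule that brought the flow in.
        for r in self.rules:
            if (r.private_ip == private_src_ip and r.proto_port == proto_port
                    and r.src_ip in ("any", dst_ip)):
                return r.global_ip
        return None


def demo_session():
    """Walk one HTTP-requested session through S69, S75-S78 and S79."""
    # Constructed initial table: every sender on TCP22 reaches 192.168.100.5.
    table = AddressMappingTable([
        MappingRule("any", "TCP22", "123.123.123.123", "192.168.100.5"),
    ])
    requester = "111.222.234.123"
    before = table.to_lan(requester, "TCP22", "123.123.123.123")

    # S69: the requester authenticated over HTTP and asked for 192.168.100.4
    added = MappingRule(requester, "TCP22", "123.123.123.123", "192.168.100.4")
    table.add_rule_on_top(added)
    during = table.to_lan(requester, "TCP22", "123.123.123.123")
    other = table.to_lan("111.222.234.200", "TCP22", "123.123.123.123")
    reply = table.to_wan("192.168.100.4", "TCP22", requester)

    # S79: session ended, the added rule is removed and the table is restored
    table.remove_rule(added)
    after = table.to_lan(requester, "TCP22", "123.123.123.123")
    return before, during, other, reply, after
```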
Thus, in this embodiment, address translation rules can be set under conditions that include the source IP address, so that even packets addressed to the same port number can be assigned to a different server for each source IP address, and even for a protocol that has no port number, communication can be carried out with a different terminal for each source IP address.
Furthermore, because the changed address translation rule setting is restored either at the user's request or when the communication is cut off, erroneous access caused by the changed setting can be prevented.
In this embodiment HTTP is used for access to the address translation device from the terminal, but HTTPS, telnet, SIP (Session Initiation Protocol) or the like may also be used. Also, although user authentication is performed in this embodiment, authentication may be omitted for requests from predetermined terminals.
[Embodiment 5]
This embodiment shows a case in which only the access control technique of the present invention is used. Figure 28 and Figure 29 show a functional configuration example of a firewall device and an example of the steps of a firewall method.
The firewall device 40 of this embodiment comprises: a WAN interface unit 11, connected to a wide-area communication network (WAN, Wide Area Network) 200 such as the Internet, which sends and receives packets to and from the WAN 200; a LAN interface unit 12, which sends and receives packets to and from the LAN 300; an access control unit 46, which analyses the packets received by the WAN interface unit 11 and the LAN interface unit 12 and performs access control; an authentication processing unit 47, which authenticates the user at the request of the access control unit 46; and a database unit 48, which stores the data used for access control and for authentication.
The access control list (pass condition table) 48a of the database unit 48 stores a table such as that shown in Figure 30, and the access control unit 46 decides on the basis of this table whether a packet received by the WAN interface unit 11 is forwarded to the LAN 300 side via the LAN interface unit 12.
In Figure 30, the 'source IP address' column indicates the source IP address of a packet received by the WAN interface unit 11; the 'source port number' column, the source port number of that packet; the 'destination IP address' column, its destination IP address; the 'protocol, destination port number' column, its destination port number (here written as the protocol name corresponding to the port number); and the 'action' column, the action applied to the packet when its source information and destination information match, respectively, the source IP address, source port number, destination IP address and protocol/destination port number of a row of the condition table (access control list) 48a.
The correspondence between the protocol names used in the 'protocol, destination port number' column and port numbers is set in advance. A numerical value, that is, the port number itself, may also be set in that column.
For example, in the first row of the pass conditions of Figure 30, the source IP address and source port number are 'any', so regardless of those values, a packet whose destination IP address is '111.111.111.2' and whose destination port number is 'http (HyperText Transport Protocol, for example TCP (Transmission Control Protocol) 80)' is forwarded to the LAN via the LAN interface unit 12 (pass: accept).
In the second row of Figure 30, a packet whose source IP address is '123.123.123.1', whose destination IP address begins with '111.111.111' and whose destination port number is 'https (Hypertext Transfer Protocol Security, for example TCP 443)' would otherwise be sent to the LAN 300, but because the 'action' column is 'drop', all such packets are discarded (discard: drop).
The search unit 46a of the access control unit 46 checks, starting from the top row of the pass condition table 48a, whether each row matches the source and destination information of the received packet; as soon as a row matches, the transmission control unit 46b carries out the specified action and processing of that packet ends. In this example, therefore, a condition in a higher row of the pass condition table 48a of Figure 30 takes priority over the rows below it.
The operation of the access control unit 46 is now described in detail with reference again to Figure 29. When a pass condition setting request packet is received over HTTPS at the address of the firewall device 40 (step S81), the session establishment/cut-off unit 46c establishes a secure session (SSL (Secure Socket Layer) session) with the source user terminal 220 connected to the WAN 200 (step S82). If the session is established normally, the IP address of the source user terminal 220 obtained at session establishment is stored, for example, in the database unit 48 (step S83). The request unit 46d1 of the notification information generating unit 46d then sends an authentication information request to the user terminal 220 (step S84); for example, an HTML file for entering the user's identification information and password is encrypted and sent to the requesting user terminal 220 via the WAN interface unit 11. In this example, besides the IP address of the requesting user terminal 220, the other conditions contained in the pass condition setting request packet are also stored in the pass condition table (access control list) 48a of the database unit.
When the encrypted user identification information and password are received from the requesting user terminal 220 (step S85), the decryption unit 46e decrypts this encrypted authentication information (step S86), and the decrypted user identification information and password are sent to the authentication processing unit 47 with a request to authenticate the user (step S87).
On receiving the user's identification information and password, the authentication processing unit 47 searches the user information stored in the authentication information unit 48b of the database unit 48 for a user whose identification information matches the received user identification information. If a matching user is found, the password stored for that user in the authentication information unit 48b is compared with the received password, and if they match, an authentication-normal result is sent to the access control unit 46. If there is no matching user, or the passwords do not match, the authentication processing unit 47 sends an authentication-abnormal result to the access control unit 46.
When the access control unit 46 receives the authentication-normal (pass) result from the authentication processing unit 47 (step S88), it adds to the pass condition table (access control list) 48a a row permitting the packets to pass, based on the pass condition setting request information of the user whose authentication succeeded (step S89).
For example, when the requesting user terminal 220 with IP address '123.123.111.1', whose authentication succeeded, is permitted (pass) to access the ftp (File Transfer Protocol) of the server with IP address '111.111.111.3' (for example, the network server 310 connected to the LAN 300), then, as shown in Figure 31, an access control rule (pass condition) carrying the address information of the requesting user terminal 220 and the network server 310 with an 'action' of 'pass' is added at the top of the pass condition table 48a of Figure 30. As a general pass condition the source address could also be 'any', but in this example the IP address of the requesting user terminal 220 is set as well.
The access control unit 46 then uses the permission unit 46d2 and the status unit 46d3 of its notification information generating unit 46d to generate an HTML file indicating that authentication succeeded and access is permitted, together with the accessible information (the permitted service name (for example, a network camera) or IP address and port number), the communication status (user terminal 220 with IP address '123.123.111.1' is communicating with server 310 with IP address '111.111.111.3' on port number 'ftp') and so on, encrypts it with the encryption unit 46f and sends it to the requesting user terminal 220 (step S90).
The user terminal 220 decrypts and displays the HTML file sent from the firewall device 40, so the accessible information and access status can be shown.
While the SSL session between the user terminal 220 and the network server 310 established in this way is in progress, the access control unit 46 monitors the access from the user terminal 220 with the monitoring unit 46g (step S91); when the anomaly detection unit 46g1 detects an anomaly in the access from the user terminal 220 (step S92), the anomaly unit 46d4 of the notification information generating unit 46d generates a notification of the anomaly and sends it to the user terminal 220 over this SSL session (step S93). Specific examples follow.
(1) The traffic per unit time (for example, in MB/s) of packets from a user terminal is roughly constant for each service, such as a video service or a voice service. The access control unit 46 therefore monitors the traffic per unit time of packets from a terminal that has established an SSL session, and when the traffic exceeds the threshold preset for a service, it encrypts and sends to that user terminal 220 an HTML file showing the service name, the traffic that occurred and so on. The user terminal 220 decrypts and displays the HTML file, showing the information about the access considered anomalous, so the user of the user terminal 220 can learn of the unauthorized access.
(2) When an access request arrives from the user terminal 220 for a service not permitted to that user terminal 220, such requests are counted for each service, and when the count exceeds a preset value, for example 1, an HTML file showing the service name, the count value and so on is encrypted and sent to that user terminal 220. The user terminal 220 that receives this file decrypts and displays it, so the user can know that there has been unauthorized access to a server or terminal with which the user terminal 220 has not established a session.
(3) The number of HTTPS pass condition setting request packets from the same user terminal 220 to the firewall device 40 whose authentication failed (anomaly count) is counted, and when the count exceeds a preset value, an HTML file indicating that authentication failures are abnormally frequent, together with the count value, is encrypted and sent to that user terminal 220. The user terminal 220 that receives such an anomaly notification decrypts and displays the HTML file. Through this display, the legitimate user can become aware of unauthorized access when someone is impersonating the legitimate user.
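The three anomaly checks (1) to (3) of the monitoring unit, as an added Python illustration that is not code from the patent. The thresholds are assumptions (the patent only gives "for example 1" for the denied-request count), the events are constructed, and the notification that the device would render as an HTML file and send over the SSL session is represented by a tuple appended to a list.

```python
from collections import defaultdict

# Constructed illustration of the three anomaly checks of the monitoring unit
# 46g / anomaly detection unit 46g1; not code from the patent. The thresholds
# are assumptions: the patent says they are preset per service but gives no
# values except "for example 1" for the denied-request count.
TRAFFIC_LIMIT_BYTES_PER_SEC = {"video": 2_000_000, "voice": 100_000}
DENIED_REQUEST_LIMIT = 1
AUTH_FAILURE_LIMIT = 3


class SessionMonitor:
    """Tracks one user terminal 220 that has established an SSL session."""

    def __init__(self, terminal_ip, permitted_services):
        self.terminal_ip = terminal_ip
        self.permitted = set(permitted_services)
        self.bytes_per_sec = defaultdict(lambda: defaultdict(int))  # service -> sec -> bytes
        self.denied = defaultdict(int)                               # service -> count
        self.auth_failures = 0
        self.notices = []  # stands in for the html notification of step S93

    def packet(self, ts, service, nbytes):
        # check (1): traffic per unit time is roughly constant per service,
        # so a second in which it exceeds the preset limit is reported
        sec = int(ts)
        self.bytes_per_sec[service][sec] += nbytes
        limit = TRAFFIC_LIMIT_BYTES_PER_SEC.get(service)
        if limit is not None and self.bytes_per_sec[service][sec] > limit:
            self.notices.append(("traffic", service, self.bytes_per_sec[service][sec]))

    def access_request(self, service):
        # check (2): requests for services this terminal was not permitted
        if service in self.permitted:
            return
        self.denied[service] += 1
        if self.denied[service] > DENIED_REQUEST_LIMIT:
            self.notices.append(("unpermitted_request", service, self.denied[service]))

    def failed_authentication(self):
        # check (3): repeated failed pass condition setting requests from this IP
        self.auth_failures += 1
        if self.auth_failures > AUTH_FAILURE_LIMIT:
            self.notices.append(("auth_failures", self.terminal_ip, self.auth_failures))


def demo_monitor():
    """Feed constructed events through all three checks and return the notices."""
    m = SessionMonitor("123.123.111.1", permitted_services={"video"})
    # constructed video packets: steady ~1.5 MB/s, then a burst to ~3.1 MB/s
    for ts, nbytes in [(0.1, 700_000), (0.6, 800_000), (1.2, 750_000), (1.7, 750_000),
                       (2.1, 1_500_000), (2.5, 1_600_000)]:
        m.packet(ts, "video", nbytes)
    # constructed requests: one for the permitted service, two for one not granted
    for service in ["video", "voice", "voice"]:
        m.access_request(service)
    # constructed: four https setting requests from this IP failed authentication
    for _ in range(4):
        m.failed_authentication()
    return m.notices
```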
When the user who has been permitted access and has communicated with the server 310 in the LAN 300 in this way ends the communication, the user selects the end-of-communication button in the HTML file screen received from the firewall device 40 and displayed on the user terminal 220, or cuts off the SSL session.
When the access control unit 46 of the firewall device 40 receives the end-of-communication packet, or detects that the SSL session has been cut off (step S94), it returns the rewritten pass condition table 48a to the original state shown in Figure 30 (step S95), as shown in Figure 31. When the end-of-communication packet is received, the pass condition table 48a is returned to its original state and the SSL session is cut off at the same time.
If at step S94 the communication has not ended and the session has not been cut off, processing returns to step S81. If at step S81 the packet is not a pass condition setting request, processing skips to the access monitoring of step S91. If authentication fails at step S88, the session establishment/cut-off unit 46c cuts off the SSL session at step S96 and processing skips to step S81.
Steps S91, S92 and S93 constitute the communication status monitoring step. In Figure 28, the control unit 49 makes each unit operate in turn and performs reading, writing, deletion and so on for the database unit 48.
As described above, in this embodiment user authentication is performed within an HTTPS session, and if authentication succeeds, the access permission (pass condition) corresponding to that user is added and set for the IP address that requested the HTTPS session, so the security policy (pass conditions) of the firewall device 40 can be changed more safely from outside the firewall device 40. Furthermore, if the session is cut off, the added pass condition is deleted immediately, so unauthorized access can be prevented.
In addition, in this embodiment, the IP address information of the terminal that requested the pass condition setting, obtained during authentication, is included in the added pass condition, so unauthorized access is prevented from this point of view as well.
Furthermore, since the service name for which access is permitted in this HTTPS session, or the communication status with the permitted IP address, is displayed to the user, the user can confirm it and thereby prevent unauthorized access.
In addition, at the user's request or when the HTTPS session is cut off, that is, when the communication using the HTTPS session ends, the changed access permission (pass condition) setting is immediately restored, so unauthorized access exploiting the changed pass condition setting can be prevented.
[Embodiment 6]
In embodiments 1 to 5 the access control rule (pass condition) is decided per user terminal, but the present invention can also be applied to a request to add an access control rule (pass condition setting request) on a per-network basis.
This embodiment shows an example in which the method of adding access control rules (pass conditions) per network is applied to the configuration shown in embodiment 5. For example, in Figure 28, the home network 210 in a house, drawn with a broken line, is connected to the WAN 200, and a plurality of user terminals 220 are connected to this home network 210. In this case, at the time of authentication, a per-network pass condition setting request is sent together with the user's identification information and password, and per-network access is permitted and set based on the user's access information. In other words, the access control unit 46 sets the access permission (a pass condition whose 'action' is 'pass') for the network address of the IP address obtained when the SSL session was established.
For example, when the user terminals connected to the network 210 (IP addresses 123.123.111.0/24, that is, the upper 24 bits are 123.123.111 and the lower bits are one of 0, 1, 2, ..., 254) are permitted access to the ftp (File Transfer Protocol) of the server 310 with IP address 111.111.111.3, a pass condition with the network address of the network 210 (IP addresses whose upper 24 bits are 123.123.111) as the source IP address is added at the top of the pass condition table 48a shown in Figure 30. After the addition the table is as shown in Figure 32.
Thus, while the SSL session is established, access from any of the user terminals 220 in the network 210 is permitted, and even a user terminal in the network 210 that has no browser can access the permitted destination. The communication status is sent to the user terminal that has the browser and made the SSL session establishment request, that is, the pass condition setting request.
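The pass condition table of Figure 30 with the per-terminal rule of embodiment 5 and the per-network rule of embodiment 6, as an added Python illustration that is not code from the patent. It assumes the preset protocol-name-to-port mapping (http 80, https 443, ftp 21), writes a destination prefix such as 111.111.111 as 111.111.111.0/24, and drops any packet that matches no row; rows are searched from the top as the search unit 46a does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed illustration of the pass condition table (access control list)
# 48a of embodiments 5 and 6; not code from the patent. Column values follow
# Figure 30: "any" is a wildcard, a source may be a host IP or a CIDR network,
# and a destination prefix such as 111.111.111 is written as 111.111.111.0/24.
SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21}  # preset name -> port (assumed)


@dataclass(frozen=True)
class PassCondition:
    src_ip: str    # host IP, CIDR network, or "any"
    src_port: str  # port number or "any"
    dst_ip: str    # host IP, CIDR network, or "any"
    dst_port: str  # protocol name from SERVICE_PORTS or a port number
    action: str    # "accept" or "drop"


def _ip_matches(cond, value):
    if cond == "any":
        return True
    if "/" in cond:
        return ip_address(value) in ip_network(cond, strict=False)
    return ip_address(cond) == ip_address(value)


def _port_matches(cond, value):
    if cond == "any":
        return True
    return int(SERVICE_PORTS.get(cond, cond)) == int(value)


class PassConditionTable:
    """Search unit 46a: rows are checked from the top; the first match decides."""

    def __init__(self, rows):
        self.rows = list(rows)

    def decide(self, src_ip, src_port, dst_ip, dst_port):
        for row in self.rows:
            if (_ip_matches(row.src_ip, src_ip) and _port_matches(row.src_port, src_port)
                    and _ip_matches(row.dst_ip, dst_ip) and _port_matches(row.dst_port, dst_port)):
                return row.action
        return "drop"  # assumption: a packet matching no row is not forwarded

    def add_on_top(self, row):  # step S89: the added rule takes priority
        self.rows.insert(0, row)

    def remove(self, row):      # step S95: the table returns to its original state
        self.rows.remove(row)


def figure30_table():
    return PassConditionTable([
        PassCondition("any", "any", "111.111.111.2", "http", "accept"),
        PassCondition("123.123.123.1", "any", "111.111.111.0/24", "https", "drop"),
    ])


def demo_per_terminal_and_per_network():
    """Embodiment 5 (host rule) followed by embodiment 6 (network rule)."""
    table = figure30_table()
    ftp_to_310 = ("111.111.111.3", 21)
    out = {}
    out["baseline_http"] = table.decide("9.9.9.9", 40000, "111.111.111.2", 80)
    out["baseline_https"] = table.decide("123.123.123.1", 40000, "111.111.111.7", 443)
    out["before"] = table.decide("123.123.111.1", 40000, *ftp_to_310)

    # S89: terminal 123.123.111.1 authenticated and is allowed ftp to server 310
    host_rule = PassCondition("123.123.111.1", "any", "111.111.111.3", "ftp", "accept")
    table.add_on_top(host_rule)
    out["host_rule_self"] = table.decide("123.123.111.1", 40000, *ftp_to_310)
    out["host_rule_neighbour"] = table.decide("123.123.111.77", 40000, *ftp_to_310)

    # Embodiment 6: the same permission granted to the network 123.123.111.0/24
    net_rule = PassCondition("123.123.111.0/24", "any", "111.111.111.3", "ftp", "accept")
    table.add_on_top(net_rule)
    out["net_rule_neighbour"] = table.decide("123.123.111.77", 40000, *ftp_to_310)
    out["net_rule_outsider"] = table.decide("123.123.112.5", 40000, *ftp_to_310)

    # S94/S95: the session ends and both added rows are deleted
    table.remove(net_rule)
    table.remove(host_rule)
    out["after"] = table.decide("123.123.111.1", 40000, *ftp_to_310)
    return out
```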
[Embodiment 7]
In embodiment 6, access control rules (pass conditions) were added per network to the firewall device 40 of embodiment 5; this embodiment shows the case in which access control rules (pass conditions) are added per network to the relay device 10 of embodiment 1.
For example, the home network 210 in a house, drawn with a broken line in Fig. 2, is connected to the WAN 200, and a plurality of user terminals 220 are connected to this home network 210. In this case, at the time of authentication, a per-network pass condition setting request is sent together with the user's identification information and password, and per-network access is permitted and set based on the user's access information. In other words, the access control unit 13 sets the access permission (a pass condition whose 'action' is 'pass') for the network address of the IP address obtained when the SSL session was established.
For example, when the user terminals connected to the network 210 (IP addresses 123.123.111.0/24, that is, the upper 24 bits are 123.123.111 and the lower bits are one of 0, 1, 2, ..., 254) are permitted access to the ftp (File Transfer Protocol) of the server 310 with IP address 111.111.111.3, a pass condition with the network address of the network 210 (IP addresses whose upper 24 bits are 123.123.111) as the source IP address is added at the top of the access control list shown in Figure 3. After the addition the list is as shown in Figure 33.
After such a per-network access control rule has been added, there is also a method of adding an address translation rule for each terminal 220 of the network 210.
Thus, while the SSL session is established, access from any of the user terminals 220 in the network 210 is permitted, and even a user terminal in the network 210 that has no browser can access the permitted destination.
[Embodiment 8]
The following processing may be added to embodiment 5 or 6. After a pass condition has been added for the IP address or network address of the user terminal 220 and the SSL session with the user terminal 220 has been established, it is also conceivable that a packet arrives from that user terminal 220 requesting a connection to a different destination. Specifically, the user of a user terminal that has established a session with the firewall device 40 may, for example, wish to receive a service other than the one currently being received. In such a case the user terminal may be queried over the established SSL session.
Specifically, the user terminal 220 sends a new pass condition setting request to the access control unit 46 using the established SSL session. As indicated by the broken line, the access control unit 46 performs an additional setting process S97 following step S81 of Figure 29. Figure 34 shows an example of this additional setting step (step S97). The access control unit 46 checks whether the requesting IP address of the received pass condition setting request identifies an additional setting request from a user terminal 220 with an established SSL session (step S97a). If it is an additional setting request from a user terminal 220 with an established SSL session, the notification information generating unit 46d generates an HTML file for that user terminal 220, encrypts it and sends it to the user terminal 220 over this SSL session (step S97b); the HTML file shows that an additional setting request has been received, the destination IP address and port number of the packet carrying the additional setting request, the accessible information, the access status and so on, and a button for choosing whether to permit this additional setting request.
The user terminal 220 that receives this file decrypts and displays the HTML file, which notifies the user of the user terminal 220 that an additional setting request has been received. The user can thus confirm whether this additional setting request is one the user knows about.
When a reply to the request is received (step S97c), the access control unit 46 checks the reply. If the reply from the user terminal 220 is 'permit this additional setting (approve the additional pass condition setting)' (step S97d), the access control unit 46 adds the pass condition of this additional setting request to the pass condition table 48a (step S97e). Packets satisfying the added pass condition are then sent over the established SSL session to the destination server in the LAN. If, at step S97d, the reply from the user terminal is 'refuse the connection', the access control unit 46 discards the packet of the new connection request (additional setting request) (step S97f).
In the above method, the established SSL session is used to add a new pass condition to the pass condition table 48a in order to connect to a server providing a different service. As another method, the following processing is also possible. The access control unit 46 performs steps S97a, S97b, S97c and S97d shown in Figure 34, and if the reply at step S97d is permission, the service request packet may simply be forwarded to the corresponding server (bracketed part of step S97e). In other words, using the already established SSL session, an additional setting request from the requesting user terminal 220, or an access request to another destination, can be forwarded to the destination server over the established SSL session without a separate authentication process.
Because the above method queries the user of the user terminal 220 over the SSL session, unauthorized access can be prevented.
In embodiments 5 to 7 HTTPS is used, but a secure session such as SSH (Secure Shell) may also be used for secure access from the user terminal. As shown by the broken line in Figure 28, the server 310 may also be connected directly to the firewall device 40. Also, when a pass condition setting request is received, a secure session is first established with the requesting terminal and authentication is performed afterwards, but authentication may be performed first. That is, when a pass condition setting request is received in step S81, processing may move immediately to step S84, as shown by the broken line in Figure 29, to perform authentication; if it passes, the pass condition is set in the database unit 48 at step S89, and a secure session is then established with the requesting terminal. Furthermore, although the authentication processing unit 47 is provided inside the firewall device 40, it may be provided externally, for example as an authentication server connected to the LAN 300; in that case the authentication information unit 48b of the database unit 48 is omitted. Also, in the authentication processing, user identification information and a password are requested and the pass/fail decision is made according to whether they are present in the authentication information unit 48b, but a more secure authentication method can be used by employing an authentication server.
The relay devices, address translation devices and firewall devices (access control devices) shown in embodiments 1 to 8 can also be implemented by a computer. In that case, a program that makes the computer execute each processing flow is installed on the computer from a recording medium such as a CD-ROM, magnetic disk or semiconductor memory, or downloaded via a communication line, and the computer executes the program.

Claims (28)

1. A relay device for enabling a terminal or server of a private network, using an address of a global network, to communicate via said global network, comprising:
a WAN interface unit that communicates with said global network;
a LAN interface unit that communicates with said private network;
an access control unit having means for controlling access from said global network to said private network according to an access control rule decided for each source device or source network;
an address translation unit having: means for performing address translation, according to an address translation rule decided for each source device, so that information from a terminal on said global network side is sent to a terminal on said private network side; and
means for performing address translation, according to an address translation rule decided for each source device, so that information from a terminal on said private network side is sent to a terminal on said global network side; and
a database unit that records said access control rules and said address translation rules.
2. The relay device according to claim 1, further comprising:
an authentication processing unit that performs authentication processing when a request for access permission is received from a terminal on said global network side,
wherein:
said database unit further records the user information used by said authentication processing unit for authentication;
said access control unit further has: means for adding to said database unit an access control rule decided for each source device or source network when said authentication has ended normally; and
means for deleting the added access control rule from said database unit when a predetermined end-of-communication criterion is satisfied; and
said address translation unit further has: means for adding to said database unit an address translation rule decided for each source device when said authentication has ended normally; and
means for deleting the added address translation rule from said database unit when a predetermined end-of-communication criterion is satisfied.
3. The relay device according to claim 1, wherein:
said access control unit further has: means for adding to said database unit an access control rule decided for each source device or source network when there is a request from an authentication server that authenticates terminals on the global network side; and
means for deleting the added access control rule from said database unit when a predetermined end-of-communication criterion is satisfied; and
said address translation unit further has: means for adding to said database unit an address translation rule decided for each source device when there is a request from said authentication server; and
means for deleting the added address translation rule from said database unit when a predetermined end-of-communication criterion is satisfied.
4. The relay device according to any one of claims 1 to 3, wherein:
said access control unit further has: means for adding to said database unit an access control rule decided for each source device when there is a request to start communication from a terminal on the private network side; and
means for deleting the added access control rule from said database unit when a predetermined end-of-communication criterion is satisfied; and
said address translation unit further has: means for adding to said database unit an address translation rule decided for each source device when there is a request to start communication from a terminal on the private network side; and
means for deleting the added address translation rule from said database unit when a predetermined end-of-communication criterion is satisfied.
5. The relay device according to claim 1, wherein
said access control rule and said address translation rule include a condition using the IP address of the source device or the IP address of the source network.
6. The relay device according to claim 5, further comprising:
an authentication processing unit that performs authentication processing when a request is received from said global network side;
wherein:
said database unit further records the user information used by said authentication processing unit for authentication;
said access control unit further has: means for adding to said database unit an access control rule decided for each source device or source network when said authentication has ended normally; and
means for deleting the added access control rule from said database unit when a predetermined end-of-communication criterion is satisfied; and
said address translation unit further has: means for adding to said database unit an address translation rule decided for each source device when said authentication has ended normally; and
means for deleting the added address translation rule from said database unit when a predetermined end-of-communication criterion is satisfied.
7. An authentication server that grants access to the relay device according to claim 3, comprising:
an interface unit that communicates with a terminal on the global network side and with the relay device;
an authentication processing unit that performs authentication processing when it receives, from a terminal on the global network, a request for access permission to the relay device;
a control unit comprising: means for requesting the relay device, when the authentication processing unit has judged the request qualified, to append an access control rule and an address translation rule for packets from the terminal on the global network; and
means for requesting the relay device to delete the appended access control rule and address translation rule when a predetermined end-of-communication criterion is satisfied; and
a database unit that records the user information the authentication processing unit uses for authentication, associated with the access control rule and address translation rule whose appending will be requested.
8. An address translation device for enabling a terminal or server on a private network to communicate over a global network using an address of the global network, comprising:
a WAN interface unit that communicates with the global network;
a LAN interface unit that communicates with the private network;
an address translation unit comprising: means for translating addresses, according to an address translation rule determined for each sending device, in order to forward information from a terminal on the global network side to a terminal on the private network side; and
means for translating addresses, according to an address translation rule determined for each sending device, in order to forward information from a terminal on the private network side to a terminal on the global network side; and
a database unit that records the address translation rules.
9. The address translation device according to claim 8, wherein:
the address translation unit further comprises: means for appending to the database unit, when there is a request to start communication from a terminal on the global network side or from a terminal on the private network side, an address translation rule determined for each sending device; and
means for deleting the appended address translation rule from the database unit when a predetermined end-of-communication criterion is satisfied.
10. The address translation device according to claim 9, comprising:
an authentication processing unit that performs authentication processing when there is a request to start communication from a terminal on the global network side;
wherein:
the database unit further records the user information that the authentication processing unit uses for authentication, and
for a request to start communication from a terminal on the global network side, the address translation unit appends the address translation rule to the database unit only when the authentication completes normally.
11. The address translation device according to claim 9, wherein,
for a request to start communication from a terminal on the global network side, the address translation unit appends the address translation rule to the database unit only when there is a request from an authentication processing server that performs the authentication processing.
12. The address translation device according to claim 8, wherein
the address translation rule includes a condition on the IP address of the sending device or on the IP address of the sending network.
13. The address translation device according to claim 12, wherein:
the address translation unit further comprises: means for appending to the database unit, when authentication in an authentication processing unit completes normally, an address translation rule determined for each sending device; and
means for deleting the appended address translation rule from the database unit when a predetermined end-of-communication criterion is satisfied.
14. An authentication server that grants access to the address translation device according to claim 9, comprising:
an interface unit that communicates with a terminal on the global network side and with the address translation device;
an authentication processing unit that performs authentication processing when it receives, from a terminal on the global network, a request for access permission to the address translation device;
a control unit comprising: means for requesting the address translation device, when the authentication processing unit has judged the request qualified, to append an address translation rule for packets from the terminal on the global network; and
means for requesting the address translation device to delete the appended address translation rule when a predetermined end-of-communication criterion is satisfied; and
a database unit that records the user information the authentication processing unit uses for authentication.
15. A firewall device that passes a packet from the global network outside the firewall device to the private network inside the firewall device when the packet satisfies a pass condition set in a database unit, comprising:
a WAN interface unit that communicates with the global network;
a LAN interface unit that communicates with the private network;
an access control unit comprising means for controlling access from the global network to the private network according to an access control rule determined for each sending device or each sending network;
an authentication processing unit that performs authentication processing when it receives a request for access permission from the global network; and
a database unit that records the access control rules and the user information that the authentication processing unit uses for authentication.
16. The firewall device according to claim 15, wherein
the access control unit further comprises:
means for appending to the database unit, when no access control rule corresponding to a request for access permission from a device on the global network is recorded in the database unit and the authentication in the authentication processing unit completes normally, an access control rule determined for each sending device or each sending network; and
means for deleting the appended access control rule from the database unit when a predetermined end-of-communication criterion is satisfied.
17. The firewall device according to claim 16, wherein
the access control unit further comprises:
means for sending the device on the global network, while a secure session is established with that device and a request for new access permission arrives from it over that session, a notification over the secure session asking it to confirm the content of the request; and
means for refusing the new access, irrespective of the access control rules, when a reply refusing it is obtained from the device on the global network.
18. The firewall device according to any one of claims 15 to 17, wherein:
the access control unit further comprises: means for monitoring the state of communication; and
means for notifying the device on the global network of a communication abnormality when a predetermined abnormality criterion is satisfied.
19. The firewall device according to claim 15, wherein
the access control rule includes a condition on the IP address of the sending device or on the IP address of the sending network.
20. The firewall device according to claim 19, wherein
the access control unit further comprises:
means for appending to the database unit, when the authentication in the authentication processing unit completes normally, an access control rule determined for each sending device or each sending network; and
means for deleting the appended access control rule from the database unit when a predetermined end-of-communication criterion is satisfied.
21. An address translation method for enabling a terminal on a private network to communicate over a global network using an address of the global network, characterized in that:
address translation rules determined for each sending device are recorded in advance in a database unit;
when a WAN interface unit receives a packet from the global network side,
an address translation unit translates the destination address according to the address translation rules, and
a LAN interface unit sends the address-translated packet to the private network side; and
when the LAN interface unit receives a packet from the private network side,
the address translation unit translates the source address according to the address translation rules, and
the WAN interface unit sends the address-translated packet to the global network side.
22. An address translation method for enabling a terminal on a private network to communicate over a global network using an address of the global network, characterized in that:
address translation rules determined for each sending device are recorded in advance in a database unit;
when a WAN interface unit receives a packet from the global network side,
an authentication processing unit performs authentication processing and, when the packet is judged qualified,
an address translation unit checks whether an address translation rule consistent with the sender information and the receiver information of the packet is recorded in the database unit;
if a consistent address translation rule exists, the address of the packet is translated according to that rule;
if no consistent address translation rule exists, an address translation rule is appended to the database unit and the address of the packet is translated according to the appended rule; and
a LAN interface unit sends the address-translated packet to the private network side;
when the LAN interface unit receives a packet from the private network side,
the address translation unit checks whether an address translation rule consistent with the sender information and the receiver information of the packet is recorded in the database unit;
if a consistent address translation rule exists, the address of the packet is translated according to that rule;
if no consistent address translation rule exists, an address translation rule is appended to the database unit and the address of the packet is translated according to the appended rule; and
the WAN interface unit sends the address-translated packet to the global network side; and
when a predetermined end-of-communication criterion is satisfied, any address translation rule that the address translation unit appended is deleted from the database unit.
23. The address translation method according to claim 22, characterized in that,
instead of the authentication processing unit performing authentication processing, the packet is judged qualified when there is a request from an authentication server that authenticates the terminal on the global network side.
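The following is an added example, not code from the patent or from NTT, that models the translation method of claims 21 to 23 with the per-sender rules of claims 8 to 14: a rule is keyed on the sending device's address, so two global hosts that both address the same global IP and port are mapped to two different private hosts, which is the capability the abstract says a conventional port-forwarding NAT lacks. The class and method names, the layout of the "user information" (authenticated sender IP to the private terminal it may reach), the external-server grant path standing in for claim 23, and the use of an explicit close as the end-of-communication criterion are all assumptions.

```python
"""Per-sender address translation with dynamic rule lifetime (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class TranslationRule:
    """Keyed on the sending device (sender_ip), so several rules may share one
    global address and port, which plain port forwarding cannot do."""
    sender_ip: str      # device on the global network the rule applies to
    global_ip: str
    global_port: int
    private_ip: str
    private_port: int


class AddressTranslator:
    def __init__(self, global_ip: str, user_db: dict[str, tuple[str, int]]):
        self.global_ip = global_ip
        self.user_db = user_db          # assumed "user information" layout: sender IP -> private target
        self.rules: list[TranslationRule] = []      # the database unit
        self.dynamic: set[TranslationRule] = set()  # rules appended at run time
        self.server_granted: dict[str, tuple[str, int]] = {}  # grants from an authentication server

    def add_static_rule(self, rule: TranslationRule) -> None:
        """A rule recorded in advance (claim 21)."""
        self.rules.append(rule)

    def grant_from_auth_server(self, sender_ip: str, private_ip: str, private_port: int) -> None:
        """Claims 11 and 23: an external authentication server, not the device
        itself, vouches for the sender and asks for a rule (assumed interface)."""
        self.server_granted[sender_ip] = (private_ip, private_port)

    def _authenticated_target(self, sender_ip: str) -> Optional[tuple[str, int]]:
        return self.user_db.get(sender_ip) or self.server_granted.get(sender_ip)

    def _append(self, rule: TranslationRule) -> None:
        self.rules.append(rule)
        self.dynamic.add(rule)

    def from_wan(self, pkt: Packet) -> Optional[Packet]:
        """Claim 22, WAN side: authenticate, find or append the rule keyed on
        the sender, translate the destination. None means the packet is dropped."""
        target = self._authenticated_target(pkt.src_ip)
        if target is None:
            return None
        rule = next((r for r in self.rules if r.sender_ip == pkt.src_ip
                     and r.global_ip == pkt.dst_ip and r.global_port == pkt.dst_port), None)
        if rule is None:
            rule = TranslationRule(pkt.src_ip, pkt.dst_ip, pkt.dst_port, *target)
            self._append(rule)
        return Packet(pkt.src_ip, pkt.src_port, rule.private_ip, rule.private_port)

    def from_lan(self, pkt: Packet) -> Packet:
        """Claim 22, LAN side: translate the source; append a rule when a
        private terminal starts a new conversation."""
        rule = next((r for r in self.rules if r.private_ip == pkt.src_ip
                     and r.private_port == pkt.src_port and r.sender_ip == pkt.dst_ip), None)
        if rule is None:
            used = {r.global_port for r in self.rules if r.sender_ip == pkt.dst_ip}
            port = pkt.src_port
            while port in used:           # the port only has to be unique per remote sender
                port += 1
            rule = TranslationRule(pkt.dst_ip, self.global_ip, port, pkt.src_ip, pkt.src_port)
            self._append(rule)
        return Packet(rule.global_ip, rule.global_port, pkt.dst_ip, pkt.dst_port)

    def end_session(self, sender_ip: str) -> int:
        """End-of-communication criterion (assumed: an explicit close for the
        sender). Only rules appended at run time are removed; static ones stay."""
        gone = {r for r in self.dynamic if r.sender_ip == sender_ip}
        self.rules = [r for r in self.rules if r not in gone]
        self.dynamic -= gone
        self.server_granted.pop(sender_ip, None)
        return len(gone)


def demo() -> dict:
    """Constructed scenario: two global hosts both address 203.0.113.10:22 and
    reach two different private hosts; a third is admitted only via the server."""
    nat = AddressTranslator("203.0.113.10", {
        "198.51.100.1": ("192.168.0.11", 22),
        "198.51.100.2": ("192.168.0.12", 22),
    })
    a = nat.from_wan(Packet("198.51.100.1", 40000, "203.0.113.10", 22))
    b = nat.from_wan(Packet("198.51.100.2", 40001, "203.0.113.10", 22))
    c = nat.from_wan(Packet("198.51.100.3", 40002, "203.0.113.10", 22))   # unknown sender: dropped
    nat.grant_from_auth_server("198.51.100.3", "192.168.0.13", 22)
    d = nat.from_wan(Packet("198.51.100.3", 40002, "203.0.113.10", 22))   # now admitted
    reply = nat.from_lan(Packet("192.168.0.11", 22, "198.51.100.1", 40000))
    out = nat.from_lan(Packet("192.168.0.14", 5000, "198.51.100.9", 80))    # LAN-initiated
    before = len(nat.rules)
    removed = nat.end_session("198.51.100.1")
    return {"a": a, "b": b, "c": c, "d": d, "reply": reply, "out": out,
            "before": before, "removed": removed, "after": len(nat.rules)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the lookup key is the sender's address rather than the global port alone, the device never has to "own" a port for a single private host, and a sender that was never authenticated (or never vouched for by the authentication server) gets no rule and is dropped before any translation happens.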
24. An access control method that passes a packet from the global network outside a firewall to the private network inside the firewall when the packet satisfies an access control rule set in a database unit, characterized in that:
access control rules determined for each sending device or each sending network are recorded in advance in the database unit;
when a WAN interface unit receives a connection request from the global network side,
an access control unit checks whether an access control rule consistent with the connection request is recorded in the database unit; and
if a consistent access control rule exists, communication is permitted.
25. An access control method that passes a packet from the global network outside a firewall to the private network inside the firewall when the packet satisfies an access control rule set in a database unit, characterized in that:
access control rules determined for each sending device or each sending network are recorded in advance in the database unit;
when a WAN interface unit receives a connection request from the global network side,
an authentication processing unit performs authentication processing and, when the request is judged qualified,
an access control unit checks whether an access control rule consistent with the connection request is recorded in the database unit;
if a consistent access control rule exists, communication is permitted;
if no consistent access control rule exists, an access control rule determined for each sending device or each sending network is appended to the database unit and communication is permitted;
when a LAN interface unit receives a packet from the private network side,
the access control unit checks whether an access control rule consistent with the connection request is recorded in the database unit;
if a consistent access control rule exists, communication is permitted;
if no consistent access control rule exists, an access control rule determined for each sending device is appended to the database unit and communication is permitted; and
when a predetermined end-of-communication criterion is satisfied,
any access control rule that the access control unit appended is deleted from the database unit.
26. The access control method according to claim 25, characterized in that,
instead of the authentication processing unit performing authentication processing, the request is judged qualified when there is a request from an authentication server that authenticates the terminal on the global network side.
27. The access control method according to any one of claims 24 to 26, characterized in that,
while a secure session is established with a device on the global network, the communication state of that session is monitored, and
when a predetermined criterion is met, the device on the global network that established the secure session is notified that an abnormality has occurred.
28. The access control method according to any one of claims 24 to 26, characterized in that,
while a secure session is established, when the WAN interface unit receives a new connection request from the device on the global network that established the secure session,
the content of the connection request is notified to the device on the global network that established the secure session, and
when a reply refusing it is received from that device, the connection is refused irrespective of the access control rules recorded in the database unit.
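The following is an added example, not code from the patent or from NTT, that models the access control method of claims 24 to 28 (and the firewall device of claims 15 to 20): rules carry a condition on the sending device or sending network, a rule appended after successful authentication lives only until the session ends, a new connection request arriving inside an established secure session is put to the remote device for confirmation and its refusal wins over any rule (claim 28), and repeated refusals in one session trigger the abnormality notification of claim 27. The names, the user-information layout (a set of sender addresses that authenticate), the confirmation callback standing in for the notification sent over the secure session, and the abnormality criterion (three refusals in one session) are assumptions.

```python
"""Per-sender access control with authenticated rule lifetime, in-session
confirmation of new connections and anomaly notification (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass(frozen=True)
class ConnRequest:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AccessRule:
    """Condition on the sending device (a host address) or the sending network
    (a CIDR prefix), as in claim 19, plus the private destination it may reach."""
    source: str
    dst_ip: str
    dst_port: int

    def matches(self, req: ConnRequest) -> bool:
        return (ip_address(req.src_ip) in ip_network(self.source, strict=False)
                and req.dst_ip == self.dst_ip and req.dst_port == self.dst_port)


class Firewall:
    ABNORMAL_REFUSALS = 3   # assumed abnormality criterion for claim 27

    def __init__(self, users: set[str], confirm: Callable[[str, ConnRequest], bool]):
        self.users = users                 # assumed user-information layout: senders that authenticate
        self.rules: list[AccessRule] = []  # the database unit (static + appended rules)
        self.dynamic: set[AccessRule] = set()
        self.sessions: set[str] = set()    # senders holding an established secure session
        self._confirm = confirm            # stands in for the notification sent over that session
        self.refusals: dict[str, int] = {}
        self.alerts: list[tuple[str, str]] = []   # abnormality notifications issued

    def add_static_rule(self, rule: AccessRule) -> None:
        """A rule recorded in advance (claims 24 and 25)."""
        self.rules.append(rule)

    def _has_rule(self, req: ConnRequest) -> bool:
        return any(r.matches(req) for r in self.rules)

    def connection_request(self, req: ConnRequest) -> bool:
        """Claims 25 and 28 for a connection request arriving on the WAN side."""
        if req.src_ip not in self.users:
            return False                                   # authentication failed
        if req.src_ip in self.sessions:
            # Claim 28: the device holding the secure session is shown the new
            # request; a refusal overrides every rule in the database unit.
            if not self._confirm(req.src_ip, req):
                self._note_refusal(req.src_ip)
                return False
        if not self._has_rule(req):
            rule = AccessRule(req.src_ip, req.dst_ip, req.dst_port)   # per sending device
            self.rules.append(rule)
            self.dynamic.add(rule)
        self.sessions.add(req.src_ip)
        return True

    def _note_refusal(self, src_ip: str) -> None:
        """Claim 27: monitor the session and notify the device on an abnormality."""
        n = self.refusals.get(src_ip, 0) + 1
        self.refusals[src_ip] = n
        if n == self.ABNORMAL_REFUSALS:
            self.alerts.append((src_ip, f"{n} refused connection requests in one session"))

    def end_session(self, src_ip: str) -> int:
        """End-of-communication criterion (assumed: explicit close); appended
        rules for the sender are deleted, static rules are kept."""
        gone = {r for r in self.dynamic if r.source == src_ip}
        self.rules = [r for r in self.rules if r not in gone]
        self.dynamic -= gone
        self.sessions.discard(src_ip)
        self.refusals.pop(src_ip, None)
        return len(gone)


def demo() -> dict:
    """Constructed scenario; the confirmation callback refuses any request to port 3389."""
    fw = Firewall(users={"198.51.100.1", "203.0.113.5"},
                  confirm=lambda src, req: req.dst_port != 3389)
    fw.add_static_rule(AccessRule("198.51.100.0/24", "192.168.0.20", 443))   # sending network
    fw.add_static_rule(AccessRule("203.0.113.0/24", "192.168.0.22", 3389))
    r1 = fw.connection_request(ConnRequest("198.51.100.1", "192.168.0.20", 443))  # static rule
    r2 = fw.connection_request(ConnRequest("203.0.113.5", "192.168.0.21", 22))    # rule appended
    r3 = fw.connection_request(ConnRequest("203.0.113.7", "192.168.0.21", 22))    # not authenticated
    rdp = ConnRequest("203.0.113.5", "192.168.0.22", 3389)
    r4 = [fw.connection_request(rdp) for _ in range(3)]   # a rule allows it, the user refuses
    before = len(fw.rules)
    removed = fw.end_session("203.0.113.5")
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "alerts": list(fw.alerts),
            "before": before, "removed": removed, "after": len(fw.rules)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the confirmation step is that a static rule for the sending network is no longer sufficient on its own once the sender holds a session: a second connection that the legitimate user did not ask for (for example one injected by malware on the same host) is refused at the firewall even though the rule table would have passed it.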
CNB200580000330XA 2004-04-14 2005-04-14 Address conversion method, access control method, and device using these methods Expired - Fee Related CN100470518C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2004118740 2004-04-14
JP118740/2004 2004-04-14
JP209367/2004 2004-07-16

Publications (2)

Publication Number Publication Date
CN1774705A CN1774705A (en) 2006-05-17
CN100470518C true CN100470518C (en) 2009-03-18

Family

ID=36760955

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200580000330XA Expired - Fee Related CN100470518C (en) 2004-04-14 2005-04-14 Address conversion method, access control method, and device using these methods

Country Status (1)

Country Link
CN (1) CN100470518C (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102325016A (en) * 2011-10-18 2012-01-18 深圳市融创天下科技股份有限公司 Data channel establishment requesting and responding method, system and terminal equipment
KR101880346B1 (en) * 2013-05-23 2018-07-19 미쓰비시덴키 가부시키가이샤 Relay device, communication scheme selection method, and storage medium for storing program
CN110086707B (en) * 2019-03-18 2021-08-06 普联技术有限公司 Gateway system based on dual protocol stacks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090318

Termination date: 20180414