JP2006270894A - Gateway unit, terminal device, communications system and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To surely prevent leakage of confidential information from an intranet to its outside. <P>SOLUTION: A communications system comprises a terminal device for transmitting communication messages to a destination outside of the intranet, in accordance with AP, and a gateway unit for relaying communication between the destination and the terminal unit. The terminal device transmits data, indicating whether the AP is a predetermined AP to the gateway unit. The gateway unit determines whether the AP used for transmission of the communication message is the predetermined AP, based on the data transmitted from the terminal device, and destroys the communication message, when the determined result is negative; whereas, when the determination result is positive, the gateway unit transfers the communication message to the destination. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a technique for mediating communication between a terminal device connected to a first communication network such as an intranet and a communication device connected to a second communication network such as an external network, and in particular, confidential information. The present invention relates to a technique for avoiding the outflow from the first communication network to the second communication network.

  In recent years, in each company, a communication network such as a LAN is laid in a facility such as a store or factory of the company, and a communication device called an intranet is constructed by connecting a terminal device such as a personal computer to the communication network. Is generally done. This type of communication system is generally connected to another communication network such as the Internet via a relay device called a gateway device in order to enable communication with a communication system of another company, for example. is there. However, if the intranet is connected to an external communication network, communication is performed between a terminal device connected to the intranet and a communication device such as a terminal device or content server connected to the external communication network. In addition, confidential information in the intranet may leak to the outside. Therefore, various technologies that can prevent the leakage of confidential information have been proposed, and the technology disclosed in Patent Document 1 is an example.

In Patent Document 1, for example, when communication is performed by packet exchange according to TCP / IP or the like, data written in a header of the packet (for example, a transmission source address indicating a transmission source of the packet and a transmission destination thereof) A technique is disclosed in which the gateway apparatus determines whether or not a transmission destination address that represents a predetermined condition satisfies a predetermined condition, and forwards or discards the packet according to the determination result.
JP 2002-063084 A

  However, as in the technique disclosed in Patent Document 1, even if it is determined whether or not the packet can be transferred based on the data written in the header of the packet, the data is spoofed and the packet is transmitted. When a packet is transmitted by an AP created in this way (for example, an AP created to write data as if it is browser software and send a packet), the packet is transferred. Can't be stopped. That is, even if the technique disclosed in Patent Document 1 is used, leakage of confidential information to the outside cannot be reliably prevented.

  The present invention has been made in view of the above-described problems, and can reliably prevent leakage of confidential information from a first communication network such as an intranet to a second communication network outside the first communication network. The purpose is to provide technology.

  In order to solve the above-described problem, the present invention provides a communication between a terminal device connected to a first communication network and a communication device connected to a second communication network different from the first communication network. In the gateway device that relays communication, the terminal device receives a communication message transmitted from the terminal device to the communication device connected to the second communication network via the first communication network. Receiving means for receiving the filtering control information representing the application program used for transmission of the communication message from the terminal device via the first communication network, and the communication message received by the receiving means, A communication message transmitted by an application program permitted to transmit a communication message to a communication device connected to the second communication network The determination result by the transmission source determination unit for the communication source message received by the reception unit and the transmission source determination unit for determining whether the transmission message is received based on the filtering control information received by the reception unit is negative. The communication message is discarded, and if the determination result by the transmission source determination means is affirmative, the communication message is transferred to the destination via the second communication network. There is provided a gateway device characterized by comprising transfer control means. According to such a gateway device, the application program used for transmitting the communication message at the terminal device that is the transmission source of the communication message sends the communication message to the communication device connected to the second communication network. Only when the application program is permitted to be transmitted, the communication message is transferred to the communication device connected to the second communication network as the destination.

  In a more preferred aspect, the message content determining means for analyzing the communication message received by the receiving means and determining whether the destination or the communication protocol used for transmitting the communication message satisfies a predetermined condition. And the transfer control means has a negative determination result by the message content determination means even if the determination result by the transmission source determination means is positive for the communication message received by the reception means. Is characterized by discarding the communication message. In such an aspect, the destination of the communication message or the communication protocol used for transmission of the communication message satisfies a predetermined condition, and the communication message is included in the second communication network. If the communication message is transmitted by an application program that is permitted to transmit a communication message to a communication device connected to the communication device, the communication message is connected to the second communication network that is the destination. Is transferred to the existing communication device.

  In another preferred embodiment, the communication message indicates that communication with the communication device connected to the second communication network starts based on the content of the communication message received by the receiving means. A message type determining unit that determines whether or not the message is a communication message, and the transfer control unit includes a determination result by the transmission source determining unit for a communication message for which the determination result by the message type determining unit is positive. Accordingly, the communication message is transferred or discarded, and conversely, for a communication message in which the determination result by the message type determination unit is negative, regardless of the determination result of the transmission source determination unit, always It is characterized by forwarding to the destination. In such an aspect, the communication message indicating the start of communication with the communication device connected to the second communication network is transferred according to the application program used at the time of transmission. Or, it is discarded and other communication messages are always transferred to the destination.

  In another preferred aspect, the information processing apparatus further comprises signature determination means for determining whether or not an electronic signature based on predetermined electronic signature data is applied to the filtering control information, and the transfer control means is received by the reception means. Even if the determination result by the transmission source determination unit for the communication message is positive, if the determination result by the signature determination unit is negative, the communication message is discarded. In such an aspect, when both the determination result by the signature determination unit and the determination result by the transmission source determination unit are affirmative, the communication message received by the reception unit is transferred to the destination. Is done.

  In another preferable aspect, the filtering control information includes a program identifier for uniquely identifying an application program used for transmission of a communication message in the terminal device, and is connected to the second communication network. Storage means in which the program identifiers of one or more application programs that are permitted to transmit a communication message addressed to a certain communication device are written, and the transmission source determination means is connected to the terminal by the reception means. The program identifier included in the filtering control information received from the device compares the content stored in the storage means, and the communication message transmitted from the terminal device is connected to the second communication network. An account that is allowed to send a communication message to the communication device. It is characterized by determining whether a communication message sent by the publication program. In a further preferred aspect, it is desirable that the program identifier is data determined according to the structure of the execution format file of the application program.

  In order to solve the above-described problem, the present invention provides a control unit that executes an application program and a control unit that is executing the application program when instructed to transmit a communication message to a predetermined destination. A transmission unit that transmits the communication message to the destination, and transmits filtering control information that is data representing the application program to a gateway device that relays communication with the destination of the communication message. A terminal device is provided. According to such a terminal device, a predetermined communication message is transmitted to the communication terminal according to the application program, and filtering control information which is data representing the application program relays communication with the communication device. Sent to the gateway device.

  In a more preferred aspect, the filtering control information includes a program identifier that uniquely identifies an application program used for transmitting the communication message. In a further preferred aspect, the program identifier is data determined according to the structure of the executable file of the application program used for transmitting the communication message, and the executable file of the application program being executed by the control means is It is preferable to provide an acquisition unit that analyzes and acquires the program identifier for the application program, and the transmission unit transmits filtering control information including the program identifier acquired by the acquisition unit to the gateway device.

  In another preferable aspect, for one or a plurality of application programs permitted to transmit a communication message to the destination, a program identifier that is data determined according to the structure of the executable file is written. A storage means, an execution format file of an application program executed by the control means, an acquisition means for acquiring the program identifier for the application program, and a program identifier acquired by the acquisition means is stored in the storage Determining means for determining whether or not the information is stored in the means, wherein the transmitting means transmits filtering control information including data representing a determination result by the determining means to the gateway device.

  In order to solve the above problems, the present invention includes a terminal device connected to a first communication network and a second communication network different from the terminal device and the first communication network. A gateway device that relays communication with a communication device, and the terminal device transmits a predetermined communication message to the communication device according to an application program, and is data representing the application program Filtering control information is transmitted to the gateway device. When the gateway device receives the communication message via the first communication network, the application program used to transmit the communication message is the second Applications that are allowed to send communication messages to communication devices connected to other communication networks Is determined based on the filtering control information received from the terminal device, and if the determination result is negative, the communication message is discarded while the determination result is positive. In some cases, a communication system is provided in which the communication message is transferred to the destination via the second communication network.

  In order to solve the above-described problem, the present invention is connected to a computer device, a terminal device connected to the first communication network, and a second communication network different from the first communication network. In a program for executing processing for relaying communication with a communication device, a communication message transmitted from the terminal device to a communication device connected to the second communication network is transmitted to the first communication network. A first step of receiving filtering control information representing an application program used for transmission of the communication message in the terminal device from the terminal device via the first communication network, The communication message received in the first step is an application that is permitted to transmit the communication message to the communication device connected to the second communication network. A second step for determining whether or not the communication message is transmitted by the communication program based on the filtering control information received in the first step, and the communication received in the first step If the determination result of the second step for the message is negative, the communication message is discarded, while if the determination result of the second step is affirmative, the communication message is And a third step of transferring to the destination via the second communication network. According to such a program, a general computer apparatus can be made to realize the same function as the gateway apparatus according to the present invention. In another aspect of the present invention, the program may be provided by being written on a computer-readable recording medium.

  In order to solve the above problem, the present invention includes a first step of transmitting a communication message to a predetermined destination according to an application program to a computer device, and filtering control information that is data representing the application program, A second step of transmitting to a gateway device that relays communication with the destination of the communication message is executed. According to such a program, it is possible to cause a general computer device to realize the same function as the terminal device according to the present invention. In another aspect of the present invention, the program may be provided by being written on a computer-readable recording medium.

  According to the present invention, it is possible to reliably prevent leakage of confidential information from the first communication network to the external second communication network.

The best mode for carrying out the present invention will be described below with reference to the drawings.
(A. Configuration)
(A-1: Configuration of communication system)
FIG. 1 is a block diagram showing a configuration example of a communication system 10 which is an embodiment of a communication system according to the present invention. The communication system 10 includes a user terminal 100 that is an embodiment of a terminal device according to the present invention, and a gateway (hereinafter referred to as “GW”) device that is also an embodiment of a gateway device according to the present invention. 200. In FIG. 1, only one user terminal is illustrated, but it is needless to say that a plurality of user terminals may be connected to the first communication network 300.

  In FIG. 1, a first communication network 300 is, for example, a LAN laid in a company and serves to mediate communication between communication devices connected to the first communication network 300. Function as. On the other hand, the second communication network 400 is the Internet, for example, and functions as an external network with respect to the first communication network 300. Although a detailed illustration is omitted in FIG. 1, for example, a plurality of communication devices such as a content server are connected to the second communication network 400.

  A user terminal 100 in FIG. 1 is a personal computer connected to a first communication network 300, and communicates via the first communication network 300 according to a predetermined communication protocol (TCP / IP in this embodiment). It can be performed. As shown in FIG. 1, the GW apparatus 200 is connected to a first communication network 300 and a second communication network 400. The GW device 200 is between a communication device (for example, the user terminal 100) connected to the first communication network 300 and a communication device (for example, the content server) connected to the second communication network 400. And a function of mediating communication performed in accordance with the predetermined communication protocol. In the present embodiment, the case where the predetermined communication protocol is TCP / IP will be described. However, other communication protocols such as UDP / IP may be used.

  In the communication system 10 shown in FIG. 1, the user terminal 100 can perform communication according to the predetermined communication protocol with other communication devices connected to the first communication network 300, and the GW device 200. The communication device connected to the second communication network 400 via the communication can communicate according to the predetermined communication protocol. More specifically, the user of the user terminal 100 causes the user terminal 100 to execute an application program (hereinafter referred to as AP) for realizing communication according to the predetermined communication protocol such as browser software. By transmitting / receiving a communication message defined by the communication protocol to / from the communication device that is the communication partner, communication according to the predetermined communication protocol can be executed with the communication partner.

  In the communication system 10 shown in FIG. 1, when some AP is executed in the user terminal 100 and a communication message is transmitted to a communication device connected to the second communication network 400, the communication is performed. The AP used for transmitting the message is allowed to transmit the communication message to the communication device connected to the external network (in this embodiment, the second communication network 400) with respect to the first communication network 300. It is determined by the GW apparatus 200 whether or not the AP is a registered AP, and the communication message is transferred to the destination only when the determination result is “positive”.

  With this configuration, the communication system 10 shown in FIG. 1 reliably filters communication messages transmitted from APs that are not allowed to transmit communication messages to the external network, It is possible to reliably prevent confidential information from leaking outside. Hereinafter, the user terminal 100 and the GW apparatus 200 which are components of the communication system 10 illustrated in FIG. 1 will be described in detail.

(A-2: Configuration of user terminal 100)
First, the configuration of the user terminal 100 will be described with reference to FIG.
FIG. 2 is a block diagram illustrating an example of a hardware configuration of the user terminal 100. As shown in FIG. 2, the user terminal 100 includes a control unit 110, a communication interface (hereinafter “IF”) 120, a storage unit 130, and a bus 140 that mediates data exchange between these components. Have. In addition to these components, the user terminal 100 includes an input unit for allowing the user to input various instructions such as a keyboard and a mouse, a display unit for displaying images representing various input screens and various output screens, and the like. However, since the input unit and the display unit are not directly related to functions unique to the terminal device according to the present invention, the illustration thereof is omitted in FIG.

  The control unit 110 is, for example, a CPU, and centrally controls each unit of the user terminal 100 by executing various software stored in the storage unit 130 described later. The communication IF unit 120 is connected to the first communication network 300, receives data transmitted via the first communication network 300, and passes the data to the control unit 110. On the other hand, the communication IF unit 120 transfers the data transferred from the control unit 110. A function of sending to the first communication network 300 is provided.

  As illustrated in FIG. 2, the storage unit 130 includes a volatile storage unit 130a and a nonvolatile storage unit 130b. The volatile storage unit 130a is, for example, a RAM (Random Access Memory), and a memory space for causing the control unit 110 to execute various types of software is assigned to each software. On the other hand, the non-volatile storage unit 130b is a hard disk, for example, and stores various data and software. More specifically, an execution format file of software is stored for each software in the nonvolatile storage unit 130b. Here, the execution format file is a file in which a machine language code indicating the contents and order of processing to be executed by the control unit 110 is written. Examples of software written in the nonvolatile storage unit 130b include various APs, OS software for causing the control unit 110 to implement an operating system (hereinafter referred to as “OS”), and the present invention. Communication control software for causing the control unit 110 to execute communication control processing characteristic of the terminal device can be given. On the other hand, as an example of data stored in the non-volatile storage unit 130b, data for performing encrypted communication with the GW device 200 (for example, secret key-public key encryption if the encryption is performed) Key: hereinafter referred to as electronic signature data). For digital signature data, using existing technologies such as tamper resistance (Information Processing Society of Japan Vol. 44 No.6-10 “Software tamper resistance technology”, Ishima et al.), For example, xdb, sdb, etc. It is desirable not to be able to read even if using the symbolic debugger. In the following, performing encryption using this digital signature data is referred to as “digital signature”.

  Next, functions provided to the control unit 110 by executing the OS software and communication software will be described. When the power (not shown) of the user terminal 100 is turned on, the control unit 110 reads the OS software execution format file from the nonvolatile storage unit 130b and loads it into the volatile storage unit 130a. Operates according to the written machine language code. The control unit 110 operating according to the OS software is given a function of executing other software, for example, in accordance with a user instruction, and a function of executing a plurality of software in parallel. For example, when an execution of a certain AP is instructed via an input unit (not shown), the control unit 110 reads the execution format file of the AP from the nonvolatile storage unit 130b and loads it into the volatile storage unit 130a. The process represented by the machine language code written in the executable file is executed. When the AP execution format file is loaded into the volatile storage unit 130a, a unique memory space (hereinafter, “process”) is assigned to each AP. An identifier (hereinafter referred to as a process ID) for uniquely identifying each process is assigned to such a process by the OS, and the executable file loaded in the memory space specified by the process ID and the process ID. Are uniquely registered in the process management table in the memory space allocated to the OS (for example, a file path indicating the location of the executable file in the nonvolatile storage unit 130b). The stored contents of the process management table are updated as needed according to changes in the state of each process. Then, when the execution of the OS software is completed and the OS is realized, the control unit 110 immediately reads the communication control software from the nonvolatile storage unit 130b and executes the communication control software. The control unit 110 operating according to the communication control software is given the following three functions.

First, when an AP executed by the control unit 110 is instructed to transmit a communication message according to the predetermined communication protocol, the communication message is connected to the second communication network 400. This is a message type determination function for determining whether or not the communication message indicates that communication with a communication device (that is, a communication device of an external network) is started. More specifically, the control unit 110 operating according to the communication control software determines whether the communication message is a SYN message for establishing a communication connection with the communication device. The determination is made based on the written destination address and the value of the SYN flag.
Second, when the determination result of the message type determination function is “positive”, a program identifier that is data for uniquely identifying the AP is acquired for the AP that is the transmission source of the communication message, Filtering control information including a program identifier and a message identifier for uniquely identifying the communication message (for example, source and destination addresses and port numbers) is generated, and the electronic signature data is used as the filtering control information. This is a first transmission function that applies an electronic signature and transmits it to the GW apparatus 200 according to UDP / IP.
Third, there is a second transmission function for transmitting the communication message to the destination via the communication IF unit 120.

  More specifically, the control unit 110 operating in accordance with the communication control software acquires the program identifier as described below. That is, the control unit 110 acquires a process ID for the AP by a known method such as executing a netstat command, searches the process management table described above using the process ID as a key, and searches for the AP. Get the file path of the executable file. Then, the control unit 110 reads a bit string of a predetermined portion of the executable file specified by the file path by a predetermined bit length, and reads the bit string with a predetermined hash function (for example, SHA-1 or MD-5). To obtain the program identifier. In the present embodiment, a case where data obtained by inputting a bit string of a predetermined bit length of a predetermined portion of an execution format file of an AP that is a transmission source of a communication message to a predetermined hash function is used as the program identifier is described. However, the bit string may be used as a program identifier as it is. In short, any data may be used as long as it is determined according to the structure of the execution format file of the AP that is the transmission source of the communication message.

The above is the configuration of the user terminal 100.
As described above, the hardware configuration of the user terminal 100 according to the present embodiment is the same as the hardware configuration of a general computer device, and by operating the control unit 110 according to the communication control software, Functions specific to the terminal device according to the present invention are realized. As described above, in the present embodiment, the case where the function specific to the terminal device according to the present invention is realized by the software module has been described. However, the terminal device according to the present invention is combined with the hardware module having the above functions. Of course, it may be configured.

(A-3: Configuration of GW apparatus 200)
Next, the hardware configuration of the GW apparatus 200 will be described.
FIG. 3 is a block diagram illustrating an example of a hardware configuration of the GW apparatus 200. As shown in FIG. 3, the hardware configuration of the GW apparatus 200 is the same as that of the user terminal 100 except that a first communication IF unit 120a and a second communication IF unit 120b are provided instead of the communication IF unit 120. The hardware configuration is the same. The first communication IF unit 120 a is connected to the first communication network 300, receives data transmitted from the first communication network 300, and delivers the data to the control unit 110, while the data delivered from the control unit 110. Is transmitted to the first communication network 300. On the other hand, the second communication IF unit 120b is connected to the second communication network 400 described above, receives data transmitted from the second communication network 400 and delivers it to the control unit 110, while being delivered from the control unit 110. The transmitted data is sent to the second communication network 400.

  Now, software different from the user terminal 100 described above is stored in the nonvolatile storage unit 130b of the GW apparatus 200, and a function different from that of the user terminal 100 is obtained when the control unit 110 executes the software. Is granted. More specifically, in the nonvolatile storage unit 130b of the GW device 200, in addition to the OS software described above, relay software that causes the control unit 110 to execute relay processing unique to the gateway device according to the present invention and the relay processing thereof Filtering control table (see FIG. 4) used in executing the signature and signature confirmation data for confirming the electronic signature applied to the filtering control information by the user terminal 100 (for example, the above-described electronic signature data is a private key) If so, the signature confirmation data is stored as a public key).

First, the filtering control table stored in the nonvolatile storage unit 130b will be described.
FIG. 4 is a diagram illustrating an example of the filtering control table. As shown in FIG. 4, the filtering control table is permitted to transmit a communication message addressed to the above-described program identifier and a communication device connected to the second communication network 400 for each of a plurality of APs. A transmission permission / inhibition flag (in FIG. 4, permitted if the flag value is “1”, not permitted if the flag value is “0”) is stored. In the filtering control table shown in FIG. 4, it is determined whether or not the AP identified by the program identifier associated with the program identifier is an AP that is permitted to transmit a communication message to the communication device. In the above description, the transmission permission / rejection flag is stored. However, only the program identifier of the AP that is permitted to transmit a communication message to the communication device or the communication message is transmitted to the communication device. Of course, only the program identifiers of APs that are not allowed to be stored may be stored in the filtering control table. In short, based on the program identifier included in the filtering control information transmitted from the user terminal 100, the communication message identified by the message identifier included in the filtering control information is the second communication network 400. The control unit 110 of the GW apparatus 200 can determine whether the communication message is transmitted by an AP that is permitted to transmit a communication message to a communication apparatus connected to the GW apparatus 200. Any of them may be used.

  Next, functions provided to the control unit 110 of the GW apparatus 200 by executing the OS software and relay software will be described. When the power (not shown) of the GW device 200 is turned on, the control unit 110 first reads the OS software from the nonvolatile storage unit 130b and executes it. The control unit 110 operating in accordance with the OS software includes a function for controlling each unit of the GW apparatus 200, a timer function for measuring time based on a clock supplied from a clock generator (not shown), and other software in a nonvolatile manner. A function of reading out and executing from the storage unit 130b is added. When the execution of the OS software is completed and the OS is realized, the control unit 110 immediately reads the relay software from the nonvolatile storage unit 130b and executes it. The control unit 110 operating according to this relay software is given the following six functions.

The first function is a first reception function for receiving a communication message transmitted via the first communication network 300 by the first communication IF unit 120a. When receiving the communication message by the first reception function, the control unit 110 of the GW apparatus 200 acquires the reception time by the timer function, and the communication message is provided in the volatile storage unit 130a. Stored in the message buffer. Then, the control unit 110 receives reception time data indicating the reception time (for example, data indicating a clock value at the time when the communication message is received) and data indicating a storage position of the communication message in the message buffer. (For example, a memory address) and data for uniquely identifying the communication message (for example, the message identifier described above) are associated and registered in the message management table shown in FIG. Thereafter, the control unit 110 searches the message management table using the message identifier as a key, thereby specifying the storage location of each communication message and enabling high-speed access to each communication message.
Second, the second reception function receives the filtering control information transmitted according to the UDP via the first communication network 300 by the first communication IF unit 120a.
Third, a message for determining whether or not the communication message received by the first reception function is a communication message indicating that communication with a communication device connected to the second communication network 400 is started. This is a type determination function. This message type determination function is the same as the message type determination function provided to the control unit 110 of the user terminal 100 by executing the communication control software described above.
Fourthly, there is a signature determination function for determining whether or not the filtering control information received by the second reception function is provided with an electronic signature based on predetermined electronic signature data. For example, when the electronic signature data is a private key and the electronic signature confirmation data is a public key, the filtering control information electronically signed (that is, encrypted) by the electronic signature data is represented by the electronic signature confirmation data. When decryption is successful, the determination result by the signature determination function is “positive”.
Fifth, the message identifier included in the filtering control information is identified based on the program identifier included in the filtering control information received by the second receiving function and the stored contents of the filtering control table. Source determination that determines whether the communication message to be transmitted is a communication message transmitted by an AP that is permitted to transmit the communication message to a communication terminal connected to the second communication network 400 It is a function. Note that the corresponding filtering control is performed from when the communication message is received by the first reception function until a predetermined timeout period elapses (that is, until a predetermined timeout period elapses from the time indicated by the reception time data). When information (that is, filtering control information including a message identifier uniquely identifying the communication message) is not received by the second reception function, the determination result by the transmission source determination function is always , Become “negative”.
Sixth, there is a transfer control function that transfers or discards the communication message received by the first reception function to the destination in accordance with the determination result by each determination function. More specifically, for a communication message for which the determination result of the message type determination function is “negative”, the communication message is always transferred to the destination, and the determination result is “positive”. Is transferred to the destination or discarded according to the determination results of the transmission source determination function and the signature determination function. Specifically, the communication message received by the first reception function is sent to the destination only when the determination result by the transmission source determination function and the determination result by the signature determination function are both “positive”. In other cases, the communication message is deleted from the message buffer and discarded. When the communication message is discarded by the transfer control function, the control unit 110 deletes data corresponding to the communication message from the message management table.

  Here, when the transfer control of the communication message received by the first reception function is performed by the transfer control function, the communication message is transmitted only when the determination result by the message type determination function is “positive”. The reason for deciding whether to transfer or discard the communication message according to the determination result by the transmission source determination function and the determination result by the signature determination function for the AP that is the transmission source is as follows. In the present embodiment, the AP executed on the user terminal 100 performs communication according to TCP. In TCP, it is stipulated that a communication connection is established with a communication partner prior to actual transmission / reception of data, and the establishment of this communication connection is called a 3-way handshake shown in FIG. It is done according to the procedure. FIG. 6 shows a communication sequence when the user terminal 100 requests establishment of a communication connection from a communication device connected to an external network (for example, the second communication network 400). What should be noted here is that in TCP, a SYN message for establishing a communication connection is always transmitted prior to actual transmission / reception of data. In other words, for only the SYN message, if transfer permission / inhibition is determined according to the determination result by the transmission source determination function and the determination result by the signature determination function, communication with the communication device connected to the second communication network 400 is performed. This is because it is possible to reliably suspend communication with such a communication device for an AP that is not permitted to communicate.

The above is the configuration of the GW apparatus 200.
As described above, the hardware configuration of the GW apparatus 200 according to the present embodiment is the same as the hardware configuration of a general computer apparatus. By operating the control unit 110 in accordance with the communication control software, Functions specific to the GW apparatus according to the invention are realized. As described above, in the present embodiment, the case where the functions specific to the GW apparatus according to the present invention are realized by the software module has been described. However, the GW apparatus according to the present invention is combined with the hardware modules having the above functions. Of course, it may be configured.

(A-4: Operation)
Next, among the operations performed by the user terminal 100 and the GW apparatus 200, operations that clearly show the features will be described with reference to the drawings. In the operation example described below, it is assumed that the communication control software described above is executed in the user terminal 100, and the relay software described above is executed in the GW apparatus 200. In the operation example described below, a certain AP is executed by the control unit 110 of the user terminal 100, and the above-described SYN message addressed to the content server connected to the second communication network 400 is transmitted by the AP. A case of transmission will be described.

First, communication control processing performed by the control unit 110 of the user terminal 100 in accordance with the communication control software when the AP is instructed to transmit a communication message will be described with reference to FIG.
FIG. 7 is a flowchart showing a flow of communication control processing performed by the control unit 110 of the user terminal 100 in accordance with the communication control software. As shown in FIG. 7, the control unit 110 of the user terminal 100 waits for an instruction to transmit a communication message. When the AP is instructed to transmit a communication message (step SA100: Yes), It is determined whether or not the communication message is a communication message indicating the start of communication with a communication device connected to an external network (second communication network 400 in this embodiment) (step SA110). Specifically, the control unit 110 of the user terminal 100 determines that the transmission address of the communication message is a communication address other than the communication device connected to the first communication network 300 and the value of the SYN flag is “ If it is 1 ″, it is determined that the communication message indicates that communication with the communication device connected to the second communication network 400 is started. In this operation example, since the AP is instructed to transmit a SYN message to the content server connected to the second communication network 400, the determination result in Step SA110 is “Yes”.

  If the determination result in step SA110 is “No”, the control unit 110 of the user terminal 100 transmits the communication message to the first communication network 300 using the communication IF unit 120 (step SA150). The communication control process ends. On the other hand, when the determination result in step SA100 is “Yes”, the control unit 110 of the user terminal 100 executes processes in steps SA120 to SA140 described later.

  In step SA120 executed subsequently when the determination result in step SA110 is “Yes”, the control unit 110 of the user terminal 100 generates the filtering control information described above for the communication message. Specifically, the control unit 110 of the user terminal 100 acquires the program identifier of the AP, which is the transmission source of the communication message, based on the process ID of the process assigned to the execution of the AP. On the other hand, a message identifier for uniquely identifying the communication message is obtained by analyzing the content of the communication message. And the control part 110 of the user terminal 100 produces | generates the filtering control information containing the program identifier and message identifier which were acquired in this way.

Next, the control unit 110 of the user terminal 100 reads the electronic signature data stored in the non-volatile storage unit 130b, and applies the electronic signature to the filtering control information generated in step SA120 using the electronic signature data. Thereafter, the communication message is transmitted to the GW apparatus 200 according to UDP (step SA130), and further, the communication message is transmitted to the first communication network 300 by the communication IF unit 120 (step SA140). As described above, in this operation example, the determination result of step SA110 is “Yes”, so the processing of step SA120 to step SA140 is executed, and the SYN message transmitted by the AP is transmitted to the first communication network. Filtering control information including the program identifier for the AP and the message identifier for the SYN message is transmitted to the GW apparatus 200 via the first communication network 300.
The above is the flow of communication control processing performed by the control unit 110 of the user terminal 100 in accordance with the communication control software.

  Now, the SYN message and the filtering control information transmitted from the user terminal 100 as described above are appropriately routed in the first communication network 300 and reach the GW apparatus 200. Next, relay processing performed by the control unit 110 of the GW apparatus 200 when the SYN message and the filtering control information are received will be described with reference to FIG.

  FIG. 8 is a flowchart showing a flow of relay processing performed by the control unit 110 of the GW apparatus 200 according to the relay software. As shown in FIG. 8, when the control unit 110 receives a communication message transmitted from the user terminal 100 by the first communication IF unit 120a (step SB100), the control unit 110 writes the communication message to the volatile storage unit 130a. The message identifier of the communication message, the data indicating the reception time, and the data indicating the storage location are registered in the above-described message management table (see FIG. 5).

  Next, the control unit 110 of the GW apparatus 200 determines whether or not the communication message received in step SB100 is a communication message indicating that communication with the communication apparatus connected to the second communication network 400 is started. Determination is made (step SB110). Note that the determination criterion in step SB110 is the same as the determination criterion in step SA110 described above. In this operation example, since the SYN message addressed to the content server connected to the second communication network 400 is transmitted, the determination result in step SB110 is “Yes”.

  When the determination result in step SB110 is “No”, the control unit 110 of the GW apparatus 200 reads the communication message received in step SB100 from the volatile storage unit 130a and transfers it to the destination (step SB140), the data about the communication message is deleted from the message management table. Conversely, when the determination result in step SB110 is “Yes”, the control unit 110 of the GW apparatus 200 includes the program identifier included in the filtering control information corresponding to the communication message and the above-described filtering control table ( The AP identified by the program identifier is compared with the stored contents of FIG. 4), and the AP that is permitted to transmit a communication message to the communication device connected to the second communication network 400 is permitted. Is determined (step SB120).

  If the determination result in step SB120 is “No”, the control unit 110 of the GW apparatus 200 deletes the communication message received in step SB100 from the volatile storage unit 130a and discards the communication message (step SB150). In addition, the data about the communication message is deleted from the message management table. On the other hand, when the determination result in step SB120 is “Yes”, the control unit 110 of the GW apparatus 200 determines whether or not an electronic signature based on predetermined electronic signature data is applied to the filtering control information. (Step SB130) If the determination result is “Yes”, the processing of Step SB140 is executed to end the relay processing. On the other hand, if the determination result is “No”, the above Step The process of SB150 is executed and the relay process is terminated.

As described above, according to the present embodiment, when the communication message transmitted from the user terminal 100 via the first communication network 300 such as an intranet is transferred to the second communication network 400 which is an external network by the GW apparatus 200. In addition, whether or not the transfer is possible can be determined for each AP that is the transmission source of the protocol message, and confidential information is transferred from the first communication network 300 to the outside by executing the AP created for an illegal purpose. There is an effect that leakage is avoided.
Further, according to the present embodiment, it is determined whether or not the AP is an AP that is permitted to transmit a communication message to the external network, using a program identifier that is determined according to the structure of the AP executable file. For this reason, it is extremely difficult to misrepresent the program identifier, and it is possible to reliably prevent leakage of confidential information to an external network.
Further, according to the present embodiment, the filtering process is not performed by the GW device 200, but the processing is distributed to the user terminal 100 and the GW device 200, so the filtering process is performed only by the GW device 200. Compared to the conventional technique, the processing load on the GW apparatus 200 can be reduced.

(B. Modification)
As mentioned above, although embodiment of this invention was described, it is needless to say that each embodiment mentioned above may be changed as follows.
(B-1: Modification 1)
In the embodiment described above, the control unit 110 of the GW apparatus 200 compares the program identifier included in the filtering control information transmitted from the user terminal 100 and the stored content of the filtering control table (see FIG. 4). The AP that is the transmission source of the communication message identified by the message identifier included in the filtering control information is permitted to transmit the communication message to the communication device connected to the second communication network 400. The case where the control unit 110 of the GW apparatus 200 determines whether or not it is an AP has been described. However, the filtering control table is stored in the non-volatile storage unit 130b of the user terminal 100 so that the control unit 110 of the user terminal 100 performs the above determination on the AP that is the transmission source of the communication message. Also good. In such an aspect, instead of the program identifier, filtering control information including data representing the determination result of the determination is transmitted to the control unit 110 of the user terminal 100, and the value of the data is set. In response, the control unit 110 of the GW apparatus 200 may execute whether or not the communication message identified by the message identifier included in the filtering control information can be transferred. Needless to say, the same effects as those of the above-described embodiment can be obtained in such an aspect.

(B-2: Modification 2)
In the embodiment described above, for a communication message in which the determination result by the transmission source determination function is “positive” and the determination result by the signature determination function is also “positive”, the control unit 110 of the GW apparatus 200 The case where data is unconditionally transferred to the destination has been described. However, as shown in FIG. 9, for a communication message in which the determination result by the transmission source determination function is “positive” and the determination result by the signature determination function is “positive”, the header of the communication message is further added. It is determined whether or not the data (transmission source and transmission destination address, transmission source and transmission destination port number, etc.) written in the section satisfies a predetermined condition (FIG. 9: Step SB135). If it is “positive”, it is transmitted to the destination, and conversely, if the determination result is “negative”, the communication message may be discarded.

  Moreover, in the aspect which determines the propriety of the transfer based on the data written in the header of the communication message as described above, instead of the filtering control table shown in FIG. 4, the filtering control shown in FIG. The table may be stored in the nonvolatile storage unit 130b of the GW device 200. The filtering control table shown in FIG. 10 is different from the filtering control table shown in FIG. 4 in that condition data representing conditions for the data written in the header is stored instead of the transmission enable / disable flag. Is a point. The filtering control table shown in FIG. 10 is stored in the non-volatile storage unit 130b, and data representing conditions specific to each AP is stored as the condition data. In the process of step SB135 in FIG. Whether the data written in the header of the communication message satisfies the condition represented by the condition data stored in the filtering control table shown in FIG. 10 in association with the program identifier of the AP that is the transmission source of the target communication message If the control unit 110 of the GW apparatus 200 determines whether or not, it is possible to perform the determination of step SB135 under different conditions for each AP, that is, to perform fine filtering processing for each AP. become.

(B-3: Modification 3)
In the embodiment described above, the communication message transmitted from the user terminal 100 starts communication with a communication device connected to an external network different from the communication network to which the user terminal 100 is connected. In the case of a communication message of the communication message, the transfer or discard of the communication message is determined according to the determination result by the transmission source determination function and the determination result by the signature determination function for the AP that is the transmission source of the communication message Explained. However, regardless of whether or not the communication message is to start communication with a communication device connected to the external network, the determination by the transmission source determination function and the determination by the signature determination function are performed, and these determinations are made. Of course, it may be determined whether or not the communication message can be transferred according to the result.

(B-4: Modification 4)
In the above-described embodiment, the case has been described in which when the filtering control information is transmitted to the user terminal 100, an electronic signature with predetermined electronic signature data is applied and transmitted. This is to cause the control unit 110 of the GW apparatus 200 to authenticate that the filtering control information has been transmitted in accordance with a predetermined communication control program, but such authentication using an electronic signature is not necessarily essential. For example, filtering control information may be transmitted without performing an electronic signature as described above, and a communication message whose determination result by the transmission source determination function is “positive” may be unconditionally transferred to its destination. Of course it is good.

(B-5: Modification 5)
In the embodiment described above, separately from the communication message transmitted by the AP, filtering control information for causing the GW apparatus 200 to determine whether or not to transfer the communication message is transmitted from the user terminal 100 to the GW apparatus 200 according to UDP. The case of sending was explained. However, of course, the communication message and the filtering control information may be encapsulated in, for example, a UDP packet and transmitted.

(B-6: Modification 6)
In the above-described embodiment, when the communication message instructed to be transmitted by the AP is a communication message indicating the start of communication with the communication device connected to the second communication network 400, the user terminal 100 The case where the control unit 110 obtains the program identifier for the AP has been described. However, an AP management table (see FIG. 11) that stores the process ID of the process assigned to the execution of the AP and the program identifier of the AP in association with each other is written in the nonvolatile storage unit 130b of the user terminal 100 in advance. Alternatively, the stored contents of the AP management table may be updated according to the AP execution status in the user terminal 100. Such a thing is implement | achieved by making the control part 110 of the user terminal 100 perform AP management processing shown in FIG. As shown in FIG. 12, the control unit 110 first determines whether or not a new process has been started (step SC100). If the determination result is “Yes”, the processing after step SC110 is performed. On the contrary, if the determination result in step SC100 is “No”, the processes after step SC100 are repeatedly executed.

  In step SC110 executed after the determination result of step SC100 is “Yes” (that is, when a new process is activated), the control unit 110 performs the process of the newly activated process. Get an ID. Next, the control unit 110 acquires the file path of the executable file of the AP being executed in the new process (step SC120). Note that the processing of step SC110 and step SC120 is realized by causing the control unit 110 to execute a tasklist command or a ps command, for example.

  Then, the control unit 110 accesses the execution format file of the AP according to the file path acquired in step SC120, acquires a program identifier for the AP (step SC130), and acquires the program identifier and the step SC110. Are registered in the AP management table in association with the process ID acquired in step SC140. Thereafter, the control unit 110 of the user terminal 100 repeatedly executes the processes after step SC100.

  In this way, when the execution start time of the AP (that is, when the process corresponding to the AP is activated), the process ID and the program identifier of the AP are associated with each other and registered in the AP management table. When an AP is instructed to transmit a communication message, the program identifier of the AP can be read immediately from the AP management table, so that the time required for sending the filtering control information for the AP is reduced. Is possible. For the AP that has finished executing, the data about the AP may be deleted from the AP management table at the end of the execution, and each AP registered in the AP management table may be deleted. For example, periodically, it is determined whether or not the process specified by the process ID associated with the program identifier of the AP is actually operating. If the process is not operating, the process ID and The set of program identifiers may be deleted from the AP management table.

(B-7: Modification 7)
In the above-described embodiment, a case has been described in which software for causing the control unit 110 such as a CPU to realize a function specific to the terminal device according to the present invention is stored in the nonvolatile storage unit 130b of the user terminal 100 in advance. . However, for example, the software is recorded on a computer-readable recording medium such as a CD-ROM (Compact Disk-Read Only Memory) or a DVD (Digital Versatile Disk), and is generally used with such a recording medium. Of course, the software may be installed in a simple computer device. If it does in this way, there exists an effect that it becomes possible to give the same function as a terminal unit concerning the present invention to a general computer device. Similarly, software for causing the control unit 110 such as a CPU to realize a function specific to the gateway device according to the present invention is recorded in a computer-readable recording medium, and the recording medium is generally used with such a recording medium. Of course, the software may be installed in a typical computer device. If it does in this way, there exists an effect that it becomes possible to provide the same function as a gateway device concerning the present invention to a general computer device.

1 is a block diagram illustrating a configuration example of a communication system 10 according to an embodiment of the present invention. 2 is a block diagram illustrating an example of a hardware configuration of a user terminal 100 included in the communication system 10. FIG. 2 is a block diagram showing an example of a hardware configuration of a GW apparatus 200 included in the communication system 10. FIG. It is a figure which shows an example of the filtering control table stored in the non-volatile storage part 130b of the GW apparatus 200. It is a figure which shows an example of the message management table produced | generated in the volatile memory | storage part 130a of the same GW apparatus 200. FIG. It is a figure for demonstrating the 3 way handshake in TCP. It is a flowchart which shows the flow of the communication control process which the control part 110 of the same user terminal 100 performs according to communication control software. It is a flowchart which shows the flow of the relay process which the control part 110 of the GW apparatus 200 performs according to relay software. 10 is a flowchart showing a flow of relay processing according to Modification 2. It is a figure which shows an example of the filtering control table which concerns on the modification 2. It is a figure which shows an example of AP management table which concerns on the modification 6. FIG. 14 is a flowchart showing a flow of AP management processing according to Modification 6;

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Communication system, 100 ... User terminal, 110 ... Control part, 120 ... Communication IF part, 120a ... 1st communication IF part, 120b ... 2nd communication IF part, 130 ... Memory | storage part, 130a ... Volatile memory part, Reference numeral 130b: a nonvolatile storage unit, 140: a bus, 200: a GW apparatus, 300: a first communication network, 400: a second communication network.

Claims (13)

In a gateway device that relays communication between a terminal device connected to a first communication network and a communication device connected to a second communication network different from the first communication network,
While receiving the communication message transmitted from the terminal device to the communication device connected to the second communication network via the first communication network, the terminal device transmits the communication message. Receiving means for receiving filtering control information representing the used application program from the terminal device via the first communication network;
Whether the communication message received by the receiving means is a communication message transmitted by an application program that is permitted to transmit a communication message to a communication device connected to the second communication network. , Transmission source determination means for determining based on filtering control information received by the reception means;
When the determination result by the transmission source determination unit for the communication message received by the reception unit is negative, the communication message is discarded while the determination result by the transmission source determination unit is positive And a transfer control means for transferring the communication message to the destination via the second communication network. Analyzing the communication message received by the receiving means, comprising message content determining means for determining whether the data written in the header satisfies a predetermined condition;
The transfer control means includes
Regarding the communication message received by the receiving means, even if the determination result by the transmission source determining means is affirmative, if the determination result by the message content determining means is negative, the communication message is discarded. The gateway device according to claim 1. Based on the content of the communication message received by the receiving means, it is determined whether or not the communication message is a communication message indicating that communication with a communication device connected to the second communication network is started. A message type determination means for
The transfer control means includes
For a communication message with a positive determination result by the message type determination unit, the communication message is transferred or discarded according to the determination result by the transmission source determination unit, and conversely, the determination by the message type determination unit The gateway device according to claim 1, wherein a communication message having a negative result is always transferred to a destination thereof regardless of a determination result of the transmission source determination unit. A signature determination means for determining whether or not an electronic signature by predetermined electronic signature data is applied to the filtering control information;
The transfer control means includes
Even if the determination result by the transmission source determination unit for the communication message received by the reception unit is positive, if the determination result by the signature determination unit is negative, the communication message is discarded. The gateway device according to claim 1. The filtering control information is
Including a program identifier that uniquely identifies an application program used to transmit a communication message in the terminal device;
Storage means in which the program identifier for one or more application programs permitted to transmit a communication message addressed to a communication device connected to the second communication network is written;
The transmission source determination means includes
The communication message transmitted from the terminal device is compared with the program identifier contained in the filtering control information received from the terminal device by the receiving means and the storage content of the storage means, and the second communication network The gateway device according to claim 1, wherein it is determined whether or not the communication message is transmitted by an application program permitted to transmit a communication message to a communication device connected to the communication device. . The program identifier is
The gateway apparatus according to claim 5, wherein the gateway apparatus is data determined according to a structure of an execution format file of the application program. Control means for executing an application program;
When the control means that is executing the application program is instructed to transmit a communication message to a predetermined destination, filtering control information that is data representing the application program while transmitting the communication message to the destination Transmitting means for transmitting the message to a gateway device that relays communication with the destination of the communication message. The filtering control information is
The terminal device according to claim 7, further comprising: a program identifier that uniquely identifies an application program used for transmitting the communication message. The program identifier is data determined according to the structure of the executable file of the application program used for transmitting the communication message,
Analyzing the executable file of the application program being executed by the control means, and obtaining means for obtaining the program identifier for the application program;
The transmission means includes
The terminal device according to claim 8, wherein filtering control information including the program identifier acquired by the acquisition unit is transmitted to the gateway device. Storage means in which a program identifier, which is data determined according to the structure of the executable file, is written for one or a plurality of application programs permitted to transmit a communication message to the destination;
An acquisition means for analyzing an executable file of the application program being executed by the control means and acquiring the program identifier for the application program;
Determination means for determining whether or not the program identifier acquired by the acquisition means is stored in the storage means;
With
The transmission means includes
The terminal device according to claim 7, wherein filtering control information including data representing a determination result by the determination unit is transmitted to the gateway device. A terminal device connected to the first communication network;
A gateway device that relays communication between the terminal device and a communication device connected to a second communication network different from the first communication network;
With
The terminal device
While sending a predetermined communication message addressed to the communication device according to the application program, sending filtering control information that is data representing the application program to the gateway device,
The gateway device is
When the communication message is received via the first communication network, the application program used for transmitting the communication message sends the communication message to the communication device connected to the second communication network. Whether the application program is permitted to be transmitted is determined based on the filtering control information received from the terminal device, and if the determination result is negative, the communication message is discarded. When the determination result is affirmative, the communication message is transferred to the destination via the second communication network. Computer equipment,
In a program for executing processing for relaying communication between a terminal device connected to a first communication network and a communication device connected to a second communication network different from the first communication network,
While receiving the communication message transmitted from the terminal device to the communication device connected to the second communication network via the first communication network, the terminal device transmits the communication message. A first step of receiving filtering control information representing the used application program from the terminal device via the first communication network;
The communication message received by the first step is a communication message transmitted by an application program that is permitted to transmit a communication message to a communication device connected to the second communication network. A second step of determining whether or not based on the filtering control information received in the first step;
If the determination result of the second step for the communication message received in the first step is negative, the communication message is discarded while the determination result of the second step is positive. If so, a third step of transferring the communication message to the destination via the second communication network is executed. Computer equipment,
A first step of transmitting a communication message to a predetermined destination according to an application program;
And a second step of transmitting filtering control information, which is data representing the application program, to a gateway device that relays communication with the destination of the communication message.

Images