JP2011166375A - Device, method, program and system for setting access control, and access control device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To appropriately control accessibility of a network domain generated in hub-to-hub connection. <P>SOLUTION: When a predetermined VPN-to-VPN connection is formed via a wide-area network, with respect to each of user terminals below each VPN, an integration AAA device 100 authenticates a user who uses the user terminal. When an authentication result of successful authentication is obtained for a predetermined user terminal, the integration AAA device 100 sets access control information with respect to a gateway device 200 housing the predetermined user terminal so that access employing the predetermined user terminal as a transmission source and employing the wide-area network as a destination is allowed. When predetermined conditions set in advance are satisfied, the integration AAA device 100 sets the access control information with respect to the gateway device 200 so that access employing a user terminal other than the predetermined user terminal as a transmission source and employing the predetermined user terminal as a destination is allowed. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an access control setting device, an access control setting method, an access control setting program, an access control setting system, and an access control device.

  In recent years, services have emerged that provide a collaborative space by connecting multiple locations. In particular, there is a high demand for an on-demand service, that is, a service for connecting between bases in a timely manner upon request. Here, the “base” is an isolated network domain whose reachability is limited by VPN (Virtual Private Network) or geographical conditions. In addition, “inter-base connection” means that information for transferring a packet transmitted from a terminal at a base to a terminal at a base is set in each device existing on the path between the bases. It is interconnecting the bases so that they can communicate with each other. The “collaborative space” is a network domain generated by inter-base connection, and is a network domain having the interconnected range as a new reachable range. For example, Non-Patent Document 1 discloses a technique for connecting between a plurality of VPNs having different connection methods.

  By the way, conventionally, access control between bases is generally performed based on authentication of a user who uses a terminal (hereinafter referred to as user authentication). For example, a system for connecting bases performs user authentication for each user of each terminal belonging to the base-to-base connection, and if user authentication is successful, the gateway device that accommodates the terminal used by the user who has succeeded in user authentication. On the other hand, control is performed to permit access related to the user. For example, Patent Document 1 discloses a technique in which user authentication is performed by a gateway device and access control is performed based on a ticket paid out by the gateway device.

JP 2005-348164 A

Takaaki Koyama, Shuichi Karasawa, Kazuhiro Kishi, Shintaro Mizuno, Aetetsu Iwamura, "Proposal of VPN Connection Management System", THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS, IEICE Technical Report ( IEICE Technical Report), IN2009-48 (2009-09)

  However, the above-described conventional technique has a problem that the reachability in the network domain caused by the connection between bases cannot be appropriately controlled. For example, consider the case of inter-base connection between two bases (one terminal at each base) and the case where each base is accommodated in each of two gateway devices. In such a case, for example, when the user authentication of one user is successful, the system that connects the bases controls to permit the gateway device corresponding to the user to access the user. Here, since the other gateway device does not perform access control related to the user, at this point, a user who has succeeded in user authentication can reach the other user who has not performed user authentication.

  Note that the access control based on the ticket cannot be realized without changing the interface of the existing gateway device, and does not solve the above problem appropriately.

  The disclosed technology has been made in view of the above, and an access control setting device, an access control setting method, and an access control setting program capable of appropriately controlling reachability in a network domain caused by inter-base connection It is an object to provide an access control setting system and an access control device.

  In one aspect, an access control setting device, an access control setting method, an access control setting program, an access control setting system, and an access control device disclosed in the present application are configured such that predetermined inter-site connections are made via a wide area network for a plurality of bases. When the access control device is formed, the access control information for controlling the access is stored in the access control device that accommodates the terminals under each base and controls the access performed between the terminals belonging to the predetermined inter-base connection. An access control setting device for setting, wherein for each terminal under each of the bases, an authentication means for authenticating a user who uses the terminal, and an authentication result of successful authentication by the authentication means is the connection between the predetermined bases When acquired for a predetermined terminal among the terminals to which the terminal belongs, the wide area network is destined for the predetermined terminal as a transmission source. First access control means for setting access control information for an access control apparatus that accommodates the predetermined terminal so as to permit the access to be performed, and the first access control when a predetermined condition is set in advance. A terminal other than the predetermined terminal to which access is permitted by the means, and the predetermined terminal is permitted so that access is permitted to each terminal belonging to the predetermined inter-base connection as a transmission source. And a second access control means for setting access control information for the access control apparatus to be accommodated.

  According to one aspect of the access control setting device, the access control setting method, the access control setting program, the access control setting system, and the access control device disclosed in the present application, the reachability in the network domain caused by the inter-base connection is appropriately set. There is an effect that it becomes possible to control.

FIG. 1 is a diagram for explaining an access control setting system according to the first embodiment. FIG. 2 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the first embodiment. FIG. 3 is a diagram illustrating an example of authentication information stored in the inter-VPN connection system authentication information storage unit 120. FIG. 4 is a diagram illustrating an example of the authentication result stored in the authentication result storage unit 121. FIG. 5 is a diagram illustrating an example of service information stored in the service information storage unit 122. FIG. 6 is a flowchart showing a processing procedure performed by the inter-VPN connection system authentication unit 130. FIG. 7 is a flowchart illustrating a processing procedure performed by the access control setting unit 131 according to the first embodiment. FIG. 8 is a diagram for explaining the stepwise access opening in the first embodiment. FIG. 9 is a block diagram illustrating the configuration of the gateway device 200 according to the first embodiment. FIG. 10 is a diagram illustrating an example of access control information stored in the access control information storage unit 220. FIG. 11 is a sequence diagram illustrating a processing procedure in the access control setting system according to the first embodiment. FIG. 12 is a flowchart illustrating a processing procedure performed by the access control setting unit 131 according to the second embodiment. FIG. 13 is a diagram for explaining the stepwise access opening in the second embodiment. FIG. 14 is a diagram for explaining the access control setting system according to the third embodiment. FIG. 15 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the third embodiment. FIG. 16 is a diagram illustrating an example of information stored in the authentication server information storage unit 123. FIG. 17 is a diagram illustrating an example of information stored in the inter-VPN connection system authentication information storage unit 120 according to the third embodiment. FIG. 18 is a sequence diagram illustrating the processing procedure in the access control setting system according to the third embodiment. FIG. 19 is a diagram for explaining bases as a plurality of local area network groups connected by the VPN service. FIG. 20 is a diagram for explaining bases as a plurality of local area network groups connected by the VPN service. FIG. 21 is a diagram for explaining bases as a plurality of local area network groups connected by the VPN service.

  Hereinafter, embodiments of an access control setting device, an access control setting method, an access control setting program, an access control setting system, and an access control device disclosed in the present application will be described. In addition, this invention is not limited by the following examples.

[Outline of Access Control Setting System According to Embodiment 1]
The access control setting system according to the first embodiment will be described with reference to FIGS. FIG. 1 is a diagram for explaining an access control setting system according to the first embodiment. The dotted line illustrated in FIG. 1 illustrates the demarcation between the telecommunications carrier side that operates the wide area network and the telecommunications carrier side that operates the VPN service.

  Among various apparatuses illustrated in FIG. 1, an integrated AAA (Authentication Authorization Accounting) apparatus 100 and a gateway apparatus 200 correspond to the access control setting system according to the first embodiment. In addition, as illustrated in FIG. 1, a system that connects VPNs terminated by each VPN termination device 50 via the collective virtual router 10 is an inter-VPN connection system, and generally manages the inter-VPN connection system. The system is an inter-VPN connection management system 20. 1 illustrates a configuration in which the integrated AAA device 100 and the inter-VPN connection management system 20 are different cases, but the present invention is not limited to this, and the integrated AAA device 100 and the inter-VPN connection are not limited thereto. The present invention can be similarly applied to a configuration in which the management system 20 is installed in an apparatus that is housed in a single housing.

  Here, the VPN connection management system 20 will be briefly described. As illustrated in FIG. 1, the collective virtual router 10 and the VPN termination device 50 are installed in the wide area network. Here, the collective virtual router 10 is a device that controls packet transfer in a wide area network. The VPN termination device 50 is a device that accommodates the VPN and terminates the VPN between the accommodated VPN side and the wide area network side.

  FIG. 1 illustrates a configuration in which a plurality of VPN termination devices 50 and a collective virtual router 10 are installed, but the present invention is not limited to this. For example, the present invention can be similarly applied to a configuration in which a plurality of combinations of a plurality of casing VPN termination devices 50 and a single casing aggregate virtual router 10 are further installed. Further, for example, the present invention can be similarly applied to a configuration in which a plurality of VPN termination devices 50 with a plurality of casings and a collective virtual router 10 with a plurality of casings are installed in combination. Further, for example, the function of the VPN termination device 50 (the function of accommodating VPN and terminating the VPN between the accommodated VPN side and the wide area network side) and the function of the collective virtual router 10 (packets in the wide area network) The present invention can be similarly applied to a configuration in which a device in which a function for controlling transfer) is accommodated in one housing is installed.

  1 illustrates a configuration in which the inter-VPN connection management system 20 is installed in a wide area network, but the present invention is not limited to this. The inter-VPN connection management system 20 may be configured to be able to communicate with the collective virtual router 10 and the VPN termination device 50 and does not necessarily have to be installed in a wide area network. For example, the present invention can be similarly applied to a configuration in which the inter-VPN connection management system 20 is connected to the VPN termination device 50 and the collective virtual router 10 via a monitoring network.

  Now, under such a configuration, the inter-VPN connection management system 20 accepts an inter-VPN connection request, and identifies a device to be set with setting information necessary for the inter-VPN connection based on the accepted inter-VPN connection request. To do. Specifically, the inter-VPN connection management system 20 identifies the VPN termination device 50 that accommodates each VPN specified in the inter-VPN connection request, and identifies the collective virtual router 10.

  Next, the inter-VPN connection management system 20 specifies the setting information to be set in the specified VPN terminator 50 and corresponds to each VPN specified in the inter-VPN connection request. Generate according to 50. Further, the inter-VPN connection management system 20 generates setting information to be set for the identified aggregate virtual router 10 according to the identified aggregate virtual router 10. Then, the inter-VPN connection management system 20 reflects the generated setting information to the specified VPN termination device 50 and the collective virtual router 10. The setting information is reflected in accordance with, for example, a service start time reserved in advance.

  Thus, the inter-VPN connection management system 20 established the inter-VPN connection based on the inter-VPN connection request in the inter-VPN connection system. The constructed inter-VPN connection is provided by the inter-VPN connection management system 20 as an inter-VPN connection service.

  Returning to FIG. 1, an ASP (Application Service Provider) 30 is a server installed in a wide area network. For example, a user terminal that is provided with an inter-VPN connection service accesses the ASP 30 using a protocol such as HTTP (Hyper Text Transfer Protocol). The hub 11 is, for example, a Layer 2 switching hub and accommodates the VPN termination device 50 and the like.

  1 illustrates a configuration in which the gateway device 200 and the VPN termination device 50 have a one-to-one relationship for convenience of explanation, but the present invention is not limited to this. The configuration of the gateway device 200 and the VPN termination device 50 may be an M-to-N relationship. In FIG. 1, for example, “gateway device 1”, “gateway device 2”, and “gateway device 3” are shown as the gateway device 200. ) ”,“ Gateway device 200 (2) ”, and“ gateway device 200 (3) ”. The same applies to other devices.

  In the first embodiment, as illustrated in FIG. 1, the user terminal used by the user “UserA” is accommodated in the VPN terminal device 50 (1) and the gateway device 200 (1), and the user “UserB” The user terminal to be used is accommodated in the VPN terminating device 50 (2) and the gateway device 200 (2), and the user terminal used by the user “UserC” is in the VPN terminating device 50 (3) and the gateway device 200 (3). Although the example accommodated is demonstrated, this invention is not limited to this. For example, the user terminal used by the user “UserA”, the user terminal used by the user “UserB”, and the user terminal used by the user “UserC” are all the same VPN terminal device 50 and gateway device 200 (for example, VPN The present invention can be similarly applied to configurations accommodated in the terminating device 50 (1) and the gateway device 200 (1)).

  Under the above configuration, the integrated AAA device 100 according to the first embodiment provides the connection service between VPNs by the VPN connection management system 20 for each user terminal under each VPN receiving provision of the connection service between VPNs. Authenticate the user who uses the user terminal. Further, the integrated AAA device 100 controls access between VPNs so that access between VPNs is allowed in stages according to the authentication result for each user using the user terminal. That is, the integrated AAA device 100 sets access control information for the gateway device 200 so that access between VPNs is allowed in stages according to the authentication result for each user terminal.

[Configuration of Integrated AAA Device 100 According to Embodiment 1]
Next, the configuration of the integrated AAA device 100 (also referred to as an access control setting device) according to the first embodiment will be described with reference to FIGS. FIG. 2 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the first embodiment. As illustrated in FIG. 2, the integrated AAA device 100 according to the first embodiment includes a communication I / F unit 110. For example, the communication I / F unit 110 is a general interface for IP (Internet Protocol) communication.

  Further, the integrated AAA device 100 according to the first embodiment particularly includes an inter-VPN connection system authentication information storage unit 120, an authentication result storage unit 121, a service information storage unit 122, an inter-VPN connection system authentication unit 130, and an access. And a control setting unit 131.

  The inter-VPN connection system authentication information storage unit 120 stores authentication information for authenticating the user who receives the provision of the inter-VPN connection service. Specifically, the inter-VPN connection system authentication information storage unit 120 stores the authentication information by being registered in advance by, for example, a person in charge of the inter-VPN connection service when contracting the inter-VPN connection service. . The authentication information stored in the inter-VPN connection system authentication information storage unit 120 is used for processing by the inter-VPN connection system authentication unit 130.

  FIG. 3 is a diagram illustrating an example of authentication information stored in the inter-VPN connection system authentication information storage unit 120. For example, as illustrated in FIG. 3, the inter-VPN connection system authentication information storage unit 120 according to the first embodiment stores the user name, password, and remote IP address of the inter-VPN connection system in association with each other.

  The user name of the inter-VPN connection system is a name for identifying, in the inter-VPN connection management system 20, a user who receives provision of the inter-VPN connection service. The password is information for authenticating whether or not the user identified by the user name is a valid user, and is, for example, a character string encoded by Base64. The remote IP address is a private address assigned to the user terminal used by the user. In FIG. 3, although expressed as “remote IP address A” or the like, the actual IP address is “192.168.1.10”, for example.

  The authentication result storage unit 121 stores a user authentication result. Specifically, the authentication result storage unit 121 stores the authentication result by being stored by the inter-VPN connection system authentication unit 130. The authentication result stored in the authentication result storage unit 121 is used for processing by the access control setting unit 131.

  FIG. 4 is a diagram illustrating an example of the authentication result stored in the authentication result storage unit 121. For example, as illustrated in FIG. 4, the authentication result storage unit 121 according to the first embodiment stores the user name of the inter-VPN connection system, the authentication result, and the authentication completion time in association with each other. The authentication result is a result of whether or not the authentication is successful. “OK” indicates that the authentication has been successful, and “NG” indicates that the authentication has failed. In the first embodiment, it is assumed that authentication is repeatedly performed until success, and “authentication completed” is referred to when authentication is successful. The authentication completion time is a time when the authentication process is performed, and is recorded in the first embodiment regardless of whether or not the authentication is successful.

  The service information storage unit 122 stores service information related to the inter-VPN connection service. Specifically, the service information storage unit 122 is registered in advance by the person in charge of the inter-VPN connection service or the inter-VPN connection management system 20 before the service start time when the inter-VPN connection service is provided, for example. Thus, the service information is stored. The service information stored in the service information storage unit 122 is used for processing by the access control setting unit 131.

  FIG. 5 is a diagram illustrating an example of service information stored in the service information storage unit 122. For example, as illustrated in FIG. 5, the service information storage unit 122 includes a service start time, a service end time, a virtual router name, a user name of an inter-VPN connection system, a gateway device, and a VPN termination device. Store in association with each other. The service start time is the start time of the inter-VPN connection service provided by the inter-VPN connection management system 20. The service end time is the end time of the inter-VPN connection service provided by the inter-VPN connection management system 20. The virtual router name is a name for identifying, in the inter-VPN connection management system 20, an inter-VPN connection service provided by the inter-VPN connection management system 20. The gateway device is the name of the gateway device that accommodates the user terminal used by the user identified by the user name. The VPN terminator is also the name of a VPN terminator that accommodates user terminals.

  For example, the service start time of the inter-VPN connection service identified by the virtual router name “vrf1” is “t1”, the service end time is “t3”, and the user who receives this inter-VPN connection service is “UserA”. , “UserB”, and “UserC”, the user terminals used by the respective users are accommodated in “gateway device 1”, “gateway device 2”, and “gateway device 3”, respectively. It is indicated that it is accommodated in “Termination Device 1”, “VPN Termination Device 2”, and “VPN Termination Device 3”.

  In the first embodiment, an example in which the integrated AAA device 100 includes the service information storage unit 122 and the service information storage unit 122 stores the service information will be described, but the present invention is not limited to this. For example, the integrated AAA device 100 may access the inter-VPN connection management system 20 as necessary and receive provision of necessary service information from the inter-VPN connection management system 20.

  When the inter-VPN connection management system 20 provides the inter-VPN connection service, the inter-VPN connection system authentication unit 130 determines the user who uses the user terminal for each user terminal under the VPN that receives the provision of the inter-VPN connection service. Certify. Specifically, the inter-VPN connection system authentication unit 130 accepts transfer of a connection request from the gateway device 200 via the communication I / F unit 110, and stores the authentication information transmitted from the user terminal and the inter-VPN connection system authentication information. Authentication processing is performed using the authentication information stored in the unit 120. Further, the inter-VPN connection system authentication unit 130 stores the authentication result in the authentication result storage unit 121. Further, the inter-VPN connection system authentication unit 130 notifies the access control setting unit 131 that the authentication result is stored in the authentication result storage unit 121.

  FIG. 6 is a flowchart showing a processing procedure performed by the inter-VPN connection system authentication unit 130. As illustrated in FIG. 6, the inter-VPN connection system authentication unit 130 determines whether or not transfer of a connection request is accepted from the gateway device 200 (step S <b> 101), and if accepted (step S <b> 101 affirmative), authentication is performed. The result storage unit 121 is referred to (step S102).

  As a result of referring to the authentication result storage unit 121 as a result of referring to the authentication result storage unit 121, the inter-VPN connection system authentication unit 130 responds to the gateway device 200 (step S104). ), The process is terminated.

  On the other hand, if the corresponding user is not authenticated as a result of referring to the authentication result storage unit 121 (No in step S103), the inter-VPN connection system authentication unit 130 authenticates the user terminal used by the corresponding user. Is requested to be transmitted (step S105).

  When the authentication information is received from the user terminal that requested the authentication information in step S105 (step S106), the inter-VPN connection system authentication unit 130 uses the authentication information stored in the inter-VPN connection system authentication information storage unit 120. An authentication process is performed (step S107). Subsequently, the inter-VPN connection system authentication unit 130 stores the authentication result in the authentication result storage unit 121 (step S108).

  For example, when the VPN connection system authentication unit 130 receives a combination of the username and password of the VPN connection system from the user terminal, the received combination and the combination stored in the VPN connection system authentication information storage unit 120 Is matched. The VPN connection system authentication unit 130 stores the authentication result “OK” in the authentication result storage unit 121 when it is determined to match, and authenticates the authentication result “NG” when it is determined that they do not match. The result is stored in the result storage unit 121.

  Thereafter, the inter-VPN connection system authenticating unit 130 determines whether or not the authentication is completed, that is, whether or not the authentication is successful (step S109). When the authentication is completed (Yes in step S109), The process is terminated as it is. On the other hand, when the authentication is not completed (No at Step S109), the inter-VPN connection system authentication unit 130 requests the user terminal used by the corresponding user to transmit the authentication information again (Step S109). S105), the subsequent processing is repeated.

  Returning to FIG. 2, the access control setting unit 131 controls access between VPNs so that access between VPNs is allowed in stages according to the authentication result for each user terminal. Specifically, the access control setting unit 131 notifies the inter-VPN connection system authentication unit 130 that the authentication result is stored in the authentication result storage unit 121 (for example, the remote IP address of the user terminal corresponding to the authentication result, etc. ), The authentication result storage unit 121 and the service information storage unit 122 are referred to. The access control setting unit 131 instructs the gateway device 200 to set access control information.

  FIG. 7 is a flowchart illustrating a processing procedure performed by the access control setting unit 131 according to the first embodiment. As illustrated in FIG. 7, the access control setting unit 131 has received a notification indicating that the authentication result is stored in the authentication result storage unit 121, that is, the authentication result stored in the authentication result storage unit 121 is updated. It is determined whether or not (step S201).

  If the access control setting unit 131 determines that the authentication result has been updated (Yes at Step S201), the access control setting unit 131 refers to the service information storage unit 122 together with the updated authentication result (Step S202). For example, as illustrated in FIG. 4, when the access control setting unit 131 determines that the authentication result “OK” for “UserA” has been updated, the access control setting unit 131 uses the “UserA” to store the service information storage unit 122. The “gateway device 1” stored in association with “User A” is identified.

  Next, the access control setting unit 131 instructs the corresponding gateway device to open access in the VPN → VPN connection system direction related to the authenticated user terminal (step S203). For example, the access control setting unit 131 instructs the “gateway device 1” specified in step S202 to open access in the VPN → VPN connection system direction related to the user terminal used by “User A”.

  Here, the meaning of access in the VPN-to-VPN connection system direction will be described. User terminals used by “UserA” are accommodated in “gateway device 1”. Here, for example, when an inter-VPN connection service is provided between a user terminal used by “User A”, a user terminal used by “User B”, and a user terminal used by “User C”, it is apparent from FIG. As shown, a packet transmitted from a user terminal used by “User A” to “User B” passes through “Gateway device 1” and the collective virtual router 10, and further passes through “Gateway device 2”. The user terminal used by “UserB” is reached. Similarly, a packet transmitted from the user terminal used by “User A” to “User C” passes through “Gateway device 1” and the collective virtual router 10, and further passes through “Gateway device 3”. The user terminal used by “UserC” is reached.

  On the other hand, a packet transmitted from the user terminal used by “UserB” to “UserA” passes through “Gateway device 2” and the collective virtual router 10, and further passes through “Gateway device 1” to “UserA”. ”Reaches the user terminal used. Similarly, a packet transmitted from a user terminal used by “UserC” to “UserA” passes through “gateway device 3” and the collective virtual router 10, and further passes through “gateway device 1”. The user terminal used by “User A” is reached.

  For this reason, for example, the “gateway device 1” has at least a route through which packets transmitted from the user terminal used by “UserA” to “UserB” or “UserC” reach the collective virtual router 10 (Route 1), a route for a packet transmitted from the user terminal used by “User B” or “User C” and transferred from the collective virtual router 10 to reach the user terminal used by “User A” ( Route 2) is required. The ASP 30 is also connected to the wide area network as illustrated in FIG. Therefore, for example, in order for “User A” to use the ASP 30 of the wide area network, a route (route 3) for transmitting and receiving packets between the user terminal used by “User A” and the ASP 30 is required.

  The access control to be executed in the gateway device 200 changes according to the operation of the inter-VPN connection service or the like, and can be arbitrarily changed, but here, conceptually, the user used by “User A” A packet transmitted from the terminal to “UserB” or “UserC” is transmitted and received between the ASP 30 and the path (route 1) through which the packet reaches the collective virtual router 10 and the user terminal used by “UserA”. The state in which the route (route 3) for opening is opened is expressed as opening “access in the direction of the VPN → VPN connection system”.

  Subsequently, the access control setting unit 131 determines whether or not all users have been authenticated (step S204). For example, the access control setting unit 131 refers to the service information storage unit 122 and identifies “UserB” and “UserC” which are users who use the inter-VPN connection service together with “UserA” and are users other than “UserA”. To do. Then, the access control setting unit 131 refers to the authentication result storage unit 121 using the specified “UserB” and “UserC”, and has “OK” stored in association with “UserB” and “UserC”? Determine whether or not.

  If the access control setting unit 131 determines that the authentication of all users has not been completed (No at Step S204), the access control setting unit 131 returns to the process at Step S201 again. On the other hand, if it is determined that the authentication of all users has been completed (Yes in step S204), the access control setting unit 131 sets each gateway device to open access between the VPN connection system → VPN direction related to the communication partner. An instruction is issued (step S205).

  For example, the access control setting unit 131 refers to the service information storage unit 122 to identify “gateway device 1”, and to the identified “gateway device 1”, “UserB”, which is a communication partner of “UserA”, and An instruction is given to open an access in the direction of VPN-> VPN for the user terminal used by “UserC”. Here, conceptually, a packet transmitted from the user terminal used by “UserB” or “UserC” and transferred from the collective virtual router 10 reaches the user terminal used by “UserA”. A state in which the route (route 2) for opening is opened is expressed as opening the "VPN connection system → access in the VPN direction".

  Further, for example, the access control setting unit 131 refers to the service information storage unit 122 to identify “gateway device 2”, and “UserA”, which is a communication partner of “UserB”, with respect to the identified “gateway device 2” ”And“ UserC ”are instructed to open the access in the VPN direction → VPN direction related to the user terminal.

  Further, for example, the access control setting unit 131 refers to the service information storage unit 122 to identify “gateway device 3”, and “UserA”, which is a communication partner of “UserC”, with respect to the identified “gateway device 3”. ”And“ User B ”are instructed to open an access in the VPN direction → VPN direction related to the user terminal.

  Here, FIG. 8 is a diagram for explaining the stepwise access opening in the first embodiment. In FIG. 8, it is assumed that the authentication is completed step by step in the order of “UserA”, “UserB”, and “UserC”. Note that the default setting of each gateway device 200 is a setting for not permitting access.

  For example, as illustrated in (1) of FIG. 8, when only “UserA” is authenticated, access opening is instructed only to “gateway device 1” in which “UserA” is accommodated. Also, access is permitted only for access in the direction of the VPN → VPN connection system related to the user terminal used by “User A”. At this time, only “User A” can access a resource (for example, ASP 30) on the inter-VPN connection system side, but cannot access another user side via the resource.

  Next, for example, as illustrated in (2) of FIG. 8, when the authentication of “UserB” is also completed, an instruction to open access is instructed only to “Gateway device 2” in which “UserB” is accommodated. The In addition, access is permitted only for access in the direction of the VPN → VPN connection system related to the user terminal used by “UserB”.

  Next, as illustrated in (3) of FIG. 8, for example, when authentication of “UserC” is completed and authentication of all users is completed, “Gateway device 1” and “UserB” in which “UserA” is accommodated. Is instructed to open access to all of “gateway device 2” in which “is stored” and “gateway device 3” in which “UserC” is stored. First, in the “gateway device 1”, access opening is permitted for access in the VPN direction → VPN direction for user terminals used by “UserB” and “UserC”. In addition, access to the gateway apparatus 2 is permitted for access in the VPN connection system → VPN direction for user terminals used by “User A” and “User C”.

  In addition, access is permitted in the “gateway device 3” for access to the user terminal used by “UserC” in the direction of the VPN → VPN connection system and users used by “UserA” and “UserB”. This is access between the VPNs related to the terminal → VPN direction.

  When the access control setting unit 131 according to the first embodiment detects the end time of the inter-VPN connection service, the access control setting unit 131 controls the gateway device 200 so as to block the access between the VPNs. For example, when the access control setting unit 131 periodically refers to the service information storage unit 122 and detects the end time of the inter-VPN connection service, the access control setting unit 131 accesses the corresponding gateway device 200 by the corresponding user. Instructs the release of access control information so as not to permit it. Further, the access control setting unit 131 updates the authentication result “OK” stored in the authentication result storage unit 121 to “NG” or blank for the corresponding user.

[Configuration of Gateway Device 200 According to Embodiment 1]
Next, the configuration of the gateway device 200 (also referred to as an access control device) according to the first embodiment will be described with reference to FIGS. FIG. 9 is a block diagram illustrating the configuration of the gateway device 200 according to the first embodiment. As illustrated in FIG. 9, the gateway device 200 according to the first embodiment includes a communication I / F unit 210. For example, the communication I / F unit 210 is a general interface for IP communication.

  Further, the gateway device 200 according to the first embodiment particularly includes an access control information storage unit 220, a connection request reception unit 230, an access control setting reception unit 231 and an access control unit 232. The access control information storage unit 220 and the access control unit 232 are realized by known firewall software or the like.

  The access control information storage unit 220 stores access control information for controlling access of the user terminal in the inter-VPN connection service. Specifically, the access control information storage unit 220 stores the access control information by being stored by the access control setting receiving unit 231. The access control information stored in the access control information storage unit 220 is used for processing by the access control unit 232.

  FIG. 10 is a diagram illustrating an example of access control information stored in the access control information storage unit 220. For example, as illustrated in FIG. 10, the access control information storage unit 220 according to the first embodiment stores the source IP address, the destination IP address, and the user name of the inter-VPN connection system in association with each other. . Note that the access control information illustrated in FIG. 10 is merely a conceptual representation of the access control information. Actually, when more detailed information such as a port number is specified, or access for one route is opened. In some cases, multiple lines of access control information are set. Either can be realized by a known technique.

  The connection request receiving unit 230 receives a connection request for using the inter-VPN connection service from the user terminal. Specifically, the connection request receiving unit 230 receives a connection request from a user terminal via the communication I / F unit 210 and transfers the received connection request to the integrated AAA device 100 via the communication I / F unit 210. To do.

  The access control setting receiving unit 231 receives a setting instruction for access control information. Specifically, upon receiving an access control information setting instruction from the integrated AAA device 100 via the communication I / F unit 210, the access control setting receiving unit 231 generates access control information, and the generated access control information Stored in the access control information storage unit 220.

  For example, it is assumed that the access control setting reception unit 231 of the “gateway device 1” receives an instruction to open access in the VPN → VPN connection system direction for the user terminal used by the “User A”. For example, the access control setting receiving unit 231 accesses the inter-VPN connection management system 20 via the communication I / F unit 210, and information necessary for generating access control information, for example, a user terminal used by “User A” An IP address or the like of the accommodated VPN termination device 50 is acquired. Then, the access control setting receiving unit 231 generates access control information using the acquired information.

  Note that what kind of access control information should be generated as the access control information set in the “gateway device 1” can be arbitrarily selected using a known technique. For example, in the case of “gateway device 1”, a route (route 1) for a packet transmitted from a user terminal used by “UserA” to “UserB” or “UserC” to reach the collective virtual router 10, “ A packet (path 2) through which a packet transmitted from the user terminal used by “User B” or “User C” and transferred from the collective virtual router 10 reaches the user terminal used by “User A”; Any access control information may be used as long as the access control information opens a path (path 3) for transmitting and receiving packets between the user terminal used by User A and the ASP 30.

  For example, which IP address is set as the source address, which IP address is set as the destination address, the IP address is after Single-NAT (Network Address Translation), or after Twice-NAT The selection of whether to specify the port number or not should be done by using a known technique and selecting appropriate access control information according to the form of operation.

  The access control unit 232 controls access between VPNs according to the access control information. Specifically, the access control unit 232 refers to the access control information stored in the access control information storage unit 220 and controls access according to the access control information. When the integrated AAA device 100 instructs the access control unit 232 according to the first embodiment to release the access control information, the access control unit 232 refers to the access control information stored in the access control information storage unit 220 and performs the corresponding access control. Delete information. When the access control information is deleted, access between VPNs is in an initial state, that is, access is not permitted.

  Note that the release of the access control information by the access control unit 232 is not limited to the above method. For example, the access control unit 232 may control the access period. For example, it is assumed that the access control unit 232 is notified of the access period from the integrated AAA device 100 in the access control information. In this case, the access control unit 232 detects, for example, an access period expiration at an interval of 1 minute using, for example, a UNIX (registered trademark) Cron command. Information that instructs to invalidate the user authentication result is transmitted. When the integrated AAA device 100 receives the information instructing invalidation, for example, for the corresponding user, the authentication result “OK” stored in the authentication result storage unit 121 is changed to “NG” or blank. Update to

[Processing Procedure in Access Control Setting System According to Embodiment 1]
Subsequently, a processing procedure in the access control setting system according to the first embodiment will be described with reference to FIG. FIG. 11 is a sequence diagram illustrating a processing procedure in the access control setting system according to the first embodiment.

  As illustrated in FIG. 11, the user terminal of the user who receives the provision of the inter-VPN connection service transmits a connection request for using the inter-VPN connection service to the gateway apparatus 200 to which the user terminal belongs. S1). In general, the user is notified in advance of the address of the gateway device 200 to which the user terminal used by the user belongs, for example, by e-mail or postal mail, so the notified address (URL (Uniform Resource Locator) of the ASP 30) ) Is set in the software of the user terminal, and this software is activated when using the VPN connection service. Then, the user terminal attempts to access the set URL and transmits a connection request. The connection request is forcibly accepted by the gateway device 200.

  On the other hand, when receiving the connection request from the user terminal, the gateway device 200 transfers the received connection request to the integrated AAA device 100 (step S2). For example, the gateway device 200 transfers a connection request from the user name “UserA” of the inter-VPN connection system to the integrated AAA device 100.

  Then, the integrated AAA device 100 requests the user terminal to transmit authentication information (step S3). For example, the integrated AAA device 100 refers to the inter-VPN connection system authentication information storage unit 120 and acquires the remote IP address “remote IP address A” of the user terminal used by the user name “UserA” of the inter-VPN connection system. Then, the integrated AAA device 100 transmits, for example, an ID and password input screen to the acquired remote IP address “remote IP address A”.

  When the integrated AAA device 100 is requested to transmit the authentication information, the user terminal transmits the authentication information to the integrated AAA device 100 (step S4). For example, the user terminal inputs the ID “UserA” and the password “****” on the input screen transmitted from the integrated AAA device 100, and displays the input screen after the input as the integrated AAA device 100. Send to.

  Then, the integrated AAA device 100 performs an authentication process (step S5). For example, the integrated AAA device 100 refers to the inter-VPN connection system authentication information storage unit 120 using the ID “UserA” transmitted from the user terminal, and is stored in association with the user name “UserA” of the inter-VPN connection system. Get the password “****” that is saved. Then, the integrated AAA device 100 includes the password “******” acquired from the VPN connection system authentication information storage unit 120 and the password “******” transmitted from the user terminal. The authentication process is performed by checking whether or not matches.

  Next, the integrated AAA device 100 stores the authentication result in the authentication result storage unit 121 (step S6). For example, the integrated AAA device 100 includes the password “******” acquired from the VPN connection system authentication information storage unit 120 and the password “******” transmitted from the user terminal. If the two match, the authentication result “OK” is stored in the authentication result storage unit 121. Further, for example, the integrated AAA device 100 includes the password “******” acquired from the inter-VPN connection system authentication information storage unit 120 and the password “****” transmitted from the user terminal. When “” does not match, the authentication result “NG” is stored in the authentication result storage unit 121.

  Meanwhile, when the new authentication result is stored in the authentication result storage unit 121, the integrated AAA device 100 performs access control according to the authentication result. Specifically, the integrated AAA device 100 refers to the service information storage unit 122 together with the authentication result (step S7). For example, when the authentication result “OK” for “UserA” is stored in the authentication result storage unit 121, the integrated AAA device 100 refers to the service information storage unit 122 using “UserA” and sets “UserA” to “UserA”. The “gateway device 1” stored in association is specified.

  Next, the integrated AAA device 100 instructs the corresponding gateway device to open access in the VPN → VPN connection system direction related to the authenticated user terminal (step S8). For example, the integrated AAA device 100 instructs the “gateway device 1” identified in step S7 to open access in the VPN → VPN connection system direction for the user terminal used by “UserA”.

  Here, in step S8, the integrated AAA device 100 also determines whether or not all users have been authenticated. If it is determined that all users have been authenticated, the inter-VPN connection system related to the communication partner → The gateway device is instructed to open access in the VPN direction.

  For example, the integrated AAA device 100 opens access to the gateway device 1 in the VPN direction → VPN direction related to the user terminals used by “User B” and “User C”, which are communication partners of “User A”. To instruct. Further, the integrated AAA device 100 opens access to the gateway device 2 in the VPN direction between the user terminals used by “User A” and “User C” that are communication partners of “User B” → VPN direction access. To instruct. Further, the integrated AAA device 100 opens access to the gateway device 3 in the VPN direction between the user terminals used by “User A” and “User B” that are communication partners of “User C” → VPN direction access. To instruct.

  When the gateway apparatus 200 receives an access control information setting instruction from the integrated AAA apparatus 100, the gateway apparatus 200 generates access control information and sets the generated access control information (step S9).

  For example, it is assumed that the gateway device 200 (1) receives a setting instruction from the integrated AAA device 100 to open access in the VPN → VPN connection system direction for the user terminal used by “UserA”. Then, the gateway device 200 (1) generates a command for storing the access control information in the access control information storage unit 220, and stores the access control information in the access control information storage unit 220 using the generated command.

  Then, the gateway device 200 responds to the integrated AAA device 100 that the setting of the access control information has been completed (step S10). Then, the integrated AAA device 100 transmits a connection completion notification to the user terminal (step S11).

  The user terminal that has received the connection completion notification from the integrated AAA device 100 accesses the ASP 30 via the gateway device 200 as illustrated in FIG. 11, for example, when the URL of the ASP 30 is input by the user at the user terminal. To do. That is, access from the user terminal to the gateway device 200 (step S12) is controlled by the gateway device 200 (step S13) and reaches the ASP 30 (step S14).

[Effect of Example 1]
As described above, the integrated AAA device 100 according to the first embodiment uses a user terminal for each user terminal under each VPN when a plurality of VPNs are connected between VPNs via a wide area network. Authenticate. Further, the integrated AAA device 100 accommodates each user terminal belonging to the connection between VPNs with access control information for controlling the access between VPNs in a stepwise manner according to the authentication result for each user terminal. A setting instruction is given to each gateway device 200.

  Specifically, the inter-VPN connection system authentication unit 130 authenticates a user who uses the user terminal for each user terminal under each VPN. Further, when the access control setting unit 131 obtains the authentication result of the successful authentication by the inter-VPN connection system authentication unit 130 for the predetermined user terminal among the user terminals belonging to the predetermined inter-VPN connection, the access control setting unit 131 Access control information is set for the gateway device 200 that accommodates a predetermined user terminal so as to permit access to the wide area network as the transmission source. Further, when a predetermined condition set in advance is satisfied, the access control setting unit 131 uses a user terminal other than the predetermined user terminal permitted to access and belonging to a predetermined connection between VPNs as a transmission source. Access control information is set for the gateway device 200 that accommodates the predetermined user terminal so as to permit access to the predetermined user terminal. On the other hand, each gateway device 200 receives an instruction to set access control information, and controls access between VPNs via the gateway device 200 according to the received access control information.

  For this reason, according to the first embodiment, it is possible to appropriately control the reachability in the network domain caused by the connection between VPNs. That is, according to the first embodiment, access between VPNs is allowed in stages according to the authentication result of user authentication, so that, for example, a user who has succeeded in user authentication is performing user authentication as in the prior art. It is also possible to prevent a situation where the other user who is not present can be reached.

  Further, the integrated AAA device 100 according to the first embodiment sets access control information for controlling access to each gateway device 200 that accommodates each user terminal belonging to the connection between VPNs.

  Specifically, when the integrated AAA device 100 acquires an authentication result of successful authentication for a predetermined user terminal among user terminals belonging to the connection between VPNs, the integrated AAA device 100 uses the predetermined user terminal as a transmission source and sets the wide area network as a destination. Set access control information to allow access. Further, when the integrated AAA device 100 acquires the authentication result of the authentication success for all user terminals belonging to the inter-VPN connection, the integrated AAA device 100 transmits each user terminal other than the predetermined user terminal among the user terminals belonging to the inter-VPN connection. The access control information is set so as to permit access destined for a predetermined user terminal.

  For this reason, according to the first embodiment, the reachability between users is limited unless the user authentication of all users belonging to the connection between VPNs is successful. On the other hand, for users who have succeeded in user authentication, Use of resources (for example, ASP 30) of the inter-VPN connection system is permitted.

  Next, an access control setting system according to the second embodiment will be described. The access control setting system according to the second embodiment is different from the access control setting system according to the first embodiment in the procedure of access control setting. Therefore, hereinafter, the processing procedure by the access control setting unit 131 will be described with reference to FIGS.

  FIG. 12 is a flowchart illustrating a processing procedure performed by the access control setting unit 131 according to the second embodiment. As illustrated in FIG. 12, as in the first embodiment, the access control setting unit 131 has received a notification indicating that the authentication result is stored in the authentication result storage unit 121, that is, the authentication result storage unit 121 stores the notification. It is determined whether or not the authentication result to be updated has been updated (step S301).

  When it is determined that the authentication result has been updated (Yes at Step S301), the access control setting unit 131 refers to the service information storage unit 122 together with the updated authentication result (Step S302), as in the first embodiment. For example, as illustrated in FIG. 4, when the access control setting unit 131 determines that the authentication result “OK” for “UserA” has been updated, the access control setting unit 131 uses the “UserA” to store the service information storage unit 122. The “gateway device 1” stored in association with “User A” is identified.

  Next, unlike the first embodiment, the access control setting unit 131 opens not only access in the VPN-to-VPN connection system direction for the authenticated user terminal but also access in the VPN connection system-to-VPN direction for the communication partner. Thus, the corresponding gateway device is instructed (step S303). For example, the access control setting unit 131 instructs the “gateway device 1” specified in step S302 to open access in the VPN → VPN connection system direction for the user terminal used by “User A”. An instruction is given to open access in the VPN direction → VPN direction for the user terminals used by “UserB” and “UserC”.

  The access control setting unit 131 according to the second embodiment repeats the processes of steps S301 to S303 to open access between VPNs in stages for all user terminals using the inter-VPN connection service.

  Here, FIG. 13 is a diagram for explaining the stepwise access opening in the second embodiment. In FIG. 13, it is assumed that authentication is completed step by step in the order of “UserA”, “UserB”, and “UserC”. Note that the default setting of each gateway device 200 is a setting for not permitting access.

  For example, as illustrated in (1) of FIG. 13, when only “User A” is authenticated, access opening is instructed only to “gateway device 1” in which “User A” is accommodated. Here, the access is permitted not only for access in the VPN-to-VPN connection system direction for the user terminal used by “User A” but also between the VPNs for the user terminal used by “User B” and “User C”. Access from the connected system to the VPN. This is based on the idea that “User A” is required to be authenticated in order for “User B” and “User C” to access the “User A” side. However, if “UserB” and “UserC” are not successfully authenticated, “UserB” and “UserC” cannot access the “UserA” side.

  Next, for example, as illustrated in (2) of FIG. 13, when the authentication of “User B” is also completed, an instruction to open access is instructed only to “Gateway device 2” in which “User B” is accommodated. The Here, the opening of access is permitted not only for access in the VPN-to-VPN connection system direction for user terminals used by “User B” but also between VPNs for user terminals used by “User A” and “User C”. Access from the connected system to the VPN. At this stage, it is possible to access each other between the user terminal used by “User A” and the user terminal used by “User B”.

  Next, for example, as illustrated in (3) of FIG. 13, when the authentication of “UserC” is also completed, an access opening instruction is issued only to “gateway device 3” in which “UserC” is accommodated. The Here, access is permitted not only for access in the VPN-to-VPN connection system direction for user terminals used by “UserC” but also for VPNs related to user terminals used by “UserA” and “UserB”. Access from the connected system to the VPN.

[Effect of Example 2]
As described above, according to the second embodiment, the integrated AAA device 100 transmits a predetermined user terminal as a transmission source when acquiring an authentication result of successful authentication for a predetermined user terminal among user terminals belonging to an inter-VPN connection. Access control information is set so as to permit access to a wide area network as a destination, and a user terminal other than a predetermined user terminal among user terminals belonging to an inter-VPN connection is set as a transmission source. Set access control information to allow access.

  For this reason, according to the second embodiment, reachability between users is limited at least unless user authentication of both users who access each other succeeds. On the other hand, use of resources (for example, ASP 30) of the inter-VPN connection system is permitted for users who have succeeded in user authentication.

  Next, an access control setting system according to the third embodiment will be described. In the first embodiment and the second embodiment, the integrated AAA device 100 itself performs user authentication of a user who receives provision of an inter-VPN connection service. Here, some user terminals that use the inter-VPN connection service require user authentication when connecting to the VPN service to which the user terminal belongs, in addition to user authentication for the inter-VPN connection service. There is a user terminal. If so, in the first and second embodiments, such a user terminal must perform both user authentication for connecting to the VPN service and user authentication for the inter-VPN connection service. .

  In this regard, the access control setting system according to the third embodiment obtains the authentication result of the user authentication for connecting to the VPN service, and changes to the user authentication for the inter-VPN connection service. In other words, the access control setting system according to the third embodiment relays the authentication result between the user terminal and the authentication server for the user terminal that requires user authentication even when connecting to the VPN service. The authentication result of the user authentication for acquiring and connecting to the VPN service is used as the authentication result of the user authentication for the inter-VPN connection service. On the other hand, as in the first and second embodiments, the access control setting system performs user authentication by itself for user terminals that do not require user authentication when connecting to the VPN service.

  The access control setting system according to the third embodiment will be described with reference to FIGS. FIG. 14 is a diagram for explaining the access control setting system according to the third embodiment. As illustrated in FIG. 14, the integrated AAA device 100 according to the third embodiment communicates with the authentication server 40.

[Configuration of Integrated AAA Device 100 According to Embodiment 3]
FIG. 15 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the third embodiment. As illustrated in FIG. 15, the integrated AAA device 100 according to the third embodiment includes an authentication server information storage unit 123, an authentication type identification unit 132, and an authentication relay unit 133 in addition to the integrated AAA device 100 according to the first embodiment. And further comprising.

  The authentication server information storage unit 123 stores information related to the authentication server. Specifically, the authentication server information storage unit 123 stores information related to the authentication server by being registered in advance by an operator in charge of the inter-VPN connection service at the time of contracting the inter-VPN connection service, for example. Information stored in the authentication server information storage unit 123 is used for processing by the authentication relay unit 133.

  FIG. 16 is a diagram illustrating an example of information stored in the authentication server information storage unit 123. For example, as illustrated in FIG. 16, the authentication server information storage unit 123 according to the third embodiment stores the IP address of the VPN termination device and the IP address of the authentication server in association with each other. In FIG. 16, although expressed as “VPN-IP address 1” or “SVR-IP address 1”, the IP address is actually “10.0.0.10”, for example.

  Further, the inter-VPN connection system authentication information storage unit 120 according to the third embodiment includes a user name in the VPN service as a user name in addition to the information stored in the inter-VPN connection system authentication information storage unit 120 according to the first embodiment. Also memorize. In other words, the inter-VPN connection system authentication information storage unit 120 according to the third embodiment stores a user name in the inter-VPN connection system and a user name in the VPN service in association with each other.

  FIG. 17 is a diagram illustrating an example of information stored in the inter-VPN connection system authentication information storage unit 120 according to the third embodiment. For example, as illustrated in FIG. 17, the inter-VPN connection system authentication information storage unit 120 according to the third embodiment includes the user name, password, VPN service user name, and remote IP address of the inter-VPN connection system. Store in association with each other.

  The authentication type identification unit 132 identifies the type of authentication for the user who is the transmission source of the connection request. Here, the type of authentication is a type such as whether the user needs user authentication for connecting to the VPN service or whether the user does not need user authentication for connecting to the VPN service. Specifically, the authentication type identification unit 132 accepts transfer of a connection request from the gateway device 200 or the VPN termination device 50 via the communication I / F unit 110, and identifies the type of authentication. Further, the authentication type identification unit 132 distributes the connection request to either the inter-VPN connection system authentication unit 130 or the authentication relay unit 133 according to the identified authentication type.

  For example, when the connection request transfer source is the VPN termination device 50, the authentication type identification unit 132 indicates that the user who is the transmission source of the connection request is a user who needs user authentication for connecting to the VPN service. Is identified. Then, the authentication type identification unit 132 transfers this connection request to the authentication relay unit 133.

  On the other hand, when the connection request transfer source is the gateway device 200, the authentication type identification unit 132 is a user who does not require user authentication for connecting to the VPN service. Identify it. Then, the authentication type identification unit 132 transfers this connection request to the inter-VPN connection system authentication unit 130.

  Whether it is a VPN service that requires user authentication or a VPN service that does not require user authentication, for example, appears as a difference in protocols used for VPN. For example, L2VPN and IP-VPN do not require user authentication. On the other hand, IPsec, RADIUS (Remote Authentication Dial In User Service), LDAP (Lightweight Directory Access Protocol), and the like require user authentication. For this reason, in the third embodiment, an example in which the authentication type identification unit 132 identifies the authentication type by the transfer source of the connection request has been described. For example, the authentication type identification unit 132 performs authentication by identifying the protocol used for the VPN service. May be identified.

  The authentication relay unit 133 relays the authentication server to the authentication server 40 and acquires the authentication result. Specifically, when receiving the transfer of the connection request from the authentication type identification unit 132, the authentication relay unit 133 requests the user terminal used by the corresponding user to transmit the authentication information. Further, when receiving the authentication information from the user terminal, the authentication relay unit 133 relays the received authentication information (such as credentials) to the authentication server 40. When the authentication relay unit 133 receives the authentication result from the authentication server 40, the authentication relay unit 133 stores the received authentication result in the authentication result storage unit 121.

  The authentication relay unit 133 refers to the authentication server information storage unit 123 using the IP address of the VPN termination device 50 that is the connection request transfer source, and acquires the IP address of the authentication server stored in association therewith. . Then, the authentication relay unit 133 relays the authentication information with the acquired IP address as a destination.

[Processing Procedure in Access Control Setting System According to Embodiment 3]
Subsequently, a processing procedure in the access control setting system according to the third embodiment will be described with reference to FIG. FIG. 18 is a sequence diagram illustrating the processing procedure in the access control setting system according to the third embodiment. In FIG. 18, for convenience of explanation, only the case where the user who is the transmission source of the connection request is a user who needs user authentication for connecting to the VPN service will be described. That is, although not shown in FIG. 18, the access control setting system according to the third embodiment performs the processing procedure shown in steps S <b> 1 to S <b> 4 in FIG. 11 (users that do not require user authentication to connect to the VPN service). (Procedure for authenticating).

  As illustrated in FIG. 18, the user terminal of the user who receives the provision of the inter-VPN connection service transmits a connection request for using the VPN service to the VPN terminating device 50 to which the user terminal belongs. ). In general, the user is notified in advance of the address of the VPN terminal device 50 to which the user terminal used by the user belongs, for example, by e-mail or postal mail. Therefore, the notified address is set in the software of the user terminal, This software is activated when the VPN service is used. Then, the user terminal accesses the set address and transmits a connection request.

  On the other hand, when receiving the connection request from the user terminal, the VPN terminating device 50 transfers the received connection request to the integrated AAA device 100 (step S21). For example, the VPN terminating device 50 transfers a connection request from the user name “User100” of the VPN service to the integrated AAA device 100.

  Then, the integrated AAA device 100 requests the user terminal to transmit authentication information (step S22). For example, the integrated AAA device 100 refers to the inter-VPN connection system authentication information storage unit 120 and acquires the remote IP address “192.168.1.10” of the user terminal used by the user name “User100” of the VPN service. . Then, the integrated AAA device 100 transmits, for example, an ID and password input screen to the acquired remote IP address “192.168.1.10”.

  When the integrated AAA device 100 is requested to transmit the authentication information, the user terminal transmits the authentication information to the integrated AAA device 100 (step S23). For example, the user terminal inputs the ID “User100” and the password “****” on the input screen transmitted from the integrated AAA device 100, and displays the input screen after the input as the integrated AAA device 100. Send to.

  Then, the integrated AAA device 100 relays the authentication information transmitted from the user terminal to the authentication server 40 (step S24). For example, the integrated AAA device 100 identifies the IP address of the source VPN termination device 50 that transferred the connection request in step S21, refers to the authentication server information storage unit 123 using the identified IP address, and authenticates the authentication server 40. Specify the IP address. Then, the integrated AAA device 100 relays the authentication information to the specified IP address.

  On the other hand, the authentication server 40 performs an authentication process (step S25), and transmits an authentication result to the integrated AAA device 100 (step S26). For example, the authentication server 40 refers to the storage unit (not shown) using the ID “User100” transmitted from the integrated AAA device 100, and stores the password stored in association with the user name “User100” of the VPN service. Acquire “****”. Then, the authentication server 40 determines whether or not the password “******” acquired from the storage unit matches the password “******” transmitted from the integrated AAA device 100. Authentication processing is performed by collating these.

  Next, the integrated AAA device 100 stores the authentication result in the authentication result storage unit 121 (step S27). For example, if the authentication result transmitted from the authentication server 40 indicates success, the integrated AAA device 100 refers to the inter-VPN connection system authentication information storage unit 120 using “User100”, and “User100” “UserA” stored in association with is identified. Then, the integrated AAA device 100 stores the authentication result “OK” in the authentication result storage unit 121 in association with the specified “UserA”.

  The subsequent processing procedure is the same as that of the access control setting system according to the first embodiment. That is, the integrated AAA device 100 refers to the service information storage unit 122 together with the authentication result (step S28), and sends the access in the VPN → VPN connection system direction related to the authenticated user terminal to the corresponding gateway device. An instruction is issued (step S29). Upon receiving an access control information setting instruction from the integrated AAA device 100, the gateway device 200 generates access control information, sets the generated access control information (step S30), and indicates that the setting of the access control information is completed. Then, it responds to the integrated AAA device 100 (step S31).

  Then, the integrated AAA device 100 transmits a connection completion notification to the user terminal (step S32), and the user terminal that has received the connection completion notification from the integrated AAA device 100 receives the URL of the ASP 30, for example, by the user at the user terminal. When input, the ASP 30 is accessed via the gateway device 200 as illustrated in FIG. That is, access from the user terminal to the gateway device 200 (step S33) is controlled by the gateway device 200 (step S34) and reaches the ASP 30 (step S35).

  In the third embodiment, the integrated AAA device 100 relays the authentication information to the authentication server 40, and the integrated AAA device 100 acquires the authentication result from the authentication server 40. A method of sharing between the device 50 and the integrated AAA device 100 was adopted. However, the present invention is not limited to this. For example, the VPN termination device 50 performs an authentication process (or the VPN termination device 50 relays the authentication information to the authentication server 40, and the VPN termination device 50 acquires the authentication result from the authentication server 40). A method of sharing the authentication result of the user authentication between the VPN terminating device 50 and the integrated AAA device 100 by the VPN terminating device 50 transmitting to the integrated AAA device 100 may be used.

[Effect of Example 3]
As described above, the integrated AAA device 100 according to the third embodiment uses a predetermined number of user terminals that require authentication to connect to a VPN when a plurality of VPNs are connected to each other via a wide area network. The authentication result is obtained by relaying the authentication information for authentication to the authentication server 40, and for the user terminal that does not require authentication for connecting to the VPN, the user of the user terminal is authenticated by the own device Get the authentication result with.

  For this reason, according to the third embodiment, the number of authentication processes can be reduced. That is, in order to use the inter-VPN connection service, it is assumed that user authentication is performed. However, for users who need authentication for connecting to the VPN, authentication for connecting to the VPN and between VPNs are required. Two authentication actions, that is, authentication for using the connection service must be performed. In this regard, according to the third embodiment, for a user who needs authentication for connecting to the VPN, the integrated AAA device 100 relays the authentication and acquires the authentication result by itself, thereby using the inter-VPN connection service. In order to authenticate. On the other hand, for a user who does not require authentication for connecting to the VPN, the integrated AAA device 100 performs authentication independently. In this way, it is possible to reduce the number of authentication processes for users who need authentication for connecting to the VPN.

  Although the first to third embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the above-described embodiments.

[Network configuration]
In the above embodiment, a star-type network configuration is assumed, but the present invention is not limited to this. For example, the present invention can be similarly applied to a full-mesh network configuration.

[Mode of the base]
In the above embodiment, it is assumed that the base is a local area network connected to a VPN service provided by a telecommunications carrier or the like, but the present invention is not limited to this. The base may be one terminal instead of a so-called network. For example, there is a case where a router installed at a base is realized by software in a terminal instead of a physical router. The base may be an in-house network with a plurality of local area networks connected by a VPN service provided by a telecommunications carrier or the like.

  19 to 21 are diagrams for explaining bases as a plurality of local area network groups connected by a VPN service. In FIGS. 19 to 21, two types of dotted lines are used. One is a normal dotted line, and the other is a broken line (a combination of a short line and a long line). The broken lines indicate that a plurality of bases belonging to the same VPN service and a VPN is formed between bases in the same company (for example, C company). On the other hand, the dotted line indicates that the VPNs are connected. For example, connection between a plurality of bases belonging to different VPN services, or connection between VPNs of different companies, even between a plurality of bases belonging to the same VPN service.

  As shown in FIG. 19, for example, Company C has a base group belonging to the VPN service 1 and a base belonging to the VPN service 3. On the other hand, Company D has a base belonging to the VPN service 2 and a base belonging to the VPN service 4. The access control apparatus according to the present invention can control access between bases for such inter-base connection between a group of companies C and a group of companies D belonging to different VPN services.

  As shown in FIG. 20, for example, Company C has a group of bases grouped by the VPN service 3. On the other hand, Company D has a group of bases grouped by the VPN service 4. The access control apparatus according to the present invention can also control access between bases for such inter-base connection between the base group of company C and the base group of company D belonging to different VPN services.

  Further, as shown in FIG. 21, for example, Company C and Company D both have base groups grouped by VPN service 2. The access control apparatus according to the present invention is such a connection between the base group of the company C belonging to the same VPN service and the base group of the company D, in other words, between a plurality of base groups belonging to the same VPN termination apparatus. For inter-base connection, access between bases can be controlled.

[Block access control]
In the first to third embodiments, the integrated AAA device 100 instructs the release of the access control information according to the end time of the inter-VPN connection service, and the gateway device 200 blocks the access between the VPNs in response to this instruction. It was a thing. However, the present invention is not limited to this. For example, the access control setting system detects that the user has logged out of the inter-VPN connection service, and controls the access between VPNs so that the access between VPNs is blocked in stages according to the logout for each user. May be.

  For example, access blockage will be described with reference to FIG. 8 in the first embodiment. Hereinafter, it is assumed that logout is performed in stages in the order of “UserC”, “UserB”, and “UserA”. Each gateway device 200 is currently set as (3) in FIG.

  For example, when only “UserC” is logged out, all of “Gateway device 1” in which “UserA” is accommodated, “Gateway device 2” in which “UserB” is accommodated, and “Gateway device 3” in which “UserC” is accommodated Is instructed to block access. First, access in the “gateway device 1” is canceled in the inter-VPN connection system → VPN direction access relating to the user terminals used by “UserB” and “UserC”. In addition, the access is canceled in the “gateway device 2” in the inter-VPN connection system → access in the VPN direction related to the user terminals used by “User A” and “User C”. Further, in the “gateway device 3”, all access related to user terminals used by “UserA”, “UserB”, and “UserC” is canceled. Thus, for example, the state shown in FIG.

  Next, for example, when “User B” also logs out, the “gateway device 2” in which “User B” is accommodated is instructed to block access. Access in the “gateway device 2” is canceled in the VPN → VPN connection system direction for the user terminal used by “UserB”. Thus, for example, the state shown in FIG.

  Next, for example, when “User A” also logs out, the “gateway device 1” in which “User A” is accommodated is instructed to block access. Access in the “gateway device 1” is canceled in the direction of the VPN → VPN connection system for the user terminal used by “User A”. In this way, in each gateway device 200, all access relating to user terminals used by “UserA”, “UserB”, and “UserC” is released.

  Similarly, access blockage will be described with reference to FIG. 13 in the second embodiment, for example. Hereinafter, it is assumed that the user logs out step by step in the order of “UserC”, “UserB”, and “UserA”. Each gateway device 200 is currently set as (3) in FIG.

  For example, when only “UserC” is logged out, the “gateway device 3” accommodating “UserC” is instructed to block access. In the “gateway device 3”, all accesses relating to user terminals used by “UserA”, “UserB”, and “UserC” are canceled. Thus, for example, the state shown in (2) of FIG. 13 is obtained.

  Next, for example, when “User B” also logs out, the “gateway device 2” in which “User B” is accommodated is instructed to block access. In the “gateway device 2”, all accesses related to user terminals used by “UserA”, “UserB”, and “UserC” are canceled. Thus, for example, the state shown in FIG.

  Next, for example, when “User A” also logs out, the “gateway device 1” in which “User A” is accommodated is instructed to block access. In the “gateway device 1”, all accesses relating to user terminals used by “UserA”, “UserB”, and “UserC” are canceled. In this way, in each gateway device 200, all access relating to user terminals used by “UserA”, “UserB”, and “UserC” is released.

[Others]
In addition, among the processes described in the above embodiment, all or a part of the processes described as being automatically performed can be manually performed, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, a VRF (VPN routing and forwarding table) may be applied as an example of a collective virtual router, and as a result, a plurality of collective virtual routers are virtually operated in one collective virtual router. Can do. Further, all or any part of each processing function performed in each device is realized by a CPU (Central Processing Unit) and a program analyzed and executed by the CPU, or hardware by wired logic Can be realized as

  The address control method described in the above embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via an IP network such as the Internet. The program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM (Compact Disk Read Only Memory), an MO (Magneto-Optical disk), a DVD (Digital Versatile Disk), etc. It can also be executed by reading from the recording medium.

DESCRIPTION OF SYMBOLS 100 Integrated AAA apparatus 110 Communication I / F part 120 VPN connection system authentication information storage part 121 Authentication result storage part 122 Service information storage part 130 VPN connection system authentication part 131 Access control setting part 200 Gateway apparatus 210 Communication I / F part 220 Access control information storage unit 230 Connection request reception unit 231 Access control setting reception unit 232 Access control unit

Claims (8)

An access control device that accommodates terminals under each base and controls access performed between terminals belonging to the connection between predetermined bases when a connection between predetermined bases is formed via a wide area network for a plurality of bases An access control setting device for setting access control information for controlling the access,
Authentication means for authenticating a user who uses the terminal for each terminal under each of the bases;
When an authentication result of successful authentication by the authentication unit is acquired for a predetermined terminal among the terminals belonging to the predetermined inter-base connection, access to the wide area network with the predetermined terminal as a transmission source is permitted. A first access control means for setting access control information for an access control apparatus accommodating the predetermined terminal;
When a predetermined condition set in advance is satisfied, a terminal other than the predetermined terminal permitted to be accessed by the first access control means and each terminal belonging to the predetermined inter-base connection as a transmission source An access control setting device comprising: second access control means for setting access control information for an access control device that accommodates the predetermined terminal so as to permit access to the destination.   In the case where a predetermined connection between VPNs is formed via a wide area network for a plurality of VPNs, the authentication means sends a predetermined authentication server to the authentication server for a terminal that requires authentication for connection to the VPN. The authentication result is obtained by relaying the authentication information, and the authentication result is obtained by authenticating the user of the terminal by the own device for a terminal that does not require authentication for connecting to the VPN. The access control setting device according to claim 1.   The second access control means sets the access control information when acquiring the authentication result of the authentication success for all terminals belonging to the predetermined inter-base connection as the case where the predetermined condition is satisfied. The access control setting device according to claim 1 or 2.   The second access control means sets the access control information when an authentication result of successful authentication is obtained for a predetermined terminal permitted to be accessed by the first access control means, when the predetermined condition is satisfied. The access control setting apparatus according to claim 1 or 2, wherein An access control device that accommodates terminals under each base and controls access performed between terminals belonging to the connection between predetermined bases when a connection between predetermined bases is formed via a wide area network for a plurality of bases An access control setting method for setting access control information for controlling the access,
Computer
For each terminal under each base, an authentication step for authenticating a user who uses the terminal;
When an authentication result of successful authentication by the authentication step is acquired for a predetermined terminal among the terminals belonging to the predetermined inter-base connection, an access destined for the wide area network with the predetermined terminal as a transmission source is permitted. A first access control step of setting access control information for an access control apparatus accommodating the predetermined terminal;
When a predetermined condition set in advance is satisfied, a terminal other than the predetermined terminal permitted to be accessed by the first access control step and each terminal belonging to the predetermined inter-base connection as a transmission source is the predetermined terminal. A second access control step of setting access control information for an access control apparatus that accommodates the predetermined terminal so as to permit access to the destination.   An access control setting program for causing a computer to function as the access control setting device according to any one of claims 1 to 4. An access control device that accommodates terminals under each base and controls access performed between terminals belonging to the connection between predetermined bases when a connection between predetermined bases is formed via a wide area network for a plurality of bases In contrast, the access control setting device is an access control setting system for setting access control information for controlling the access,
The access control setting device includes:
Authentication means for authenticating a user who uses the terminal for each terminal under each of the bases;
When an authentication result of successful authentication by the authentication unit is acquired for a predetermined terminal among the terminals belonging to the predetermined inter-base connection, access to the wide area network with the predetermined terminal as a transmission source is permitted. A first access control means for setting access control information for an access control apparatus accommodating the predetermined terminal;
When a predetermined condition set in advance is satisfied, a terminal other than the predetermined terminal permitted to be accessed by the first access control means and each terminal belonging to the predetermined inter-base connection as a transmission source A second access control means for setting access control information for an access control apparatus that accommodates the predetermined terminal so as to permit access to the destination,
Each of the access control devices is
Access control setting accepting means for accepting an instruction to set access control information by the first access control means and the second access control means;
An access control setting system comprising: access control means for controlling access between the bases performed via the access control device in accordance with access control information received by the access control setting receiving means. An access control device that accommodates terminals under each base and controls access performed between terminals belonging to the connection between predetermined bases when a connection between predetermined bases is formed via a wide area network for a plurality of bases Because
When an authentication result for each user who uses a terminal under each base is acquired for a predetermined terminal among the terminals belonging to the predetermined inter-base connection, the wide area network is destined for the predetermined terminal as a transmission source Each terminal that is a terminal other than the predetermined terminal and that belongs to the predetermined inter-base connection when receiving a setting instruction of access control information for controlling to permit access and satisfying a predetermined condition set in advance Access control setting accepting means for accepting an instruction to set access control information for controlling access to the predetermined terminal as a transmission source
An access control apparatus comprising: access control means for controlling access between the bases performed via the access control apparatus in accordance with access control information received by the access control setting receiving means.

Images